A lot of connections on the MS RADIUS server

  • Question
  • Updated 2 years ago
We are in a high-density area with 1500 students in a small area walking around from classroom to classroom.
In the Event Viewer on the MS RADIUS server I can see 15,000 authentications in three hours.
As I see it, every time a student moves from access point to access point a new authentication is made.
Is there a setting somewhere so that when students come in in the morning they are authenticated and stay on for the next 8 hours before they have to authenticate via RADIUS again?

At the moment we are using three access points as proxy access points between an access point and the MS RADIUS server. We are using 802.1X authentication.

Jan Boje


Posted 2 years ago


Nick Lowe, Official Rep

Hi Jan,

15,000 over three hours is, honestly, nothing at all to be worried about.

I would strongly recommend however not proxying through an access point before hitting NPS for reliability and performance reasons. This should not be done unless it is unavoidable.

Server 2012 lifted the maximum number of RADIUS clients restriction in the Standard edition, so there isn't much of a justification for doing so these days. Previously, you would need the Enterprise edition in Server 2008/2008 R2 not to have a limit.

To understand what is available for Wi-Fi generally from a roaming perspective with 802.1X, take a look at:

http://www.revolutionwifi.net/revolutionwifi/2012/02/wi-fi-roaming-analysis-part-2-roaming.html

http://www.revolutionwifi.net/revolutionwifi/2013/05/apple-ios-fast-roaming-with-aerohive-wi.html

In reality, there is no best answer for optimising this and we end up using a combination of techniques in the real world because it is messy. Clients all support different features, many are buggy so there are often compatibility implications.

802.11k is the best option. It is a Voice-Enterprise feature and is not supported on all Aerohive APs, so check on a model-by-model basis. It has compatibility issues with certain clients/drivers, and many clients don't support the feature regardless. It is often necessary to use a dedicated SSID due to the compatibility issues.

TLS session resumption, also known as fast reconnect, in a TLS-based EAP type is also helpful, especially as this is only a supplicant and RADIUS server concern, the points of EAP termination. This still results in the RADIUS server being contacted but it avoids round trips during auth and computationally burdensome work being carried out and is much quicker than doing a full auth.

With Aerohive you also have a Proactive PMK ID Response feature that is disabled by default; this again has compatibility issues with certain older clients/drivers.

Cheers,

Nick
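The roaming techniques above all aim to avoid a full EAP exchange through the RADIUS server on every re-association. The following is an added example, not code from the original thread, Aerohive or Microsoft, that models the PMKSA caching that PMKID-based fast roaming relies on: the PMKID formula is the one IEEE 802.11 defines for WPA2 with 802.1X, while the access point, station and "proactive distribution" step are a hypothetical toy model (the exact mechanism of the Aerohive feature is not described in the post), and the MAC addresses and PMK are constructed values. A full EAP exchange would normally yield a fresh PMK each time; the stand-in here returns the same key so that the cache behaviour is easy to follow.

```python
import hashlib
import hmac
from typing import Dict, List


def derive_pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID for WPA2 with 802.1X (AKM 00-0F-AC:1), as defined by IEEE 802.11:
    PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA)).
    AA = authenticator (AP BSSID) MAC, SPA = supplicant (station) MAC."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6:
        raise ValueError("PMK must be 32 bytes and MAC addresses 6 bytes")
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class AccessPoint:
    """Toy authenticator holding a PMKSA cache keyed by PMKID (hypothetical model)."""

    def __init__(self, bssid: bytes):
        self.bssid = bssid
        self.pmksa: Dict[bytes, bytes] = {}
        self.full_auths = 0  # how many times this AP had to go to RADIUS

    def cache_pmk(self, pmk: bytes, spa: bytes) -> bytes:
        pmkid = derive_pmkid(pmk, self.bssid, spa)
        self.pmksa[pmkid] = pmk
        return pmkid

    def associate(self, spa: bytes, offered_pmkids: List[bytes], eap_via_radius) -> str:
        """Handle a (re)association request carrying the station's PMKID list (RSN IE)."""
        for pmkid in offered_pmkids:
            if pmkid in self.pmksa:
                return "pmksa-hit"  # 802.1X skipped; proceed straight to the 4-way handshake
        self.full_auths += 1  # cache miss: full EAP exchange through the RADIUS server
        self.cache_pmk(eap_via_radius(), spa)
        return "full-802.1x"


class Station:
    """Toy supplicant that remembers the PMKs it obtained from EAP."""

    def __init__(self, mac: bytes):
        self.mac = mac
        self.pmks: List[bytes] = []

    def pmkids_for(self, bssid: bytes) -> List[bytes]:
        # The station computes the PMKID it expects the target AP to hold for each PMK it knows.
        return [derive_pmkid(p, bssid, self.mac) for p in self.pmks]


def roaming_demo() -> Dict[str, object]:
    sta = Station(bytes.fromhex("a4c3f0112233"))  # constructed station MAC
    ap1, ap2, ap3 = (AccessPoint(bytes.fromhex(h))
                     for h in ("001122334455", "001122334466", "001122334477"))  # constructed BSSIDs
    # Stand-in for the PMK a real EAP-TLS/PEAP exchange delivers (from the MSK / MS-MPPE keys).
    pmk = hashlib.sha256(b"constructed stand-in for the EAP-derived PMK").digest()
    radius = lambda: pmk

    r1 = ap1.associate(sta.mac, sta.pmkids_for(ap1.bssid), radius)  # morning: full 802.1X
    sta.pmks.append(pmk)                                             # supplicant now holds the PMK
    r2 = ap2.associate(sta.mac, sta.pmkids_for(ap2.bssid), radius)  # roam: AP2 has no PMKSA, full auth again
    ap3.cache_pmk(pmk, sta.mac)                                      # proactive distribution to a neighbour AP
    r3 = ap3.associate(sta.mac, sta.pmkids_for(ap3.bssid), radius)  # roam: cache hit, no RADIUS round trip
    return {"ap1": r1, "ap2": r2, "ap3": r3,
            "radius_auths": ap1.full_auths + ap2.full_auths + ap3.full_auths}


if __name__ == "__main__":
    print(roaming_demo())
```

Without any PMK distribution every roam to a new AP costs a full EAP exchange, which is exactly the per-roam authentication count seen in the NPS event log; with the PMK pre-placed on the neighbouring AP the RADIUS server is not contacted at all for that roam. Whether a given client actually offers a PMKID on re-association is a driver matter, which is the compatibility caveat in the reply.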

Jan Boje

Hi Nick,
Thanks for your answer; we will use Server 2012 for authentication as soon as possible. We have set up a test server with 2012, 802.1X authentication and no proxy access point.
It is working fine, but it can still take up to 10-20 seconds before login is finished; this is when you have never been authenticated before.
1-2 out of 10 times you have to try again (timeout?).
Is there any way we can speed up the process?

Best regards,
Jan Boje

Nick Lowe, Official Rep

Hi Jan,

You will first want to take and review packet captures of both the EAPOL (supplicant <--> authenticator) and the RADIUS exchanges (authenticator <--> authentication server).

RAS tracing is available in Server 2012 to see what NPS gets up to during an authentication attempt, and what it blocks on if the problem is occurring there.
NPS itself also performs more basic logging.

Conceptually, you need to drill into your problem and break it down to get an understanding of what's making it slow. Root cause analysis is better than conjecture.

Cheers,

Nick
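The advice above is to capture the RADIUS exchange and measure where the time goes rather than guess. The following is an added example, not code from the thread or from Microsoft, of the analysis a practitioner would run over such a capture: it parses RFC 2865 packets, checks the Response Authenticator and the Message-Authenticator attribute against the shared secret, pairs each Access-Request with its reply by Identifier, and reports round-trip time, retransmissions and unanswered requests. The "capture" is constructed in `make_trace` (timestamps, user name, NAS identifier, EAP payloads and the secret are all made up) and models the symptoms described in the question: one reply that takes seconds and arrives only after the NAS has retransmitted, and one reply signed with a mismatched secret, which a NAS silently discards so that the client sees a timeout.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

# RADIUS (RFC 2865) codes used below; header is Code, Identifier, Length, then a 16-byte Authenticator
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
HDR = struct.Struct("!BBH")
SECRET = b"constructed-shared-secret"  # constructed; never reuse a real one in a script


def build(code: int, ident: int, authenticator: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return HDR.pack(code, ident, 20 + len(body)) + authenticator + body


def parse(pkt: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Return (code, identifier, authenticator, [(type, value), ...]); reject malformed lengths."""
    code, ident, length = HDR.unpack_from(pkt)
    if length < 20 or length > 4096 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs


def sign_request(pkt: bytes, secret: bytes) -> bytes:
    """Fill Message-Authenticator (type 80), required with EAP-Message (RFC 3579):
    HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed."""
    i = 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if t == 80:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            return pkt[:i + 2] + hmac.new(secret, zeroed, hashlib.md5).digest() + pkt[i + 18:]
        i += l
    raise ValueError("no Message-Authenticator placeholder")


def response_authenticator_ok(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 s3: ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def make_trace(secret: bytes) -> List[Tuple[float, bool, bytes]]:
    """Constructed capture as (seconds, from_nas, packet). Not a real network trace."""
    def req(ident: int, eap: bytes) -> Tuple[bytes, bytes]:
        auth = os.urandom(16)  # Request Authenticator is random per request
        attrs = [(1, b"student01@example.edu"), (32, b"ap-block-a"), (79, eap), (80, bytes(16))]
        return sign_request(build(ACCESS_REQUEST, ident, auth, attrs), secret), auth

    def resp(code: int, ident: int, req_auth: bytes, attrs, key: bytes) -> bytes:
        body = build(code, ident, bytes(16), attrs)
        return body[:4] + hashlib.md5(body[:4] + req_auth + body[20:] + key).digest() + body[20:]

    r7, a7 = req(7, b"\x02\x01\x00\x0e\x01student01")  # EAP-Response/Identity (constructed)
    r8, a8 = req(8, b"\x02\x02\x00\x06\x0d\x00")        # EAP-TLS response fragment (constructed)
    r9, a9 = req(9, b"\x02\x03\x00\x06\x0d\x00")
    return [
        (0.000, True, r7),
        (0.012, False, resp(ACCESS_CHALLENGE, 7, a7, [(24, b"s1"), (79, b"\x01\x02\x00\x06\x0d\x20")], secret)),
        (0.020, True, r8),
        (3.020, True, r8),   # NAS retransmitted after its 3 s timeout: server was slow
        (3.150, False, resp(ACCESS_ACCEPT, 8, a8, [(79, b"\x03\x02\x00\x04")], secret)),
        (5.000, True, r9),
        (5.100, False, resp(ACCESS_REJECT, 9, a9, [], b"wrong-secret")),  # secret mismatch for this NAS
    ]


def analyze(trace: List[Tuple[float, bool, bytes]], secret: bytes) -> Dict[str, object]:
    pending: Dict[int, Tuple[float, bytes]] = {}  # identifier -> (first send time, Request Authenticator)
    out: Dict[str, object] = {"rtts": [], "retransmits": 0, "bad_authenticator": 0, "bad_message_auth": 0}
    for t, from_nas, pkt in trace:
        _, ident, auth, _ = parse(pkt)
        if from_nas:
            if ident in pending and pending[ident][1] == auth:
                out["retransmits"] += 1  # same ID and same Request Authenticator: a retry, not a new auth
                continue
            if not hmac.compare_digest(sign_request(pkt, secret), pkt):
                out["bad_message_auth"] += 1
            pending[ident] = (t, auth)
        elif ident in pending:
            t0, req_auth = pending[ident]
            if not response_authenticator_ok(pkt, req_auth, secret):
                out["bad_authenticator"] += 1  # NAS drops such a reply, so the client just sees a timeout
                continue
            out["rtts"].append(round(t - t0, 3))  # measured from the first transmission, as the user feels it
            del pending[ident]
    out["unanswered"] = len(pending)
    return out


if __name__ == "__main__":
    print(analyze(make_trace(SECRET), SECRET))
```

Run against a real capture (for example, packets exported from the authenticator-to-NPS side of a pcap) the same pairing logic separates three very different root causes that all look like "login takes 20 seconds" to the student: NPS itself being slow (large RTT with retransmits), a shared-secret mismatch (valid-looking replies that the NAS discards), and requests that never get an answer at all (firewall, wrong NAS IP, or NPS not listening). The EAPOL side between supplicant and AP needs a separate capture, as the reply notes.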