<[EMAIL PROTECTED]> wrote:
> I'm proposing a FreeRadius solution for 802.1x authentication of Wired
> client based on Client certificates, a CRL lookup, and vlan association
> from Active Directory.

FreeRADIUS doesn't do CRL lookups right now (i.e. OCSP), but it's probably not too hard to add.

> The IT department, who usually buy Steel Belted Radius from Juniper, are
> saying FreeRadius is just too slow, and could not handle the traffic.

Sure... See the survey results I posted yesterday. Ask Juniper how many sites with more than 10 million users have deployed SBR. Ask them why their market share is 1/3 that of Cisco or IAS. Ask them how they do load balancing or failover to LDAP directories... they don't.

Performance isn't everything. And 99% of the server's performance is limited by the back-end database.

> Now, I don't see the basis for these assertions and I would imagine the
> bottleneck being the CRL lookups and AD requests.

Yes.

> I estimate the number of authentications per sec to reach about 60 to
> 100 for this project.

That's a lot for a sustained load. And if that's a problem, you need to buy more machines.

You don't say how many users you have, but if you have a few hundred thousand (or more), I would *strongly* suggest multiple RADIUS servers for redundancy, just in case one hiccups.

Oh, wait... you can't do that with SBR, because its model is to pay per server installation. That means your network is *more* likely to fail, because you're using 1-2 servers where a good design would use 3-4.

Take the money you save by *not* buying SBR licenses, and buy more machines. Install FreeRADIUS on those machines, and your network will thank you for it. :)

> However I'd like to humbly ask the list what they think of such
> assertions, is there something in SBR that would make them much more
> scalable or faster?

No.

> Where would the bottlenecks be?

The database, and the SSL traffic.

> How many client cert auths/sec could FR handle, on say an entry level
> single CPU server HW?

Not a lot. If you're just doing PAP to the "users" file, the server can handle 1000's to 10's of 1000's per second. Add LDAP lookups, and that probably drops to low 1000's per second. Add SSL, and it drops even more.

But SBR will have exactly the same issues with LDAP and SSL, for exactly the same reason: 99% of the time will be spent waiting for LDAP, or doing encryption.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
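Added example, not from the message above or from the FreeRADIUS project's own configuration: a FreeRADIUS 3.x-style configuration that spreads the directory lookups identified above as the main bottleneck over two LDAP servers with failover, and keeps bound connections pooled so requests are not queued behind fresh binds. Hostnames, bind DN, password, base DN and pool sizes are assumed placeholder values.

```conf
# mods-available/ldap: one instance of the ldap module per directory server.
# All hostnames, DNs and the password below are assumed placeholders.
ldap ldap_dc1 {
    server = 'ldap-dc1.example.com'
    port = 389
    identity = 'cn=radius,ou=service,dc=example,dc=com'
    password = CHANGE_ME
    base_dn = 'dc=example,dc=com'

    user {
        base_dn = "${..base_dn}"
        # Active Directory users are usually found by sAMAccountName
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    # Pool of already-bound connections: each request reuses one instead of
    # paying for a TCP handshake plus bind, which is where the wait time goes.
    pool {
        start = 5
        min = 4
        max = 32
        spare = 5
        idle_timeout = 60
    }
}

ldap ldap_dc2 {
    server = 'ldap-dc2.example.com'
    port = 389
    identity = 'cn=radius,ou=service,dc=example,dc=com'
    password = CHANGE_ME
    base_dn = 'dc=example,dc=com'

    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    pool {
        start = 5
        min = 4
        max = 32
        spare = 5
        idle_timeout = 60
    }
}

# sites-enabled/default, authorize section (other modules such as eap omitted):
# pick one directory per request at random, and fall through to the other one
# if the chosen server is down or the query fails.
authorize {
    redundant-load-balance {
        ldap_dc1
        ldap_dc2
    }
}
```

Run `radiusd -XC` after editing to have the server parse the configuration before restarting it, so a typo in a module block is caught without an outage.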

