Hi,
Last week I changed our configuration
From this
<AuthBy LSA>
EAPType MSCHAP-V2
DefaultDomain somedomain
UsernameMatchesWithoutRealm
Group wireless-lumc-0
Group wireless-lumc-1
Group wireless-lumc-2
Group wireless-lumc-3
Group wireless-lumc-4
Group wireless-lumc-sa
Group wireless-lumc-other
Group Domain Computers
</AuthBy>
To
<AuthBy LSA>
EAPType MSCHAP-V2
DefaultDomain somedomain
UsernameMatchesWithoutRealm
Group wireless-lumc
Group wireless-lumc-sa
Group wireless-lumc-other
Group Domain Computers
</AuthBy>
Initially it works fine, however after several hours (random, first time it took
12 hours, then we've also had it happen 3x within 12 hours) the AuthBy LSA
module is unable to authenticate users.
Suddenly the logfiles are filled with entries that users trying to log in are
not a member of any group.
Sat Jun 1 13:53:15 2019: DEBUG: Radius::AuthLSA looks for match with accountname [[email protected]]
Sat Jun 1 13:53:15 2019: DEBUG: Checking LSA Group membership for \\DomainController, wireless-lumc, accountname
Sat Jun 1 13:53:15 2019: DEBUG: Checking LSA Group membership for \\DomainController, wireless-lumc-sa, accountname
Sat Jun 1 13:53:15 2019: DEBUG: Checking LSA Group membership for \\DomainController, wireless-lumc-other, accountname
Sat Jun 1 13:53:15 2019: DEBUG: Checking LSA Group membership for \\DomainController, Domain Computers, accountname
Sat Jun 1 13:53:15 2019: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: accountname [[email protected]]
The "wireless-lumc" AD group, in this example, contains all user accounts that
are able to authenticate (about 14500 accounts).
I wanted to phase out some AD groups in favor of a single AD group, but at this
time that's not an option due to the large business impact if our entire
wireless goes down at random.
Is there a known limit of members that an AD group may have (from a Radiator
perspective)?
Kind regards,
Stephan Schwarz
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
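
One way to catch the failure described above in monitoring, as an added example that is not part of the original post or of Radiator itself: it reads the REJECT lines in the format quoted in the message and flags the moment several distinct accounts are refused for group membership within a short window, which separates a systemic failure from one user who really is in no group. The function name, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# REJECT line format as shown in the post (wrapped log lines joined back into one).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): DEBUG: Radius::AuthLSA REJECT: "
    r"AuthBy LSA User is not a member of any Group: (?P<user>\S+)")

def find_reject_bursts(lines, window=timedelta(minutes=5), min_users=3):
    """Return [(timestamp, distinct_users)] for each point where group-membership
    REJECTs start hitting at least min_users different accounts within window."""
    recent, alerts, alerting = deque(), [], False
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        # %a/%b parsing assumes the log uses English day and month names
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        recent.append((ts, m["user"]))
        while ts - recent[0][0] > window:   # drop rejects older than the window
            recent.popleft()
        users = {u for _, u in recent}      # a retrying client counts once
        if len(users) >= min_users and not alerting:
            alerts.append((ts, len(users)))
        alerting = len(users) >= min_users  # re-arm once the burst has ended
    return alerts

def _reject(time, user):  # builds one constructed sample line
    return (f"Sat Jun 1 {time} 2019: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User "
            f"is not a member of any Group: {user} [{user}@example.test]")

# Constructed sample: one isolated reject in the morning, then a burst.
SAMPLE_LOG = [
    _reject("09:00:02", "guest1"),
    r"Sat Jun 1 13:53:15 2019: DEBUG: Checking LSA Group membership for "
    r"\\DomainController, wireless-lumc, user1",
    _reject("13:53:15", "user1"),
    _reject("13:53:20", "user1"),
    _reject("13:53:31", "user2"),
    _reject("13:54:02", "user3"),
    _reject("13:54:10", "user4"),
]

if __name__ == "__main__":
    for ts, n in find_reject_bursts(SAMPLE_LOG):
        print(f"{ts}: {n} distinct accounts rejected for group membership")
```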