On Wed, Sep 27, 2006 at 11:26:49PM -0500, Frank Bulk wrote: > Shumon: > > Vendors have bandied about different authentication rates for RADIUS > servers. What kinds of rates are you seeing, 50 auths/sec reasonable? > > Frank
Hmm, I think that any quoted numbers would have to be accompanied by additional details of the implementation: hardware, software, authentication protocols being used, what other backend systems are involved (eg. the RADIUS server might need to talk to a Kerberos server to verify a user's password and then talk to an LDAP server to obtain data necessary to generate authorization related response attributes etc etc). It's been a while since I've done performance testing of our RADIUS servers, so I'm relying on my imperfect memory for these numbers. With just simple RADIUS authentication (ie. when NOT encapsulating EAP) and authenticating users from a local BerkeleyDB database of users and hashed passwords, I'm pretty sure we can easily get several hundred authns/sec. When doing Kerberos password verification via an external KDC, I think that number dropped to around 50. And it should be *much* lower when adding EAP-TTLS, although I don't have any numbers for our site. Besides the additional cryptographic computation involved with TLS, according to a packet trace I did a few weeks ago, a full EAP-TTLS exchange in our environment required 6 round-trips between the client and server! Our RADIUS servers are Sun V480 (2x900MHz), Solaris 9, running Radiator. --Shumon. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
