We are having this exact issue and have been working with TAC for a month. We have clients that are mis-configured pounding the RADIUS servers, and one by one we are identifying and blacklisting devices that have never been on the network. This is only a couple days in the works, but seems to have helped and TAC thinks it's the issue.
[X] Per Tac.... Hi Bruce, Good Morning. After discussing the your scenario with the collaboration team, they suggest we track down the EAP-session timeouts and remove those clients or block them before reaching the ACS. “Clients sending malformed requests, or not compliant with the access-challenge that ACS sends after a failure can tie up threads for up to 120 seconds.” And “120” seconds is a lot of time. We have also add a third server for logging. So far so good |Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667 ________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Chris Toth [[email protected]] Sent: Tuesday, October 23, 2012 11:32 AM To: [email protected] Subject: [WIRELESS-LAN] Wireless Design We are having authentication issues with our wireless network and I was wondering if any other universities are running a similar design without issue. We have 17 wireless controllers each providing both an unsecured web auth and a secured WPA/WPA2 access using radius. The secured access points to a load balancer using radius stickiness for 2 virtual cisco ACS servers running version 5.3. We have approximately 10k associated authenticated wireless users during peak hours. Our authentications servers don’t appear to be working very hard; however, they are having issues. We are working with the vendor to resolve these issues but I am curious if other universities run their auth servers behind a load balancer and how many auth servers are running / per authenticated clients. Any information you could provide would be helpful. Thank you, Chris Toth Senior Network Technician Bowling Green State University Phone: (419) 372-8462 Email: [email protected]<mailto:[email protected]> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
