Just to add to Bruce's narrative: I estimate that a couple of dozen errant 
clients (frequently Blackberry for some reason) add RADIUS transactional volume 
of thousands more clients to the servers by the way they act. Using client 
exclusion, or manually disabling the worst of the worst, seems to have knocked 
the problem down.

Lee H. Badman
Network Architect/Wireless TME
Information Technology and Services (ITS)
Syracuse University
315 443-3003
 
 


-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Dennis Xu
Sent: Tuesday, October 23, 2012 12:24 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Wireless Design

Yes, ACE is RADIUS session aware. RADIUS stickiness has been configured for ACS 
servers. 

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

----- Original Message -----
From: "Bruce Boardman" <[email protected]>
To: [email protected], [email protected]
Sent: Tuesday, October 23, 2012 12:15:13 PM
Subject: RE: [WIRELESS-LAN] Wireless Design

TAC has confirmed the problem and has not yet offered a workaround to LB. The 
LB is manually pointing controllers to one of the two RADIUS servers, which 
helps, but of course is not really a solution. The ACE is RADIUS session aware, 
I take it?


|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667
________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[[email protected]] on behalf of Dennis Xu [[email protected]]
Sent: Tuesday, October 23, 2012 12:11 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Wireless Design

We have two ACS 4.2 servers behind a load balancer (ACE) and we do not see any 
issues with wireless PEAP authentications. We are going to upgrade these 
servers to ACS 5.3 soon. Has Cisco confirmed the problem is related with LB? 
What if the ACS servers are not load balanced, will the problem still exist? 
Thanks.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

----- Original Message -----
From: "Bruce Boardman" <[email protected]>
To: [email protected]
Sent: Tuesday, October 23, 2012 11:55:31 AM
Subject: Re: [WIRELESS-LAN] Wireless Design




We are having this exact issue and have been working with TAC for a month. We 
have clients that are misconfigured pounding the RADIUS servers, and one by 
one we are identifying and blacklisting devices that have never been on the 
network. This is only a couple days in the works, but seems to have helped and 
TAC thinks it's the issue.

Per TAC .... Hi Bruce,

Good Morning.
After discussing your scenario with the collaboration team, they suggest we 
track down the EAP-session timeouts and remove those clients or block them 
before reaching the ACS.
“Clients sending malformed requests, or not compliant with the access-challenge 
that ACS sends after a failure can tie up threads for up to 120 seconds.”
And “120” seconds is a lot of time.

We have also added a third server for logging. So far so good.




|Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[[email protected]] on behalf of Chris Toth [[email protected]]
Sent: Tuesday, October 23, 2012 11:32 AM
To: [email protected]
Subject: [WIRELESS-LAN] Wireless Design






We are having authentication issues with our wireless network and I was 
wondering if any other universities are running a similar design without issue. 
We have 17 wireless controllers each providing both an unsecured web auth and a 
secured WPA/WPA2 access using RADIUS. The secured access points to a load 
balancer using RADIUS stickiness for 2 virtual Cisco ACS servers running 
version 5.3. We have approximately 10k associated authenticated wireless users 
during peak hours.

Our authentication servers don’t appear to be working very hard; however, they 
are having issues. We are working with the vendor to resolve these issues but I 
am curious if other universities run their auth servers behind a load balancer 
and how many auth servers are running / per authenticated clients.



Any information you could provide would be helpful.



Thank you,



Chris Toth

Senior Network Technician

Bowling Green State University

Phone: (419) 372-8462

Email: [email protected]

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
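
Added example, not part of the original thread: one way to find the clients the replies above describe (devices that never authenticate yet generate repeated EAP timeouts or rejects) from an authentication log export. The record format `epoch_seconds calling_station_id outcome`, the outcome labels, the thresholds and all sample data are constructed assumptions, not ACS output.

```python
from collections import Counter, defaultdict

FAILURES = {"REJECT", "EAP_TIMEOUT"}  # outcome labels are assumed, not ACS's

def constructed_log():
    """Constructed sample: 40 healthy clients, one retry, two errant clients."""
    lines = [f"{1000 + i} 02:00:00:00:00:{i:02x} ACCEPT" for i in range(40)]
    lines += ["1010 02:00:00:00:aa:01 REJECT", "1020 02:00:00:00:aa:01 ACCEPT"]
    for mac in ("02:00:00:00:ee:01", "02:00:00:00:ee:02"):
        lines += [f"{1000 + 5 * n} {mac} EAP_TIMEOUT" for n in range(60)]
    return lines

def errant_clients(lines, window=300, max_failures=10):
    """Flag clients that never authenticate and exceed max_failures within
    any `window` seconds. Returns ({mac: peak_failures}, share_of_volume)."""
    total, accepted, fails = Counter(), set(), defaultdict(list)
    for line in lines:
        ts, mac, outcome = line.split()
        mac = mac.lower()
        total[mac] += 1
        if outcome == "ACCEPT":
            accepted.add(mac)
        elif outcome in FAILURES:
            fails[mac].append(int(ts))
    flagged = {}
    for mac, stamps in fails.items():
        if mac in accepted:          # has been on the network: leave alone
            continue
        stamps.sort()
        peak = lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] >= window:   # slide window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > max_failures:
            flagged[mac] = peak
    share = sum(total[m] for m in flagged) / max(1, sum(total.values()))
    return flagged, share

if __name__ == "__main__":
    flagged, share = errant_clients(constructed_log())
    for mac, peak in sorted(flagged.items()):
        print(f"exclusion candidate {mac}: {peak} failures in 5 min")
    print(f"{share:.0%} of RADIUS transactions come from flagged clients")
```
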
