Hi,

On Thu, Mar 10, 2016 at 10:54:59AM -0800, Jake Snyder wrote:
> Thanks for the great info on FreeRadius. I don't think this is
> the case in what I'm seeing, which is specifically that
> Windows AD is not keeping up with NTLM.

OK, that's interesting. I think the issue that others have seen on this would look like that - and certainly the symptoms sound the same as you described - so I'm wondering how you came to the conclusion that it's AD itself rather than something between AD and ACS.

However, I'm not at all familiar with ACS - I guess it sits on a member server and probably calls LsaLogonUser directly - so there is the communication between the member server and the DC, though I guess that /should/ be fairly slick in theory...

> These are customers with environments that are relatively stable
> and have been performing well for extended periods of time with
> similar user counts. These are also well below the 256 radius
> session limit.

I'd throw in the consideration of student numbers as well. We always hit our peak number of wireless clients in February/March each year, so this is the time problems often show up. Why this time of year I have no idea! Probably all the new Christmas presents being connected. :)

> The MaxConcurrentAPI raises the number of worker threads in AD
> so that NTLM on the DC can keep up with the incoming
> requests. Why did the performance of NTLM change recently? I
> have no idea, but it appears it has.

I believe MaxConcurrentAPI helped some people[0] who were having problems with the FreeRADIUS/Samba setup as well, so again I'm not entirely sure it's a pointer to AD having necessarily changed.

Maybe review all Windows patches applied to the DCs and ACS servers in the last 3 months and see if anything seems relevant? But I'm not sure how easy this is to do.

It seems very likely to me that sites are seeing a combination of problems, which could be all of WLC running out of RADIUS IDs, ntlm_auth/Samba as well as MaxConcurrentAPI - so it wouldn't surprise me if different things seem to fix the same symptoms for different sites. It's just that the ACS sites don't have the ntlm_auth component of the problem, so it may have taken a few more months of load before the issue reared its head!

Cheers,

Matthew

[0] see e.g. https://lists.freeradius.org/pipermail/freeradius-users/2015-March/075969.html

--
Matthew Newton, Ph.D. <m...@le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>