Adam I have spent a considerable amount of time looking into this with Clearpass. Would be willing to talk in depth with you about this offline.
We average about 500ms for 802.1x and have been told by Aruba this is a good number. The number is based on the number of radius requests it takes to complete a user authentication. With respect to failed MAC authentications I found that Clearpass delays sending a reject for 1 second. This is done on purpose to prevent DOS attacks. So I have seen failed requests skew the results displayed in Clarity and other systems like Nyansa. Steve From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Jake Snyder Sent: Thursday, March 15, 2018 11:53 AM To: [email protected] Subject: Re: [WIRELESS-LAN] Measuring RADIUS Performance I would find 2+ seconds to authenticate as horribly unacceptable. The fact that Mac auth is so much lower begs the question if there is something that is not keeping up (Like the AD environment). Might be worth checking the MaxConcurrentAPI settings on the domain, if doing certificates, make sure the OCSP or CRL server is responding quickly. 2 seconds will have impacts on association, roaming, etc. Sent from my iPhone On Mar 15, 2018, at 9:44 AM, Adam Forsyth <[email protected]<mailto:[email protected]>> wrote: How do you measure the performance of your RADIUS Serve? How fast is fast enough? How slow is unacceptable? We have Aruba Airwave, and its Clarity module provides me a way to measure the amount of time that RADIUS Authentication takes. For our RADIUS MAC SSID's it says it takes 63ms, and for our 802.1x SSID it says 2392ms. The settings Airwave comes with by default are that <500ms is marked green meaning good, 500 -- 1000ms is marked yellow meaning warning and >1000ms is marked read meaning poor. Of course faster is always better, but I wondered if others have opinions on whether Airwave's ranges are reasonable, or whether they have unrealisticly expectations. If they're reasonable, then I probably need to figure out how to speed up our 802.1x RADIUS performance. -- Adam Forsyth Director of Network and Systems Luther College Information Technology Services 700 College Drive Decorah, IA 52101 563-387-1402 ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
