We have Network Sentry as our NAC rather than Clearpass, but I think what you're saying might apply anyway. So on any given day multiple somebody's 180 Days have come up, and our system will force them to change their password. They have some number of devices that they've used their username and password to connect to our 802.1x SSID. The minute they change their password those devices are going to start failing to log in. Even if they have meticulously kept a list of the devices that need to be told their new password for connecting to wireless and immediately proceeded to update those, there'd be multiple failed logins from their devices. The more likely scenario is several days later they're thinking I should really look into why my phone doesn't seem to connect to the wireless network anymore... oh well it can still connect to the cellular data.
I can't do anything about how many users have clients configured with old passwords in them, so does that make Clarity's tabulation of RADIUS authentication time useless to me?

On Thu, Mar 15, 2018 at 11:20 AM, Holland, Stephen <[email protected]> wrote:

> Adam
>
> I have spent a considerable amount of time looking into this with Clearpass. Would be willing to talk in depth with you about this offline.
>
> We average about 500ms for 802.1x and have been told by Aruba this is a good number. The number is based on the number of radius requests it takes to complete a user authentication.
>
> With respect to failed MAC authentications I found that Clearpass delays sending a reject for 1 second. This is done on purpose to prevent DOS attacks.
>
> So I have seen failed requests skew the results displayed in Clarity and other systems like Nyansa.
>
> Steve
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] *On Behalf Of* Jake Snyder
> *Sent:* Thursday, March 15, 2018 11:53 AM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] Measuring RADIUS Performance
>
> I would find 2+ seconds to authenticate as horribly unacceptable.
>
> The fact that MAC auth is so much lower begs the question if there is something that is not keeping up (like the AD environment). Might be worth checking the MaxConcurrentAPI settings on the domain; if doing certificates, make sure the OCSP or CRL server is responding quickly.
>
> 2 seconds will have impacts on association, roaming, etc.
>
> Sent from my iPhone
>
> On Mar 15, 2018, at 9:44 AM, Adam Forsyth <[email protected]> wrote:
>
> How do you measure the performance of your RADIUS Server? How fast is fast enough? How slow is unacceptable?
>
> We have Aruba Airwave, and its Clarity module provides me a way to measure the amount of time that RADIUS Authentication takes. For our RADIUS MAC SSIDs it says it takes 63ms, and for our 802.1x SSID it says 2392ms. The settings Airwave comes with by default are that <500ms is marked green meaning good, 500-1000ms is marked yellow meaning warning and >1000ms is marked red meaning poor.
>
> Of course faster is always better, but I wondered if others have opinions on whether Airwave's ranges are reasonable, or whether they have unrealistic expectations. If they're reasonable, then I probably need to figure out how to speed up our 802.1x RADIUS performance.
>
> --
> *Adam Forsyth*
> Director of Network and Systems
> Luther College Information Technology Services
> 700 College Drive
> Decorah, IA 52101
> 563-387-1402
>
> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.

--
*Adam Forsyth*
Director of Network and Systems
Luther College Information Technology Services
700 College Drive
Decorah, IA 52101
563-387-1402
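
An added example, not part of any message in this thread: it shows how delayed rejects from stale-password clients pull an averaged RADIUS authentication time out of the green band while successful authentications stay inside it, and how to list the clients that only ever fail. The record layout, MAC addresses and timings are constructed for illustration and are not an Airwave, Clearpass or Network Sentry export format.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed sample: (client MAC, RADIUS result, authentication time in ms).
# Rejects are given ~1 s durations, modelling a server that delays Access-Reject.
RECORDS = [
    ("aa:00:00:00:00:01", "accept", 420),
    ("aa:00:00:00:00:02", "accept", 510),
    ("aa:00:00:00:00:03", "accept", 380),
    ("aa:00:00:00:00:04", "accept", 450),
    ("aa:00:00:00:00:05", "reject", 1000),
    ("aa:00:00:00:00:05", "reject", 1100),
    ("aa:00:00:00:00:05", "reject", 1050),
    ("aa:00:00:00:00:06", "reject", 1200),
    ("aa:00:00:00:00:06", "reject", 1150),
    ("aa:00:00:00:00:02", "reject", 1100),  # one mistyped password, later accepted
]

def grade(ms):
    """Bands quoted in the thread: <500 green, 500-1000 yellow, >1000 red."""
    if ms < 500:
        return "green"
    return "yellow" if ms <= 1000 else "red"

def summarize(records):
    """Compare the blended average with statistics over successful auths only."""
    accepts = [ms for _, result, ms in records if result == "accept"]
    all_ms = [ms for _, _, ms in records]
    return {
        "mean_all": mean(all_ms),
        "mean_accept": mean(accepts),
        "median_accept": median(accepts),
        "rejects": len(all_ms) - len(accepts),
    }

def stale_clients(records, min_rejects=3):
    """MACs that never succeed: likely devices still holding an old password."""
    counts = defaultdict(lambda: {"accept": 0, "reject": 0})
    for mac, result, _ in records:
        counts[mac][result] += 1
    return sorted(m for m, c in counts.items()
                  if c["accept"] == 0 and c["reject"] >= min_rejects)

if __name__ == "__main__":
    print(summarize(RECORDS))
    print(stale_clients(RECORDS))
```

Reporting the accept-only median alongside the blended mean keeps the latency figure usable for judging server performance, and the stale-client list gives the help desk something to act on.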
