We are having authentication issues with our wireless network and I was wondering if any other universities are running a similar design without issue. We have 17 wireless controllers, each providing both an unsecured web auth and a secured WPA/WPA2 access using RADIUS. The secured access points to a load balancer using RADIUS stickiness for 2 virtual Cisco ACS servers running version 5.3. We have approximately 10k associated authenticated wireless users during peak hours.

 

Our authentication servers don’t appear to be working very hard; however, they are having issues. We are working with the vendor to resolve these issues, but I am curious if other universities run their auth servers behind a load balancer and how many auth servers are running / per authenticated clients.

 

Any information you could provide would be helpful.

 

Thank you,

 

Chris Toth

Senior Network Technician

Bowling Green State University

Phone:    (419) 372-8462

Email:      ctoth@bgsu.edu

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

We are having this exact issue and have been working with TAC for a month. We have clients that are mis-configured pounding the RADIUS servers, and one by one we are identifying and blacklisting devices that have never been on the network. This is only a couple days in the works, but seems to have helped and TAC thinks it's the issue.

 

 
Per Tac....
Hi Bruce,
Good Morning.
After discussing your scenario with the collaboration team, they suggest we track down the EAP-session timeouts and remove those clients or block them before reaching the ACS.
“Clients sending malformed requests, or not compliant with the access-challenge that ACS sends after a failure can tie up threads for up to 120 seconds.”
And “120” seconds is a lot of time.

 

We have also added a third server for logging. So far so good.

 
Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667

We have two ACS 4.2 servers behind load balancer (ACE) and we do not see any issues with wireless PEAP authentications. We are going to upgrade these servers to ACS 5.3 soon. Has Cisco confirmed the problem is related with LB? What if the ACS servers are not load balanced, will the problem still exist? Thanks.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

TAC has confirmed the problem and has not yet offered a work around to LB. The LB is manually pointing controllers to one of the two RADIUS servers, which helps, but of course is not really a solution. The ACE is RADIUS session aware I take it?

Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667

________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Dennis Xu [dxu@uoguelph.ca]
Sent: Tuesday, October 23, 2012 12:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Design

We have two ACS 4.2 servers behind load balancer (ACE) and we do not see any issues with wireless PEAP authentications. We are going to upgrade these servers to ACS 5.3 soon. Has Cisco confirmed the problem is related with LB? What if the ACS servers are not load balanced, will the problem still exist? Thanks.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

Yes ACE is radius session aware. Radius stickiness has been configured for ACS servers.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

Just to add to Bruce's narrative- I estimate that a couple of dozen errant clients (frequently Blackberry for some reason) add RADIUS transactional volume of thousands more clients to the servers by the way they act. Using client exclusion, or manually disabling the worst of the worst, seems to have knocked the problem down.

Lee H. Badman
Network Architect/Wireless TME
Information Technology and Services (ITS)
Syracuse University
315 443-3003
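The triage described in the replies above (find the clients whose EAP sessions time out, then put them on client exclusion) can be sketched as follows. This is an added example, not part of the thread and not Cisco tooling; the three-column log layout, the `eap_timeout` label, the sample MAC addresses and the function names are all constructed assumptions, so adapt the parsing to whatever your RADIUS server actually exports.

```python
import csv
import io
from collections import Counter

# Constructed sample: timestamp, Calling-Station-Id (client MAC), outcome.
# The column layout is hypothetical, not an ACS export format.
SAMPLE_LOG = """\
2012-10-23T09:00:01,aa-bb-cc-00-00-01,accept
2012-10-23T09:00:02,aa-bb-cc-00-00-02,eap_timeout
2012-10-23T09:00:05,aa-bb-cc-00-00-02,eap_timeout
2012-10-23T09:00:07,aa-bb-cc-00-00-03,accept
2012-10-23T09:00:09,AA:BB:CC:00:00:02,eap_timeout
2012-10-23T09:00:12,aa-bb-cc-00-00-04,reject
2012-10-23T09:00:15,aa-bb-cc-00-00-02,eap_timeout
2012-10-23T09:00:20,aa-bb-cc-00-00-05,eap_timeout
2012-10-23T09:00:31,aa-bb-cc-00-00-01,accept
"""

HOLD_SECONDS = 120  # worst-case thread hold per bad session, per the TAC note


def normalize_mac(raw):
    """Fold separators and case so one device is not counted as several."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def exclusion_candidates(log_text, min_timeouts=3):
    """Rank clients by EAP timeouts; return those at or above the threshold."""
    totals, timeouts = Counter(), Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines instead of aborting
        _, mac, outcome = row
        mac = normalize_mac(mac)
        totals[mac] += 1
        if outcome == "eap_timeout":
            timeouts[mac] += 1
    all_requests = sum(totals.values())
    return [
        {"mac": mac, "timeouts": n,
         "max_thread_seconds": n * HOLD_SECONDS,  # upper bound, not measured
         "share_of_requests": round(totals[mac] / all_requests, 2)}
        for mac, n in timeouts.most_common() if n >= min_timeouts
    ]
```

`max_thread_seconds` is only the "up to 120 seconds" ceiling multiplied out, so treat it as a ranking aid rather than a measurement of server load.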