Novell Home

Preventing RADIUS Users from Timing out When Authenticating

Novell Cool Solutions: Feature

Digg This - Slashdot This

Posted: 1 Nov 2002

If your RADIUS users are having trouble authenticating, here's why, and what to do about it.

RADIUS has a built-in intelligence mechanism for handling duplicate request for the same user (specifically, intelligent handling of retries), so that it does not attempt to authenticate the same user multiple times. If RADIUS receives a duplicate packet, it will drop the duplicate packet and increase the "Special Q Handler" counter. This is symptomatic of either NDS name resolution problems or settings specific to the NAS.

Here's how to fix it:

1- Increase Accounting retry interval (on the NAS) from 20 to 60 seconds and Authentication retry interval from 3 to 15 seconds.

2- Load RADIUS with the AFFINITY=<preferred replica servername>
NOTE: This new feature for BMAS 3.5 and later, allows you to specify a "preferred replica server" which holds replicas of most/all user partitions. If the RADIUS server does not have a local R/W replica for a user or service, it will first try to resolve the request on the server specified in the Affinity setting before walking the tree to find it.

3- Increase the THREADS parameter from 5 to 20 and increase the AUTHENTICATION THREADS from 3 per socket to 10 per socket.
Note: The authentication threads parameter is new to BM 3.6 and is included in RADIUS v3.20 and later.

Details on the threads and authentication threads:

RADIUS v3.20 and later, contains a performance enhancement which by default improves the number of authentications per second from approximately 7 to approximately 33. This enhancement is contained in a new LOAD RADIUS 'authentication threads' option:

- AUTHTHREADS=<number of threads>

The default setting is 3, but this can be set as high as the server is capable of handling. In comparison, the default authentication threads setting in BMAS 3.5 (RADIUS v3.13 and earlier) was 1. This option defines the number of threads listening on the authentication socket.

This setting does not affect the accounting socket and is different from the THREADS= LOAD RADIUS parameter. The 'Threads' parameter handles threads that actually process the authentication requests, which by default is set to 5.

Specifically, focus on increasing the retry interval settings (NAS) and try bumping the Authentication threads to 10. (The special Q handing messages relate directly to the Authentication Threads.)

For more info see TID 10061640

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© 2014 Novell