


Identity Engines RADIUS Requests Slow or Unresponsive Due To "Queue is Full"

  • RADIUS Accounting or Authentication requests are not processed in a timely manner
  • Some authentication requests are processed while the majority of requests are not
  • Ignition Dashboard Access Logs show in excess of dozens of incoming requests per second continuously
  • Ignition Dashboard Security Log shows events similar to:
Below is an example of "Queue is Full"

id:	629688
time:	2018-07-26 14:02:59 GMT
	catId:    10
	msgId:    5
	Description:    RADIUS authentication request queue is full. Dropping packet.
	packetId:    31

Below is an example of "Request Timed Out"

id:	629900
time:	2018-07-26 14:03:19 GMT
	catId:    10
	msgId:    15
	CallingStationId:    08-00-5A-7C-11-9B
	CredentialProtocol:    UNKNOWN
	TunnelProtocol:    PEAP
	UserId:    host/testmachine.local
  • Identity Engines Ignition
  • All Software Releases
  • NEAP
  • Ethernet Routing Switch (ERS)
  • Virtual Services Platform (VSP)
Switch EAP / NEAP eap-packet-mode is set to multihost multicast mode with mac-max not set or set to a value greater than 1 per port.
Configure the switch for unicast mode globally, configure unicast mode per port, or limit mac-max to 1 per port.
Global config:
eapol multihost eap-packet-mode unicast

Port config:
eapol multihost port 1/ALL,2/ALL,3/ALL,4/ALL enable eap-mac-max 2 allow-non-eap-enable radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 2
Additional notes
Switch EAP / NEAP configuration is set to multicast mode with mac-max not set or set to a value greater than 1 per port. In this configuration, the switch periodically solicits for additional stations on the port until mac-max has been reached.

By default, the solicitation occurs every 30s, equal to the supplicant timeout configured on the switch.

During each solicitation the switch sends an EAPOL Identity multicast request to all stations on the port. Existing, authenticated stations will interpret this as a request for re-authentication.

In dynamic, high-transaction environments, this unnecessary re-authentication of existing clients increases the transaction rate to the Ignition server, which may overwhelm the RADIUS service, resulting in increased queueing and potentially a queue-full scenario.

In unicast mode the switch no longer solicits for stations. It is up to each connecting station to initiate the EAP process by sending an EAPOL Start request.
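
The following is an added example, not part of the original article or any vendor tooling: a small audit over a saved switch configuration that flags "eapol multihost" port lines still matching the cause described above. It assumes that a port line without "eap-packet-mode unicast" is not in unicast mode, and that any one of the three remedies in the article is sufficient; the function names and the sample configuration are constructed for illustration.

```python
# Constructed sample config; only keywords that appear in the article are used.
SAMPLE_CONFIG = """\
eapol multihost port 1/ALL enable eap-mac-max 2 allow-non-eap-enable mac-max 2
eapol multihost port 2/ALL enable eap-mac-max 2 eap-packet-mode unicast mac-max 2
eapol multihost port 3/ALL enable eap-mac-max 1 mac-max 1
eapol multihost port 4/ALL enable eap-mac-max 2 radius-non-eap-enable
"""

def option_value(tokens, name):
    """Return the token that follows an exact keyword match, or None.
    Whole-token matching keeps 'eap-mac-max' from being read as 'mac-max'."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None

def audit_eapol_multihost(config_text):
    """Return (global_unicast, findings); findings is a list of (ports, reason)."""
    global_unicast = False
    port_lines = []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["eapol", "multihost"]:
            continue
        if len(tokens) > 3 and tokens[2] == "port":
            port_lines.append((tokens[3], tokens[4:]))
        elif option_value(tokens, "eap-packet-mode") == "unicast":
            global_unicast = True  # global remedy from the article
    if global_unicast:
        return True, []
    findings = []
    for ports, opts in port_lines:
        # Assumption: no explicit 'eap-packet-mode unicast' means not unicast.
        if option_value(opts, "eap-packet-mode") == "unicast":
            continue
        mac_max = option_value(opts, "mac-max")
        if mac_max is None:
            findings.append((ports, "mac-max not set"))
        elif mac_max.isdigit() and int(mac_max) > 1:
            findings.append((ports, "mac-max " + mac_max))
    return False, findings

if __name__ == "__main__":
    print(audit_eapol_multihost(SAMPLE_CONFIG))
```

Ports reported by the audit are the ones where the switch would keep soliciting for stations as described above.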


