Identity Engines RADIUS Requests Slow or Unresponsive Due To "Queue is Full"

Symptoms
  • RADIUS Accounting or Authentication requests are not processed in a timely manner
  • Some authentication requests are processed while the majority of requests are not
  • Ignition Dashboard Access Logs continuously show in excess of dozens of incoming requests per second
  • Ignition Dashboard Security Log shows events similar to the examples below
Below is an example of "Queue is Full":

id:	629688
time:	2018-07-26 14:02:59 GMT
attr_list:
	catId:    10
	msgId:    5
	AuthenticatorIpAddr:    20.21.22.23
	Description:    RADIUS authentication request queue is full. Dropping packet.
	packetId:    31


Below is an example of "Request Timed Out"

id:	629900
time:	2018-07-26 14:03:19 GMT
attr_list:
	catId:    10
	msgId:    15
	AuthenticatorIpAddr:    10.11.12.13
	CallingStationId:    08-00-5A-7C-11-9B
	CredentialProtocol:    UNKNOWN
	TunnelProtocol:    PEAP
	UserId:    host/testmachine.local
Environment
  • Identity Engines Ignition
  • All Software Releases
  • EAP / EAP-TLS
  • NEAP
  • Ethernet Routing Switch (ERS)
  • Virtual Services Platform (VSP)
Cause
The switch EAP / NEAP eap-packet-mode is set to multihost multicast mode, with mac-max either not set or set to a value greater than 1 per port.
Resolution
Configure the switch to unicast mode globally, configure unicast mode per port, or limit mac-max to 1 per port.
 
Global config:
eapol multihost eap-packet-mode unicast

Port config:
eapol multihost port 1/ALL,2/ALL,3/ALL,4/ALL enable eap-mac-max 2 allow-non-eap-enable radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 2
Additional notes
When the switch EAP / NEAP configuration is set to multicast mode with mac-max not set or set to a value greater than 1 per port, the switch periodically solicits for additional stations on the port until mac-max has been reached.

By default the solicitation occurs every 30s, equal to the supplicant timeout configured on the switch.

During each solicitation the switch sends an EAPOL Identity multicast request to all stations on the port. Existing, authenticated stations will interpret this as a request for re-authentication.

In dynamic, high-transaction environments, this unnecessary re-authentication of existing clients increases the transaction rate to the Ignition server, which may overwhelm the RADIUS service, resulting in increased queueing and potentially a queue-full scenario.

In unicast mode the switch no longer solicits for stations. It is up to each connecting station to initiate the EAP process by sending an EAPOL Start request.
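
To decide which switches to reconfigure first, the Security Log records shown under Symptoms can be tallied per AuthenticatorIpAddr. The script below is an added example, not part of the original article or of any vendor tooling; it assumes the Security Log has been exported as text in the record layout shown above, and the sample records and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample records in the layout of the Security Log examples above.
QUEUE_FULL = "\tDescription:    RADIUS authentication request queue is full. Dropping packet.\n"

def _record(rid, time, msg_id, ip, extra):
    return (f"id:\t{rid}\ntime:\t{time} GMT\nattr_list:\n\tcatId:    10\n"
            f"\tmsgId:    {msg_id}\n\tAuthenticatorIpAddr:    {ip}\n{extra}\n")

SAMPLE = "".join([
    _record(700001, "2018-07-26 14:02:59", 5, "192.0.2.10", QUEUE_FULL),
    _record(700002, "2018-07-26 14:03:01", 5, "192.0.2.10", QUEUE_FULL),
    _record(700003, "2018-07-26 14:03:05", 5, "192.0.2.20", QUEUE_FULL),
    _record(700004, "2018-07-26 14:03:19", 15, "192.0.2.10", "\tTunnelProtocol:    PEAP\n"),
])

def parse_records(text):
    """Split an exported log into dicts; a new record starts at each 'id:' line."""
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]+):\s*(.*)$", line)
        if not m:
            continue  # blank separator or unrecognised line
        key, value = m.group(1), m.group(2).strip()
        if key == "id":
            current = {"id": value}
            records.append(current)
        elif current is not None and key != "attr_list":
            current[key] = value
    return records

def queue_full_by_authenticator(records):
    """Count 'queue is full' drops per authenticator (switch) IP and per minute."""
    per_switch, per_minute = Counter(), Counter()
    for r in records:
        if "queue is full" not in r.get("Description", "").lower():
            continue  # e.g. timed-out requests, which carry other attributes
        per_switch[r.get("AuthenticatorIpAddr", "unknown")] += 1
        ts = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S GMT")
        per_minute[ts.strftime("%Y-%m-%d %H:%M")] += 1
    return per_switch, per_minute

if __name__ == "__main__":
    switches, minutes = queue_full_by_authenticator(parse_records(SAMPLE))
    for ip, drops in switches.most_common():
        print(f"{ip}: {drops} dropped request(s)")
    print("busiest minute:", minutes.most_common(1))
```

Running the same tally before and after changing eap-packet-mode shows whether the drops attributed to a given switch have stopped.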
