[RADIATOR] AuthBy LSA - Maximum AD group member? / Failure if too many users in AD group

Schwarz, S. (ICT) S.Schwarz at lumc.nl
Fri Jun 7 21:22:57 UTC 2019


Hi,

Last week I've changed our configuration

From this
        <AuthBy LSA>
            EAPType MSCHAP-V2
            DefaultDomain somedomain
            UsernameMatchesWithoutRealm
            Group wireless-lumc-0
            Group wireless-lumc-1
            Group wireless-lumc-2
            Group wireless-lumc-3
            Group wireless-lumc-4
            Group wireless-lumc-sa
            Group wireless-lumc-other
            Group Domain Computers
        </AuthBy>

To
        <AuthBy LSA>
            EAPType MSCHAP-V2
            DefaultDomain somedomain
            UsernameMatchesWithoutRealm
            Group wireless-lumc
            Group wireless-lumc-sa
            Group wireless-lumc-other
            Group Domain Computers
        </AuthBy>


Initially it works fine; however, after several hours (random: the first time it took 12 hours, then we've also had it happen 3x within 12 hours) the AuthBy LSA module is unable to authenticate users.
Suddenly the logfiles are filled with entries saying that users trying to log in are not a member of any group.

Sat Jun  1 13:53:15 2019: DEBUG: Radius::AuthLSA looks for match with accountname [accountname at lumc.nl]
Sat Jun  1 13:53:15 2019: DEBUG: Checking LSA Group membership for \\DomainController, wireless-lumc, accountname
Sat Jun  1 13:53:15 2019: DEBUG: Checking LSA Group membership for \\DomainController, wireless-lumc-sa, accountname
Sat Jun  1 13:53:15 2019: DEBUG: Checking LSA Group membership for \\DomainController, wireless-lumc-other, accountname
Sat Jun  1 13:53:15 2019: DEBUG: Checking LSA Group membership for \\DomainController, Domain Computers, accountname
Sat Jun  1 13:53:15 2019: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: accountname [accountname at lumc.nl]

The "wireless-lumc" AD group, in this example, contains all user accounts that are able to authenticate (about 14500 accounts).
I wanted to phase out some AD groups in favor of a single AD group, but at this time that's not an option due to the large business impact if our entire wireless goes down at random.

Is there a known limit of members that an AD group may have (from a Radiator perspective)?

Kind regards,
Stephan Schwarz
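An operator hit by this wants to know the moment the failure starts rather than when users complain. The following is an added example, not part of the post and not Radiator code: a small monitor over the DEBUG lines quoted above that flags the point where nearly every AuthLSA lookup in a sliding window ends in "User is not a member of any Group", which separates this outage from the occasional genuinely unauthorised account. The sample log lines, the window size and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Patterns for the two AuthLSA lines shown in the post: the per-login lookup and the reject.
_TS = r"(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})"
LOOKUP_RE = re.compile(_TS + r": DEBUG: Radius::AuthLSA looks for match with accountname \[")
REJECT_RE = re.compile(_TS + r": DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: ")

def parse_ts(ts):
    # Radiator pads the day with a space ("Jun  1"); collapse runs of spaces before strptime.
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%a %b %d %H:%M:%S %Y")

def first_mass_reject(lines, window=timedelta(seconds=60), min_lookups=5, ratio=0.9):
    """Return the timestamp at which, within one sliding window, at least `min_lookups`
    AuthLSA lookups occurred and `ratio` or more of them ended in a group REJECT; else None.
    A lone user outside every Group is normal; nearly everyone failing at once is the outage."""
    events = []
    for line in lines:
        for rx, kind in ((LOOKUP_RE, "lookup"), (REJECT_RE, "reject")):
            m = rx.match(line)
            if m:
                events.append((parse_ts(m["ts"]), kind))
    start = 0
    for end, (ts, _) in enumerate(events):
        while ts - events[start][0] > window:
            start += 1
        kinds = [k for _, k in events[start:end + 1]]
        lookups, rejects = kinds.count("lookup"), kinds.count("reject")
        if lookups >= min_lookups and rejects / lookups >= ratio:
            return ts
    return None

# Constructed log excerpts modelled on the lines quoted in the post (not real LUMC data).
LOOKUP = "{ts}: DEBUG: Radius::AuthLSA looks for match with accountname [{u} at lumc.nl]"
REJECT = ("{ts}: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any "
          "Group: {u} [{u} at lumc.nl]")

def sample(rejected):
    """Six logins in one minute; every one rejected if `rejected`, otherwise only user3."""
    lines = []
    for i in range(6):
        ts, u = f"Sat Jun  1 13:53:{15 + i:02d} 2019", f"user{i + 1}"
        lines.append(LOOKUP.format(ts=ts, u=u))
        if rejected or i == 2:
            lines.append(REJECT.format(ts=ts, u=u))
    return lines

if __name__ == "__main__":
    print(first_mass_reject(sample(False)), first_mass_reject(sample(True)))
```

Pointing this at the live Radiator log (for example via `tail -F`) and paging on the first non-None result gives an alert minutes into the failure instead of hours.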