Performance and IAS

This section contains recommendations on fine-tuning IAS and monitoring its performance. It also includes sample performance information that can be helpful in determining your IAS server performance and health conditions.

Consider these points when fine-tuning the performance of an IAS server:

  • If IAS authenticates users against a Windows 2000-based domain controller that is running in native mode, the domain controller should also contain the global catalog.

  • High-latency connections between either the NAS and IAS server or the IAS server and the domain controller can negatively impact authentication times, causing retries and time-outs.

In very large ISP environments (millions of remote access users) with extremely heavy load conditions, where a large number of both authentication requests and accounting packets are being handled within seconds, the following items should be considered:

  • Typically, the number of authentications per second that you get depends on the hardware used for the domain controller. Using a faster domain controller should yield a better throughput.

  • Using separate IAS servers for authentication and accounting.

  • Running the IAS server on a domain controller with a global catalog. This would minimize network latency and may improve throughput.

  • Using the MaxConcurrentApi registry entry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) to tune the number of concurrent authentication calls in progress at one time between the IAS server and the domain controller, achieving better throughput.

  • Deploying multiple IAS servers and using an IP load balancing scheme to point NASs to a single IP address that represents a pool of IAS servers. However, EAP is a stateful protocol and might not work with all IP load-balancing schemes.

Monitoring IAS Server Performance and Health

The RADIUS authentication protocol distinguishes between the client and server functions. In RADIUS authentication, clients send Access-Request packets, and servers reply with Access-Accept, Access-Reject, and Access-Challenge packets. Typically, NAS devices perform the client function and implement the RADIUS authentication client MIB (management information database), and RADIUS authentication servers perform the server function and implement the RADIUS authentication server MIB.

The two most commonly used counters for IAS performance monitoring are:

  • Access Requests per second.

  • Accounting Requests per second.

For more information about SNMP MIBs supported by IAS, see Appendix G.
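The two counters above can be cross-checked against a packet capture taken at the IAS server. The following is an added example, not part of the original page: it parses the RADIUS header of each datagram, derives both request rates for a sampling window, and counts retransmitted requests, which indicate the retries and time-outs caused by high latency. The sample packets, the NAS address 192.0.2.10, and all function names are constructed for illustration.

```python
import struct
from collections import Counter

# RADIUS request codes: RFC 2865 (authentication), RFC 2866 (accounting)
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4

def parse_header(payload):
    """Return (code, identifier, authenticator) from a RADIUS UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= min(4096, len(payload)):
        raise ValueError("Length field outside 20..4096 or past the datagram")
    return code, ident, payload[4:20]

def summarize(capture, window_seconds):
    """capture: (src_ip, src_port, payload) tuples seen during the window."""
    counts, seen, retransmits, malformed = Counter(), set(), 0, 0
    for src_ip, src_port, payload in capture:
        try:
            code, ident, authenticator = parse_header(payload)
        except ValueError:
            malformed += 1
            continue
        counts[code] += 1
        if code in (ACCESS_REQUEST, ACCOUNTING_REQUEST):
            # A NAS retrying after a time-out resends the identical request
            key = (src_ip, src_port, code, ident, authenticator)
            retransmits += key in seen
            seen.add(key)
    return {"access_requests_per_sec": counts[ACCESS_REQUEST] / window_seconds,
            "accounting_requests_per_sec": counts[ACCOUNTING_REQUEST] / window_seconds,
            "retransmits": retransmits, "malformed": malformed}

def make_pkt(code, ident, fill):  # constructed header-only packet, no attributes
    return struct.pack("!BBH", code, ident, 20) + bytes([fill]) * 16

# Constructed 2-second sample from one hypothetical NAS (192.0.2.10)
SAMPLE = [
    ("192.0.2.10", 50001, make_pkt(1, 1, 0xA1)),
    ("192.0.2.10", 50001, make_pkt(1, 2, 0xA2)),
    ("192.0.2.10", 50001, make_pkt(1, 2, 0xA2)),  # retry of identifier 2
    ("192.0.2.10", 50002, make_pkt(4, 7, 0xB1)),
    ("192.0.2.10", 50002, make_pkt(4, 8, 0xB2)),
    ("192.0.2.10", 50001, b"\x01\x09\x00"),       # truncated datagram
]

if __name__ == "__main__":
    print(summarize(SAMPLE, window_seconds=2))
```

A retransmit count that rises while the request rate stays flat points at latency between the NAS, the IAS server and the domain controller rather than at IAS server load.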

Capacity Planning

IAS can scale to large numbers of accounts and authentications per second. Table 2 shows how IAS can scale using faster hardware.

Table 2 - Scaling with Faster Hardware

| Type of organization | Authentications/second for typical use | Hardware configuration |
|---|---|---|
| Small to medium-sized organizations with less than 1000 users | 1 | Minimum hardware recommended for Windows 2000 Server |
| Large organizations with 50,000 users | 10 | Minimum hardware recommended for Windows 2000 Server |
| ISPs with 2 million users | 50 | 200 MHz Pentium II or higher. |
| ISPs with 20 million users | 300 | 4-processor Xeon or higher. |

Table 3 lists performance numbers that can be used as guidelines for the throughput of a single IAS server.

Table 3 - Performance Guidelines for a Single IAS Server

| Hardware | Authentication methods | Maximum authentications/second |
|---|---|---|
| Minimum hardware recommended for Windows 2000 Server and a remote Active Directory domain controller | CHAP, MS-CHAP v1, MS-CHAP v2 | 50 |
| 200 MHz Pentium II and a remote Active Directory domain controller | CHAP, MS-CHAP v1, MS-CHAP v2 | 200 |
| 4-processor Xeon and a remote Active Directory domain controller | CHAP, MS-CHAP v1, MS-CHAP v2 | 700 |

Instead of using a single faster computer, you can also increase IAS authentications per second by using multiple computers. For example, you can use an IP load-balancing scheme to balance the load between multiple IAS servers.

Before you attempt to scale IAS up with a single faster computer or out by using multiple computers, determine whether the IAS computer is the bottleneck. At the peak number of authentications per second, use Windows 2000 Performance Logs and Alerts to track CPU utilization. If IAS server CPU utilization at the maximum number of authentications per second is high, you can improve performance by scaling up or out. If use of the IAS server CPU at the maximum number of authentications per second is not high, then the following methods might improve IAS performance:

  1. Run IAS on the same computer as the domain controller.

  2. Run IAS on the same computer that contains the global catalog.

  3. If it is not possible to run IAS on the same computer as the domain controller or the computer that contains the global catalog, verify that you have an efficient domain and site topology.

  4. Use the MaxConcurrentApi registry entry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) to increase the number of multiplexed connections to the domain controller.

Here are some factors that commonly affect IAS performance:

  1. Network latency between the IAS server computer and the domain controller computer.

  2. Network latency between the IAS server computer and the Global Catalog computer.

  3. Performance and the current load of the domain controller computer.

  4. The resolution of user principal names, resulting in an additional Remote Procedure Call (RPC) query to the Global Catalog computer.

  5. EAP-based authentication methods, involving multiple challenge-response exchanges.

  6. The number of user accounts in the domain.