Optimize Authentication and Accounting

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

RADIUS servers provide authentication and accounting for RADIUS clients, and interact with the authentication servers. As a result, RADIUS server performance and availability impacts authentication and accounting performance.

To optimize authentication in your network, ensure that all redundant IAS servers use the same user account database, thereby ensuring that the user accounts are available for authentication. Also, specify that RADIUS clients use the redundant IAS servers to ensure proper authentication and accounting.

In larger organizations with complex forest or domain topologies, use IAS as a RADIUS proxy to forward authentication requests to remote RADIUS server groups. You can also designate remote RADIUS server groups to process only accounting requests, freeing the servers performing authentication from handling accounting traffic.

To optimize authentication and accounting performance in your IAS design, take the following actions:

  • Run IAS on the same computer as the domain controller. This speeds IAS access to the Active Directory user accounts database when IAS is performing user authentication and authorization.

  • Run IAS on the same computer that contains the global catalog. If it is not possible to run IAS on the same computer as the domain controller or the computer that contains the global catalog, verify that you have an efficient domain and site topology, and place the IAS server on the same subnet as a domain controller or global catalog server.

  • Reduce the number of user accounts in each domain by redesigning your domain topology.

  • Add IAS proxy servers to load balance authentication and accounting between servers in remote RADIUS server groups.

  • Upgrade the hardware resources of the existing IAS servers.

  • Replace existing IAS servers with higher performance servers.

  • Reduce the level of detail recorded in IAS accounting. IAS accounting can record user authentication requests, accounting requests, and periodic data. Make sure you are logging only the amount of information you need to troubleshoot network access.

  • If you configure IAS accounting for SQL Server logging, install SQL Server Desktop Engine (MSDE 2000) on the IAS server, and log to MSDE 2000 instead of directly to SQL Server 2000 running on another computer. This configuration assists in preventing logging failure due to network hardware failure or heavy network traffic. Use a custom application, service, or component to periodically publish the accounting logs from the MSDE 2000 database on each IAS server to the master SQL Server 2000 database.

  • For wireless deployments, use PEAP-EAP-MS-CHAPv2 with fast reconnect. PEAP uses cached TLS keys during re-authentication with access points configured as RADIUS clients of a single IAS server. Cached authentication is critical for wireless deployments because wireless clients authenticate each time they move to and associate with a new access point. In addition to improving performance, PEAP fast reconnect significantly reduces the latency of authentication and the public key operation overhead on both the client and the RADIUS server.

  • Use the MaxConcurrentApi registry entry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) to increase the number of multiplexed connections to the domain controller.
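The accounting item above says to log only what you need to troubleshoot network access; deciding that requires knowing how the log volume splits between authentication requests, accounting requests, and periodic data. The following Python script is an added example, not part of this documentation or of IAS itself: it categorizes records from an IAS-format log into those three groups. It assumes the IAS log format (six fixed fields, then attribute-ID/value pairs) and that attribute 4136 carries Packet-Type and attribute 40 carries Acct-Status-Type; the sample records are constructed.

```python
from collections import Counter
# Attribute IDs as they appear in IAS-format records (assumed here, see lead-in):
PACKET_TYPE = "4136"       # IAS attribute: Packet-Type
ACCT_STATUS_TYPE = "40"    # RADIUS attribute: Acct-Status-Type
PERIODIC_STATUS = "3"      # Acct-Status-Type 3 = Interim-Update (periodic data)
AUTH_PACKETS = {"1", "2", "3"}   # Access-Request, Access-Accept, Access-Reject
ACCT_PACKET = "4"                # Accounting-Request

def parse_ias_line(line):
    """Split an IAS-format record (six fixed fields, then ID/value pairs) into
    (fixed_fields, attrs)."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < 6 or (len(fields) - 6) % 2:
        raise ValueError("not an IAS-format record: %r" % line)
    fixed, rest = fields[:6], fields[6:]
    return fixed, dict(zip(rest[0::2], rest[1::2]))

def categorize(attrs):
    """Map a record to the categories the IAS accounting settings control."""
    ptype = attrs.get(PACKET_TYPE)
    if ptype in AUTH_PACKETS:
        return "authentication"
    if ptype == ACCT_PACKET:
        status = attrs.get(ACCT_STATUS_TYPE)
        return "periodic" if status == PERIODIC_STATUS else "accounting"
    return "unknown"

def summarize(lines):
    """Count records per category; blank lines are skipped, malformed lines raise."""
    counts = Counter()
    for line in lines:
        if line.strip():
            counts[categorize(parse_ias_line(line)[1])] += 1
    return counts

# Constructed sample records (not real traffic): one session for alice with a
# Start record and two interim updates, plus one rejected attempt by bob.
SAMPLE_LOG = """\
10.0.0.5,EXAMPLE\\alice,07/31/2004,11:07:26,IAS,IAS1,4128,AP-Floor1,4136,1
10.0.0.5,EXAMPLE\\alice,07/31/2004,11:07:26,IAS,IAS1,4128,AP-Floor1,4136,2
10.0.0.5,EXAMPLE\\alice,07/31/2004,11:07:27,IAS,IAS1,4128,AP-Floor1,4136,4,40,1,44,0001
10.0.0.5,EXAMPLE\\alice,07/31/2004,11:12:27,IAS,IAS1,4128,AP-Floor1,4136,4,40,3,44,0001
10.0.0.5,EXAMPLE\\alice,07/31/2004,11:17:27,IAS,IAS1,4128,AP-Floor1,4136,4,40,3,44,0001
10.0.0.5,EXAMPLE\\bob,07/31/2004,11:20:01,IAS,IAS1,4128,AP-Floor1,4136,3
"""

if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print("%-15s %d" % (category, n))
```

To apply it to a real log, pass the lines of the IAS log file to summarize() in place of the constructed sample.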

For more information, see "Remote Access Logging" in Help and Support Center for Windows Server 2003.