Capacity Testing for FreeRADIUS
To simulate RADIUS authentication traffic, we use eapol_test in combination with Apache JMeter. While other RADIUS benchmarking tools exist, they typically do not support TLS and EAP, making eapol_test essential for accurate performance evaluation.
Connection and setup
Select a staging RADIUS server and follow the setup instructions in this document to configure the test environment.
Performance tests were conducted using custom EC2 instances in the GovWifi staging environment, targeting FreeRADIUS under two authentication methods: EAP-MSCHAPv2 and EAP-TLS.
Results
EAP-MSCHAPv2
- Sustained throughput: ~290 auth/s per RADIUS container
- Scales linearly across multiple clients and server instances
- CPU and memory usage remained stable
EAP-TLS
- Default config (with verify directive):
- ~23 auth/s, due to external OpenSSL verification
- Spawns separate process per auth; unsustainable at scale
- Optimised config (internal chain validation):
- ~213 auth/s
- Uses X509_V_FLAG_PARTIAL_CHAIN and removes verify
- CPU becomes primary bottleneck (single-threaded processing)