Skip to main content

Capacity Testing for FreeRADIUS

To simulate RADIUS authentication traffic, we use eapol_test in combination with Apache JMeter. While other RADIUS benchmarking tools exist, they typically do not support TLS and EAP, making eapol_test essential for accurate performance evaluation.

Connection and setup

Select a staging RADIUS server and follow the setup instructions in this document to configure the test environment.

Performance tests were conducted using custom EC2 instances in the GovWifi staging environment, targeting FreeRADIUS under two authentication methods: EAP-MSCHAPv2 and EAP-TLS.

Results

EAP-MSCHAPv2

  • Sustained throughput: ~290 auth/s per RADIUS container
  • Scales linearly across multiple clients and server instances
  • CPU and memory usage remained stable

EAP-TLS

  • Default config (with verify directive):
  • ~23 auth/s, due to external OpenSSL verification
  • Spawns separate process per auth; unsustainable at scale
  • Optimised config (internal chain validation):
  • ~213 auth/s
  • Uses X509_V_FLAG_PARTIAL_CHAIN and removes verify
  • CPU becomes primary bottleneck (single-threaded processing)
This page was last reviewed on 23 January 2025. It needs to be reviewed again on 23 July 2025 by the page owner #govwifi .