Hi,
Should have made clearer that I asking "payload being spread across several packets" rather than "why do EAP packets need to be large".
You can control the amount of EAP Bytes to be transferred in one RADIUS message from server to client (eap_fragment_size). Setting it lower will avoid fragmentation on most scenarios. But not deterministically: an itnermediate proxy may add more attributes to its liking, so your packet can still grow beyond the local frag size limit at that point. The second uneasy scenario: if you use EAP-TLS, the *client* will send (potentially large) certificates itself. As the server operator, you have no control over supplicant EAP fragment size settings. In that case, the packet coming back from the client may need to be fragmented anyway. There's no real way to circumvent that (unless you have full control over the client side), which as a corollary means: make sure your infrastructure can handle fragments properly to be prepared. Unsetting DF is one part, having sane firewalls that treat fragmented packets in a dignified manner is another one. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473