2. Re: Setting Framed-MTU in Freeradius (Nick Porter)
Gday, To start with, thank you so much Nick Porter for answering! That is amazing! Thank you :-)
This is a case of AI being confidently wrong - but there is wrong information out there which was probably part of the training set.
Based on your email, I took another look and I found reference to Framed-MTU in the etc/raddb/users file, so I uncommented that in and tried to set it to 1024. I saved the changes and restarted the server in -x. And then reconnected to check the logs. A subset of logs are provided below the email. Framed-MTU is being set to 1002 or 994, not 1024. eg: (24) Framed-MTU += 994 (24) Framed-MTU = 1002 (24) &session-state:Framed-MTU = 994 Google Gemini tells me it is because of this line: (24) [files] = noop and that the default setting of Framed-MTU that I brought back in is being disregarded because the supplicant has an identity. So do I need to put that identity in the users file and set the Framed-MTU there specifically?
If you are running into issues with fragmentation on the packets from client to server, then usually the key is getting path MTU discovery to work correctly.? Failing that, it is a matter of ensuring that fragments are not getting dropped by firewalls.
I would like to set the Framed-MTU because I have been asked to do so. I don't know if it will help them or not but I want to do it because I have been asked to do so. Why they want to set Framed-MTU is because Freeradius is returning many debug lines that look like this: (458002) Cleaning up request packet ID 112 with timestamp +945036 due to cleanup_delay was reached They are hoping that setting the Framed-MTU will solve this.
Example logs: (24) Received Access-Request Id 193 from 172.17.0.1:52424 to 172.17.0.2:1812 length 243 (24) User-Name = "redacted" (24) NAS-IP-Address = redacted (24) NAS-Identifier = "redacted" (24) Called-Station-Id = "2A-70-4E-AB-FB-33:T-TEC Enterprise" (24) NAS-Port-Type = Wireless-802.11 (24) Service-Type = Framed-User (24) Calling-Station-Id = "redacted" (24) Connect-Info = "CONNECT 24Mbps 802.11a" (24) Acct-Session-Id = "1B70491FD72097B8" (24) Acct-Multi-Session-Id = "33F1B622305CBD65" (24) WLAN-Pairwise-Cipher = 1027076 (24) WLAN-Group-Cipher = 1027076 (24) WLAN-AKM-Suite = 1027073 (24) Framed-MTU = 1002 (24) EAP-Message = 0x02f500060d00 (24) State = 0xc08ccb62c779c6c0c349c973c80ddb37 (24) Chargeable-User-Identity = 0x00 (24) Message-Authenticator = 0x9151c9eca3140df6df7002b31dd0faa0 (24) Restoring &session-state (24) &session-state:Framed-MTU = 994 (24) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (24) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (24) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (24) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (24) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (24) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (24) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Certificate" (24) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange" (24) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify" (24) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Finished" (24) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 ChangeCipherSpec" (24) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Finished" (24) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (24) &session-state:TLS-Session-Version = "TLS 1.2" (24) # Executing section authorize from file /etc/freeradius/sites-enabled/default (24) authorize { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = notfound (24) } # policy filter_username = notfound (24) [preprocess] = ok (24) [digest] = noop (24) suffix: Checking for suffix after "@" (24) suffix: No '@' in User-Name = "redacted", looking up realm NULL (24) suffix: No such realm "NULL" (24) [suffix] = noop (24) eap: Peer sent EAP Response (code 2) ID 245 length 6 (24) eap: No EAP Start, assuming it's an on-going EAP conversation (24) [eap] = updated (24) [files] = noop (24) [expiration] = noop (24) [logintime] = noop (24) } # authorize = updated (24) Found Auth-Type = eap (24) # Executing group from file /etc/freeradius/sites-enabled/default (24) authenticate { (24) eap: Removing EAP session with state 0xc08ccb62c779c6c0 (24) eap: Previous EAP request found for state 0xc08ccb62c779c6c0, released from the list (24) eap: Peer sent packet with method EAP TLS (13) (24) eap: Calling submodule eap_tls to process data (24) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished (24) eap: Sending EAP Success (code 3) ID 245 length 4 (24) eap: Freeing handler (24) [eap] = ok (24) } # authenticate = ok (24) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (24) post-auth { (24) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (24) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (24) update { (24) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.3 Handshake, ClientHello' (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, ServerHello' (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, Certificate' (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange' (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest' (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone' (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, Certificate' (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange' (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify' (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, Finished' (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 ChangeCipherSpec' (24) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, Finished' (24) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (24) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (24) } # update = noop (24) [exec] = noop (24) policy remove_reply_message_if_eap { (24) if (&reply:EAP-Message && &reply:Reply-Message) { (24) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (24) else { (24) [noop] = noop (24) } # else = noop (24) } # policy remove_reply_message_if_eap = noop (24) if (EAP-Key-Name && &reply:EAP-Session-Id) { (24) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (24) } # post-auth = noop (24) Sent Access-Accept Id 193 from 172.17.0.2:1812 to 172.17.0.1:52424 length 173 (24) MS-MPPE-Recv-Key = 0x9e7d6bc3e620c918df655f5b6f3df6354afb8a122a23d067e577eeceef5d41dd (24) MS-MPPE-Send-Key = 0x30c4a64e47a5fadfdbe66e814dda937c5a16d504439fdb0c7e21602acbc3664b (24) EAP-Message = 0x03f50004 (24) Message-Authenticator = 0x00000000000000000000000000000000 (24) User-Name = "redacted" (24) Framed-MTU += 994 (24) Finished request Waking up in 4.8 seconds.