Smith, Brian (ESEA IS&A) wrote:
Hi Alan, Thanks for the great reply. It makes perfect sense to me. Just be clear, FreeRadius will support a certificate/chain length up to the TLS record limit of 16384 bytes (minus some overhead). And, you don't know of anyone that has every tried to test beyond this, which tells me in practice, it's not done....
Yes.
Also, you point out that very likely AP's and STA' might not support multiple records, though the RFC says they should. Also telling me, this is not normally done.
No... they *do* support multiple round trips. But they have an upper limit on "too many" round trips. For example, WPA supplicant (the most widely used one) has a default limit of 50. This means it's *highly* unlikely that it will work with 64K certificate chains.
Two quick questions for you.
- What do you think the market penetration of FreeRadius (or commercial clones) to authenticate wireless WPA2 clients is, verses commercial products?
It's the most widely used RADIUS server on the planet. Most large telcos on Europe are either using it, or switching to it.
- Do you know of any other Radius Server that does support multiple TLS records for a single message?
No idea, sorry. And if you're thinking of buying one that does, I can pretty much guarantee you it'll be cheaper and faster to fix FreeRADIUS.
- What is the largest certificate chain you have seen used with FreeRadius?
I don't know. People don't usually report that kind of statistics. Alan DeKok.