Good afternoon, We have radsec tunnels between the authenticator and the server wherever it is supported, and a lot of the newer networking equipment that has this. The majority of traffic will be on Windows machines using EAP-TTLS. We came across this message: https://www.juniper.net/documentation/us/en/software/junos/user-access/topic... which states "NOTE: Due to limitations of the TCP protocol, RADSEC can have no more than 255 RADIUS messages in flight." Due to the majority of our traffic being from Windows machines using EAP-TTLS, will this also include RADIUS messages? Has anyone been affected by this limitation? We are looking at scaling the RADIUS solution to a large number of users in the future. There seems to be no reported issues about these limitations, other than the article above. Thanks for any help you can provide, Michael
On May 26, 2021, at 9:43 AM, Michael Cullen <michael.cullen@madetech.com> wrote:
We have radsec tunnels between the authenticator and the server wherever it is supported, and a lot of the newer networking equipment that has this. The majority of traffic will be on Windows machines using EAP-TTLS. We came across this message: https://www.juniper.net/documentation/us/en/software/junos/user-access/topic... which states "NOTE: Due to limitations of the TCP protocol, RADSEC can have no more than 255 RADIUS messages in flight."
Or refer to the standard: https://datatracker.ietf.org/doc/html/rfc6613#section-2.6.5
Due to the majority of our traffic being from Windows machines using EAP-TTLS, will this also include RADIUS messages?
EAP-TTLS is carried over RADIUS. So yes.
Has anyone been affected by this limitation? We are looking at scaling the RADIUS solution to a large number of users in the future. There seems to be no reported issues about these limitations, other than the article above.
There aren't really many limitations based on this. If there are more than 256 packets outstanding, FreeRADIUS will just open more connections. If you need many hundreds of open connections, then you're much better off using IPSec, and basic UDP over that. Nothing beats using the right tool for the job. For example, TCP has issues with "head of line" blocking: https://datatracker.ietf.org/doc/html/rfc6613#section-2.6.2 The author of that standard knows what he's talking about. :) Alan DeKok.
participants (2)
-
Alan DeKok -
Michael Cullen