Re : Sending CA certificate during EAP-TLS
Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? You may have to read the RFC :-). You need the certificates to do EAP-TLS ================================================== Benjamin K. Eshun ----- Message d'origine ---- De : Rafa Marin <rafa.marinlopez@gmail.com> À : freeradius-users@lists.freeradius.org Envoyé le : Mercredi, 20 Juin 2007, 13h16mn 05s Objet : Sending CA certificate during EAP-TLS Hi all, Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? As Free Radius is sending it right now EAP-TLS packets get fragmented and I would like to avoid it. Thanks in advance. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________ Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail
Hi,
Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? As Free Radius is sending it right now EAP-TLS packets get fragmented and I would like to avoid it.
err, no. you need to handle those fragmented packets. where is it failing, on your network or more remotely? EAP-TLS places much larger demands on the packet sizes during AAA process....several hundred bytes more than PEAP (which JUST ABOUT misses fragmentation in its current form from recent memory) you've GOT to pass the certs....and if you're using a larger cert (chained etc) those packets will be big. so....whos breaking the RFCs with respect to ICMP and pmtu? ;-) alan
Hi,
so....whos breaking the RFCs with respect to ICMP and pmtu? ;-)
I've been hunting one such case recently. Just in case it helps: in our case it was a BSD firewall that was misconfigured to only allow non-fragmented UDP packets. I'm not into BSD at all, the guy said something about this being a default setting? I hope I got him wrong back then. We also currently have a pending issue with Cisco WLAN Controllers. We suspect that it will take the EAPoL message from the client, and put the beginning of it into a UDP packet, simply forgetting about the rest if EAPoL payload > largest possible EAP-Message payload. We couldn't get our hands on a 100% positive test case, so didn't approach TAC yet. If any of the two are the case for you, please report back here - it's quite an interesting piece of info... Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Hi Alan,
err, no. you need to handle those fragmented packets. where is it failing, on your network or more remotely?
Actually, it is not failing. I got a successful authentication I was only trying to avoid fragmentation if possible. EAP-TLS places much larger demands on the packet sizes during AAA
process....several hundred bytes more than PEAP (which JUST ABOUT misses fragmentation in its current form from recent memory)
Yes I know. you've GOT to pass the certs....and if you're using a larger cert (chained
etc) those packets will be big.
Actually I don't see any problem in sending server certificate and the client its own client certificate. What I would like to do is to avoid sending CA certificate. so....whos breaking the RFCs with respect to ICMP and pmtu? ;-)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Benjamin 2007/6/20, Eshun Benjamin <bkeshun@yahoo.fr>:
Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? You may have to read the RFC :-). You need the certificates to do EAP-TLS
Yes that's clear to me that you need to send your certificates. But my question was related with CA certificate. When you read TLS RFC (see below) it seems that sending CA certificate is not mandatory. That is the reason of my question. certificate_list This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate which specifies the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case. ==================================================
Benjamin K. Eshun
----- Message d'origine ---- De : Rafa Marin <rafa.marinlopez@gmail.com> À : freeradius-users@lists.freeradius.org Envoyé le : Mercredi, 20 Juin 2007, 13h16mn 05s Objet : Sending CA certificate during EAP-TLS
Hi all,
Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? As Free Radius is sending it right now EAP-TLS packets get fragmented and I would like to avoid it.
Thanks in advance. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ Ne gardez plus qu'une seule adresse mail ! Copiez vos mails<http://www.trueswitch.com/yahoo-fr/>vers Yahoo! Mail
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Eshun Benjamin -
Rafa Marin -
Stefan Winter