include_length in mods-available/eap
FreeRADIUS 3.2.4 on OpenSUSE Leap 15.6 mods-available/eap tls-config tls-common { # include_length is a flag which is # by default set to yes If set to # yes, Total Length of the message is # included in EVERY packet we send. # If set to no, Total Length of the # message is included ONLY in the # First packet of a fragment series. # include_length = yes I think I've just solved a long-standing problem for our EAP-TLS authentication for wired networks (NAS are Aruba 6200m and 3810m, supplicants are HP Windows 11). We'd see occasional problems where a laptop would start the authentication process, and freeradius would send-accept, but the laptop would never get the message. Eventually it would failover to wifi, then recognise that there was an ethernet connection, try ethernet again, same result, and repeat until the user pulled the ethernet cable out of the laptop or dock. This was quite a rare occurrence, and not consistently repeatable, so tricky to debug, though with several hundred users it seemed that there was always someone complaining (after the event!). We failed to find any pattern of hardware: although all laptops are recent HP we've a variety of USB docks. However, eventually I stumbled across this: https://community.cisco.com/t5/network-access-control/eap-tls-w-freeradius-f... Sure enough, setting include_length to no does seem to have fixed our problem. It's early days yet so I'm not 100% certain, but there were a couple of laptops failing yesterday which stopped when I made the change, and I've seen none failing today. -------------------------------------------------------------------------------------------------------------------------------------------------------- This email is intended for the named recipient only. If you have received it by mistake, please (i) contact the sender by email reply; (ii) delete the email from your system; . and (iii) do not copy the email or disclose its contents to anyone. --------------------------------------------------------------------------------------------------------------------------------------------------------
On Feb 27, 2026, at 7:27 AM, Stephen Mellor via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I think I've just solved a long-standing problem for our EAP-TLS authentication for wired networks (NAS are Aruba 6200m and 3810m, supplicants are HP Windows 11).
Nice. While Windows 11 is somewhat better than earlier versions for some things, it's still not perfect.
We'd see occasional problems where a laptop would start the authentication process, and freeradius would send-accept, but the laptop would never get the message. Eventually it would failover to wifi, then recognise that there was an ethernet connection, try ethernet again, same result, and repeat until the user pulled the ethernet cable out of the laptop or dock.
This was quite a rare occurrence, and not consistently repeatable, so tricky to debug, though with several hundred users it seemed that there was always someone complaining (after the event!). We failed to find any pattern of hardware: although all laptops are recent HP we've a variety of USB docks.
If you can get me a packet trace of the failing connections (off list) that would help. I don't need to see inside of the TLS tunnel, just the outer EAP stuff is OK. I can take a look to see what's going on, and also share the trace with the Windows team if that's OK with you. Windows might be miscounting the TLS data, or maybe FreeRADIUS is. Either way, a PCAP file would help to understand the root cause of the issue.
However, eventually I stumbled across this: https://community.cisco.com/t5/network-access-control/eap-tls-w-freeradius-f...
Sure enough, setting include_length to no does seem to have fixed our problem. It's early days yet so I'm not 100% certain, but there were a couple of laptops failing yesterday which stopped when I made the change, and I've seen none failing today.
Sounds good. Alan DeKok.
participants (2)
-
Alan DeKok -
Stephen Mellor