Free Radius problem with sending large certificate chains, usingEAP-TLS
Alan DeKok
aland at deployingradius.com
Tue Feb 24 08:20:10 CET 2009
Smith, Brian (ESEA IS&A) wrote:
> Hi Alan,
> Thanks for the great reply. It makes perfect sense to me. Just be
> clear, FreeRadius will support a certificate/chain length up to the TLS
> record limit of 16384 bytes (minus some overhead). And, you don't know
> of anyone that has every tried to test beyond this, which tells me in
> practice, it's not done....
Yes.
> Also, you point out that very likely AP's
> and STA' might not support multiple records, though the RFC says they
> should. Also telling me, this is not normally done.
No... they *do* support multiple round trips. But they have an upper
limit on "too many" round trips. For example, WPA supplicant (the most
widely used one) has a default limit of 50. This means it's *highly*
unlikely that it will work with 64K certificate chains.
> Two quick questions for you.
>
> - What do you think the market penetration of FreeRadius (or
> commercial clones) to authenticate wireless WPA2 clients is, verses
> commercial products?
It's the most widely used RADIUS server on the planet.
Most large telcos on Europe are either using it, or switching to it.
> - Do you know of any other Radius Server that does support
> multiple TLS records for a single message?
No idea, sorry. And if you're thinking of buying one that does, I can
pretty much guarantee you it'll be cheaper and faster to fix FreeRADIUS.
> - What is the largest certificate chain you have seen used with
> FreeRadius?
I don't know. People don't usually report that kind of statistics.
Alan DeKok.
More information about the Freeradius-Users
mailing list