Free Radius problem with sending large certificate chains, using EAP-TLS

Alan DeKok aland at
Tue Feb 24 08:20:10 CET 2009

Smith, Brian (ESEA IS&A) wrote:
> Hi Alan,
> Thanks for the great reply.  It makes perfect sense to me.  Just to be
> clear, FreeRadius will support a certificate/chain length up to the TLS
> record limit of 16384 bytes (minus some overhead).  And, you don't know
> of anyone that has ever tried to test beyond this, which tells me in
> practice, it's not done....


>  Also, you point out that very likely APs
> and STAs might not support multiple records, though the RFC says they
> should.  Also telling me, this is not normally done.

  No... they *do* support multiple round trips.  But they have an upper
limit on "too many" round trips.  For example, WPA supplicant (the most
widely used one) has a default limit of 50.  This means it's *highly*
unlikely that it will work with 64K certificate chains.

> Two quick questions for you.  
> 	-  What do you think the market penetration of FreeRadius (or
> commercial clones) to authenticate wireless WPA2 clients is, versus
> commercial products?

  It's the most widely used RADIUS server on the planet.

  Most large telcos in Europe are either using it, or switching to it.

> 	- Do you know of any other Radius Server that does support
> multiple TLS records for a single message?

  No idea, sorry.  And if you're thinking of buying one that does, I can
pretty much guarantee you it'll be cheaper and faster to fix FreeRADIUS.

> 	- What is the largest certificate chain you have seen used with
> FreeRadius?

  I don't know.  People don't usually report that kind of statistics.

  Alan DeKok.
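The exchange above turns on two numbers: the TLS record limit the server-side chain has to fit in, and the EAP round-trip cap on the supplicant. The following script is an added example, not part of the original message and not FreeRADIUS or wpa_supplicant code. It implements the EAP-TLS fragmentation format from RFC 5216 (flags byte with L/M bits, 4-byte TLS Message Length on the first fragment), a reassembler with the sanity checks a peer should apply, and a round-trip estimate for a certificate chain of a given size. Assumptions: a 1024-byte EAP fragment size (mirroring the common default of FreeRADIUS's eap `fragment_size` setting), the 50 round-trip limit Alan quotes for wpa_supplicant, a 64 KiB reassembly cap chosen for the example, and a constructed byte string standing in for the certificate chain. Only the certificate flight is counted, so real handshakes need a few more round trips than shown.

```python
"""EAP-TLS fragmentation of a large certificate chain (RFC 5216 framing).

Added example; not code from the mailing-list thread, FreeRADIUS or
wpa_supplicant.  Runs offline on constructed data.
"""
import struct

FLAG_L = 0x80  # Length included: first fragment carries 4-byte TLS Message Length
FLAG_M = 0x40  # More fragments follow
FLAG_S = 0x20  # EAP-TLS Start (server -> peer); not used in this example

TLS_RECORD_MAX = 16384           # max TLS record payload, the limit quoted above
FRAGMENT_SIZE = 1024             # assumed EAP fragment size (FreeRADIUS-style default)
WPA_SUPPLICANT_ROUNDS = 50       # supplicant round-trip cap quoted in the message
REASSEMBLY_LIMIT = 64 * 1024     # assumed cap a peer places on reassembled TLS data


def fragment_eap_tls(tls_data: bytes, fragment_size: int = FRAGMENT_SIZE) -> list:
    """Split TLS data into EAP-TLS Type-Data payloads: flags [+ length] + chunk."""
    if fragment_size <= 5:
        raise ValueError("fragment_size must leave room for flags and length field")
    fragments, total, pos, first = [], len(tls_data), 0, True
    while first or pos < total:
        overhead = 5 if first else 1          # flags byte, plus length on first fragment
        chunk = tls_data[pos:pos + fragment_size - overhead]
        pos += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if pos < total else 0)
        length_field = struct.pack("!I", total) if first else b""
        fragments.append(bytes([flags]) + length_field + chunk)
        first = False
    return fragments


def reassemble_eap_tls(fragments: list) -> bytes:
    """Reassemble fragments, rejecting inconsistent flags or lengths."""
    buf, expected = bytearray(), None
    for i, frag in enumerate(fragments):
        if not frag:
            raise ValueError("empty EAP-TLS payload")
        flags, body = frag[0], frag[1:]
        if flags & FLAG_L:
            if i != 0:
                raise ValueError("TLS Message Length only allowed on first fragment")
            if len(body) < 4:
                raise ValueError("truncated TLS Message Length field")
            expected = struct.unpack("!I", body[:4])[0]
            if expected > REASSEMBLY_LIMIT:
                raise ValueError("advertised TLS message exceeds reassembly limit")
            body = body[4:]
        if expected is not None and len(buf) + len(body) > expected:
            raise ValueError("fragments exceed advertised TLS Message Length")
        buf += body
        more, last = bool(flags & FLAG_M), i == len(fragments) - 1
        if more == last:  # M set on the last fragment, or clear before the end
            raise ValueError("M flag inconsistent with fragment position")
    if expected is not None and len(buf) != expected:
        raise ValueError("reassembled length does not match advertised length")
    return bytes(buf)


def reassembly_rejects(fragments: list) -> bool:
    """True if the reassembler refuses the given fragment sequence."""
    try:
        reassemble_eap_tls(fragments)
        return False
    except ValueError:
        return True


def eap_round_trips(chain_len: int, fragment_size: int = FRAGMENT_SIZE) -> int:
    """EAP Request/Response exchanges needed to carry chain_len bytes of TLS data."""
    return len(fragment_eap_tls(bytes(chain_len), fragment_size))


def fits_supplicant(chain_len: int, fragment_size: int = FRAGMENT_SIZE,
                    max_rounds: int = WPA_SUPPLICANT_ROUNDS) -> bool:
    """Does the certificate flight alone stay under the supplicant's round-trip cap?"""
    return eap_round_trips(chain_len, fragment_size) <= max_rounds


def tls_records_needed(chain_len: int) -> int:
    """TLS records a handshake message of chain_len bytes spans."""
    return max(1, -(-chain_len // TLS_RECORD_MAX))


if __name__ == "__main__":
    chain = bytes(range(256)) * 64  # constructed 16384-byte stand-in for a cert chain
    frags = fragment_eap_tls(chain)
    assert reassemble_eap_tls(frags) == chain
    for size in (4096, 16000, 65536):
        print(f"{size:6d} bytes: {tls_records_needed(size)} TLS record(s), "
              f"{eap_round_trips(size)} EAP round trips, "
              f"fits wpa_supplicant cap: {fits_supplicant(size)}")
```

With these assumptions a 16000-byte chain costs 16 round trips and fits, while a 64 KiB chain costs 65 and exceeds the cap of 50 before the rest of the handshake is even counted, which is the practical reason very large chains fail regardless of what the RFC permits. The reassembler's length and M-flag checks are the part a peer should never skip: an authenticator that advertises one length and sends more is either broken or hostile.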
