Free Radius problem with sending large certificate chains, using EAP-TLS

Alan DeKok aland at deployingradius.com
Tue Feb 24 09:36:58 CET 2009


Jouni Malinen wrote:
> The main (well, more or less, the only) reason for that limit on
> number of round trips is to work around issues where the EAP peer and
> server ended up in an infinite loop ACKing their messages. I would
> prefer to change that to be based on whether any real progress has
> been made during the last round trip or two, i.e., to remove the hard
> limit and allow as many round trips as it takes to get through the
> authentication (or whatever else one adds into EAP, e.g., TNC). It
> would be nicer to support the whatever maximum length is described for
> EAP-TLS or TNC, but not at the cost of bringing back interop issues
> that may result in infinite authentication loops.

  Defining "progress" per EAP type may be difficult.

> Anyway, the only case I remember of someone discussing the round trip
> limit as a too strict limit was for TNC, not for certificate sizes. If
> someone is really using huge certificates (or well, long enough chain
> to make the total size of the TLS message long) in real world, I would
> like to make sure it can be done. I just haven't come up with a real
> use case so far.

  Yes, I recall those discussions related to TNC and NEA a while ago.
From what I see in the standards now, there is no reason for *bulk*
transfer of data over EAP.  The TNC standards require pretty small data
transfers.

  And even if wpa_supplicant is changed, it will be difficult to change
the millions of APs out there.

  Alan DeKok.
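As an added illustration (not part of this thread, and not wpa_supplicant's or FreeRADIUS's code), the Python model below counts the EAP round trips a fragmented EAP-TLS certificate exchange needs and compares the two loop-protection rules discussed above: a hard cap on round trips versus aborting only when several consecutive round trips carry no TLS payload. The fragment size, the cap of 50, the idle threshold of 3 and the byte counts for the small handshake messages are all assumed parameters for the model, not values stated in the thread.

```python
import math
from dataclasses import dataclass
from typing import List


@dataclass
class Policy:
    # Hard cap on EAP round trips before the peer gives up (assumed value, not from the thread).
    max_round_trips: int
    # Consecutive round trips with no TLS payload before the progress rule gives up (assumed).
    max_idle_round_trips: int


def fragments_needed(total_len: int, fragment_size: int) -> int:
    """Number of EAP-TLS fragments a TLS flight of total_len bytes is split into."""
    if total_len <= 0:
        return 0
    return math.ceil(total_len / fragment_size)


def eap_tls_round_trips(server_flight: int, peer_flight: int, fragment_size: int) -> List[int]:
    """Model an EAP-TLS exchange as one entry per round trip, holding the TLS payload
    bytes carried in that round trip. Every fragment costs a round trip because the other
    side answers it with an EAP-TLS ACK. A zero entry is a round trip with no TLS data.
    Constructed model: the setup and finishing sizes are assumptions."""
    rounds = []
    rounds.append(0)    # EAP-Request/Identity <-> Response/Identity: no TLS payload
    rounds.append(100)  # EAP-TLS/Start <-> ClientHello (assumed ~100 bytes)
    # Server flight (ServerHello, Certificate chain, ...) fragmented and ACKed by the peer.
    remaining = server_flight
    while remaining > 0:
        chunk = min(fragment_size, remaining)
        rounds.append(chunk)
        remaining -= chunk
    # Peer flight (client Certificate chain, ClientKeyExchange, Finished) ACKed by the server.
    remaining = peer_flight
    while remaining > 0:
        chunk = min(fragment_size, remaining)
        rounds.append(chunk)
        remaining -= chunk
    rounds.append(50)   # server ChangeCipherSpec/Finished, then EAP-Success (assumed ~50 bytes)
    return rounds


def hard_limit_outcome(rounds: List[int], policy: Policy) -> str:
    """Outcome under a fixed round-trip cap: long chains fail even though they progress."""
    if len(rounds) > policy.max_round_trips:
        return "aborted: hard round-trip limit"
    return "ok"


def progress_outcome(rounds: List[int], policy: Policy) -> str:
    """Outcome under a progress rule: abort only after max_idle_round_trips consecutive
    round trips that carried no TLS payload, which is what an ACK/ACK loop looks like."""
    idle = 0
    for payload in rounds:
        if payload == 0:
            idle += 1
            if idle >= policy.max_idle_round_trips:
                return "aborted: no progress for %d round trips" % idle
        else:
            idle = 0
    return "ok"


if __name__ == "__main__":
    policy = Policy(max_round_trips=50, max_idle_round_trips=3)
    # Constructed scenarios: a modest chain, a very long chain, and a pure ACK loop.
    small = eap_tls_round_trips(server_flight=4000, peer_flight=2000, fragment_size=1000)
    huge = eap_tls_round_trips(server_flight=30000, peer_flight=20000, fragment_size=1000)
    ack_loop = [0] * 60
    for name, rounds in (("small chain", small), ("huge chain", huge), ("ACK loop", ack_loop)):
        print("%-12s %3d round trips  hard-limit: %-32s progress: %s" % (
            name, len(rounds), hard_limit_outcome(rounds, policy), progress_outcome(rounds, policy)))
```

Run as a script, the model shows the tension in the thread: the long chain is rejected by the hard cap despite making progress on every round trip, while the ACK loop is caught by both rules, and the progress rule catches it after three idle round trips rather than fifty.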


