FreeRADIUS problem with sending large certificate chains, using EAP-TLS

Jouni Malinen jkmalinen at gmail.com
Tue Feb 24 10:12:15 CET 2009


On Tue, Feb 24, 2009 at 10:36 AM, Alan DeKok <aland at deployingradius.com> wrote:
>  Defining "progress" per EAP type may be difficult.

Indeed and that is why the hardcoded limit of round trips ended up
being there in the first place.. ;-)  Anyway, the most common issue
case I've seen is where EAP server and peer end up sending TLS ACK
messages in a loop and that would be easy to catch. Anyway, if this
were to change at some point, I would assume there ends up being the
default round trip limit and then some EAP type specific improvements
to optimize that for the methods that need support for longer
exchanges.

>  Yes, I recall those discussions related to TNC and NEA a while ago.
> From what I see in the standards now, there is no reason for *bulk*
> transfer of data over EAP.  The TNC standards require pretty small data
> transfers.

Sure, no bulk data should be supported, but even TNC requires IF-TNCCS
messages of up to 100 kilobytes in length which goes beyond the
50*1400 bytes or so (depending on max frame length) limit that is
currently hardcoded in wpa_supplicant.

>  And even if wpa_supplicant is changed, it will be difficult to change
> the millions of AP's out there.

Well, I would hope that most APs don't have such limits on the
EAP/EAPOL; this is supposed to be transparent data they are just
proxying through.. Anyway, yes, if they do have a hard limit, there is
not much that can be done to make this work with such a NAS.

- Jouni
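To make the round-trip arithmetic behind this exchange concrete, here is an added example (my own code, not from this thread, FreeRADIUS or wpa_supplicant) that simulates the EAP-TLS fragment/ACK exchange of RFC 5216 from the peer's side. The 50 round trips and the roughly 1400-byte maximum EAP length are the figures quoted in the post; the header sizes follow RFC 5216 section 3.1, while all names, the optional per-round-trip progress check, the constructed byte strings standing in for a certificate chain and a 100 kB IF-TNCCS message, and the misbehaving server that answers ACKs with ACKs are assumptions of this example. EAPOL and RADIUS framing overhead outside the EAP packet is ignored.

```python
"""Added example (not from this thread or from wpa_supplicant): simulate the
EAP-TLS fragment/ACK exchange of RFC 5216 from the peer's side, count round
trips against a hardcoded cap, and catch an ACK-for-ACK loop by progress."""
from dataclasses import dataclass
from typing import Callable, List, Optional

FLAG_L = 0x80         # RFC 5216 3.1: Length included (4-byte TLS Message Length follows)
FLAG_M = 0x40         # RFC 5216 3.1: More fragments follow
EAP_HDR = 6           # Code, Identifier, Length(2), Type, Flags
TLS_LEN_FIELD = 4
MAX_ROUND_TRIPS = 50  # figures from the post; these names are this example's own
MAX_EAP_LEN = 1400

@dataclass
class EapTlsMsg:
    flags: int = 0
    data: bytes = b""
    total_len: Optional[int] = None   # only meaningful when FLAG_L is set

    def is_ack(self) -> bool:
        return self.flags == 0 and not self.data   # no flags, no TLS data

def fragment_flight(flight: bytes, max_eap_len: int = MAX_EAP_LEN) -> List[EapTlsMsg]:
    """Server side: split a TLS flight (e.g. the Certificate chain) into EAP-TLS
    messages of at most max_eap_len bytes each, EAP header included."""
    single = max_eap_len - EAP_HDR
    if len(flight) <= single:
        return [EapTlsMsg(0, flight)]
    first_cap = single - TLS_LEN_FIELD   # the first fragment also carries the length
    msgs = [EapTlsMsg(FLAG_L | FLAG_M, flight[:first_cap], len(flight))]
    pos = first_cap
    while pos < len(flight):
        chunk = flight[pos:pos + single]
        pos += len(chunk)
        msgs.append(EapTlsMsg(FLAG_M if pos < len(flight) else 0, chunk))
    return msgs

Server = Callable[[Optional[EapTlsMsg]], EapTlsMsg]  # previous peer response -> next request

def fragment_server(flight: bytes, max_eap_len: int = MAX_EAP_LEN) -> Server:
    """Well-behaved server: each peer ACK is answered with the next fragment."""
    frags = iter(fragment_flight(flight, max_eap_len))
    return lambda _resp: next(frags)

def ack_loop_server(flight: bytes, max_eap_len: int = MAX_EAP_LEN) -> Server:
    """Assumed misbehaving server, to reproduce the loop the post mentions: sends
    the first fragment, then answers every peer ACK with an ACK of its own."""
    pending = [fragment_flight(flight, max_eap_len)[0]]
    return lambda _resp: pending.pop() if pending else EapTlsMsg()

@dataclass
class Outcome:
    ok: bool
    round_trips: int
    reason: str = ""
    data: bytes = b""

def run_exchange(server: Server, max_round_trips: int = MAX_ROUND_TRIPS,
                 max_idle: Optional[int] = None) -> Outcome:
    """Peer side. Each iteration is one EAP Request/Response pair, i.e. one round
    trip. Gives up at the hardcoded cap and, when max_idle is set, also after
    that many consecutive round trips that delivered no TLS data."""
    buf, expected, idle, response = bytearray(), None, 0, None
    for rt in range(1, max_round_trips + 1):
        req = server(response)
        if req.is_ack():                       # server ACKed our ACK: nothing moved
            idle += 1
            if max_idle is not None and idle >= max_idle:
                return Outcome(False, rt, f"no progress for {idle} round trips (ACK loop)")
            response = EapTlsMsg()
            continue
        idle = 0
        if req.flags & FLAG_L:
            expected = req.total_len
        buf += req.data
        if req.flags & FLAG_M:
            response = EapTlsMsg()             # fragment ACK: flags 0, no data
            continue
        if expected is not None and len(buf) != expected:
            return Outcome(False, rt, f"reassembled {len(buf)} bytes, expected {expected}")
        return Outcome(True, rt, "", bytes(buf))
    return Outcome(False, max_round_trips, f"hardcoded limit of {max_round_trips} round trips hit")

def constructed_flight(n: int) -> bytes:
    """Deterministic constructed stand-in for an n-byte TLS flight."""
    return bytes(i % 251 for i in range(n))

if __name__ == "__main__":
    chain = constructed_flight(8192)      # a large but ordinary certificate chain
    tnccs = constructed_flight(100_000)   # the 100 kB IF-TNCCS case from the post
    print("8 kB chain, round trips  :", run_exchange(fragment_server(chain)).round_trips)
    print("100 kB, cap 50           :", run_exchange(fragment_server(tnccs)).reason)
    print("100 kB, cap 100          :", run_exchange(fragment_server(tnccs), max_round_trips=100).round_trips)
    print("ACK loop, cap only       :", run_exchange(ack_loop_server(chain)).reason)
    print("ACK loop, progress check :", run_exchange(ack_loop_server(chain), max_idle=3).reason)
```

With a 1400-byte EAP packet budget an 8 kB chain reassembles in 6 round trips, while the 100 kB IF-TNCCS case needs 72 and so dies at the cap of 50. The ACK loop is caught by the cap only after all 50 round trips; the progress check in `max_idle` catches it after 3 idle ones, which is the kind of method-independent "progress" test the reply above suggests could replace a single hardcoded limit.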




More information about the Freeradius-Users mailing list