Free Radius problem with sending large certificate chains, using EAP-TLS

Smith, Brian (ESEA IS&A) brian.smith at honeywell.com
Tue Feb 24 17:30:07 CET 2009


Hi Alan,
Again, thanks for your great reply.  If we wanted to pursue this
capability, what would be the process to get FreeRadius to support large
chains?

Regards,
 
Brian Smith
Ph. 602-436-6691
Honeywell
-----Original Message-----
From: freeradius-users-bounces+brian.smith=honeywell.com at lists.freeradius.org [mailto:freeradius-users-bounces+brian.smith=honeywell.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, February 24, 2009 12:20 AM
To: FreeRadius users mailing list
Subject: Re: Free Radius problem with sending large certificate chains, using EAP-TLS

Smith, Brian (ESEA IS&A) wrote:
> Hi Alan,
> Thanks for the great reply.  It makes perfect sense to me.  Just to be
> clear, FreeRadius will support a certificate/chain length up to the TLS
> record limit of 16384 bytes (minus some overhead).  And, you don't know
> of anyone that has ever tried to test beyond this, which tells me in
> practice, it's not done....

  Yes.

>  Also, you point out that very likely APs
> and STAs might not support multiple records, though the RFC says they
> should.  Also telling me, this is not normally done.

  No... they *do* support multiple round trips.  But they have an upper
limit on "too many" round trips.  For example, wpa_supplicant (the most
widely used one) has a default limit of 50.  This means it's *highly*
unlikely that it will work with 64K certificate chains.

> Two quick questions for you.  
> 
> 	-  What do you think the market penetration of FreeRadius (or
> commercial clones) to authenticate wireless WPA2 clients is, versus
> commercial products?

  It's the most widely used RADIUS server on the planet.

  Most large telcos in Europe are either using it, or switching to it.

> 	- Do you know of any other Radius Server that does support
> multiple TLS records for a single message?

  No idea, sorry.  And if you're thinking of buying one that does, I can
pretty much guarantee you it'll be cheaper and faster to fix FreeRADIUS.

> 	- What is the largest certificate chain you have seen used with
> FreeRadius?

  I don't know.  People don't usually report that kind of statistics.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
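The two limits Alan cites above (a Certificate handshake message that must fit one 16384-byte TLS record, and a supplicant that gives up after about 50 EAP round trips) can be checked with a little arithmetic before anyone tries a long chain in production. The script below is an added example, not code from the thread or from FreeRADIUS: it reads the DER sizes out of a PEM bundle, computes the size of the TLS 1.x Certificate message that would carry the chain, and estimates how many EAP-TLS request/response pairs that message needs. The EAP fragment size of 1024 bytes is an assumption (the value FreeRADIUS's eap.conf uses as its `fragment_size` default), the 50-round-trip cap is the wpa_supplicant default quoted by Alan, and the sample PEM bundle is constructed filler, not real certificates.

```python
"""Estimate whether an EAP-TLS server certificate chain fits the limits
discussed in the thread: one 16384-byte TLS record for the Certificate
message, and a supplicant that allows roughly 50 EAP round trips."""
import base64
import math
import re

TLS_RECORD_MAX = 16384            # max TLS plaintext record body (RFC 5246)
SUPPLICANT_MAX_ROUND_TRIPS = 50   # wpa_supplicant default, as quoted in the thread
DEFAULT_FRAGMENT_SIZE = 1024      # assumption: FreeRADIUS eap.conf fragment_size default

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_lengths_from_pem(pem_text):
    """Return the DER length of every certificate in a PEM bundle, in order."""
    return [len(base64.b64decode("".join(body.split())))
            for body in _PEM_RE.findall(pem_text)]


def certificate_message_size(der_lengths):
    """Bytes in the TLS 1.x Certificate handshake message carrying the chain:
    4-byte handshake header + 3-byte certificate_list length +
    (3-byte length prefix + DER bytes) for each certificate."""
    return 4 + 3 + sum(3 + n for n in der_lengths)


def eap_round_trips(message_size, fragment_size=DEFAULT_FRAGMENT_SIZE):
    """EAP-Request/Response pairs needed to push message_size bytes of TLS
    data to the peer when each EAP-TLS packet carries fragment_size bytes.
    Ignores the 5-byte TLS record header and the EAP-TLS packet headers,
    so it slightly underestimates the real count."""
    return math.ceil(message_size / fragment_size)


def assess_chain(der_lengths, fragment_size=DEFAULT_FRAGMENT_SIZE):
    """Check a chain (list of DER sizes) against both limits from the thread."""
    size = certificate_message_size(der_lengths)
    trips = eap_round_trips(size, fragment_size)
    return {
        "certificate_message_bytes": size,
        "fits_single_tls_record": size <= TLS_RECORD_MAX,
        "round_trips": trips,
        "under_supplicant_limit": trips <= SUPPLICANT_MAX_ROUND_TRIPS,
    }


# Constructed sample bundle: two "certificates" whose bodies are 100 and 60
# bytes of filler, enough to exercise the PEM parsing and size arithmetic.
SAMPLE_PEM = "".join(
    "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
    % base64.encodebytes(b"\x30" * n).decode()
    for n in (100, 60)
)


if __name__ == "__main__":
    print("sample bundle:", assess_chain(der_lengths_from_pem(SAMPLE_PEM)))
    # A realistic three-certificate chain (leaf, intermediate, root).
    print("3-cert chain :", assess_chain([1200, 1100, 900]))
    # The 64K case from the thread: forty 1600-byte certificates.
    print("64K chain    :", assess_chain([1600] * 40))
```

Run against a real bundle with `assess_chain(der_lengths_from_pem(open("chain.pem").read()))`. A three-certificate chain of typical size needs about four round trips and fits one record; a 64K chain needs over sixty round trips at this fragment size, which is why it fails even before the single-record limit is considered.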