Free Radius problem with sending large certificate chains, using EAP-TLS
Smith, Brian (ESEA IS&A)
brian.smith at honeywell.com
Tue Feb 24 17:30:07 CET 2009
Again, thanks for your great reply. If we wanted to pursue this
capability, what would be the process to get FreeRadius to support large
freeradius-users-bounces+brian.smith=honeywell.com at lists.freeradius.org
[mailto:freeradius-users-bounces+brian.smith=honeywell.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, February 24, 2009 12:20 AM
To: FreeRadius users mailing list
Subject: Re: Free Radius problem with sending large certificate
Smith, Brian (ESEA IS&A) wrote:
> Hi Alan,
> Thanks for the great reply. It makes perfect sense to me. Just to be
> clear, FreeRadius will support a certificate/chain length up to the
> record limit of 16384 bytes (minus some overhead). And, you don't know
> of anyone that has ever tried to test beyond this, which tells me in
> practice, it's not done....
> Also, you point out that very likely AP's
> and STA's might not support multiple records, though the RFC says they
> should. Also telling me, this is not normally done.
No... they *do* support multiple round trips. But they have an upper
limit on "too many" round trips. For example, WPA supplicant (the most
widely used one) has a default limit of 50. This means it's *highly*
unlikely that it will work with 64K certificate chains.
> Two quick questions for you.
> - What do you think the market penetration of FreeRadius (or
> commercial clones) to authenticate wireless WPA2 clients is, versus
> commercial products?
It's the most widely used RADIUS server on the planet.
Most large telcos in Europe are either using it, or switching to it.
> - Do you know of any other Radius Server that does support
> multiple TLS records for a single message?
No idea, sorry. And if you're thinking of buying one that does, I can
pretty much guarantee you it'll be cheaper and faster to fix FreeRADIUS.
> - What is the largest certificate chain you have seen used with
I don't know. People don't usually report that kind of statistics.
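A rough model of the two limits discussed in this thread (the 16384-byte TLS record and the supplicant's default cap of 50 round trips), as an added example that is not from the original posts or from FreeRADIUS. The 1024-byte EAP fragment size and the 4 round trips allowed for the rest of the exchange are assumptions, and the certificate sizes are constructed.

```python
import math

TLS_RECORD_MAX = 16384       # record limit quoted in the thread (bytes of plaintext)
TLS_RECORD_HEADER = 5        # type(1) + version(2) + length(2)
SUPPLICANT_ROUND_LIMIT = 50  # wpa_supplicant default quoted in the thread


def certificate_message_len(cert_sizes):
    """Length of a TLS 1.0-1.2 Certificate handshake message for DER certs."""
    # 4-byte handshake header + 3-byte list length + 3-byte length per certificate
    return 4 + 3 + sum(3 + n for n in cert_sizes)


def plan(cert_sizes, fragment_size=1024, other_rounds=4):
    """Estimate TLS records and EAP round trips needed to deliver the chain.

    fragment_size (TLS bytes carried per EAP-Request) and other_rounds
    (identity, start, client flight, finish) are assumptions, not page values.
    """
    msg_len = certificate_message_len(cert_sizes)
    records = math.ceil(msg_len / TLS_RECORD_MAX)
    wire_len = msg_len + records * TLS_RECORD_HEADER
    # Each EAP-TLS fragment from the server needs a response from the peer
    # (an ACK, or the client's flight after the last one): one round trip each.
    fragments = math.ceil(wire_len / fragment_size)
    rounds = fragments + other_rounds
    return {
        "message_bytes": msg_len,
        "tls_records": records,
        "eap_fragments": fragments,
        "round_trips": rounds,
        "single_record": records == 1,
        "within_round_limit": rounds <= SUPPLICANT_ROUND_LIMIT,
    }


if __name__ == "__main__":
    # Constructed sample chains: a typical 3-certificate chain and a ~64K chain.
    for label, chain in (("typical", [1500] * 3), ("64K", [4096] * 16)):
        print(label, plan(chain))
```
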