Phil Mayers p.mayers at imperial.ac.uk
Thu Dec 13 16:36:12 CET 2012

On 13/12/12 15:22, David Peterson wrote:
> I wanted to ping the Eduroam people about EAP over WAN links.  Are there
> considerations that can cause connectivity issues that I should be
> examining?

Well... maybe.

EAP is lockstep, so round-trip time is a factor - if your RTT is 100ms 
and your EAP exchange sends 10 packets, it will take a *minimum* of 1 
second to authenticate.

In addition, since a given source/dest IP/port can only have 255 RADIUS 
packets outstanding (because the ID field is 1 byte) a flurry of 
re-authentications might necessitate multiple proxy sockets (I can't 
remember if FreeRADIUS opens new ones for you automatically when the ID 
space is full). But TBH this is a pretty theoretical problem.

Packet loss is an issue, because you'll then suffer retransmits and the 
timers for these on most supplicants are slow. So avoid lossy links.

I guess in theory bit-error-rate is a factor if you have a "dirty" link, 
since the packet may/will fail Message-Authenticator checks and have to 
be retransmitted.

In short - the usual list of stuff with WAN links.
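
An added example, not part of the original post and not FreeRADIUS code: a small Python model of the lockstep timing, the one-octet RADIUS Identifier space (256 values, 0 to 255) per source/destination IP/port, and the cost of a lost packet. The names `ProxySockets` and `simulate_flurry`, the 3000 ms retransmit timer and the constructed loss set are assumptions for illustration.

```python
import heapq

ID_SPACE = 256  # RADIUS Identifier is one octet: values 0..255 per src/dst ip/port

class ProxySockets:
    """Tracks which RADIUS IDs are outstanding on each proxy socket (source port)."""
    def __init__(self):
        self.free = []  # one list of free IDs per open socket

    def allocate(self):
        for sock, ids in enumerate(self.free):
            if ids:
                return sock, ids.pop()
        # Every open socket has all its IDs in flight: a new source port is needed.
        self.free.append(list(range(ID_SPACE)))
        return len(self.free) - 1, self.free[-1].pop()

    def release(self, sock, ident):
        self.free[sock].append(ident)

def simulate_flurry(sessions, round_trips, rtt_ms, lost=None, retransmit_ms=3000):
    """All sessions start authenticating at t=0.
    lost: constructed set of (session, round) whose first transmission is dropped;
    the retransmission reuses the same ID, so the ID stays occupied meanwhile.
    Returns (time in ms when the last session finishes, proxy sockets opened)."""
    lost = lost or set()
    pool = ProxySockets()
    events = []  # heap of (reply_time_ms, session, round, sock, ident)

    def send(now, session, rnd):
        sock, ident = pool.allocate()
        delay = rtt_ms + (retransmit_ms if (session, rnd) in lost else 0)
        heapq.heappush(events, (now + delay, session, rnd, sock, ident))

    for s in range(sessions):
        send(0, s, 1)
    now = 0
    while events:
        now, s, rnd, sock, ident = heapq.heappop(events)
        pool.release(sock, ident)   # reply received, ID is reusable
        if rnd < round_trips:       # lockstep: next request only after the reply
            send(now, s, rnd + 1)
    return now, len(pool.free)

if __name__ == "__main__":
    print(simulate_flurry(600, 10, 100))               # flurry of 600 re-auths
    print(simulate_flurry(1, 10, 100, lost={(0, 3)}))  # one lost packet
```

With a 100 ms RTT and 10 round trips the floor is 1000 ms regardless of load, and a single lost packet adds the full retransmit timer on top of it.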
