RadSec FR3.0 to Radiator: "Received packet will be too large"

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Wed Feb 22 21:49:03 CET 2012


Hi,

> We're piloting RadSec as a federation server uplink.  They use Radiator.  When we first attempted to connect we'd get 
> a "Received packet will be too large!" carp from main/tls.c.  They checked on their end and say they have no fragment
> size option for RadSec TLS connections, only for EAP-TLS connections.
> 
> So we applied the below as a test and it works, but I was wondering as to the wisdom of it...

interesting.... a RADSEC packet can be much bigger than that too - 2048 gives some room for a big
certificate - but not if it's double-chained with an intermediate and it's got a nice security size
instead of being a little 512-bit RSA one.  typically EAP-TLS can be fragmented on the server due
to it going through to the end-clients ..and being UDP things get a little nasty...whereas with RADSEC
there's no reason why a single TCP request couldn't be quite large and need to be fragmented
by the routers....

alan


