radiusd debug understanding help needed (EAP session for state 0x... did not finish)

Alan DeKok aland at deployingradius.com
Fri Jun 26 03:42:48 CEST 2015


On Jun 25, 2015, at 12:09 PM, Stefan Winter <stefan.winter at restena.lu> wrote:
>> The size of that fragment, is pretty big, 1398 bytes. I think only fragments up to 1020 bytes are guaranteed to be handled by the authenticator.
> 
> Excellent analysis, just wondering about that sentence?

  The specs say that the EAP peers (supplicant and AP) have to handle 1020 byte packets.  My experience has been that some AP vendors interpret that to mean NO MORE THAN 1020 bytes.  So when they get an EAPoL packet of 1300 bytes, the AP runs around in circles screaming... and discards the packet.

  It's 2015 for crying out loud.  The AP should be able to handle 4K EAPoL packets.  Memory isn't expensive, even for small APs.

> The RADIUS side
> of the authenticator has to be prepared to get 4k RADIUS packets (with
> arbitrarily much of that being EAP-Message), and the EAPoL side of the
> authenticator needs to support sending the local link's MTU minus EAPoL
> headers as payload.

  Yes.  But why do that when you can read the spec, discover that 1020 bytes is OK, and then discard packets which are smaller than MTU, but larger than 1020 bytes?

> I don't recall any "grace" boundaries below that. Can you cite where
> they would come from?
> 
> FWIW, our eduroam Monitoring intentionally sends 4k RADIUS to test for
> proper fragmentation support. Not sure how much we stuff into the
> EAP-Messages inside those big packets though.

  If Framed-MTU is set, then the EAP packet size is limited by Framed-MTU.

  Alan DeKok.




More information about the Freeradius-Users mailing list