Access-Challenge on proxied radius request on eduroam

A.L.M.Buxey at lboro.ac.uk
Tue Oct 4 00:11:54 CEST 2016


Hi,

> I am prepared for a lashing, because I am sure I have missed something stupid..

yes. you have forgotten the other people's system ;-)

> We are running 2.2.8 (yes, I know we should be on 3.X.  My systems architect quit and we are hiring another one and one of the first projects will be to get to 3.X.  If you want to apply, message me).

;-)

> Eduroam is our primary SSID on campus and we run EAP-TLS.  We authenticate 10s of thousands of people on our campus, and people at foreign campuses, every single day.  However, there is one school nearby where neither our users can authenticate on their network (using eduroam which proxies back to our campus) nor can their users authenticate on ours.  I am totally miffed.  If I do a radius -XXX on an attempt (UNC person is at foreign institution connecting which proxies the auth packet to us), this is what I see on our local freeradius server:

your users work everywhere but at that one place... other people can visit you... but not if they are from that place.

at this point I see a place to be looking.

it could be several reasons, e.g. MTU needing to be advertised in the RADIUS datagram - you can adjust the maximum reply size
in eap.conf - but really you should not need to go lower than around 1240.

it could be that their firewall in front of their systems is dropping fragmented UDP. you use EAP-TLS - that's a prime
candidate for this as the server cert and client cert (and intermediates) are being chucked around - big RADIUS datagrams
on small pipes = it gets fragmented. legitimately.

alan
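As an added illustration of the MTU point in the reply above (example code, not from the thread or from FreeRADIUS itself): a small estimator that splits a TLS certificate chain into EAP-TLS packets of at most `fragment_size` bytes (the eap.conf setting), sizes the resulting Access-Challenge datagrams including RADIUS attribute overhead, and steps `fragment_size` down until nothing exceeds a given path MTU. The 3500-byte chain and the 98 bytes of State/Proxy-State overhead are constructed values, and treating `fragment_size` as the whole EAP packet length is an approximation of what FreeRADIUS does.

```python
# Added example (not from the thread or from FreeRADIUS): size the Access-Challenge
# datagrams an EAP-TLS certificate exchange produces for a given eap.conf fragment_size,
# and find a fragment_size that keeps every datagram under a path MTU (approximation).
IP_HDR, UDP_HDR, RADIUS_HDR = 20, 8, 20      # IPv4 (no options), UDP, RADIUS header
ATTR_HDR, EAP_MESSAGE_MAX = 2, 253           # attribute header; EAP-Message payload cap (RFC 3579)
MESSAGE_AUTH = 18                            # Message-Authenticator, mandatory alongside EAP-Message
EAP_HDR, EAP_TLS_HDR, EAP_TLS_LEN = 4, 2, 4  # EAP header; EAP-TLS type+flags; TLS length (first fragment)


def eap_tls_fragments(tls_bytes: int, fragment_size: int) -> list:
    """Split one TLS flight (e.g. the server Certificate chain) into EAP-TLS packets
    of at most fragment_size bytes; returns each EAP packet's total length."""
    if fragment_size <= EAP_HDR + EAP_TLS_HDR + EAP_TLS_LEN:
        raise ValueError("fragment_size leaves no room for TLS data")
    packets, remaining, first = [], tls_bytes, True
    while remaining > 0:
        overhead = EAP_HDR + EAP_TLS_HDR + (EAP_TLS_LEN if first else 0)
        payload = min(remaining, fragment_size - overhead)
        packets.append(overhead + payload)
        remaining -= payload
        first = False
    return packets


def radius_datagram_size(eap_len: int, extra_attr_bytes: int = 0) -> int:
    """On-the-wire size (IPv4+UDP) of an Access-Challenge carrying one EAP packet.
    extra_attr_bytes covers State plus the Proxy-State each eduroam hop adds."""
    n_eap_attrs = -(-eap_len // EAP_MESSAGE_MAX)  # EAP packet chunked into 253-byte attributes
    radius_len = RADIUS_HDR + eap_len + n_eap_attrs * ATTR_HDR + MESSAGE_AUTH + extra_attr_bytes
    return IP_HDR + UDP_HDR + radius_len


def largest_datagram(tls_bytes: int, fragment_size: int, extra_attr_bytes: int = 0) -> int:
    """Biggest datagram the exchange produces; this is what must fit the path MTU."""
    return max(radius_datagram_size(p, extra_attr_bytes)
               for p in eap_tls_fragments(tls_bytes, fragment_size))


def recommend_fragment_size(tls_bytes: int, mtu: int, extra_attr_bytes: int = 0,
                            start: int = 1024, step: int = 8) -> int:
    """Largest fragment_size (stepping down from start) whose datagrams never exceed mtu,
    i.e. the eap.conf value that avoids IP fragmentation on that path."""
    fs = start
    while fs > EAP_HDR + EAP_TLS_HDR + EAP_TLS_LEN + step:
        if largest_datagram(tls_bytes, fs, extra_attr_bytes) <= mtu:
            return fs
        fs -= step
    raise ValueError("no fragment_size fits this MTU")
```

With the constructed 3500-byte chain, `largest_datagram(3500, 1024, 98)` comes to 1198 bytes, which fits a 1240-byte path, while `recommend_fragment_size(3500, 1100, 98)` drops to 928 for a 1100-byte path.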

