Access-Challenge on proxied radius request on eduroam
Turner, Ryan H
rhturner at email.unc.edu
Tue Oct 4 15:56:09 CEST 2016
Many thanks. I have passed this along.
The framed-MTU in the request... I haven't looked at this field more closely in other auths. Is this an administrative request being sent from their system to limit the size of the response? I believe I have read that freeRadius doesn't honor these.
Ryan
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+rhturner=email.unc.edu at lists.freeradius.org] On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: Monday, October 3, 2016 6:12 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Access-Challenge on proxied radius request on eduroam
Hi,
> I am prepared for a lashing, because I am sure I have missed something stupid..
yes. you have forgotten the other peoples system ;-)
> We are running 2.2.8 (yes, I know we should be on 3.X. My systems architect quit and we are hiring another one and one of the first projects will be to get to 3.X. If you want to apply, message me).
;-)
> Eduroam is our primary SSID on campus and we run EAP-TLS. We authenticate 10s of thousands of people on our campus, and people at foreign campuses, every single day. However, there is one school nearby where neither our users can authenticate on their network (using eduroam which proxies back to our campus) nor can their users authenticate on ours. I am totally miffed. If I do a radius -XXX on an attempt (UNC person is at foreign institution connecting which proxies the auth packet to us), this is what I see on our local freeradius server:
your users work everywhere but at that one place....other people can visit you ...but not if they are from that place.
at this point I see a place to be looking.
it could be several reasons.... eg MTU needing to be advertised in the RADIUS datagram - you can adjust the maximum reply size in eap.conf - but really oyou should not need to go lower than around 1240.
it could be that their firewall in front of their systems is dropping fragmented UDP. you use EAP-TLS - thats a prime candidate for this as the server cert and client cert (and intermediates) are being chucked around) - big RADIUS datagrams on small pipes = it gets fragmented. legitimately.
alan
-
List info/subscribe/unsubscribe? See https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=01%7C01%7Crhturner%40email.unc.edu%7Cf21674b89bfb49e5136108d3ebda8200%7C58b3d54f16c942d3af081fcabd095666%7C1&sdata=nBq%2BeLVt24DKP19sY%2FETbY9fCEwcWI5GrR2HH%2FxSPnU%3D&reserved=0
More information about the Freeradius-Users
mailing list