Windows 7, wired 802.1x, native EAP-TLS w/o AD, NPS

Timo Buhrmester timo.buhrmester at fhr.fraunhofer.de
Mon Apr 10 17:48:54 CEST 2017


> The cert is generated by freeradius' makefile, however, the EAP session
> stalls and FR complains:
> | WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> | WARNING: !! EAP session for state 0xe0880a2ce3de07a8 did not finish!
> | WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
> | WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> which seems a bit circular, but I'll try to resolve this myself before
> asking for further assistance.
Progress!  It turns out that 2048-bit certificates (as generated by FR's
Makefile) cause the EAP session to stall, while 1024-bit certs do work!

So that might indeed be an MTU issue.  It's mildly surprising, though,
because the FR certs are supposedly known to work.

I'll provide more accurate data tomorrow (FR output, traffic dumps between
client and NAS as well as between NAS and FR), and verify the MTU
hypothesis as soon as I figure out how to set the MTU in Windows.

Cheers,
Timo

