Windows 7, wired 802.1x, native EAP-TLS w/o AD, NPS
Phil Mayers
p.mayers at imperial.ac.uk
Tue Apr 11 16:32:26 CEST 2017
On 10/04/17 16:48, Timo Buhrmester wrote:
>> The cert is generated by freeradius' makefile, however, the EAP session
>> stalls and FR complains:
>> | WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> | WARNING: !! EAP session for state 0xe0880a2ce3de07a8 did not finish!
>> | WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
>> | WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> which seems a bit circular, but I'll try to resolve this myself before
>> asking for further assistance.
> Progress! It turns out that 2048-bit certificates (as generated by FR's
> Makefile) cause the EAP session to stall, while 1024-bit certs do work!
>
> So that might indeed be an MTU issue. It's mildly surprising, though,
> because the FR certs are supposedly known to work.
Couple of things to note:
There are two MTUs to consider - the IP MTU between the NAS and radius
server, and the layer2 MTU between the NAS and the supplicant.
The EAP/TLS code will segment the EAP/TLS (or TLS-based like PEAP/TTLS)
data into chunks of len == Framed-MTU (from the Access-Accept) or if
that's absent, the "fragment_size" option from the tls{} block of the
EAP method.
So if the Access-Accept contains Framed-MTU=1024 you'll get an
Access-Accept that's a few hundred bytes larger (framing plus the other
attributes) which should then be a 1024-byte EAP frame at layer2.
It would be interesting to know if you're getting a Framed-MTU from the
NAS, and what size radius replies you are seeing going from FR to the NAS.
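To make the fragmentation rule in this reply concrete, here is an added Python model of EAP-TLS segmentation (RFC 5216 framing: L/M flags, TLS Message Length in the first fragment) that is not FreeRADIUS code and not part of the original post. It applies the chunk-size rule as described above (Framed-MTU if the NAS supplied one, otherwise the tls{} `fragment_size`), splits a TLS flight into EAP-Request/EAP-TLS packets, reassembles them the way a supplicant would, and checks whether each packet fits inside an EAPOL frame on a standard 1500-byte link. The 3500-byte flight and the 1024-byte fragment size are constructed sample values standing in for a certificate exchange, not measurements from the reporter's setup.

```python
"""EAP-TLS fragmentation model (RFC 5216). Added example, not FreeRADIUS code.
All sizes below are assumptions chosen for illustration."""
import struct

EAP_CODE_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length-included, More, Start

EAP_HDR = 5            # Code, Identifier, Length (2 bytes), Type
EAP_TLS_FLAGS = 1      # Flags byte
EAP_TLS_LEN_FIELD = 4  # TLS Message Length, present only when L is set
EAPOL_HDR = 4          # Version, Type, Body Length; sits inside the L2 MTU

# Constructed stand-in for a ServerHello/Certificate flight (assumed 3500 bytes).
SAMPLE_FLIGHT = (bytes(range(256)) * 14)[:3500]


def effective_fragment_size(framed_mtu, fragment_size):
    """Rule from the post: use Framed-MTU from the NAS when present,
    else fragment_size from the tls{} block of the EAP method.
    (Assumption: no further overhead adjustment is modelled.)"""
    return framed_mtu if framed_mtu else fragment_size


def fragment_tls(tls_data, max_eap_len, identifier=1):
    """Split TLS bytes into EAP-Request/EAP-TLS packets, each no longer
    than max_eap_len. First packet carries L (+ total length); every
    packet except the last carries M."""
    packets, pos, total, first = [], 0, len(tls_data), True
    while first or pos < total:
        overhead = EAP_HDR + EAP_TLS_FLAGS + (EAP_TLS_LEN_FIELD if first else 0)
        payload_max = max_eap_len - overhead
        if payload_max <= 0:
            raise ValueError("max_eap_len too small for an EAP-TLS header")
        chunk = tls_data[pos:pos + payload_max]
        pos += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if pos < total else 0)
        body = bytes([flags]) + (struct.pack("!I", total) if first else b"") + chunk
        length = EAP_HDR + len(body)
        packets.append(struct.pack("!BBHB", EAP_CODE_REQUEST, identifier,
                                   length, EAP_TYPE_TLS) + body)
        identifier = (identifier + 1) & 0xFF
        first = False
    return packets


def reassemble(packets):
    """Supplicant-side reassembly with the checks a careful peer performs:
    consistent Length field, M flag matching fragment position, and the
    announced TLS length matching the bytes actually received."""
    data, announced = b"", None
    for i, pkt in enumerate(packets):
        _code, _ident, length, etype, flags = struct.unpack("!BBHBB", pkt[:6])
        if etype != EAP_TYPE_TLS or length != len(pkt):
            raise ValueError("malformed EAP-TLS packet")
        off = 6
        if flags & FLAG_L:
            announced = struct.unpack("!I", pkt[off:off + 4])[0]
            off += 4
        data += pkt[off:]
        if bool(flags & FLAG_M) != (i < len(packets) - 1):
            raise ValueError("M flag inconsistent with fragment position")
    if announced is not None and announced != len(data):
        raise ValueError("TLS length mismatch")
    return data


def fits_layer2(pkt, l2_mtu=1500):
    """True if the EAP packet plus its EAPOL header fits the link MTU
    between NAS and supplicant (Ethernet header is outside the MTU)."""
    return EAPOL_HDR + len(pkt) <= l2_mtu


if __name__ == "__main__":
    size = effective_fragment_size(framed_mtu=None, fragment_size=1024)
    pkts = fragment_tls(SAMPLE_FLIGHT, size)
    print(f"{len(SAMPLE_FLIGHT)} TLS bytes -> {len(pkts)} EAP fragments at {size}")
    for p in pkts:
        print(f"  len={len(p):4d} flags=0x{p[5]:02x} fits_l2={fits_layer2(p)}")
    assert reassemble(pkts) == SAMPLE_FLIGHT
```

Running it shows why a larger certificate chain exposes an MTU problem: the same fragment size yields more round trips, and any one RADIUS reply or EAPOL frame that is larger than the path allows is enough to stall the session with the "did not finish" warning quoted above. Comparing the fragment count and per-packet lengths here against the actual RADIUS reply sizes (and any Framed-MTU the NAS sends) is the check the reply asks for.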