Windows 7, wired 802.1x, native EAP-TLS w/o AD, NPS

Phil Mayers p.mayers at
Tue Apr 11 16:32:26 CEST 2017

On 10/04/17 16:48, Timo Buhrmester wrote:
>> The cert is generated by freeradius' makefile, however, the EAP session
>> stalls and FR complains:
>> | WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> | WARNING: !! EAP session for state 0xe0880a2ce3de07a8 did not finish!
>> | WARNING: !! Please read
>> | WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> which seems a bit circular, but I'll try to resolve this myself before
>> asking for further assistence.
> Progress!  It turns out that 2048-bit certificates (as generated by FR's
> Makefile) cause the EAP session to stall, while 1024 bit certs do work!
> So that might indeed be an MTU issue.  It's mildly surprising, though,
> because the FR certs are supposedly known to work.

Couple of things to note:

There are two MTUs to consider - the IP MTU between the NAS and radius 
server, and the layer2 MTU between the NAS and the supplicant.

The EAP/TLS code will segment the EAP/TLS (or TLS-based like PEAP/TTLS) 
data into chunks of len == Framed-MTU (from the Access-Accept) or if 
that's absent, the "fragment_size" option from the tls{} block of the 
EAP method.

So if the Access-Accept contains Framed-MTU=1024 you'll get an 
Access-Accept that's a few hundred bytes larger (framing plus the other 
attributes) which should then be a 1024-byte EAP frame at layer2.

It would be interesting to know if you're getting a Framed-MTU from the 
NAS, and what size radius replies you are seeing going from FR to the NAS.

More information about the Freeradius-Users mailing list