Radsec Limitations

Alan DeKok aland at deployingradius.com
Wed May 26 16:25:52 CEST 2021


On May 26, 2021, at 9:43 AM, Michael Cullen <michael.cullen at madetech.com> wrote:
> We have radsec tunnels between the authenticator and the server wherever it
> is supported, and a lot of the newer networking equipment that has this.
> The majority of traffic will be on Windows machines using EAP-TTLS. We came
> across this message:
> https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/task/radsec-configuring.html#:~:text=Due%20to%20limitations%20of%20the,255%20RADIUS%20messages%20in%20flight
> which states "NOTE: Due to limitations of the TCP protocol, RADSEC can have
> no more than 255 RADIUS messages in flight."

  Or refer to the standard:

https://datatracker.ietf.org/doc/html/rfc6613#section-2.6.5

> Due to the majority of our traffic being from Windows machines using
> EAP-TTLS, will this also include RADIUS messages?

  EAP-TTLS is carried over RADIUS.  So yes.

> Has anyone been affected
> by this limitation? We are looking at scaling the RADIUS solution to a
> large number of users in the future.
> There seems to be no reported issues about these limitations, other than
> the article above.

  There aren't really many limitations based on this.  If there are more than 256 packets outstanding, FreeRADIUS will just open more connections.

  If you need many hundreds of open connections, then you're much better off using IPSec, and basic UDP over that.  Nothing beats using the right tool for the job.

  For example, TCP has issues with "head of line" blocking:

https://datatracker.ietf.org/doc/html/rfc6613#section-2.6.2

  The author of that standard knows what he's talking about.  :)

  Alan DeKok.
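To make the limit in RFC 6613 section 2.6.5 concrete, here is an added example that is not FreeRADIUS's own code and not from either poster: a simulated RadSec client that hands out the one-octet RADIUS Identifier per connection and opens another connection once all 256 values on a connection are in flight. The names RadSecConnection, RadSecClientPool and simulate are constructed for this illustration, and no real TLS socket is opened; only the RFC 2865 header layout and the 8-bit Identifier field come from the standards.

```python
"""Model of the per-connection RADIUS Identifier limit discussed in RFC 6613
section 2.6.5: the Identifier field is one octet, so a single RadSec (TCP/TLS)
connection can have at most 256 requests outstanding at once.  Added
illustration, not FreeRADIUS code; RadSecConnection is a constructed stand-in
for a real TLS connection and never touches the network."""

import itertools
import os
import struct
from dataclasses import dataclass, field

RADIUS_MAX_IDS = 256   # Identifier is 8 bits: values 0..255
ACCESS_REQUEST = 1     # RADIUS Code for Access-Request (RFC 2865)


def encode_radius_header(code: int, ident: int, attributes: bytes) -> bytes:
    """RFC 2865 layout: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    if not 0 <= ident < RADIUS_MAX_IDS:
        raise ValueError("Identifier must fit in one octet")
    length = 20 + len(attributes)
    authenticator = os.urandom(16)  # Request Authenticator is random per request
    return struct.pack("!BBH", code, ident, length) + authenticator + attributes


@dataclass
class RadSecConnection:
    """One simulated RadSec connection; tracks which Identifiers are in flight."""
    conn_id: int
    in_flight: set = field(default_factory=set)

    def free_ids(self) -> int:
        return RADIUS_MAX_IDS - len(self.in_flight)

    def allocate(self) -> int:
        """Pick the lowest Identifier not currently outstanding on this connection."""
        for ident in range(RADIUS_MAX_IDS):
            if ident not in self.in_flight:
                self.in_flight.add(ident)
                return ident
        raise RuntimeError("no free Identifier on this connection")

    def release(self, ident: int) -> None:
        self.in_flight.discard(ident)


class RadSecClientPool:
    """Spreads requests over as many connections as the Identifier space requires."""

    def __init__(self, max_connections: int = 8):
        self.max_connections = max_connections
        self.connections: list = []
        self._next_conn_id = itertools.count(1)

    def send(self, attributes: bytes = b"") -> tuple:
        """Return (connection id, Identifier, encoded packet) for a new request."""
        conn = next((c for c in self.connections if c.free_ids() > 0), None)
        if conn is None:
            # Every open connection already has 256 requests outstanding:
            # open another one instead of reusing an Identifier still in flight.
            if len(self.connections) >= self.max_connections:
                raise RuntimeError("all connections have 256 requests outstanding")
            conn = RadSecConnection(next(self._next_conn_id))
            self.connections.append(conn)
        ident = conn.allocate()
        packet = encode_radius_header(ACCESS_REQUEST, ident, attributes)
        return conn.conn_id, ident, packet

    def complete(self, conn_id: int, ident: int) -> None:
        """A reply arrived: the Identifier may be reused on that connection."""
        for c in self.connections:
            if c.conn_id == conn_id:
                c.release(ident)
                return
        raise KeyError(conn_id)

    def outstanding(self) -> int:
        return sum(len(c.in_flight) for c in self.connections)


def simulate(requests: int) -> dict:
    """Issue `requests` back-to-back with no replies and report how they spread."""
    pool = RadSecClientPool()
    for _ in range(requests):
        pool.send()
    return {
        "connections": len(pool.connections),
        "outstanding": pool.outstanding(),
        "per_connection": [len(c.in_flight) for c in pool.connections],
    }


if __name__ == "__main__":
    print(simulate(300))  # 300 unanswered requests need two connections
```

Running simulate(300) shows 256 requests on the first connection and 44 on a second; once replies come back and Identifiers are released, later requests land on the first connection again. A real client must also handle the case where the server never answers, since RFC 6613 leaves retransmission to TCP and the Identifier stays reserved until the request is timed out.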
