Windows Slow EAP-TLS Authentication
George Benjin
george.benjin at gmail.com
Wed Sep 18 04:49:20 UTC 2024
You need to be very careful running a RADIUS server in Azure if you're
using RADIUS/UDP.
Azure has a network security feature on by default that drops
fragmented UDP packets that arrive out of order. This negatively
impacts RADIUS/UDP traffic.
To give you an example, at least 20% of EAP-TLS auth attempts were
failing for us in the cert auth phase due to this issue.
Azure support can turn on the 'enable-udp-fragment-reordering' feature
by request after providing packet captures and use case info etc. They
will also only turn it on in a brand new subscription that's dedicated
to running VMs that require this feature. After we did this, our auth
success rate increased to 100%.
Another thing to be wary of is setting 'tls_max_version' to 1.3.
Windows 11 supports TLS 1.3 by default for EAP-TLS etc., but does not
yet support session resumption when using this protocol (see
https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes).
It's worth dropping the max version to 1.2.
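The fragment-drop behaviour described above, as an added example that is not code from the post, FreeRADIUS or Azure: it splits a large RADIUS/UDP datagram (such as an EAP-TLS Access-Challenge carrying a certificate chain) into IPv4 fragments and applies both filter behaviours (the default drop-on-out-of-order policy and the reordering behaviour) to a constructed arrival order. A path MTU of 1500 and no IP options are assumed.

```python
from collections import defaultdict
from dataclasses import dataclass

IPV4_HEADER = 20   # assumed: no IP options
UDP_HEADER = 8


@dataclass(frozen=True)
class Fragment:
    ip_id: int      # Identification field shared by all fragments of one datagram
    offset: int     # payload offset in bytes (8-byte aligned on the wire)
    length: int     # payload bytes carried by this fragment
    more: bool      # MF flag: further fragments follow


def fragment_datagram(radius_len: int, ip_id: int, mtu: int = 1500) -> list[Fragment]:
    """Split a UDP datagram carrying a RADIUS packet of radius_len bytes
    into the IPv4 fragments a sender with the given MTU would emit."""
    payload = UDP_HEADER + radius_len
    per_frag = (mtu - IPV4_HEADER) // 8 * 8   # fragment data must be 8-byte aligned
    frags, offset = [], 0
    while offset < payload:
        size = min(per_frag, payload - offset)
        frags.append(Fragment(ip_id, offset, size, offset + size < payload))
        offset += size
    return frags


def filter_verdict(arrivals: list[Fragment], reorder: bool = False) -> dict[int, str]:
    """Classify each datagram in `arrivals` (fragments in arrival order).
    reorder=False models the default: a fragment arriving before a lower
    offset of the same ip_id gets the datagram dropped.
    reorder=True models fragment reordering: only completeness matters."""
    seen = defaultdict(list)
    for f in arrivals:
        seen[f.ip_id].append(f)
    verdict = {}
    for ip_id, frags in seen.items():
        offsets = [f.offset for f in frags]
        if not reorder and offsets != sorted(offsets):
            verdict[ip_id] = "dropped: out-of-order fragment"
            continue
        ordered = sorted(frags, key=lambda f: f.offset)
        contiguous = all(a.offset + a.length == b.offset for a, b in zip(ordered, ordered[1:]))
        complete = contiguous and ordered[0].offset == 0 and not ordered[-1].more
        verdict[ip_id] = "reassembled" if complete else "incomplete"
    return verdict


if __name__ == "__main__":
    # constructed: a 3200-byte Access-Challenge carrying a server certificate chain
    frags = fragment_datagram(radius_len=3200, ip_id=0x1234)
    swapped = [frags[1], frags[0], frags[2]]   # second fragment overtakes the first
    print(len(frags), filter_verdict(swapped), filter_verdict(swapped, reorder=True))
```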