Windows Slow EAP-TLS Authentication

Luca Borruto luca.borruto at agicap.com
Wed Sep 18 06:19:20 UTC 2024


Wow, thanks for this!
I couldn’t find any information about this online. I don’t think getting a
new subscription is an option for us.

I read somewhere that we can authorize TCP for RADIUS, right? If that’s not
the case, I should consider trying another provider (GCP?) or setting up
something on-premise, but that would limit the ability to connect other
cities to this RADIUS server.

Thanks for the answer!

On Wed 18 Sep 2024 at 06:50, George Benjin <george.benjin at gmail.com> wrote:

> You need to be very careful running a RADIUS server in Azure if you're
> using RADIUS/UDP.
>
> Azure has a network security feature on by default that drops
> fragmented UDP packets that arrive out of order. This negatively
> impacts RADIUS/UDP traffic.
>
> To give you an example, at least 20% of EAP-TLS auth attempts were
> failing for us in the cert auth phase due to this issue.
>
> Azure support can turn on the 'enable-udp-fragment-reordering' feature
> by request after providing packet captures and use case info etc. They
> will also only turn it on in a brand new subscription that's dedicated
> to running VMs that require this feature. After we did this, our auth
> success rate increased to 100%.
>
>
> Another thing to be wary of is setting 'tls_max_version' to 1.3.
> Windows 11 supports TLS 1.3 by default for EAP-TLS etc but does not
> yet support session resumption when using this protocol (see
>
> https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes
> ).
> It's worth dropping the Max version to 1.2.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


More information about the Freeradius-Users mailing list