Windows Slow EAP-TLS Authentication
Alan DeKok
aland at deployingradius.com
Wed Sep 18 12:03:35 UTC 2024
On Sep 18, 2024, at 12:49 AM, George Benjin <george.benjin at gmail.com> wrote:
>
> You need to be very careful running a RADIUS server in Azure if you're
> using RADIUS/UDP.
>
> Azure has a network security feature on by default that drops
> fragmented UDP packets that arrive out of order. This negatively
> impacts RADIUS/UDP traffic.
Yes, that's a serious issue. The solution would be to use RADIUS/TLS.
> Another thing to be wary of is setting 'tls_max_version' to 1.3.
> Windows 11 supports TLS 1.3 by default for EAP-TLS etc but does not
> yet support session resumption when using this protocol (see
> https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes).
> It's worth dropping the Max version to 1.2.
I had discussions with Microsoft a year or so ago about this. They were very happy to tell me that they had decided to not implement session resumption for TLS 1.3. They were not happy when I explained it was 100% necessary for many environments.
A year later, "yeah, we'll fix it eventually".
That's not useful.
Alan DeKok.
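As an added illustration of the fragmentation problem George describes (this is not code from the post or from FreeRADIUS), the script below estimates the size of a RADIUS/UDP Access-Challenge carrying one EAP-TLS fragment and whether it exceeds a 1500-byte MTU, which is what triggers IP fragmentation and therefore Azure's out-of-order fragment dropping. Header and attribute sizes follow RFC 2865, 3579 and 3748; the State length is a constructed value, and `fragment_size` refers to the FreeRADIUS eap module setting, assumed here to mean the TLS bytes carried per EAP fragment.

```python
import struct

RADIUS_HDR = 20        # code, identifier, length, authenticator (RFC 2865)
IPV4_HDR = 20
UDP_HDR = 8
AVP_MAX_VALUE = 253    # attribute length field is one byte, minus 2-byte header
EAP_HDR = 4            # code, identifier, length (RFC 3748)
EAP_TLS_HDR = 2        # type 13 + flags byte
EAP_TLS_LEN_FIELD = 4  # total TLS message length, present only when L bit is set

def build_eap_message_avps(eap_packet: bytes) -> bytes:
    """Split one EAP packet across consecutive EAP-Message (type 79) attributes."""
    out = bytearray()
    for i in range(0, len(eap_packet), AVP_MAX_VALUE):
        chunk = eap_packet[i:i + AVP_MAX_VALUE]
        out += struct.pack("!BB", 79, 2 + len(chunk)) + chunk
    return bytes(out)

def access_challenge_size(tls_fragment: bytes, first: bool, state_len: int = 16) -> int:
    """UDP payload size of an Access-Challenge carrying one EAP-TLS fragment."""
    eap_len = EAP_HDR + EAP_TLS_HDR + (EAP_TLS_LEN_FIELD if first else 0) + len(tls_fragment)
    eap = struct.pack("!BBH", 1, 1, eap_len)          # EAP Request, id 1, length
    eap += bytes([13, 0xC0 if first else 0x40])       # EAP-TLS; flags L+M or M only
    if first:
        eap += struct.pack("!I", len(tls_fragment))   # constructed TLS message length
    eap += tls_fragment
    attrs = build_eap_message_avps(eap)
    attrs += struct.pack("!BB", 24, 2 + state_len) + b"\0" * state_len  # State (constructed)
    attrs += bytes([80, 18]) + b"\0" * 16             # Message-Authenticator (RFC 3579)
    return RADIUS_HDR + len(attrs)

def will_fragment(udp_payload: int, mtu: int = 1500) -> bool:
    """True when the IPv4 datagram carrying this UDP payload exceeds the path MTU."""
    return IPV4_HDR + UDP_HDR + udp_payload > mtu

def max_safe_fragment_size(mtu: int = 1500) -> int:
    """Largest fragment_size whose first-fragment challenge still fits in one IP packet."""
    size = 0
    while not will_fragment(access_challenge_size(b"A" * (size + 1), True), mtu):
        size += 1
    return size

if __name__ == "__main__":
    for fs in (1024, 1400):
        udp = access_challenge_size(b"A" * fs, first=True)
        print(f"fragment_size={fs}: UDP payload {udp} bytes, fragments: {will_fragment(udp)}")
    print("largest non-fragmenting fragment_size:", max_safe_fragment_size())
```

Real packets also carry Proxy-State and other attributes, so treat the numbers as a lower bound; moving to RADIUS/TLS, as Alan suggests, removes the UDP fragmentation problem entirely.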