Setting Framed-MTU in Freeradius
Nick Porter
nick at portercomputing.co.uk
Fri Feb 27 09:19:25 UTC 2026

On 27/02/2026 05:24, Kat via Freeradius-Users wrote:
> Google Gemini is insisting quite strongly that, after changing
> fragment size in the /etc/raddb/mods-enabled/eap, I also need to put
> something in the post-auth part.
>
> The problem is that sometimes AI can be wrong and I cannot find
> alternate sources that back this claim up. My Google-fu may be weak.

This is a case of AI being confidently wrong - but there is wrong
information out there which was probably part of the training set.

Setting fragment size determines the largest EAP fragment which
FreeRADIUS will send in an Access-Challenge - so controlling the RADIUS
server -> client packet.

There is some incorrect information out there which claims that setting
Framed-MTU will influence the client -> server EAP fragment sizes. That
is simply not the case. That attribute can be used in an Access-Accept
for setting the MTU on the connection which is being authenticated, but
it has nothing to do with the packets involved in doing the authentication.

It is a common issue with EAP authentication where the packet sizes grow
beyond the MTU and get fragmented.

In a well behaved network, the fragments will get re-assembled, but
there are cases where fragments get dropped by firewalls and so the
authentication fails.

> into /etc/raddb/sites-enabled/default in the post-auth section. Gemini
> points to a comment block that says: "# Please do not put "unlang"
> configurations into the "authenticate"
> # section. Put them in the "post-auth" section instead. That's what
> # the post-auth section is for."

That is completely wrong - authenticate is another process section just
like "authorize" and "post-auth" which contains unlang. Usually it's
only module calls to the modules performing the authentication, but it
can have more complex policy. It's all about where in the packet
processing you need to perform given actions.

> In a previous email,
> https://lists.freeradius.org/pipermail/freeradius-users/2022-March/101630.html,
> to this list, it sounds like it could be in sites-available/default
>
> Aren't they symlinks?

Usually sites-available contains symlinks to files in sites-enabled -
but it can have normal files as well. The sites-available /
sites-enabled construct is simply a way to provide a load of sample
virtual servers and then just use a symlink to enable the relevant ones
to the system.

So, you can add that update section to post-auth if you want to - but it
is not likely to be achieving what you want.

If you are running into issues with fragmentation on the packets from
client to server, then usually the key is getting path MTU discovery to
work correctly. Failing that, it is a matter of ensuring that fragments
are not getting dropped by firewalls.

Nick
--
Nick Porter
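
Added example, not part of the original message and not FreeRADIUS code: a sizing model for the server -> client direction that the fragment size setting controls, showing how large the Access-Challenge IP datagram becomes for a given fragment size and what the largest fragment size is that avoids IP fragmentation on a given path MTU. It assumes the configured fragment size counts TLS data only, with a 10-byte EAP-TLS header added on top, a 16-byte State value, and no other reply attributes unless passed in as extra_attr_bytes (a hypothetical parameter).

```python
import math

RADIUS_HEADER = 20          # code, identifier, length, 16-byte authenticator
ATTR_HEADER = 2             # type + length octets of every RADIUS attribute
ATTR_MAX_VALUE = 253        # largest value a single attribute can carry
MESSAGE_AUTHENTICATOR = 18  # attribute 80: 2-byte header + 16-byte HMAC-MD5
UDP_HEADER = 8
IP_HEADER = {4: 20, 6: 40}  # no IPv4 options, no IPv6 extension headers

# Assumptions made for this example (not stated in the thread):
EAP_TLS_HEADER = 10         # EAP header (5) + flags (1) + TLS message length (4)
STATE_LEN = 16              # value length of the State attribute in the challenge


def radius_challenge_len(fragment_size, extra_attr_bytes=0):
    """RADIUS length of an Access-Challenge carrying one full EAP fragment."""
    eap_len = fragment_size + EAP_TLS_HEADER
    # The EAP packet is split across EAP-Message attributes of <= 253 bytes each.
    n_attrs = math.ceil(eap_len / ATTR_MAX_VALUE)
    eap_message = eap_len + n_attrs * ATTR_HEADER
    state = ATTR_HEADER + STATE_LEN
    return (RADIUS_HEADER + eap_message + MESSAGE_AUTHENTICATOR
            + state + extra_attr_bytes)


def ip_datagram_len(fragment_size, ip_version=4, extra_attr_bytes=0):
    """Size on the wire at the IP layer, to compare against the path MTU."""
    return (radius_challenge_len(fragment_size, extra_attr_bytes)
            + UDP_HEADER + IP_HEADER[ip_version])


def max_fragment_size(path_mtu, ip_version=4, extra_attr_bytes=0):
    """Largest fragment size whose Access-Challenge fits in one IP datagram."""
    size = path_mtu
    while size > 0 and ip_datagram_len(size, ip_version, extra_attr_bytes) > path_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for frag in (1024, 1500):
        total = ip_datagram_len(frag)
        verdict = "fits" if total <= 1500 else "needs IP fragmentation"
        print(f"fragment size {frag}: {total}-byte IPv4 datagram, {verdict}")
    print("largest fragment size for a 1500-byte path MTU:", max_fragment_size(1500))
```

The model covers only packets the RADIUS server sends; the size of client -> server packets is decided by the supplicant and NAS, which is why the reply above points to path MTU discovery and firewall handling of fragments for that direction.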