include_length in mods-available/eap

Stephen Mellor Stephen.Mellor at nhs.scot
Fri Feb 27 12:27:09 UTC 2026


FreeRADIUS 3.2.4 on OpenSUSE Leap 15.6

mods-available/eap
      tls-config tls-common {

            #  include_length is a flag which is
            #  by default set to yes If set to
            #  yes, Total Length of the message is
            #  included in EVERY packet we send.
            #  If set to no, Total Length of the
            #  message is included ONLY in the
            #  First packet of a fragment series.

# include_length = yes

I think I've just solved a long-standing problem for our EAP-TLS authentication for wired networks (NAS are Aruba 6200m and 3810m, supplicants are HP Windows 11).

We'd see occasional problems where a laptop would start the authentication process, and freeradius would send-accept, but the laptop would never get the message. Eventually it would fail over to wifi, then recognise that there was an ethernet connection, try ethernet again, same result, and repeat until the user pulled the ethernet cable out of the laptop or dock.

This was quite a rare occurrence, and not consistently repeatable, so tricky to debug, though with several hundred users it seemed that there was always someone complaining (after the event!). We failed to find any pattern of hardware: although all laptops are recent HP we've a variety of USB docks.

However, eventually I stumbled across this: https://community.cisco.com/t5/network-access-control/eap-tls-w-freeradius-failing-phone-doesn-t-present-client/td-p/1932767

Sure enough, setting include_length to no does seem to have fixed our problem. It's early days yet so I'm not 100% certain, but there were a couple of laptops failing yesterday which stopped when I made the change, and I've seen none failing today.
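
An added example, not part of the original post and not FreeRADIUS code: it builds the EAP-TLS fragments for one TLS message under both include_length settings and parses them back, to show what changes on the wire. The L (0x80) and M (0x40) flag bits and the 4-byte TLS Message Length field are from RFC 5216; the function names, the 1024-byte fragment size and the sample message are constructed, and leaving the length out of an unfragmented packet when the setting is "no" is an assumption.

```python
import struct

EAP_REQUEST, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M = 0x80, 0x40  # RFC 5216: Length included, More fragments

def fragment(tls_msg, frag_size, include_length, first_id=1):
    """Split one TLS message into EAP-TLS Request packets (hypothetical helper)."""
    chunks = [tls_msg[i:i + frag_size] for i in range(0, len(tls_msg), frag_size)]
    packets = []
    for n, chunk in enumerate(chunks):
        flags = FLAG_M if n < len(chunks) - 1 else 0
        # Model of the quoted comment: yes -> every packet, no -> first fragment only.
        if include_length or (n == 0 and len(chunks) > 1):
            flags |= FLAG_L
        body = bytes([EAP_TYPE_TLS, flags])
        if flags & FLAG_L:
            body += struct.pack("!I", len(tls_msg))  # TLS Message Length (total)
        body += chunk
        header = struct.pack("!BBH", EAP_REQUEST, (first_id + n) & 0xFF, 4 + len(body))
        packets.append(header + body)
    return packets

def parse(packet):
    """Decode one EAP-TLS packet; 'total' is None when the L flag is clear."""
    if len(packet) < 6:
        raise ValueError("too short for an EAP-TLS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_TLS:
        raise ValueError("not a well-formed EAP-TLS packet")
    flags, offset, total = packet[5], 6, None
    if flags & FLAG_L:
        if len(packet) < 10:
            raise ValueError("L flag set but length field missing")
        (total,) = struct.unpack("!I", packet[6:10])
        offset = 10
    return {"id": ident, "L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M),
            "total": total, "size": length, "data": packet[offset:]}

def reassemble(packets):
    """Receiver side: join fragments and check every advertised total length."""
    parsed = [parse(p) for p in packets]
    data = b"".join(p["data"] for p in parsed)
    if any(p["total"] not in (None, len(data)) for p in parsed):
        raise ValueError("advertised TLS Message Length does not match data")
    return data

if __name__ == "__main__":
    msg = bytes(range(256)) * 10  # constructed 2560-byte stand-in for a TLS flight
    for setting in (True, False):
        rows = [(p["id"], p["L"], p["M"], p["size"]) for p in map(parse, fragment(msg, 1024, setting))]
        print("include_length =", "yes" if setting else "no", rows)
```

When reading a capture of a failing session, the same flag byte and length field are what to compare between the fragments of one series.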

More information about the Freeradius-Users mailing list