include_length in mods-available/eap

Alan DeKok alan.dekok at inkbridge.io
Fri Feb 27 14:54:11 UTC 2026 

On Feb 27, 2026, at 7:27 AM, Stephen Mellor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I think I've just solved a long-standing problem for our EAP-TLS authentication for wired networks (NAS are Aruba 6200m and 3810m, supplicants are HP Windows 11).

  Nice.

  While Windows 11 is somewhat better than earlier versions for some things, it's still not perfect.

> We'd see occasional problems where a laptop would start the authentication process, and freeradius would send-accept, but the laptop would never get the message. Eventually it would failover to wifi, then recognise that there was an ethernet connection, try ethernet again, same result, and repeat until the user pulled the ethernet cable out of the laptop or dock.
> 
> This was quite a rare occurrence, and not consistently repeatable, so tricky to debug, though with several hundred users it seemed that there was always someone complaining (after the event!). We failed to find any pattern of hardware: although all laptops are recent HP we've a variety of USB docks.

  If you can get me a packet trace of the failing connections (off list) that would help.  I don't need to see inside of the TLS tunnel, just the outer EAP stuff is OK.

  I can take a look to see what's going on, and also share the trace with the Windows team if that's OK with you.

  Windows might be miscounting the TLS data, or maybe FreeRADIUS is.  Either way, a PCAP file would help to understand the root cause of the issue.

> However, eventually I stumbled across this: https://community.cisco.com/t5/network-access-control/eap-tls-w-freeradius-failing-phone-doesn-t-present-client/td-p/1932767
> 
> Sure enough, setting include_length to no does seem to have fixed our problem. It's early days yet so I'm not 100% certain, but there were a couple of laptops failing yesterday which stopped when I made the change, and I've seen none failing today.

  Sounds good.

   Alan DeKok.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20260227/eca5c814/attachment.sig>

More information about the Freeradius-Users mailing list