Freeradius Framed-MTU

Kat Kaz at t-tec.com.au
Mon Mar 2 03:36:24 UTC 2026


>     2. Re: Setting Framed-MTU in Freeradius (Nick Porter)
> 

Gday,

To start with, thank you so much Nick Porter for answering! That is 
amazing! Thank you :-)

> 
> This is a case of AI being confidently wrong - but there is wrong
> information out there which was probably part of the training set.

Based on your email, I took another look and I found reference to 
Framed-MTU in the etc/raddb/users file, so I uncommented that in and 
tried to set it to 1024. I saved the changes and restarted the server in 
-x. And then reconnected to check the logs. A subset of logs are 
provided below the email.

Framed-MTU is being set to 1002 or 994, not 1024.


eg:
(24)   Framed-MTU += 994
(24)   Framed-MTU = 1002
(24)   &session-state:Framed-MTU = 994


Google Gemini tells me it is because of this line:
(24) [files] = noop

and that the default setting of Framed-MTU that I brought back in is 
being disregarded because the supplicant has an identity.

So do I need to put that identity in the users file and set the 
Framed-MTU there specifically?



> If you are running into issues with fragmentation on the packets from
> client to server, then usually the key is getting path MTU discovery to
> work correctly. Failing that, it is a matter of ensuring that fragments
> are not getting dropped by firewalls.


I would like to set the Framed-MTU because I have been asked to do so. I 
don't know if it will help them or not but I want to do it because I 
have been asked to do so.

Why they want to set Framed-MTU is because Freeradius is returning many 
debug lines that look like this:

(458002) Cleaning up request packet ID 112 with timestamp +945036 due to cleanup_delay was reached

They are hoping that setting the Framed-MTU will solve this.

Example logs:
(24) Received Access-Request Id 193 from 172.17.0.1:52424 to 172.17.0.2:1812 length 243
(24)   User-Name = "redacted"
(24)   NAS-IP-Address = redacted
(24)   NAS-Identifier = "redacted"
(24)   Called-Station-Id = "2A-70-4E-AB-FB-33:T-TEC Enterprise"
(24)   NAS-Port-Type = Wireless-802.11
(24)   Service-Type = Framed-User
(24)   Calling-Station-Id = "redacted"
(24)   Connect-Info = "CONNECT 24Mbps 802.11a"
(24)   Acct-Session-Id = "1B70491FD72097B8"
(24)   Acct-Multi-Session-Id = "33F1B622305CBD65"
(24)   WLAN-Pairwise-Cipher = 1027076
(24)   WLAN-Group-Cipher = 1027076
(24)   WLAN-AKM-Suite = 1027073
(24)   Framed-MTU = 1002
(24)   EAP-Message = 0x02f500060d00
(24)   State = 0xc08ccb62c779c6c0c349c973c80ddb37
(24)   Chargeable-User-Identity = 0x00
(24)   Message-Authenticator = 0x9151c9eca3140df6df7002b31dd0faa0
(24) Restoring &session-state
(24)   &session-state:Framed-MTU = 994
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello"
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello"
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate"
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange"
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest"
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone"
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Certificate"
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange"
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify"
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Finished"
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 ChangeCipherSpec"
(24)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Finished"
(24)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(24)   &session-state:TLS-Session-Version = "TLS 1.2"
(24) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(24)   authorize {
(24)     policy filter_username {
(24)       if (&User-Name) {
(24)       if (&User-Name)  -> TRUE
(24)       if (&User-Name)  {
(24)         if (&User-Name =~ / /) {
(24)         if (&User-Name =~ / /)  -> FALSE
(24)         if (&User-Name =~ /@[^@]*@/ ) {
(24)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(24)         if (&User-Name =~ /\.\./ ) {
(24)         if (&User-Name =~ /\.\./ )  -> FALSE
(24)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(24)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(24)         if (&User-Name =~ /\.$/)  {
(24)         if (&User-Name =~ /\.$/)   -> FALSE
(24)         if (&User-Name =~ /@\./)  {
(24)         if (&User-Name =~ /@\./)   -> FALSE
(24)       } # if (&User-Name)  = notfound
(24)     } # policy filter_username = notfound
(24)     [preprocess] = ok
(24)     [digest] = noop
(24) suffix: Checking for suffix after "@"
(24) suffix: No '@' in User-Name = "redacted", looking up realm NULL
(24) suffix: No such realm "NULL"
(24)     [suffix] = noop
(24) eap: Peer sent EAP Response (code 2) ID 245 length 6
(24) eap: No EAP Start, assuming it's an on-going EAP conversation
(24)     [eap] = updated
(24)     [files] = noop
(24)     [expiration] = noop
(24)     [logintime] = noop
(24)   } # authorize = updated
(24) Found Auth-Type = eap
(24) # Executing group from file /etc/freeradius/sites-enabled/default
(24)   authenticate {
(24) eap: Removing EAP session with state 0xc08ccb62c779c6c0
(24) eap: Previous EAP request found for state 0xc08ccb62c779c6c0, released from the list
(24) eap: Peer sent packet with method EAP TLS (13)
(24) eap: Calling submodule eap_tls to process data
(24) eap_tls: (TLS) Peer ACKed our handshake fragment.  handshake is finished
(24) eap: Sending EAP Success (code 3) ID 245 length 4
(24) eap: Freeing handler
(24)     [eap] = ok
(24)   } # authenticate = ok
(24) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(24)   post-auth {
(24)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(24)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(24)     update {
(24)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.3 Handshake, ClientHello'
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, ServerHello'
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, Certificate'
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange'
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest'
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone'
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, Certificate'
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange'
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify'
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2 Handshake, Finished'
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 ChangeCipherSpec'
(24)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2 Handshake, Finished'
(24)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(24)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(24)     } # update = noop
(24)     [exec] = noop
(24)     policy remove_reply_message_if_eap {
(24)       if (&reply:EAP-Message && &reply:Reply-Message) {
(24)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(24)       else {
(24)         [noop] = noop
(24)       } # else = noop
(24)     } # policy remove_reply_message_if_eap = noop
(24)     if (EAP-Key-Name && &reply:EAP-Session-Id) {
(24)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE
(24)   } # post-auth = noop
(24) Sent Access-Accept Id 193 from 172.17.0.2:1812 to 172.17.0.1:52424 length 173
(24)   MS-MPPE-Recv-Key = 0x9e7d6bc3e620c918df655f5b6f3df6354afb8a122a23d067e577eeceef5d41dd
(24)   MS-MPPE-Send-Key = 0x30c4a64e47a5fadfdbe66e814dda937c5a16d504439fdb0c7e21602acbc3664b
(24)   EAP-Message = 0x03f50004
(24)   Message-Authenticator = 0x00000000000000000000000000000000
(24)   User-Name = "redacted"
(24)   Framed-MTU += 994
(24) Finished request
Waking up in 4.8 seconds.
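The debug output above is easier to reason about once the three places Framed-MTU shows up are separated: the value in the Access-Request, the value restored from &session-state, and the value placed in the Access-Accept. The parser below is an added example written for this page (it is not code from the poster, from Nick Porter or from the FreeRADIUS project); it walks FreeRADIUS "-X" style debug lines, groups attributes per request number into request, session-state and reply lists, records module return codes such as "[files] = noop", and reports where each Framed-MTU value came from. The sample input is a constructed, condensed subset of the request (24) lines quoted above; the function names parse_debug and framed_mtu_origin and the regular expressions are assumptions of this example, not anything FreeRADIUS ships.

```python
import re
from collections import defaultdict

# Constructed sample input: a condensed subset of the FreeRADIUS "-X" debug
# output quoted in the message above (request 24), values copied from there.
SAMPLE_LOG = """\
(24) Received Access-Request Id 193 from 172.17.0.1:52424 to 172.17.0.2:1812 length 243
(24)   User-Name = "redacted"
(24)   NAS-Port-Type = Wireless-802.11
(24)   Framed-MTU = 1002
(24)   EAP-Message = 0x02f500060d00
(24) Restoring &session-state
(24)   &session-state:Framed-MTU = 994
(24)   &session-state:TLS-Session-Version = "TLS 1.2"
(24) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(24)   authorize {
(24)     [eap] = updated
(24)     [files] = noop
(24)   } # authorize = updated
(24) Found Auth-Type = eap
(24) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(24)     update {
(24)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(24)     } # update = noop
(24) Sent Access-Accept Id 193 from 172.17.0.2:1812 to 172.17.0.1:52424 length 173
(24)   User-Name = "redacted"
(24)   Framed-MTU += 994
(24) Finished request
"""

# One regex per line shape we care about; every other line is ignored.
# These patterns are this example's own assumptions about the debug format.
RECV_RE = re.compile(r'^\((\d+)\) Received Access-Request ')
RESTORE_RE = re.compile(r'^\((\d+)\) Restoring &session-state')
SECTION_RE = re.compile(r'^\((\d+)\) # Executing ')
SENT_RE = re.compile(r'^\((\d+)\) Sent Access-(Accept|Reject|Challenge) ')
MODULE_RE = re.compile(r'^\((\d+)\)\s+\[([\w.-]+)\] = (\w+)$')
# "Name = value" or "Name += value", with an optional "&session-state:" prefix.
ATTR_RE = re.compile(r'^\((\d+)\)\s+&?(?:session-state:)?([\w.-]+) (\+?=) (.*)$')


def parse_debug(text):
    """Group attribute lines by request number and by the list they belong to.

    Returns {request_number: {'request': {...}, 'session-state': {...},
    'reply': {...}, 'modules': {...}}}; attribute values are lists because
    attributes such as TLS-Session-Information repeat.
    """
    requests = defaultdict(lambda: {
        'request': defaultdict(list),
        'session-state': defaultdict(list),
        'reply': defaultdict(list),
        'modules': {},
    })
    # FreeRADIUS interleaves concurrent requests, so the "current list" is
    # tracked per request number rather than globally.
    context = {}
    for line in text.splitlines():
        for pattern, where in ((RECV_RE, 'request'), (RESTORE_RE, 'session-state'),
                               (SENT_RE, 'reply'), (SECTION_RE, None)):
            m = pattern.match(line)
            if m:
                context[int(m.group(1))] = where
                break
        else:
            m = MODULE_RE.match(line)
            if m:
                requests[int(m.group(1))]['modules'][m.group(2)] = m.group(3)
                continue
            m = ATTR_RE.match(line)
            if m:
                num, name, value = int(m.group(1)), m.group(2), m.group(4).strip('"')
                where = context.get(num)
                if where:  # attribute lines inside unlang sections are not list contents
                    requests[num][where][name].append(value)
    return dict(requests)


def framed_mtu_origin(req):
    """Explain, for one parsed request, where each Framed-MTU value came from."""
    notes = []
    for v in req['request'].get('Framed-MTU', []):
        notes.append(f"Access-Request carried Framed-MTU {v}: sent by the NAS, not set by the server")
    for v in req['session-state'].get('Framed-MTU', []):
        notes.append(f"session-state holds Framed-MTU {v}: server-side state kept across this EAP conversation")
    for v in req['reply'].get('Framed-MTU', []):
        if v in req['session-state'].get('Framed-MTU', []):
            notes.append(f"Access-Accept carried Framed-MTU {v}: same as session-state, copied by the post-auth update")
        else:
            notes.append(f"Access-Accept carried Framed-MTU {v}: set by something other than the session-state copy")
    if req['modules'].get('files') == 'noop':
        notes.append("[files] = noop: the files module did not add or change any attribute for this request")
    return notes


if __name__ == '__main__':
    for num, req in parse_debug(SAMPLE_LOG).items():
        print(f"request ({num})")
        for note in framed_mtu_origin(req):
            print("  -", note)
```

Run against the real "-X" output (for example by reading it from a file instead of SAMPLE_LOG) and the notes show, per request, whether a Framed-MTU value was supplied by the NAS in the request, restored from session-state, or placed in the reply, which is the distinction needed before deciding whether a users-file entry is even the right place to change it.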