[RADIATOR] Radius packets dropped - DONT FRAG bit set
Ingvar Berg
ingvar.berg at ericsson.com
Thu Oct 9 01:08:08 CDT 2008
Hi,
The don't frag bit is in the IP header, to prevent a router along the
way from fragmenting the IP packet due to lower MTU on a link. It's hard to
see any value in setting this bit for a radius packet, but if it is set
when the router needs to fragment, the packet will be dropped. It should
be possible to transport a 1500 bytes packet, regardless of MTU along
the path, the only requirement is that the receiver can assemble the
fragments again.
/Ingvar
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au]
On Behalf Of Hugh Irvine
Sent: 9 October 2008 00:10
To: Bob Shafer
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Radius packets dropped - DONT FRAG bit set
Hello Bob -
Well, RADIUS is UDP, which to the best of my knowledge is single packet
send, single packet reply, and by definition cannot be fragmented.
It would be useful from my point of view to see your Radiator
configuration file and a trace 4 debug in conjunction with a Wireshark
capture.
Radiator also just hands the outgoing RADIUS packets to the operating
system to send - what hardware/software platform are you running on?
regards
Hugh
On 9 Oct 2008, at 00:00, Bob Shafer wrote:
> Our datacomm folks are having a problem with EAP passing through an
> Aruba controller to a non-Aruba AP. Aruba support says the same
> hardware works fine in their lab, but they are using a MS radius
> server.
>
> Here are the logs from the controller:
>
> Oct 7 11:35:38 :124004: <DBUG> |authmgr| Forwarding the Radius packet after stateful dot1x processing code:11/smac:00:0f:f8:a0:a8:80/sport:1812/dport:32769
> Oct 7 11:35:38 :199802: <ERRS> |authmgr| radhdlr.c, rx_statefull_radius:204: the DONT FRAG bit set in the radius response, dropping the request
> Oct 7 11:35:38 :124004: <DBUG> |authmgr| Forwarding the Radius packet after stateful dot1x processing code:1/smac:00:0f:7d:00:55:39/sport:32769/dport:1812
> Oct 7 11:35:38 :199802: <ERRS> |authmgr| radhdlr.c, rx_statefull_radius:204: the DONT FRAG bit set in the radius response, dropping the request
> Oct 7 11:35:38 :124004: <DBUG> |authmgr| Forwarding the Radius packet after stateful dot1x processing code:2/smac:00:0f:f8:a0:a8:80/sport:1812/dport:32769
>
> In our radius.cfg we have:
>
> EAPTLS_MaxFragmentSize 1000
>
> though I'm not sure if this is the underlying issue, or not. If not
> suggestions on where to look are more than welcome.
>
> I'd be happy to send config, etc. but thought this might be a
> problem you have encountered. BTW we're running Radiator 4.2.
> I've been ready to switch to 4.3 for a couple of months, but datacomm
> hasn't had time to try their devices with the 4.3 test server I've set
> up.
>
> Thanks,
>
> Bob Shafer
> University of Denver
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec), and DIAMETER
translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
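An added example, not part of the original thread and not Radiator or Aruba code: a small Python check that reads the flags field of a raw IPv4 header (as exported from a capture) and reports whether a RADIUS packet carries the DF bit and whether a link with a given MTU would have to drop it. The addresses, the sample Access-Challenge payload and the ports in `RADIUS_PORTS` are constructed assumptions, and checksums are left at zero.

```python
import struct

RADIUS_PORTS = {1812, 1813}  # assumption: standard auth/accounting ports

# Constructed sample: RADIUS code 11 (Access-Challenge), id 1, length 1020,
# zeroed authenticator and 1000 zero bytes standing in for EAP attributes.
SAMPLE_CHALLENGE = bytes([11, 1]) + struct.pack("!H", 1020) + bytes(1016)

def build_ipv4_udp(src_port, dst_port, payload, df):
    """Build a constructed IPv4+UDP packet (checksums zero) for the demo."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    flags_frag = 0x4000 if df else 0  # bit 14 of the flags/offset word is DF
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, flags_frag,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp

def inspect(packet):
    """Return DF/MF/offset and RADIUS code for one raw IPv4 packet, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        return None
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    info = {
        "df": bool(flags_frag & 0x4000),           # Don't Fragment
        "mf": bool(flags_frag & 0x2000),           # More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "total_len": total_len,
        "radius_code": None,
    }
    # The UDP header only exists in the first fragment (offset 0).
    if packet[9] == 17 and info["frag_offset"] == 0 and len(packet) >= ihl + 9:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if sport in RADIUS_PORTS or dport in RADIUS_PORTS:
            info["radius_code"] = packet[ihl + 8]  # first byte of UDP payload
    return info

def would_be_dropped(packet, link_mtu):
    """True if a hop with this MTU must drop the packet: too big and DF set."""
    info = inspect(packet)
    return info is not None and info["df"] and info["total_len"] > link_mtu

if __name__ == "__main__":
    pkt = build_ipv4_udp(1812, 32769, SAMPLE_CHALLENGE, df=True)
    print(inspect(pkt), would_be_dropped(pkt, 1000))
```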