[RADIATOR] EAPTLS_MaxFragmentSize settings

Alexander Hartmaier alexander.hartmaier at t-systems.at
Tue Oct 11 06:35:08 CDT 2011


I've tried a lot of different values and looked at the radius packets coming from our switches (for wired dot1x):
peap 1350, inner tls 1300
peap 1400, inner tls 1360
peap 1412, inner tls 1350

In the end I've used 1350/1300 because increasing it any further towards the limit didn't lower the number of packets, so I preferred to have a little bit of safety margin left.

The EAP packet that is encapsulated inside one of the radius key/value pairs + all other radius attributes doesn't exceed one ethernet frame because EAP doesn't support fragmentation.
Depending on the number of other radius attributes your switches or wlan controllers send to the radius servers you can increase the EAP payload.
Decreasing the number of packets reduces the authentication time and lowers the load on both the radius client (switch, wlan controller) and radius server.

@Open guys: can you please add something like my description to the docs?

On 2011-10-11 13:16, Alex Sharaz wrote:
Hi,

For a long time I've had

=====
# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes
# Aironet APs seem to need a smaller MaxFragmentSize.
                EAPTLS_MaxFragmentSize 1000

==========

Set up in my Radiator radius.cfg file simply because it was there in the sample radius.cfg file I initially used. I'm now wondering if perhaps this is a bit small.

What are other people doing?
Is anyone explicitly setting this up or are people leaving it to the default value?

Rgds
Alex





--
Cheers, Alex
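
The sizing trade-off discussed in this thread, as an added example that is not part of the original messages or of Radiator's code. It computes the IPv4 datagram size of a RADIUS packet carrying one EAP-TLS fragment and the number of fragments a TLS handshake flight needs. Assumptions: EAPTLS_MaxFragmentSize is taken to mean TLS bytes per EAP packet, and the 60 bytes of other attributes and the 3900-byte flight are constructed values.

```python
import math

IPV4_HDR, UDP_HDR, RADIUS_HDR = 20, 8, 20  # IPv4 without options
MSG_AUTH_ATTR = 18       # Message-Authenticator, required with EAP-Message (RFC 3579)
EAP_TLS_HDR = 10         # code, id, length(2), type, flags, 4-byte TLS length (first fragment)
EAP_MSG_MAX_VALUE = 253  # one RADIUS attribute holds at most 253 value bytes
ATTR_HDR = 2             # type + length bytes per attribute


def datagram_size(fragment_size, other_attr_bytes):
    """IPv4 datagram size of a RADIUS packet carrying one EAP-TLS fragment."""
    eap_len = fragment_size + EAP_TLS_HDR
    # An EAP packet longer than 253 bytes is split over several EAP-Message
    # attributes, each of which adds its own 2-byte header.
    eap_attrs = math.ceil(eap_len / EAP_MSG_MAX_VALUE)
    return (IPV4_HDR + UDP_HDR + RADIUS_HDR + MSG_AUTH_ATTR
            + eap_len + eap_attrs * ATTR_HDR + other_attr_bytes)


def max_fragment_size(other_attr_bytes, mtu=1500):
    """Largest fragment size whose RADIUS packet still fits in one frame."""
    for size in range(mtu, 0, -1):
        if datagram_size(size, other_attr_bytes) <= mtu:
            return size
    return 0


def fragments_needed(flight_bytes, fragment_size):
    """RADIUS packets needed to deliver one TLS handshake flight."""
    return math.ceil(flight_bytes / fragment_size)


if __name__ == "__main__":
    OTHER_ATTRS = 60  # constructed: State, Proxy-State, etc.
    FLIGHT = 3900     # constructed: ServerHello + certificate chain
    limit = max_fragment_size(OTHER_ATTRS)
    for size in (1000, 1300, limit, 1400):
        total = datagram_size(size, OTHER_ATTRS)
        fits = "fits" if total <= 1500 else "exceeds MTU"
        print(f"fragment {size}: datagram {total} bytes ({fits}), "
              f"{fragments_needed(FLIGHT, size)} packets per flight")
```

Measure the real attribute overhead from a packet capture of your own switches or controllers before choosing a value; the 60 bytes used here is only a placeholder.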
