[RADIATOR] EAPTLS_MaxFragmentSize settings
Heikki Vatiainen
hvn at open.com.au
Tue Oct 11 08:18:50 CDT 2011
On 10/11/2011 02:35 PM, Alexander Hartmaier wrote:
Hello Alexander,
thanks for the information. The doc mentions 1000 as an example of a
safe value, but these numbers look like probable reasonable values.
I'll make a note of adding this to the docs.
Thanks!
> I've tried a lot of different values and looked at the radius packets
> coming from our switches (for wired dot1x):
> peap 1350, inner tls 1300
> peap 1400, inner tls 1360
> peap 1412, inner tls 1350
>
> In the end I've used 1350/1300 because increasing it any further towards
> the limit didn't lower the number of packets so I preferred to have a
> little bit of safety margin left.
>
> The EAP packet that is encapsulated inside one of the radius key/value
> pairs + all other radius attributes doesn't exceed one ethernet frame
> because EAP doesn't support fragmentation.
> Depending on the number of other radius attributes your switches or wlan
> controllers send to the radius servers you can increase the EAP payload.
> Decreasing the number of packets reduces the authentication time and
> lowers the load on both the radius client (switch, wlan controller) and
> radius server.
>
> @Open guys: can you please add something like my description to the docs?
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
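
The single-frame budget described in the quoted message, as an added example (not code from the post or from Radiator): it computes the IP packet size of a RADIUS message carrying one EAP-TLS fragment and the largest fragment that still fits. Assumptions: IPv4 without options, a 1500-byte MTU, a 10-byte EAP-TLS header, and that the fragment size setting counts TLS data only; the attribute lengths are constructed sample values.

```python
MTU = 1500            # Ethernet payload available to the IP packet (assumption)
IP_UDP = 20 + 8       # IPv4 header without options + UDP header (assumption)
RADIUS_HEADER = 20    # code, identifier, length, 16-byte authenticator
ATTR_HEADER = 2       # type and length octets of every RADIUS attribute
ATTR_MAX_VALUE = 253  # largest value one RADIUS attribute can carry
MESSAGE_AUTHENTICATOR = ATTR_HEADER + 16  # sent alongside EAP-Message
EAP_TLS_HEADER = 10   # code, id, length(2), type, flags, TLS length(4) (assumption)


def radius_ip_size(tls_fragment, other_attr_value_lens):
    """IP packet size of a RADIUS message carrying one EAP-TLS fragment."""
    if any(n < 0 or n > ATTR_MAX_VALUE for n in other_attr_value_lens):
        raise ValueError("RADIUS attribute values are 0..253 octets")
    eap_len = EAP_TLS_HEADER + tls_fragment
    # The EAP packet is split over consecutive EAP-Message attributes of at
    # most 253 octets each; every one of them costs a 2-octet header.
    eap_attrs = (eap_len + ATTR_MAX_VALUE - 1) // ATTR_MAX_VALUE
    eap_bytes = eap_len + eap_attrs * ATTR_HEADER
    other_bytes = sum(ATTR_HEADER + n for n in other_attr_value_lens)
    return (IP_UDP + RADIUS_HEADER + eap_bytes
            + MESSAGE_AUTHENTICATOR + other_bytes)


def max_tls_fragment(other_attr_value_lens, mtu=MTU):
    """Largest TLS fragment that keeps the whole packet within one frame."""
    for fragment in range(mtu, 0, -1):
        if radius_ip_size(fragment, other_attr_value_lens) <= mtu:
            return fragment
    return 0  # the other attributes alone already exceed the MTU


if __name__ == "__main__":
    # Constructed sample: a 16-octet State value is the only other attribute.
    others = [16]
    size = radius_ip_size(1350, others)
    print("fragment 1350 -> IP packet of", size, "bytes, margin", MTU - size)
    print("largest fragment that fits:", max_tls_fragment(others))
```

Each additional attribute reduces the result by its value length plus two octets, which is why the usable fragment size depends on what else the devices put in the packet.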