[RADIATOR] Radiator Version 4.13 released

Heikki Vatiainen hvn at open.com.au
Mon May 5 08:02:27 CDT 2014


On 05/05/2014 03:01 PM, Hartmaier Alexander wrote:

>> The correct number in your case is something between 1250 and 1300 when
>> you have outer fragment size 1350? That is, when you have 1350 as outer
>> fragment size, 1250 works but 1300 does not.
> So what you're saying is that 1350 for the outer results in an inner
> calculated one of 1310 bytes which is too large?

Yes, the inner EAP-TLS creates fragments of size 1310 and based on your
message, I understand when these are given to outer PEAP for TLS
tunneling and transport, the result is too large: it does not fit in 1350.

> Which fragment size should be configured, the outer or the inner one?
> If the inner is calculated from the outer I shouldn't configure the
> inner one but simply reduce the outer one until it works?

It should have worked so that the inner fragmentation matches the outer.
However, since it does not, you should configure the outer handler
MaxFragmentSize to as large a value as possible, for example 1350, and then
configure the MaxFragmentSize for the inner AuthBy to as large a value as
possible. It seems 1250 works for you.

> The value is the number of bytes the EAP messages are split into and
> transmitted via the EAP-Message radius attribute, correct?

Yes, with the addition that if you have, for example, an EAP message that
is 1300 bytes long, it needs to be broken into EAP-Message attributes
which have a payload size of 253 bytes.

> So the number is dependent on how many bytes all other radius attributes
> consume from the MTU which should be 1500 for both wired and wireless in
> our case?

Yes. Also the inner AuthBy's MaxFragmentSize must track the outer
fragment size so that the chunks that inner AuthBy produces do not grow
too large after TLS processing. This is not a problem with EAP-MSCHAP-V2
but when EAP-TLS is the inner protocol, then the inner AuthBy requires
MaxFragmentSize.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
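The EAP-Message framing Heikki describes, as an added illustration that is not part of the thread or of Radiator's own code: a 1300-byte EAP packet is split into RADIUS EAP-Message attributes (type 79) with at most 253 bytes of payload each, and the resulting RADIUS packet length can be checked against the 1500-byte MTU. The 20-byte RADIUS header and the way "other attribute bytes" are passed in are assumptions for the example, not values from the mail.

```python
# Added example, not from the Radiator mailing list or the Radiator source.
import math
import struct

EAP_MESSAGE_TYPE = 79        # RADIUS attribute type for EAP-Message
ATTR_MAX_PAYLOAD = 253       # 255-byte attribute limit minus 2-byte type/length header
RADIUS_HEADER_LEN = 20       # code, identifier, length, authenticator (assumed here)


def split_into_eap_message_attrs(eap_packet: bytes) -> list:
    """Encode one EAP packet as a list of EAP-Message attribute TLVs.

    Each attribute is: type (1 byte), length (1 byte, includes header),
    payload (<= 253 bytes). Order must be preserved for reassembly.
    """
    attrs = []
    for off in range(0, len(eap_packet), ATTR_MAX_PAYLOAD):
        chunk = eap_packet[off:off + ATTR_MAX_PAYLOAD]
        attrs.append(struct.pack("!BB", EAP_MESSAGE_TYPE, len(chunk) + 2) + chunk)
    return attrs


def reassemble_eap_message(attrs: list) -> bytes:
    """Concatenate EAP-Message payloads, validating each TLV's header."""
    out = bytearray()
    for attr in attrs:
        attr_type, attr_len = attr[0], attr[1]
        if attr_type != EAP_MESSAGE_TYPE or attr_len != len(attr) or attr_len < 3:
            raise ValueError("malformed EAP-Message attribute")
        out += attr[2:]
    return bytes(out)


def radius_packet_len(eap_fragment_len: int, other_attr_bytes: int) -> int:
    """Total RADIUS packet size for one EAP fragment plus the other attributes.

    other_attr_bytes is the combined on-wire size of everything else in the
    packet (State, Message-Authenticator, NAS attributes, ...). This is what
    the thread means by "how many bytes all other radius attributes consume".
    """
    n_attrs = math.ceil(eap_fragment_len / ATTR_MAX_PAYLOAD)
    return RADIUS_HEADER_LEN + n_attrs * 2 + eap_fragment_len + other_attr_bytes


def fits_mtu(eap_fragment_len: int, other_attr_bytes: int, mtu: int = 1500) -> bool:
    """True when the RADIUS packet carrying this fragment stays within the MTU."""
    return radius_packet_len(eap_fragment_len, other_attr_bytes) <= mtu
```

For the thread's numbers, a 1350-byte outer fragment leaves room for other attributes only while 20 + 12 + 1350 + other stays at or below 1500.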
