[RADIATOR] Radiator Version 4.13 released
Hartmaier Alexander
alexander.hartmaier at t-systems.at
Mon May 5 08:18:09 CDT 2014
On 2014-05-05 15:02, Heikki Vatiainen wrote:
> On 05/05/2014 03:01 PM, Hartmaier Alexander wrote:
>
>>> The correct number in your case is something between 1250 and 1300 when
>>> you have outer fragment size 1350? That is, when you have 1350 as outer
>>> fragment size, 1250 works but 1300 does not.
>> So what you're saying is that 1350 for the outer results in an inner
>> calculated one of 1310 bytes which is too large?
> Yes, the inner EAP-TLS creates fragments of size 1310 and based on your
> message, I understand when these are given to outer PEAP for TLS
> tunneling and transport, the result is too large: it does not fit in 1350.
Can you add a critical logging for that case so the problem can quickly
be found? With a calculated suggested value maybe?
>
>> Which fragment size should be configured, the outer or the inner one?
>> If the inner is calculated from the outer I shouldn't configure the
>> inner one but simply reduce the outer one until it works?
> It should have worked so that the inner fragmentation matches the outer.
> However, since it does not, you should configure the outer handler
> MaxFragmentSize to as large a value as possible, for example 1350, and then
> configure the MaxFragmentSize for the inner AuthBy to as large a value as
> possible. It seems 1250 works for you.
>
>> The value is the number of bytes the EAP messages are split into and
>> transmitted via the EAP-Message radius attribute, correct?
> Yes, with the addition, that if you have for example an EAP message that
> is 1300 bytes long, it needs to be broken into EAP-Message attributes
> which have payload size of 253 bytes.
Where does the 253 come from?
>
>> So the number is dependent on how many bytes all other radius attributes
>> consume from the MTU which should be 1500 for both wired and wireless in
>> our case?
> Yes. Also the inner AuthBy's MaxFragmentSize must track the outer
> fragment size so that the chunks that inner AuthBy produces do not grow
> too large after TLS processing. This is not a problem with EAP-MSCHAP-V2
> but when EAP-TLS is the inner protocol, then the inner AuthBy requires
> MaxFragmentSize.
So the new feature in 4.13 only helps for PEAP-MSCHAPv2, not for PEAP-TLS?
>
> Thanks,
> Heikki
>
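The fragment-size arithmetic discussed in this message, as an added example that is not part of the original e-mail and not Radiator's own code. The 253-byte payload follows from the one-byte length field of a RADIUS attribute (RFC 2865); the 67-byte tunnel overhead is an assumed value, chosen only to be consistent with the sizes reported in the thread, and all function names are hypothetical.

```python
# A RADIUS attribute is 1 byte type + 1 byte length + value. The length byte
# covers the whole attribute (max 255), so one EAP-Message attribute carries
# at most 255 - 2 = 253 bytes of EAP data.
RADIUS_ATTR_MAX = 255
RADIUS_ATTR_HDR = 2
EAP_MESSAGE_PAYLOAD = RADIUS_ATTR_MAX - RADIUS_ATTR_HDR

# ASSUMPTION (not from the thread): bytes added when one inner EAP-TLS
# fragment is wrapped in the outer PEAP tunnel, e.g. outer EAP/PEAP header
# (10) + TLS record header (5) + explicit IV (16) + HMAC-SHA1 (20) +
# worst-case CBC padding (16). The real figure depends on the cipher suite.
ASSUMED_TUNNEL_OVERHEAD = 67


def split_eap_message(eap_len):
    """Payload sizes of the EAP-Message attributes needed for one EAP packet."""
    full, rest = divmod(eap_len, EAP_MESSAGE_PAYLOAD)
    return [EAP_MESSAGE_PAYLOAD] * full + ([rest] if rest else [])


def radius_bytes(eap_len):
    """Bytes the EAP packet occupies in the RADIUS packet, attribute headers included."""
    sizes = split_eap_message(eap_len)
    return sum(sizes) + RADIUS_ATTR_HDR * len(sizes)


def check_inner(outer_max, inner_max, overhead=ASSUMED_TUNNEL_OVERHEAD):
    """Return (fits, suggested_inner_max) for an inner fragment after tunnelling."""
    return inner_max + overhead <= outer_max, outer_max - overhead


def log_line(outer_max, inner_max, overhead=ASSUMED_TUNNEL_OVERHEAD):
    """The kind of critical log message asked for above; None when the sizes fit."""
    fits, suggested = check_inner(outer_max, inner_max, overhead)
    if fits:
        return None
    return (f"CRITICAL: inner fragment {inner_max} + tunnel overhead {overhead} "
            f"= {inner_max + overhead} exceeds outer MaxFragmentSize {outer_max}; "
            f"suggested inner MaxFragmentSize <= {suggested}")


if __name__ == "__main__":
    print(split_eap_message(1300), radius_bytes(1300))
    for inner in (1310, 1300, 1250):   # sizes mentioned in the thread
        print(inner, log_line(1350, inner) or "fits")
```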