[RADIATOR] Radiator Version 4.13 released

Heikki Vatiainen hvn at open.com.au
Mon May 5 08:39:54 CDT 2014


On 05/05/2014 04:18 PM, Hartmaier Alexander wrote:

>> Yes, the inner EAP-TLS creates fragments of size 1310 and based on your
>> message, I understand when these are given to outer PEAP for TLS
>> tunneling and transport, the result is too large: it does not fit in 1350.

> Can you add a critical logging for that case so the problem can quickly
> be found? With a calculated suggested value maybe?

Good idea. I'll ask if it's possible to detect if the inner request fits in.

>> Yes, with the addition, that if you have for example an EAP message that
>> is 1300 bytes long, it needs to be broken into EAP-Message attributes
>> which have payload size of 253 bytes.
> Where does the 253 come from?

It's just the RADIUS attribute format: one byte for type, one for length
and 253 for the payload size since the length field is only one octet long.

>> Yes. Also the inner AuthBy's MaxFragmentSize must track the outer
>> fragment size so that the chunks that inner AuthBy produces do not grow
>> too large after TLS processing. This is not a problem with EAP-MSCHAP-V2
>> but when EAP-TLS is the inner protocol, then the inner AuthBy requires
>> MaxFragmentSize.
> So the new feature in 4.13 only helps for PEAP-MSCHAPv2, not for PEAP-TLS?

PEAP/EAP-MSCHAP-V2 should not run into fragmentation issues because the
EAP-MSCHAP-V2 messages are short. It was meant for PEAP/EAP-TLS since
EAP-TLS can create long requests.

Any configuration that worked before 4.13 should work with 4.13 too. The
idea was to make sure any new configurations would not need to worry
about fragmentation issues when EAP-TLS was the tunnelled protocol.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

