[RADIATOR] Radiator Version 4.13 released
Hartmaier Alexander
alexander.hartmaier at t-systems.at
Mon May 5 09:07:37 CDT 2014
On 2014-05-05 15:39, Heikki Vatiainen wrote:
> On 05/05/2014 04:18 PM, Hartmaier Alexander wrote:
>
>>> Yes, the inner EAP-TLS creates fragments of size 1310 and based on your
>>> message, I understand when these are given to outer PEAP for TLS
>>> tunneling and transport, the result is too large: it does not fit in 1350.
>> Can you add critical logging for that case so the problem can quickly
>> be found? With a calculated suggested value maybe?
> Good idea. I'll ask if it's possible to detect if the inner request fits in.
Thanks!
>
>>> Yes, with the addition, that if you have for example an EAP message that
>>> is 1300 bytes long, it needs to be broken into EAP-Message attributes
>>> which have payload size of 253 bytes.
>> Where does the 253 come from?
> It's just the RADIUS attribute format: one byte for type, one for length
> and 253 for the payload size since the length field is only one octet long.
So one RADIUS attribute can't get longer than 253 bytes so the EAP
message is split into multiple EAP-Message attributes across multiple
RADIUS request packets as well as multiple times in a single packet?
>
>>> Yes. Also the inner AuthBy's MaxFragmentSize must track the outer
>>> fragment size so that the chunks that inner AuthBy produces do not grow
>>> too large after TLS processing. This is not a problem with EAP-MSCHAP-V2
>>> but when EAP-TLS is the inner protocol, then the inner AuthBy requires
>>> MaxFragmentSize.
>> So the new feature in 4.13 only helps for PEAP-MSCHAPv2, not for PEAP-TLS?
> PEAP/EAP-MSCHAP-V2 should not run into fragmentation issues since the
> EAP-MSCHAP-V2 messages are short. It was meant for PEAP/EAP-TLS since
> EAP-TLS can create long requests.
>
> Any configuration that worked before 4.13 should work with 4.13 too. The
> idea was to make sure any new configurations would not need to worry
> about fragmentation issues when EAP-TLS was the tunnelled protocol.
Yes, the manually configured values continued to work; our wireless
PEAP-TLS config is a new one, the old one used 1024/800.
I just hoped that I could simplify the config and it would still work.
Should I try removing MaxFragmentSize from both the PEAP and the TLS
handler?
>
> Thanks,
> Heikki
>
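The 253-byte attribute payload limit discussed in this thread, as an added example that is not part of the original message or of Radiator's code: it splits one EAP message into RADIUS EAP-Message attributes (type 79) and reassembles them from an attribute block. The `inner_fits` helper and its `tunnel_overhead` parameter are hypothetical, and the overhead value of 60 is an assumed figure, since the real overhead depends on the negotiated TLS cipher suite.

```python
"""Added example: RADIUS EAP-Message (attribute type 79) splitting and reassembly."""

EAP_MESSAGE = 79          # RADIUS attribute type for EAP-Message (RFC 3579)
MAX_ATTR_PAYLOAD = 253    # 255 (largest value of the one-octet length) - 2 header octets


def split_eap_message(eap: bytes) -> list:
    """Encode one EAP packet as consecutive EAP-Message attributes."""
    attrs = []
    for off in range(0, len(eap), MAX_ATTR_PAYLOAD):
        chunk = eap[off:off + MAX_ATTR_PAYLOAD]
        # type (1 octet) + length (1 octet, counts the 2 header octets) + payload
        attrs.append(bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk)
    return attrs


def reassemble_eap_message(attr_block: bytes) -> bytes:
    """Walk a RADIUS attribute block and concatenate EAP-Message payloads in order."""
    eap, pos = bytearray(), 0
    while pos < len(attr_block):
        if pos + 2 > len(attr_block):
            raise ValueError("truncated attribute header")
        atype, alen = attr_block[pos], attr_block[pos + 1]
        if alen < 2 or pos + alen > len(attr_block):
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:
            eap += attr_block[pos + 2:pos + alen]
        pos += alen
    return bytes(eap)


def inner_fits(inner_fragment: int, outer_max: int, tunnel_overhead: int) -> bool:
    """True if an inner fragment still fits the outer fragment size after tunnelling.
    tunnel_overhead is an assumed figure; it depends on the TLS cipher suite."""
    return inner_fragment + tunnel_overhead <= outer_max


if __name__ == "__main__":
    eap = bytes(range(256)) * 5 + bytes(20)   # constructed 1300-byte EAP message
    attrs = split_eap_message(eap)
    print([len(a) - 2 for a in attrs])        # payload sizes per attribute
    print(reassemble_eap_message(b"".join(attrs)) == eap)
    print(inner_fits(1310, 1350, 60))         # 60 is an assumed overhead
```
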