[RADIATOR] Change Default Size for Capabilities Field
Heikki Vatiainen
hvn at open.com.au
Wed Sep 24 13:10:04 CDT 2014
On 09/24/2014 08:13 AM, James Austin wrote:
> The "Framed-MTU=2000" attribute in the Access Request appears to be the problem.
Fragment size of 2000 does look a bit large. It's larger than the Ethernet
MTU, so it would cause fragmentation on the IP layer.
However, even if the NAS says the MTU between itself and the mobile
station is 2000, Radiator will use MTU of 1400. The recommended MTU in
AuthBy WIMAX is 1400 and it will be used if the Framed-MTU exceeds the
recommended value. The idea here is that IP layer fragmentation should
be avoided.
Taking another look at the debug you sent earlier, I see 'Framed-MTU =
1400' is sent back to the WiMAX NAS in the final Access-Accept.
You could try adding this in the Handler that contains AuthBy WIMAX:

    StripFromReply Framed-MTU
The Access-Accept should then have no Framed-MTU.
In other words, the value of Framed-MTU = 2000 should not be a problem
for Radiator. EAP-TTLS can also split large EAP payloads, such as
certificate chains, into multiple messages but it likely fragments using
2000 as the limit. These will then be fragmented on the IP layer. The
IP destination's operating system will then collect the IP layer
fragments seen by Wireshark. IP layer fragmentation is usually avoided
since, for example, some WLAN access points have had problems dealing
with IP fragments.
What might be happening is that the WiMAX NAS does not like Radiator
returning a different MTU than the one it sends. This may be the case if you see
something related to MTUs in the log.
Please let us know if this helps.
Thanks,
Heikki
> Tue Sep 23 20:55:50 2014: DEBUG: Packet dump:
> *** Received from 10.57.192.207 port 1812 ....
> Code: Access-Request
> Identifier: 200
> Authentic: F<30><249><9><28><162><147><173><26><182><128>9Q0<201>S
> Attributes:
> User-Name = "{am=1}7B2C2BDECCF523456442A0A828065D33 at wimax.com"
> EAP-Message = <2><1><0>5<1>{am=1}7B2C2BDECCF523456442A0A828065D33 at wimax.com
> Message-Authenticator = x<145><13><143><182><21><168>j^<253><232><127>`<17><18><184>
> NAS-IP-Address = 10.57.192.207
> Calling-Station-Id = "F8-35-DD-64-45-CB"
> WiMAX-BS-ID = <0><0>e<1><1><1>
> NAS-Port-Type = Wireless-IEEE-802.16
> Framed-MTU = 2000
> Service-Type = Framed-User
> WiMAX-GMT-Timezone-Offset = 0
> WiMAX-Capability = <1><5>1.0<2><3><1><3><3><1><7><6><0><0><2><138>
>
>
> Wireshark shows it is being fragmented. Doesn't EAP-TTLS support fragmentation?
>
> Don't know how to adjust it?
>
>
> James Austin
> Manager Technology & Projects
> Crystal Communications Ltd.
> 281-300-8294 Mobile
> 281-361-5199 Office
> ________________________________________
> From: Heikki Vatiainen [hvn at open.com.au]
> Sent: Tuesday, September 23, 2014 8:17 AM
> To: James Austin; radiator at open.com.au
> Subject: Re: [RADIATOR] Change Default Size for Capabilities Field
>
> On 23.9.2014 14.32, James Austin wrote:
>
>> That seemed to work. However I am still unable to get the WiMax device to authenticate.
>>
>> Can you take a look at the attached debug file and provide your thoughts?
>
> The log shows that Radiator is sending Access-Accept with attributes
> that look reasonable.
>
> I recommend taking a look at the WiMAX client logs and the logs of the
> device that is sending the RADIUS requests. The client side logs should
> tell if the device thinks there is something odd in the Access-Accept or
> if there's something else that prevents it from accessing the network.
>
> Thanks,
> Heikki
>
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
>
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
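The MTU handling discussed in this thread, as an added example that is not Radiator's own code: it parses the RADIUS attribute TLVs of a constructed Access-Request, reads Framed-MTU, applies the rule the thread describes (the NAS value is honoured only up to the recommended 1400, larger values are capped), estimates whether an EAP fragment of that size would push the UDP datagram past the Ethernet MTU, and shows the effect of StripFromReply on the Access-Accept. The datagram size estimate (20-byte RADIUS header, 253-byte EAP-Message chunks, a Message-Authenticator, 28 bytes of IPv4/UDP headers) and the attribute type numbers (RFC 2865 values) are assumptions of this example, not something the thread states.

```python
import math
import struct

# RADIUS attribute type codes (RFC 2865 / RFC 2869); assumed for this example.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_MTU = 12
ATTR_EAP_MESSAGE = 79

RECOMMENDED_EAP_MTU = 1400   # cap the thread says AuthBy WIMAX applies
ETHERNET_MTU = 1500          # link MTU used for the fragmentation estimate
RADIUS_HEADER = 20           # code, id, length, authenticator
IPV4_UDP_HEADERS = 28        # 20-byte IPv4 header + 8-byte UDP header
MSG_AUTH_LEN = 18            # Message-Authenticator attribute (2 + 16)
MAX_ATTR_VALUE = 253         # RADIUS attribute value limit (length is one byte)


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute: 1 byte type, 1 byte total length, value."""
    if isinstance(value, int):
        value = struct.pack(">I", value)       # integer attributes are 32-bit big-endian
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data):
    """Walk the attribute TLVs, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def framed_mtu(attrs):
    """Return the Framed-MTU integer from a parsed attribute list, or None."""
    for attr_type, value in attrs:
        if attr_type == ATTR_FRAMED_MTU:
            if len(value) != 4:
                raise ValueError("Framed-MTU must be a 4-byte integer")
            return struct.unpack(">I", value)[0]
    return None


def effective_eap_mtu(requested):
    """The rule described in the thread: use the NAS value unless it exceeds 1400."""
    if requested is None:
        return RECOMMENDED_EAP_MTU
    return min(requested, RECOMMENDED_EAP_MTU)


def would_fragment_on_ip(eap_fragment_len, link_mtu=ETHERNET_MTU):
    """Rough estimate (assumption of this example) of whether a RADIUS datagram
    carrying one EAP fragment of this size exceeds the link MTU."""
    chunks = math.ceil(eap_fragment_len / MAX_ATTR_VALUE)   # EAP-Message attributes
    datagram = (IPV4_UDP_HEADERS + RADIUS_HEADER + eap_fragment_len
                + 2 * chunks + MSG_AUTH_LEN)
    return datagram > link_mtu


def strip_from_reply(reply_attrs, types_to_strip):
    """Equivalent of StripFromReply: drop the named attributes from the reply."""
    return [(t, v) for t, v in reply_attrs if t not in types_to_strip]


def build_sample_request():
    """Constructed Access-Request attribute bytes modelled on the thread's packet dump."""
    return b"".join([
        encode_attr(ATTR_USER_NAME, b"{am=1}EXAMPLE@wimax.com"),   # constructed identity
        encode_attr(ATTR_EAP_MESSAGE, b"\x02\x01\x00\x05\x01"),   # EAP Response/Identity stub
        encode_attr(ATTR_NAS_IP_ADDRESS, bytes([10, 57, 192, 207])),
        encode_attr(ATTR_FRAMED_MTU, 2000),
    ])


if __name__ == "__main__":
    attrs = parse_attrs(build_sample_request())
    nas_mtu = framed_mtu(attrs)
    print("NAS Framed-MTU:", nas_mtu, "-> EAP MTU used:", effective_eap_mtu(nas_mtu))
    print("2000-byte fragment exceeds Ethernet MTU:", would_fragment_on_ip(2000))
    reply = [(ATTR_FRAMED_MTU, struct.pack(">I", 1400))]
    print("Access-Accept after StripFromReply:", strip_from_reply(reply, {ATTR_FRAMED_MTU}))
```

Running it shows the 2000 from the NAS being replaced by 1400, the estimate flagging a 2000-byte fragment as exceeding the Ethernet MTU while 1400 fits, and an Access-Accept that carries no Framed-MTU once it is stripped.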