[RADIATOR] EAP-TLS not getting client cert

Christian Kratzer ck-lists at cksoft.de
Tue Feb 2 00:44:15 CST 2016


On Mon, 1 Feb 2016, Hartmaier Alexander wrote:
> Hi,
> I'd say the client doesn't trust the radiator certificate and stops the
> EAP conversation.

the same client worked when on site.  It failed when offsite and the requests were coming over the vpn.

It turned out to be a firewall with huge mtu on the inside interface that was sending jumbograms that got dropped on the radius.


> Best regards, Alex
> On 2016-01-18 12:30, Christian Kratzer wrote:
>> Hi Sami,
>> On Mon, 18 Jan 2016, Sami Keski-Kasari wrote:
>>> Hello Christian,
>>> Usually this kind of behaviour is due to MTU problems.
>>> There can be differences between different vendors for example how they
>>> do tunnelling and how it affects to MTUs etc.
>>> Please try to adjust maximum TLS fragment size to see if it helps.
>>> Please see more at page 92
>>> 5.21.39 EAPTLS_MaxFragmentSize
>>> in ref.pdf.
>> yes we already have that set to 500.
>> Just for understanding EAPTLS_MaxFragmentSize would only affect what radiator sends.  There is no way to limit the size of the fragements coming from the ap.
>> The trace4 logs stop exactly at the point radiator has completed sending of it's certificate to the client.
>> I would assume that I would at least see the first of the packets with the client certificates.  If not this could perhaps also be an issue with the network dropping incoming udp fragments and the os never being able to reassemble incomplete packets.  I will have the customer check into that as well.
>> Greetings
>> Christian

Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/

More information about the radiator mailing list