[RADIATOR] EAP-TLS not getting client cert

Sami Keski-Kasari samikk at open.com.au
Mon Jan 18 05:07:08 CST 2016


Hello Christian,

Usually this kind of behaviour is due to MTU problems.
There can be differences between different vendors, for example how they
do tunnelling and how it affects MTUs etc.

Please try to adjust maximum TLS fragment size to see if it helps.

Please see more on page 92
5.21.39 EAPTLS_MaxFragmentSize
in ref.pdf.

Best Regards,
 Sami

On 01/18/2016 12:44 PM, Christian Kratzer wrote:
> Hi,
> 
> a customer of mine has a WLAN EAP-TLS setup where there is an issue that some
> clients don't complete the EAP handshake.
> 
> When comparing the traces the issue with the failing clients seems to be
> that after receiving the certificate from the radius server the clients
> never send their client certificate.
> 
> The failing clients are all coming from another site which uses Cisco
> instead of HP access points.
> 
> They claim they can connect fine at the site with HP access points.
> 
> I'm arguing that the access points are irrelevant here and the clients
> not sending their certificate is most probably because of certificate
> issues on the client.
> 
> Would you all agree with this?
> 
> I cannot think of any other reason but client misconfiguration when TLS
> authentication would stop after sending of the server certificate.
> 
> Greetings
> Christian
> 


-- 
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
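
Added example, not part of the original thread and not Radiator code: a sketch of why the TLS fragment size interacts with the path MTU, estimating the size of one Access-Challenge that carries a full fragment of the server certificate. It assumes the fragment size counts TLS data octets per EAP fragment, that the TLS Message Length field is present, and IPv4 without options; the MTU values and `other_attrs` are constructed.

```python
import math

# Fixed header sizes in octets, from the RFCs named beside each.
EAP_HDR = 4        # Code, Identifier, Length (RFC 3748)
EAP_TLS_HDR = 2    # Type, Flags (RFC 5216)
TLS_LEN = 4        # TLS Message Length, sent when the L flag is set
RADIUS_HDR = 20    # Code, Identifier, Length, Authenticator (RFC 2865)
ATTR_HDR = 2       # Type, Length of every RADIUS attribute
ATTR_VALUE_MAX = 253
MSG_AUTH = 18      # Message-Authenticator, required with EAP-Message (RFC 3579)
UDP_IPV4 = 8 + 20  # UDP header + IPv4 header without options


def challenge_sizes(fragment_size, other_attrs=0):
    """Sizes of one Access-Challenge carrying a full TLS fragment.

    other_attrs: octets of any further attributes (State, Proxy-State, ...).
    """
    eap = EAP_HDR + EAP_TLS_HDR + TLS_LEN + fragment_size
    # An EAP packet over 253 octets is split across several EAP-Message attributes.
    n_attrs = math.ceil(eap / ATTR_VALUE_MAX)
    radius = RADIUS_HDR + eap + n_attrs * ATTR_HDR + MSG_AUTH + other_attrs
    return {"eap": eap, "radius": radius, "ip": radius + UDP_IPV4}


def fits(fragment_size, path_mtu, other_attrs=0):
    """True if the resulting IP packet needs no fragmentation on this path."""
    return challenge_sizes(fragment_size, other_attrs)["ip"] <= path_mtu


def largest_fragment(path_mtu, other_attrs=0):
    """Largest fragment size whose Access-Challenge fits in path_mtu."""
    for size in range(path_mtu, 0, -1):
        if fits(size, path_mtu, other_attrs):
            return size
    return None


def round_trips(tls_bytes, fragment_size):
    """Access-Challenge packets needed to deliver a TLS flight of tls_bytes."""
    return math.ceil(tls_bytes / fragment_size)


if __name__ == "__main__":
    # Constructed values: 1500 = plain Ethernet, 1400 = a tunnelled path.
    for mtu in (1500, 1400):
        print(mtu, largest_fragment(mtu), largest_fragment(mtu, other_attrs=18))
    print(challenge_sizes(2048), round_trips(3500, 1000))
```

A fragment size whose IP packet exceeds the path MTU depends on IP fragments surviving every tunnel and filter between the RADIUS server and the access point; a smaller value avoids that at the cost of more round trips.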

