[RADIATOR] random EAP authentication errors since 4.17

Hartmaier Alexander alexander.hartmaier at t-systems.at
Tue Jan 24 12:58:39 UTC 2017

On 2017-01-24 12:57, Heikki Vatiainen wrote:
> On 24.1.2017 13.39, Hartmaier Alexander wrote:
>> Could you move the storage of reply attributes into the resume context
>> to a point after PostAuthHook is called so this isn't required?
> I think we'll need to think about an interface for this. This
> discussion has been useful to understanding the custom use cases, so
> rather than moving it, I'd say it's better to provide a documented call
> or similar to do this.
That would be great! Can you name a timeframe how soon you would have a
patch for us to decide if we implement the current solution or wait for
the documented one?
>>> The latter is EAP-TTLS and the problem is PEAP/EAP-TLS?
>> We don't use EAP-TTLS, only PEAP-TLS and EAP-TLS. EAP-TLS works, also
>> resumption, PEAP-TLS doesn't.
> Ah, sorry, I read EAP-TLS twice.
>> What kind of logs do you need? I could mail you the packet capture as a
>> starting point, but we haven't had debugging enabled at that time, just
>> log level 3 where no sign of the mentioned request with id 57 can be
>> seen.
> A trace 4 log would be best. If you create one, just send it to me
> directly since the list does not allow large attachments.
We have had no duplicate error for about four hours, but I'll enable debug
logging to file so we have it next time it occurs.
>>> That's a possibility since the adjustment is 40 which seems to be too
>>> little since you need 50. We probably need to update this value.
>> I see, please document this value in ref.pdf.
>> Which formula can be used to calculate this value?
> It's not calculated but an estimate that was based on watching how it
> worked with different certificate chains. It's a good idea to get this
> documented.
Note that the difference between PEAP max fragment size (1300) and inner
EAP-TLS max fragment size (1200) is 100, not 50.
Would you suggest to decrease the inner value even more or keep the
difference of 100 and decrease both?
What happens when Radiator builds a reply packet with 1300 bytes
EAP-Message and some other RADIUS reply attributes and the UDP packet
gets larger than the server interface MTU (1500 in our case)? Is it
possible that it gets silently dropped?

> Thanks,
> Heikki
Is anyone else on the list using PEAP-TLS anywhere and can share her/his

Thanks, Alex

T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
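
For reference on the size question raised in this message, an added example (not part of the original post and not Radiator code) that builds a RADIUS Access-Challenge carrying a 1300-byte EAP-Message and measures the resulting IPv4 datagram against a 1500-byte MTU. Assumptions: IPv4 without options, zero-filled placeholder authenticators, a constructed packet identifier, and constructed State and Class attribute sizes.

```python
import struct

RADIUS_HEADER = 20       # code, identifier, length, 16-byte authenticator
UDP_HEADER = 8
IPV4_HEADER = 20         # assumption: no IP options
MAX_ATTR_VALUE = 253     # 255-byte attribute limit minus type and length bytes
ACCESS_CHALLENGE = 11
STATE, CLASS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 24, 25, 79, 80

def encode_attr(attr_type, value):
    """Encode one attribute; only EAP-Message may span several attributes."""
    if attr_type != EAP_MESSAGE and len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value longer than 253 bytes")
    out = b""
    for i in range(0, len(value), MAX_ATTR_VALUE):
        chunk = value[i:i + MAX_ATTR_VALUE]
        out += struct.pack("!BB", attr_type, len(chunk) + 2) + chunk
    return out

def build_reply(eap_len, extra_attrs=()):
    """Build an Access-Challenge with eap_len bytes of EAP payload."""
    attrs = encode_attr(EAP_MESSAGE, bytes(eap_len))
    # Message-Authenticator accompanies EAP-Message (RFC 3579); placeholder value.
    attrs += encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    for attr_type, value in extra_attrs:
        attrs += encode_attr(attr_type, value)
    length = RADIUS_HEADER + len(attrs)
    # Identifier 1 and the zero authenticator are constructed placeholders.
    header = struct.pack("!BBH16s", ACCESS_CHALLENGE, 1, length, bytes(16))
    return header + attrs

def ip_datagram_size(packet):
    """Size of the unfragmented IPv4 datagram carrying this RADIUS packet."""
    return len(packet) + UDP_HEADER + IPV4_HEADER

def headroom(eap_len, mtu=1500, extra_attrs=()):
    """Bytes left below the MTU; negative means the datagram exceeds it."""
    return mtu - ip_datagram_size(build_reply(eap_len, extra_attrs))

if __name__ == "__main__":
    # Constructed sample reply attributes: 32-byte State, 100-byte Class.
    sample = [(STATE, bytes(32)), (CLASS, bytes(100))]
    print("RADIUS packet, EAP only:", len(build_reply(1300)))
    print("headroom, EAP only:", headroom(1300))
    print("headroom with sample attributes:", headroom(1300, extra_attrs=sample))
```

With a 1300-byte EAP-Message, the six EAP-Message attributes and the Message-Authenticator already bring the datagram to 1378 bytes, so about 122 bytes of other reply attributes fit before the 1500-byte MTU is exceeded.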