Hi,
We're piloting RadSec as a federation server uplink. They use Radiator. When we first attempted to connect we'd get a "Received packet will be too large!" carp from main/tls.c. They checked on their end and say they have no fragment size option for RadSec TLS connections, only for EAP-TLS connections.

The above doesn't make much sense to me... there are size limits in RADIUS, but not regarding the TLS stream around them. The limits in question are:
- EAP-Message total length must be <= MTU between NAS and device (EAP cannot be fragmented on layer 2)
- RADIUS datagram total length 4096 bytes (arbitrary RFC limit)

The RADIUS/TLS wrapper around those datagrams is not size-limited at all - it carries streams of "n" RADIUS datagrams. The TCP stack will take care of sending the data in chunks like with any other TCP-based protocol.

My guess is that main/tls.c "thinks" it operates within an EAP context and tries to warn of too-big data chunks, while there is actually nothing to warn about.
Greetings,
Stefan Winter
So we applied the below as a test and it works, but I was wondering as to the wisdom of it...
interesting....a RADSEC packet can be much bigger than that too - 2048 gives some room for a big certificate - but not if it's double-chained with intermediate and it's got a nice security size instead of being a little 512-bit RSA one. typically EAP-TLS can be fragmented on the server due to it going through to the end-clients ..and being UDP things get a little nasty...whereas with RADSEC there's no reason why a single TCP request couldn't be quite large and needing to be fragmented by the routers....
alan
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
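The distinction drawn in the thread, a length-limited RADIUS datagram riding inside a TLS/TCP stream that itself has no size limit, as an added C example (not FreeRADIUS or Radiator code, and not from any poster): the reassembler below reads whatever chunk sizes the stream layer hands it, cuts datagrams on the RADIUS Length field, and enforces the 4096-byte limit per datagram rather than per chunk. It assumes the standard 20-byte RADIUS header with Length in bytes 2-3; the sample stream and 7-byte chunking are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RADIUS_HDR_LEN 20     /* Code, Identifier, Length(2), Authenticator(16) */
#define RADIUS_MAX_LEN 4096   /* limit applies to one datagram, not to the stream */

/* Reassembly state for one RADIUS/TLS (or RADIUS/TCP) connection. */
typedef struct {
    uint8_t buf[RADIUS_MAX_LEN];
    size_t  used;      /* bytes of the current datagram buffered so far */
    int     packets;   /* complete datagrams delivered */
    int     error;     /* set once a bogus Length field has been seen */
} radius_stream_t;

/* Feed one chunk of stream bytes. Returns the number of complete datagrams
 * finished by this chunk, or -1 if a Length field is outside [20, 4096]. */
int radius_stream_feed(radius_stream_t *s, const uint8_t *data, size_t len)
{
    int got = 0;
    while (len > 0) {
        if (s->error) return -1;
        /* Need the header first; after that, exactly Length bytes in total. */
        size_t need = (s->used < RADIUS_HDR_LEN) ? RADIUS_HDR_LEN
                      : (size_t)((s->buf[2] << 8) | s->buf[3]);
        size_t take = need - s->used; if (take > len) take = len;
        memcpy(s->buf + s->used, data, take);
        s->used += take; data += take; len -= take;
        if (s->used < RADIUS_HDR_LEN) continue;
        size_t plen = (size_t)((s->buf[2] << 8) | s->buf[3]);
        if (plen < RADIUS_HDR_LEN || plen > RADIUS_MAX_LEN) { s->error = 1; return -1; }
        if (s->used == plen) { s->packets++; got++; s->used = 0; }
    }
    return got;
}

/* Constructed demo: a 20-byte datagram followed by a 1500-byte one, pushed
 * through the reassembler in 7-byte slices as a TLS read loop might deliver
 * them. Chunk boundaries never matter; returns the datagram count (2). */
int demo_chunked_stream(void)
{
    static uint8_t stream[20 + 1500];
    memset(stream, 0, sizeof stream);
    stream[0] = 1;  stream[2] = 0;         stream[3] = 20;          /* Length 20 */
    stream[20] = 1; stream[22] = 1500 >> 8; stream[23] = 1500 & 0xff; /* Length 1500 */
    radius_stream_t s = {0};
    for (size_t off = 0; off < sizeof stream; off += 7) {
        size_t n = sizeof stream - off; if (n > 7) n = 7;
        if (radius_stream_feed(&s, stream + off, n) < 0) return -1;
    }
    return s.packets;
}

/* A datagram claiming Length 5000 breaks the 4096-byte RADIUS limit and is
 * rejected on its header alone; returns -1. */
int demo_oversized_length(void)
{
    uint8_t hdr[RADIUS_HDR_LEN] = {0};
    hdr[0] = 1; hdr[2] = 5000 >> 8; hdr[3] = 5000 & 0xff;
    radius_stream_t s = {0};
    return radius_stream_feed(&s, hdr, sizeof hdr);
}
```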