Re: [RADIATOR] EAP-TLS not getting client cert
Hi,

I'd say the client doesn't trust the radiator certificate and stops the EAP conversation.

Best regards,
Alex

On 2016-01-18 12:30, Christian Kratzer wrote:
> Hi Sami,
>
> On Mon, 18 Jan 2016, Sami Keski-Kasari wrote:
>> Hello Christian,
>>
>> Usually this kind of behaviour is due to MTU problems.
>> There can be differences between different vendors, for example how they
>> do tunnelling and how it affects MTUs etc.
>>
>> Please try to adjust maximum TLS fragment size to see if it helps.
>>
>> Please see more at page 92
>> 5.21.39 EAPTLS_MaxFragmentSize
>> in ref.pdf.
> Yes, we already have that set to 500.
>
> Just for understanding: EAPTLS_MaxFragmentSize would only affect what radiator
> sends. There is no way to limit the size of the fragments coming from the
> ap.
>
> The trace4 logs stop exactly at the point radiator has completed sending of
> its certificate to the client.
>
> I would assume that I would at least see the first of the packets with the
> client certificates. If not, this could perhaps also be an issue with the
> network dropping incoming udp fragments and the os never being able to
> reassemble incomplete packets. I will have the customer check into that as
> well.
>
> Greetings
> Christian

T-Systems Austria GesmbH
Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] EAP-TLS not getting client cert
Hi,

On Mon, 1 Feb 2016, Hartmaier Alexander wrote:
> Hi,
> I'd say the client doesn't trust the radiator certificate and stops the
> EAP conversation.

The same client worked when on site. It failed when offsite and the requests were coming over the vpn.

It turned out to be a firewall with a huge mtu on the inside interface that was sending jumbograms that got dropped on the radius.

Greetings
Christian

>
> Best regards,
> Alex
>
> On 2016-01-18 12:30, Christian Kratzer wrote:
>> Hi Sami,
>>
>> On Mon, 18 Jan 2016, Sami Keski-Kasari wrote:
>>> Hello Christian,
>>>
>>> Usually this kind of behaviour is due to MTU problems.
>>> There can be differences between different vendors, for example how they
>>> do tunnelling and how it affects MTUs etc.
>>>
>>> Please try to adjust maximum TLS fragment size to see if it helps.
>>>
>>> Please see more at page 92
>>> 5.21.39 EAPTLS_MaxFragmentSize
>>> in ref.pdf.
>> Yes, we already have that set to 500.
>>
>> Just for understanding: EAPTLS_MaxFragmentSize would only affect what
>> radiator sends. There is no way to limit the size of the fragments coming
>> from the ap.
>>
>> The trace4 logs stop exactly at the point radiator has completed sending of
>> its certificate to the client.
>>
>> I would assume that I would at least see the first of the packets with the
>> client certificates. If not, this could perhaps also be an issue with the
>> network dropping incoming udp fragments and the os never being able to
>> reassemble incomplete packets. I will have the customer check into that as
>> well.
>>
>> Greetings
>> Christian

--
Christian Kratzer                   CK Software GmbH
Email: c...@cksoft.de               Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0         D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9           HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843            Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
[RADIATOR] EAP-TLS not getting client cert
Hi,

a customer of mine has a WLAN EAP-TLS setup where there is an issue that some clients don't complete the EAP handshake.

When comparing the traces, the issue with the failing clients seems to be that after receiving the certificate from the radius server the clients never send their client certificate.

The failing clients are all coming from another site which uses cisco instead of hp access points.

They claim they can connect fine at the site with hp access points.

I'm arguing that the access points are irrelevant here and the clients not sending their certificate is most probably because of certificate issues on the client.

Would you all agree with this?

I cannot think of any other reason but client misconfiguration when TLS authentication would stop after sending of the server certificate.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email: c...@cksoft.de               Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0         D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9           HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843            Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
Re: [RADIATOR] EAP-TLS not getting client cert
Hello Christian,

Usually this kind of behaviour is due to MTU problems. There can be differences between different vendors, for example how they do tunnelling and how it affects MTUs etc.

Please try to adjust maximum TLS fragment size to see if it helps.

Please see more at page 92
5.21.39 EAPTLS_MaxFragmentSize
in ref.pdf.

Best Regards,
Sami

On 01/18/2016 12:44 PM, Christian Kratzer wrote:
> Hi,
>
> a customer of mine has a WLAN EAP-TLS setup where there is an issue that some
> clients don't complete the EAP handshake.
>
> When comparing the traces, the issue with the failing clients seems to be
> that after receiving the certificate from the radius server the clients
> never send their client certificate.
>
> The failing clients are all coming from another site which uses cisco
> instead of hp access points.
>
> They claim they can connect fine at the site with hp access points.
>
> I'm arguing that the access points are irrelevant here and the clients
> not sending their certificate is most probably because of certificate
> issues on the client.
>
> Would you all agree with this?
>
> I cannot think of any other reason but client misconfiguration when TLS
> authentication would stop after sending of the server certificate.
>
> Greetings
> Christian
>

--
Sami Keski-Kasari

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
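Sami's suggestion to tune EAPTLS_MaxFragmentSize, and Christian's point that it only bounds what Radiator sends, both come down to datagram arithmetic: one EAP-TLS fragment is wrapped in an EAP packet, split across EAP-Message attributes of at most 253 bytes, and carried in a RADIUS Access-Challenge over UDP/IP. The script below is an added example written for this thread, not Radiator code and not from anyone on the list. It estimates the on-the-wire size of such an Access-Challenge for a given fragment size, derives the largest fragment size that avoids IP fragmentation for a given path MTU, and, for the inbound direction, counts how many IP fragments a NAS datagram of a given size becomes on a link of a given MTU (which is what a firewall dropping fragments would have to let through). The 16-byte State attribute and IPv4 without options are assumptions; header sizes follow RFC 2865, RFC 3579 and RFC 5216.

```python
"""Size an EAP-TLS fragment inside a RADIUS/UDP/IPv4 datagram.

Constructed example for the EAPTLS_MaxFragmentSize discussion; not Radiator
code. Sizes follow RFC 2865 (RADIUS header and attributes), RFC 3579
(EAP-Message, Message-Authenticator) and RFC 5216 (EAP-TLS). The State
attribute value length is an assumption.
"""
import math

IP_HEADER = 20                 # IPv4 header without options (assumption)
UDP_HEADER = 8
RADIUS_HEADER = 20             # code, identifier, length, 16-byte authenticator
EAP_HEADER = 4                 # code, identifier, length
EAPTLS_TYPE_FLAGS = 2          # EAP type 13 plus the EAP-TLS flags byte
EAPTLS_LENGTH_FIELD = 4        # TLS Message Length, present only when L flag set
EAP_MESSAGE_MAX_VALUE = 253    # largest value one EAP-Message attribute holds
ATTR_OVERHEAD = 2              # type and length octets of every RADIUS attribute
MESSAGE_AUTHENTICATOR = 18     # type, length, 16-byte HMAC-MD5
STATE_ATTR = 2 + 16            # assumption: a 16-byte State value


def eap_tls_packet_len(fragment_size, first_fragment=True):
    """Length of the EAP packet carrying `fragment_size` bytes of TLS data.

    The first fragment of a fragmented TLS message sets the L flag and adds
    the 4-byte total-length field; later fragments omit it.
    """
    n = EAP_HEADER + EAPTLS_TYPE_FLAGS + fragment_size
    if first_fragment:
        n += EAPTLS_LENGTH_FIELD
    return n


def radius_datagram_len(fragment_size, first_fragment=True):
    """Total IPv4 datagram size of an Access-Challenge carrying that EAP packet."""
    eap_len = eap_tls_packet_len(fragment_size, first_fragment)
    # The EAP packet is split across as many EAP-Message attributes as needed.
    n_attrs = math.ceil(eap_len / EAP_MESSAGE_MAX_VALUE)
    radius_len = (RADIUS_HEADER + eap_len + n_attrs * ATTR_OVERHEAD
                  + MESSAGE_AUTHENTICATOR + STATE_ATTR)
    return IP_HEADER + UDP_HEADER + radius_len


def will_fragment(fragment_size, path_mtu):
    """True if the first-fragment Access-Challenge exceeds the path MTU."""
    return radius_datagram_len(fragment_size) > path_mtu


def max_fragment_size_for_mtu(path_mtu):
    """Largest EAPTLS_MaxFragmentSize whose Access-Challenge fits in one IP datagram."""
    for size in range(path_mtu, 0, -1):
        if radius_datagram_len(size) <= path_mtu:
            return size
    return 0


def ip_fragment_count(datagram_len, link_mtu):
    """How many IPv4 fragments a datagram of `datagram_len` bytes becomes on a
    link with `link_mtu`. Applies to inbound NAS traffic too, which no Radiator
    setting can shrink: every one of these fragments must reach the server or
    the OS never reassembles the Access-Request."""
    payload = datagram_len - IP_HEADER
    # Every fragment but the last carries a multiple of 8 payload bytes.
    per_fragment = (link_mtu - IP_HEADER) // 8 * 8
    return max(1, math.ceil(payload / per_fragment))


if __name__ == "__main__":
    for frag in (500, 1000, 1394, 1395):
        size = radius_datagram_len(frag)
        print(f"EAPTLS_MaxFragmentSize {frag:5d} -> {size:5d} byte datagram, "
              f"{'fragments' if will_fragment(frag, 1500) else 'fits'} at MTU 1500")
    print("largest fragment size for MTU 1500:", max_fragment_size_for_mtu(1500))
    print("largest fragment size for MTU  576:", max_fragment_size_for_mtu(576))
    print("2000-byte inbound datagram on a 1500 MTU link ->",
          ip_fragment_count(2000, 1500), "IP fragments")
```

With the thread's setting of 500, the first-fragment Access-Challenge is about 600 bytes, well under a 1500-byte MTU, which is consistent with Christian's observation that the outbound side was never the problem; the inbound jumbograms from the far-side firewall are what `ip_fragment_count` models.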