subject:"\[RADIATOR\] EAP\-TLS not getting client cert"

Re: [RADIATOR] EAP-TLS not getting client cert

2016-02-01 Thread Hartmaier Alexander

Hi,
I'd say the client doesn't trust the radiator certificate and stops the
EAP conversation.

Best regards, Alex

On 2016-01-18 12:30, Christian Kratzer wrote:
> Hi Sami,
>
> On Mon, 18 Jan 2016, Sami Keski-Kasari wrote:
>> Hello Christian,
>>
>> Usually this kind of behaviour is due to MTU problems.
>> There can be differences between different vendors for example how they
>> do tunnelling and how it affects to MTUs etc.
>>
>> Please try to adjust maximum TLS fragment size to see if it helps.
>>
>> Please see more at page 92
>> 5.21.39 EAPTLS_MaxFragmentSize
>> in ref.pdf.
> yes we already have that set to 500.
>
> Just for understanding EAPTLS_MaxFragmentSize would only affect what radiator 
> sends.  There is no way to limit the size of the fragements coming from the 
> ap.
>
> The trace4 logs stop exactly at the point radiator has completed sending of 
> it's certificate to the client.
>
> I would assume that I would at least see the first of the packets with the 
> client certificates.  If not this could perhaps also be an issue with the 
> network dropping incoming udp fragments and the os never being able to 
> reassemble incomplete packets.  I will have the customer check into that as 
> well.
>
> Greetings
> Christian
>
>

*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be 
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] EAP-TLS not getting client cert

2016-02-01 Thread Christian Kratzer

Hi,

On Mon, 1 Feb 2016, Hartmaier Alexander wrote:
> Hi,
> I'd say the client doesn't trust the radiator certificate and stops the
> EAP conversation.

the same client worked when on site.  It failed when offsite and the requests 
were coming over the vpn.

It turned out to be a firewall with huge mtu on the inside interface that was 
sending jumbograms that got dropped on the radius.

Greetings
Christian

>
> Best regards, Alex
>
> On 2016-01-18 12:30, Christian Kratzer wrote:
>> Hi Sami,
>>
>> On Mon, 18 Jan 2016, Sami Keski-Kasari wrote:
>>> Hello Christian,
>>>
>>> Usually this kind of behaviour is due to MTU problems.
>>> There can be differences between different vendors for example how they
>>> do tunnelling and how it affects to MTUs etc.
>>>
>>> Please try to adjust maximum TLS fragment size to see if it helps.
>>>
>>> Please see more at page 92
>>> 5.21.39 EAPTLS_MaxFragmentSize
>>> in ref.pdf.
>> yes we already have that set to 500.
>>
>> Just for understanding EAPTLS_MaxFragmentSize would only affect what 
>> radiator sends.  There is no way to limit the size of the fragements coming 
>> from the ap.
>>
>> The trace4 logs stop exactly at the point radiator has completed sending of 
>> it's certificate to the client.
>>
>> I would assume that I would at least see the first of the packets with the 
>> client certificates.  If not this could perhaps also be an issue with the 
>> network dropping incoming udp fragments and the os never being able to 
>> reassemble incomplete packets.  I will have the customer check into that as 
>> well.
>>
>> Greetings
>> Christian

-- 
Christian Kratzer   CK Software GmbH
Email:   c...@cksoft.de   Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0   D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9   HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843   Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

[RADIATOR] EAP-TLS not getting client cert

2016-01-18 Thread Christian Kratzer

Hi,

a customer of mine has a WLAN EAP-TLS setup where there is an issue that some
clients don't complete the EAP handshake.

When comparing the traces the issue with the failing clients seems to be
that after receiving the certificate from the radius server the clients
never send their client certificate.

The failing clients are all coming from another site which uses cisco 
instead of hp access points.

They claim they can connect fine at the site with hp access points.

Im arguing that the access points are irrelevant here and the clients
not sending their certificate is most propably because of certificate
issues on the client.

Would you all agree with this ?

I cannot think of any other reason but client misconfiguration when TLS
authentication would stop after sending of the server certificate.

Greetings
Christian

-- 
Christian Kratzer   CK Software GmbH
Email:   c...@cksoft.de   Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0   D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9   HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843   Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] EAP-TLS not getting client cert

2016-01-18 Thread Sami Keski-Kasari

Hello Christian,

Usually this kind of behaviour is due to MTU problems.
There can be differences between different vendors for example how they
do tunnelling and how it affects to MTUs etc.

Please try to adjust maximum TLS fragment size to see if it helps.

Please see more at page 92
5.21.39 EAPTLS_MaxFragmentSize
in ref.pdf.

Best Regards,
 Sami

On 01/18/2016 12:44 PM, Christian Kratzer wrote:
> Hi,
> 
> a customer of mine has a WLAN EAP-TLS setup where there is an issue that some
> clients don't complete the EAP handshake.
> 
> When comparing the traces the issue with the failing clients seems to be
> that after receiving the certificate from the radius server the clients
> never send their client certificate.
> 
> The failing clients are all coming from another site which uses cisco 
> instead of hp access points.
> 
> They claim they can connect fine at the site with hp access points.
> 
> Im arguing that the access points are irrelevant here and the clients
> not sending their certificate is most propably because of certificate
> issues on the client.
> 
> Would you all agree with this ?
> 
> I cannot think of any other reason but client misconfiguration when TLS
> authentication would stop after sending of the server certificate.
> 
> Greetings
> Christian
> 

-- 
Sami Keski-Kasari 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] EAP-TLS not getting client cert

Re: [RADIATOR] EAP-TLS not getting client cert

[RADIATOR] EAP-TLS not getting client cert

Re: [RADIATOR] EAP-TLS not getting client cert

4 matches

Site Navigation

Mail list logo

Footer information