Smith, Brian (ESEA IS&A) wrote: > Hi Alan, > Thanks for the great reply. It makes perfect sense to me. Just be > clear, FreeRadius will support a certificate/chain length up to the TLS > record limit of 16384 bytes (minus some overhead). And, you don't know > of anyone that has every tried to test beyond this, which tells me in > practice, it's not done....
Yes. > Also, you point out that very likely AP's > and STA' might not support multiple records, though the RFC says they > should. Also telling me, this is not normally done. No... they *do* support multiple round trips. But they have an upper limit on "too many" round trips. For example, WPA supplicant (the most widely used one) has a default limit of 50. This means it's *highly* unlikely that it will work with 64K certificate chains. > Two quick questions for you. > > - What do you think the market penetration of FreeRadius (or > commercial clones) to authenticate wireless WPA2 clients is, verses > commercial products? It's the most widely used RADIUS server on the planet. Most large telcos on Europe are either using it, or switching to it. > - Do you know of any other Radius Server that does support > multiple TLS records for a single message? No idea, sorry. And if you're thinking of buying one that does, I can pretty much guarantee you it'll be cheaper and faster to fix FreeRADIUS. > - What is the largest certificate chain you have seen used with > FreeRadius? I don't know. People don't usually report that kind of statistics. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
