Jouni Malinen wrote:
> The main (well, more or less, the only) reason for that limit on number of round trips is to work around issues where the EAP peer and server ended up in an infinite loop ACKing their messages. I would prefer to change that to be based on whether any real progress has been made during the last round trip or two, i.e., to remove the hard limit and allow as many round trips as it takes to get through the authentication (or whatever else one adds into EAP, e.g., TNC). It would be nicer to support whatever maximum length is described for EAP-TLS or TNC, but not at the cost of bringing back interop issues that may result in infinite authentication loops.

  Defining "progress" per EAP type may be difficult.

> Anyway, the only case I remember of someone discussing the round trip limit as a too strict limit was for TNC, not for certificate sizes. If someone is really using huge certificates (or well, long enough chain to make the total size of the TLS message long) in real world, I would like to make sure it can be done. I just haven't come up with a real use case so far.

  Yes, I recall those discussions related to TNC and NEA a while ago.

  From what I see in the standards now, there is no reason for *bulk* transfer of data over EAP. The TNC standards require pretty small data transfers. And even if wpa_supplicant is changed, it will be difficult to change the millions of APs out there.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
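The two policies discussed above (a hard cap on EAP round trips versus failing only when the last round trip or two made no progress) can be compared with a small model of EAP-TLS fragment reassembly. The following is an added example written for this page; it is not code from hostapd, wpa_supplicant or FreeRADIUS. The limit of 50 round trips, the stall window of 2, and the 200 KB / 1000-byte figures are assumed values chosen to make the behaviour visible; "progress" is defined here narrowly as "a fragment carrying TLS bytes arrived", which is the certificate-chain case, not a per-EAP-type notion.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed, illustrative values (not from any real implementation). */
#define HARD_ROUND_TRIP_LIMIT 50  /* existing style: fixed cap on round trips */
#define STALL_WINDOW 2            /* proposed style: "last round trip or two" */

enum eap_policy { POLICY_HARD_LIMIT, POLICY_PROGRESS };

enum eap_verdict {
    EAP_CONTINUE = 0,
    EAP_DONE = 1,            /* whole TLS message reassembled */
    EAP_FAIL_HARD_LIMIT = 2, /* too many round trips, regardless of progress */
    EAP_FAIL_STALLED = 3     /* no TLS bytes for STALL_WINDOW+1 round trips */
};

/* Hypothetical reassembly state for one EAP-TLS message. */
struct eap_tls_rx {
    enum eap_policy policy;
    size_t expected_len;       /* total length announced by the L-flag fragment */
    size_t received_len;       /* bytes reassembled so far */
    unsigned round_trips;      /* Request/Response pairs seen */
    unsigned idle_round_trips; /* consecutive pairs that carried no TLS data */
};

void eap_tls_rx_init(struct eap_tls_rx *s, enum eap_policy policy, size_t expected_len)
{
    s->policy = policy;
    s->expected_len = expected_len;
    s->received_len = 0;
    s->round_trips = 0;
    s->idle_round_trips = 0;
}

/* One completed round trip. payload_len == 0 models a bare ACK (the
 * "both sides keep ACKing each other" loop that motivated the hard limit). */
enum eap_verdict eap_tls_rx_round_trip(struct eap_tls_rx *s, size_t payload_len)
{
    size_t remaining = s->expected_len - s->received_len;

    s->round_trips++;
    if (payload_len > 0) {
        /* A fragment past the announced length would be a protocol error in
         * real code; the model just does not count beyond expected_len. */
        s->received_len += payload_len > remaining ? remaining : payload_len;
        s->idle_round_trips = 0; /* progress: reset the stall counter */
    } else {
        s->idle_round_trips++;
    }

    if (s->received_len >= s->expected_len)
        return EAP_DONE;
    if (s->policy == POLICY_HARD_LIMIT && s->round_trips >= HARD_ROUND_TRIP_LIMIT)
        return EAP_FAIL_HARD_LIMIT;
    if (s->policy == POLICY_PROGRESS && s->idle_round_trips > STALL_WINDOW)
        return EAP_FAIL_STALLED;
    return EAP_CONTINUE;
}

struct sim_result {
    enum eap_verdict verdict;
    unsigned round_trips;
};

/* Drive a transfer of total_len bytes in frag_len-byte fragments, preceded by
 * leading_acks data-less round trips (UINT_MAX models an endless ACK loop). */
struct sim_result simulate(enum eap_policy policy, size_t total_len, size_t frag_len,
                           unsigned leading_acks)
{
    struct eap_tls_rx s;
    struct sim_result r;
    unsigned acks = 0;

    eap_tls_rx_init(&s, policy, total_len);
    do {
        size_t len = frag_len;
        if (acks < leading_acks) {
            len = 0;
            acks++;
        }
        r.verdict = eap_tls_rx_round_trip(&s, len);
    } while (r.verdict == EAP_CONTINUE);
    r.round_trips = s.round_trips;
    return r;
}

int main(void)
{
    /* Constructed scenarios: a 200 KB certificate chain in 1000-byte fragments,
     * and a peer/server pair stuck exchanging empty ACKs. */
    struct sim_result a = simulate(POLICY_HARD_LIMIT, 200000, 1000, 0);
    struct sim_result b = simulate(POLICY_PROGRESS, 200000, 1000, 0);
    struct sim_result c = simulate(POLICY_HARD_LIMIT, 200000, 1000, UINT_MAX);
    struct sim_result d = simulate(POLICY_PROGRESS, 200000, 1000, UINT_MAX);

    printf("big chain, hard limit: verdict=%d after %u round trips\n", a.verdict, a.round_trips);
    printf("big chain, progress:   verdict=%d after %u round trips\n", b.verdict, b.round_trips);
    printf("ACK loop,  hard limit: verdict=%d after %u round trips\n", c.verdict, c.round_trips);
    printf("ACK loop,  progress:   verdict=%d after %u round trips\n", d.verdict, d.round_trips);
    return 0;
}
```

The hard cap rejects the large chain at 50 round trips even though every one of them delivered data, while the progress rule lets it finish in 200 and still cuts off the ACK loop after three empty round trips, i.e. sooner than the hard cap does. The weak point is exactly the one raised in the reply: this model only knows what "progress" means for fragment reassembly, and a different EAP method (TNC, for instance) would need its own definition.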