On 2014-05-05 15:02, Heikki Vatiainen wrote:
> On 05/05/2014 03:01 PM, Hartmaier Alexander wrote:
>
>>> The correct number in your case is something between 1250 and 1300 when
>>> you have outer fragment size 1350? That is, when you have 1350 as outer
>>> fragment size, 1250 works but 1300 does not.
>> So what you're saying is that 1350 for the outer results in an inner
>> calculated one of 1310 bytes which is too large?
> Yes, the inner EAP-TLS creates fragments of size 1310 and based on your
> message, I understand when these are given to outer PEAP for TLS
> tunneling and transport, the result is too large: it does not fit in 1350.

Can you add critical logging for that case so the problem can quickly be
found? With a calculated suggested value maybe?
>
>> Which fragment size should be configured, the outer or the inner one?
>> If the inner is calculated from the outer I shouldn't configure the
>> inner one but simply reduce the outer one until it works?
> It should have worked so that the inner fragmentation matches the outer.
> However, since it does not, you should configure the outer handler
> MaxFragmentSize to as large a value as possible, for example 1350, and then
> configure the MaxFragmentSize for the inner AuthBy to as large a value as
> possible. It seems 1250 works for you.
>
>> The value is the number of bytes the EAP messages are split into and
>> transmitted via the EAP-Message radius attribute, correct?
> Yes, with the addition that if you have for example an EAP message that
> is 1300 bytes long, it needs to be broken into EAP-Message attributes
> which have a payload size of 253 bytes.

Where does the 253 come from?

>
>> So the number is dependent on how many bytes all other radius attributes
>> consume from the MTU, which should be 1500 for both wired and wireless in
>> our case?
> Yes. Also the inner AuthBy's MaxFragmentSize must track the outer
> fragment size so that the chunks that inner AuthBy produces do not grow
> too large after TLS processing. This is not a problem with EAP-MSCHAP-V2
> but when EAP-TLS is the inner protocol, then the inner AuthBy requires
> MaxFragmentSize.

So the new feature in 4.13 only helps for PEAP-MSCHAPv2, not for PEAP-TLS?

>
> Thanks,
> Heikki
>

T-Systems Austria GesmbH
Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
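The size arithmetic behind this exchange, as an added example that is not part of the thread and is not Radiator's own code: an inner EAP-TLS fragment grows when the outer PEAP tunnel wraps it in a TLS record and an outer EAP-TLS header, the resulting EAP packet is then cut into EAP-Message RADIUS attributes, and the RADIUS/UDP datagram has to fit the 1500-octet MTU alongside the other attributes. The 253 comes from the RADIUS attribute format: the Length field is one octet, so an attribute is at most 255 octets, of which 2 are Type and Length. The per-fragment tunnel overhead (67 octets) is an assumption for illustration, chosen as a TLS 1.1 AES-128-CBC/HMAC-SHA1 record plus an outer EAP-TLS header that carries the length field; the thread's 1350/1310/1250 figures come out consistent with it, but Radiator's real calculation is not known here. The example also treats MaxFragmentSize as the length of a whole EAP packet, which is an assumption. Sample packet and attribute sizes are constructed.

```python
"""Added example (not from this thread or from Radiator): a model of how an inner
EAP-TLS fragment is carried through a PEAP tunnel and then through RADIUS, to
show why the inner MaxFragmentSize must leave headroom under the outer one and
where the 253-octet EAP-Message payload comes from."""

import math
import struct
from typing import List

# RADIUS framing (RFC 2865 / RFC 2869).
RADIUS_HEADER_LEN = 20              # Code, Identifier, Length, Request Authenticator
ATTR_HEADER_LEN = 2                 # Type octet + Length octet on every attribute
ATTR_MAX_LEN = 255                  # Length is one octet, so an attribute is at most 255 octets
EAP_MESSAGE_PAYLOAD = ATTR_MAX_LEN - ATTR_HEADER_LEN   # 253 octets of EAP data per EAP-Message
EAP_MESSAGE_TYPE = 79
IPV4_UDP_HEADERS = 20 + 8           # IPv4 header without options + UDP header

# ASSUMED per-fragment overhead added when the outer PEAP tunnel wraps one inner
# EAP packet: a TLS 1.1 record using AES-128-CBC with HMAC-SHA1, plus an outer
# EAP-TLS header that carries the optional TLS length field.  Illustrative only;
# the real overhead depends on the negotiated cipher suite and TLS version.
TLS_RECORD_HEADER = 5
TLS_EXPLICIT_IV = 16
TLS_HMAC_SHA1 = 20
TLS_CBC_PAD_MAX = 16
OUTER_EAP_HEADER = 4 + 1 + 1 + 4    # EAP header, Type, Flags, TLS Message Length
TUNNEL_OVERHEAD = (TLS_RECORD_HEADER + TLS_EXPLICIT_IV + TLS_HMAC_SHA1
                   + TLS_CBC_PAD_MAX + OUTER_EAP_HEADER)   # 67 octets


def tunneled_len(inner_fragment_len: int, overhead: int = TUNNEL_OVERHEAD) -> int:
    """Size of one inner fragment after the outer PEAP tunnel has wrapped it."""
    return inner_fragment_len + overhead


def fits_outer(inner_fragment_len: int, outer_max: int,
               overhead: int = TUNNEL_OVERHEAD) -> bool:
    """True if a wrapped inner fragment stays within the outer MaxFragmentSize."""
    return tunneled_len(inner_fragment_len, overhead) <= outer_max


def max_inner_fragment(outer_max: int, overhead: int = TUNNEL_OVERHEAD) -> int:
    """Largest inner fragment that still fits under the outer limit; this is the
    'suggested value' a diagnostic log line could print when the check fails."""
    return outer_max - overhead


def eap_message_attributes(eap_packet: bytes) -> List[bytes]:
    """Split one EAP packet into EAP-Message attributes of at most 253 payload octets."""
    attrs = []
    for off in range(0, len(eap_packet), EAP_MESSAGE_PAYLOAD):
        chunk = eap_packet[off:off + EAP_MESSAGE_PAYLOAD]
        attrs.append(struct.pack("!BB", EAP_MESSAGE_TYPE, ATTR_HEADER_LEN + len(chunk)) + chunk)
    return attrs


def datagram_len(eap_packet_len: int, other_attr_octets: int) -> int:
    """On-the-wire IPv4/UDP size of a RADIUS packet carrying one EAP packet plus
    other_attr_octets of further attributes (User-Name, NAS-*, State,
    Message-Authenticator and so on)."""
    n_attrs = math.ceil(eap_packet_len / EAP_MESSAGE_PAYLOAD)
    return (IPV4_UDP_HEADERS + RADIUS_HEADER_LEN + eap_packet_len
            + n_attrs * ATTR_HEADER_LEN + other_attr_octets)


if __name__ == "__main__":
    outer = 1350
    for inner in (1310, 1250):
        print(f"inner {inner} -> wrapped {tunneled_len(inner)} octets, "
              f"fits under outer {outer}: {fits_outer(inner, outer)}")
    print(f"largest inner fragment under outer {outer}: {max_inner_fragment(outer)}")
    # Constructed sample: a 1300-octet outer EAP packet and about 120 octets of
    # other attributes in the same Access-Request.
    attrs = eap_message_attributes(bytes(1300))
    print(f"1300-octet EAP packet -> {len(attrs)} EAP-Message attributes, "
          f"lengths {[len(a) for a in attrs]}")
    for eap_len in (1300, 1350):
        print(f"datagram for a {eap_len}-octet EAP packet with 120 octets of other "
              f"attributes: {datagram_len(eap_len, 120)} octets (MTU 1500)")
```

Under the assumed 67-octet overhead the inner 1310 wraps to 1377 and does not fit under 1350, while 1250 wraps to 1317 and does; the same arithmetic gives 1283 as the largest inner fragment, which is the kind of value a "suggested size" log line could report. The datagram function shows why the outer size is bounded by the MTU rather than by the attribute limit: a 1300-octet EAP packet with 120 octets of other attributes gives 1480 octets on the wire, while 1350 already exceeds 1500.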