Problems with EAP-TTLS/EAP-TLS - One Step further

Jouni Malinen j at w1.fi
Fri Oct 31 09:28:08 EDT 2008


On Fri, Oct 31, 2008 at 11:28:11AM +0100, Carolin Latze wrote:

> > This worked when I last tested it, but I've only tested without an
> > engine and EAP-TLS inside EAP-PEAP or -TTLS has previously been somewhat
> > of a problem case, so you may need to update FreeRADIUS unless you are
> > using the latest release.
> >   
> Is that a problem of FreeRADIUS? As I wrote, I also do not use the
> newest wpa_supplicant. But anyhow, I upgraded the FreeRADIUS to version
> 2.1.1. I also tried it with the latest version from git (2.1.2). But I
> still get the same error. I attached the complete log to this mail.

I cannot reproduce the same error. However, I do see issues with
FreeRADIUS 2.1.1 when using its default fragment_size setting (in
eap.conf). If I set fragment_size to 2048, I can complete authentication
with eapol_test. With fragment_size 1024 (and my certificate size..)
EAP-TLS seems to fail in all cases (by itself, within PEAP, within
TTLS). 1400 as a fragment_size seems to work with EAP-TLS and
EAP-TTLS/EAP-TLS and that is a more likely size to actually go through an
AP, so I would suggest a test with that. I'm still seeing
EAP-PEAP/EAP-TLS fail with FreeRADIUS 2.1.1 for some reason.

Based on a quick look, I would expect this to be caused by fragmentation
related issues in the current FreeRADIUS implementation, but I have not
yet fully analyzed what is happening.

-- 
Jouni Malinen                                            PGP id EFC895FA
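
Added example, not part of the original message and not FreeRADIUS or wpa_supplicant code: a sketch of the EAP-TLS fragmentation defined in RFC 5216, showing what a fragment_size value changes on the wire for the three sizes discussed above. It assumes fragment_size caps the TLS data bytes carried per EAP packet, and the 3000-byte flight used in the test is a constructed stand-in for a server certificate flight.

```python
import struct
EAP_REQUEST, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M = 0x80, 0x40  # RFC 5216 flags: Length included, More fragments

def fragment(tls_data, fragment_size, first_id=1):
    """Split one TLS flight into EAP-TLS request packets (sender side).
    Assumption: fragment_size caps the TLS data bytes carried per packet."""
    if fragment_size <= 0:
        raise ValueError("fragment_size must be positive")
    chunks = [tls_data[i:i + fragment_size]
              for i in range(0, len(tls_data), fragment_size)] or [b""]
    packets = []
    for n, chunk in enumerate(chunks):
        # L goes on the first fragment of a fragmented message, M on all but the last.
        flags = FLAG_L if (len(chunks) > 1 and n == 0) else 0
        if n < len(chunks) - 1:
            flags |= FLAG_M
        body = bytes([EAP_TYPE_TLS, flags])
        if flags & FLAG_L:
            body += struct.pack("!I", len(tls_data))  # 4-byte TLS Message Length
        body += chunk
        header = struct.pack("!BBH", EAP_REQUEST, (first_id + n) & 0xFF, 4 + len(body))
        packets.append(header + body)
    return packets

def reassemble(packets):
    """Receiver side: rebuild the flight, checking flags and the announced length."""
    data, expected = b"", None
    for n, pkt in enumerate(packets):
        _code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, off = pkt[5], 6
        if flags & FLAG_L:
            expected, off = struct.unpack("!I", pkt[6:10])[0], 10
        if bool(flags & FLAG_M) != (n < len(packets) - 1):
            raise ValueError("M flag inconsistent with fragment position")
        data += pkt[off:]
    if expected is not None and expected != len(data):
        raise ValueError("TLS Message Length mismatch")
    return data

def summarize(flight_len, sizes=(1024, 1400, 2048)):
    """Map fragment_size -> (packet count, largest EAP packet, round-trip ok)."""
    flight = bytes(i % 256 for i in range(flight_len))  # constructed sample data
    result = {}
    for size in sizes:
        packets = fragment(flight, size)
        result[size] = (len(packets), max(map(len, packets)), reassemble(packets) == flight)
    return result
```

Each fragment with the M flag set has to be acknowledged by the peer before the next one is sent, so the packet count is also the number of request/response round trips for that flight.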

