Hello Tom.
It's a local setup. So radius server and eapol_client are located on the
near ports of cisco sg350 switch. And there is no rules on this switch
present regarding fragmented packets. Anyway it's capable of rspan, and
it's possible to mirror traffic from one port to another for analyse. to
be sure where those packet's loss. However this requires one more pc in
this scheme.
In freeradius documentation
(in/usr/local/share/examples/freeradius/mods-available/eap) mentioned
that server and client certificates should have 509 extensions for
server and client authentication. And they have.
Thank you.
On 3/6/23 02:27, Tom Smyth wrote:
> Hi Mikhael,
> Moving this on to Misc List as it is more approiaate for support type
> requests,
>
> It may not be OpenbSD, that is ignoring the fragments, depending on
> your setup
> an intermediate device ( NAT router etc) could be proccessing the IP
> fragments incorrectly and or dropping them...
> IP fragments are a pain as they dont really match the protocol of the
> original packet and have all sorts of issues when traversing
> multipath (hashed) multipath routes between the source and destination..
> cloudflare have a really good article on this
> https://blog.cloudflare.com/ip-fragmentation-is-broken/
>
> Hope this is of help...
>
>
> On Sun, 5 Mar 2023 at 22:04, Mikhael Lialin <soultenq@gmail.com> wrote:
>
> Hi.
>
> I'm successfully configured eap tls with freeradius.
>
> However with default value for fragment_size in wpa_supplicant.conf
> which equals 1398 - packets get fragmented and seems ignored by
> the server.
>
> Both systems are openbsd 7.2
>
> here is output from thsark:
>
> --target radius--
> 9 124.886123 10.10.2.10 ? 10.10.2.1 RADIUS 188 Access-Request
> id=0
> 10 124.894967 10.10.2.1 ? 10.10.2.10 RADIUS 106
> Access-Challenge id=0
> 11 124.914163 10.10.2.10 ? 10.10.2.1 RADIUS 373
> Access-Request id=1
> 12 125.010446 10.10.2.1 ? 10.10.2.10 RADIUS 1320
> Access-Challenge id=1
> 13 125.014979 10.10.2.10 ? 10.10.2.1 RADIUS 191
> Access-Request id=2
> 14 125.032537 10.10.2.1 ? 10.10.2.10 RADIUS 1320
> Access-Challenge id=2
> 15 125.034214 10.10.2.10 ? 10.10.2.1 RADIUS 191
> Access-Request id=3
> 16 125.045650 10.10.2.1 ? 10.10.2.10 RADIUS 300
> Access-Challenge id=3
>
>
> --source eapol_test with wpa_supplicant.conf---
>
> 1 0.000000 10.10.2.10 ? 10.10.2.1 RADIUS 188 Access-Request
> id=0
> 2 0.011025 10.10.2.1 ? 10.10.2.10 RADIUS 106
> Access-Challenge id=0
> 3 0.027023 10.10.2.10 ? 10.10.2.1 RADIUS 373 Access-Request
> id=1
> 4 0.126651 10.10.2.1 ? 10.10.2.10 RADIUS 1320
> Access-Challenge id=1
> 5 0.127440 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request
> id=2
> 6 0.148742 10.10.2.1 ? 10.10.2.10 RADIUS 1320
> Access-Challenge id=2
> 7 0.149411 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request
> id=3
> 8 0.161846 10.10.2.1 ? 10.10.2.10 RADIUS 300
> Access-Challenge id=3
> 9 0.179447 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP
> protocol (proto=UDP 17, off=0, ID=b444)
> 10 3.193244 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP
> protocol (proto=UDP 17, off=0, ID=b576)
> 11 9.213196 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP
> protocol (proto=UDP 17, off=0, ID=ef21)
> 12 21.233280 10.10.2.10 ? 10.10.2.1 IPv4 1514 Fragmented IP
> protocol (proto=UDP 17, off=0, ID=00d0)
>
> eapol_test fails
>
> setting fragment_size = 1212 in wpa_supplicant.conf and getting
> success.
>
> output from tshark:
>
> --target radius--
> 1 0.000000 10.10.2.10 ? 10.10.2.1 RADIUS 188 Access-Request
> id=0
> 2 0.006613 10.10.2.1 ? 10.10.2.10 RADIUS 106
> Access-Challenge id=0
> 3 0.024538 10.10.2.10 ? 10.10.2.1 RADIUS 373 Access-Request
> id=1
> 4 0.104617 10.10.2.1 ? 10.10.2.10 RADIUS 1320
> Access-Challenge id=1
> 5 0.106355 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request
> id=2
> 6 0.114877 10.10.2.1 ? 10.10.2.10 RADIUS 1320
> Access-Challenge id=2
> 7 0.118679 10.10.2.10 ? 10.10.2.1 RADIUS 191 Access-Request
> id=3
> 8 0.128309 10.10.2.1 ? 10.10.2.10 RADIUS 300
> Access-Challenge id=3
> 9 0.145442 10.10.2.10 ? 10.10.2.1 RADIUS 1415
> Access-Request id=4
> 10 0.160230 10.10.2.1 ? 10.10.2.10 RADIUS 106
> Access-Challenge id=4
> 11 0.161621 10.10.2.10 ? 10.10.2.1 RADIUS 1372
> Access-Request id=5
> 12 0.262102 10.10.2.1 ? 10.10.2.10 RADIUS 161
> Access-Challenge id=5
> 13 0.263753 10.10.2.10 ? 10.10.2.1 RADIUS 191
> Access-Request id=6
> 14 0.281330 10.10.2.1 ? 10.10.2.10 RADIUS 226 Access-Accept
> id=6
>
> --source eapol_test with wpa_supplicant.conf---
>
> 1 0.000000 10.10.2.10 ? 10.10.2.1 RADIUS 188
> Access-Request id=0
> 2 0.010060 10.10.2.1 ? 10.10.2.10 RADIUS 106
> Access-Challenge id=0
> 3 0.023662 10.10.2.10 ? 10.10.2.1 RADIUS 373
> Access-Request id=1
> 4 0.108072 10.10.2.1 ? 10.10.2.10 RADIUS 1320
> Access-Challenge id=1
> 5 0.108734 10.10.2.10 ? 10.10.2.1 RADIUS 191
> Access-Request id=2
> 6 0.118632 10.10.2.1 ? 10.10.2.10 RADIUS 1320
> Access-Challenge id=2
> 7 0.119341 10.10.2.10 ? 10.10.2.1 RADIUS 191
> Access-Request id=3
> 8 0.132026 10.10.2.1 ? 10.10.2.10 RADIUS 300
> Access-Challenge id=3
> 9 0.147236 10.10.2.10 ? 10.10.2.1 RADIUS 1415
> Access-Request
> id=4
> 10 0.163300 10.10.2.1 ? 10.10.2.10 RADIUS 106
> Access-Challenge id=4
> 11 0.164158 10.10.2.10 ? 10.10.2.1 RADIUS 1372
> Access-Request
> id=5
> 12 0.265514 10.10.2.1 ? 10.10.2.10 RADIUS 161
> Access-Challenge id=5
> 13 0.266328 10.10.2.10 ? 10.10.2.1 RADIUS 191
> Access-Request id=6
> 14 0.284607 10.10.2.1 ? 10.10.2.10 RADIUS 226
> Access-Accept id=6
>
> Question: How to avoid altering fragment_size to get this working ?
>
> Some clients could not be set so easily like phones.
>
> Thank you.
>
> Mikhael.
>
>
>
> --
> Kindest regards,
> Tom Smyth.
No comments:
Post a Comment