On 2023/03/02 17:24, Mikhael Lialin wrote:
> Hello and good day.
>
> Finally found the actual reason.
>
> The outer client is failed eap tls because of packet fragmentation. on
> interface mtu is set as 1500, and packet is 1514.
>
> from tshark:
>
> RADIUS 1514 Access-Request id=4[BoundErrorUnreassembled Packet]
> RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled
> Packet]
> RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled
> Packet]
> RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled
> Packet]
What do you see from freeradius debug output when this happens?
> if set fragment_size to wpa_supplicant.conf to a little below value, it
> helps and eap_tls is successful.
>
> It's good for configurable client, however how about phones where all
> parameters are default ?
It doesn't help you, but the RADIUS client is not the device trying to
connect to wifi, it's the AP.
It wasn't clear from your report, does it work with non-cert-based
methods e.g. EAP MSCHAPv2 or not?
If that's working and the problem is only with certificate auth, one
thought, are you able to shrink the certs at all? If you're using
3072/4096 bit RSA keys, try 2048bit instead.
I would try asking on the freeradius mailing list too. Be clear exactly
what you're testing (e.g. show the config on the client) and include the
full radiusd debug output, maybe also include packet dumps (full rather
than just the 1-line summary you showed here).
I don't think this is likely to be openbsd-specific.
No comments:
Post a Comment