Problems with EAP-TTLS/EAP-TLS - One Step further

Jouni Malinen j
Fri Oct 31 06:28:08 PDT 2008

On Fri, Oct 31, 2008 at 11:28:11AM +0100, Carolin Latze wrote:

> > This worked when I lasted tested it, but I've only tested without an
> > engine and EAP-TLS inside EAP-PEAP or -TTLS has previously been somewhat
> > of a problem case, so you may need to update FreeRADIUS unless you are
> > using the latest release.
> >   
> Is that a problem of FreeRADIUS? As I wrote, I also do not use the
> newest wpa_supplicant. But anyhow, I upgraded the FreeRADIUS to version
> 2.1.1. I also tried it with the latest version from git (2.1.2). But I
> get still the same error. I attached the complete log to this mail.

I cannot reproduce the same error. However, I do see issues with
FreeRADIUS 2.1.1 when using its default fragment_size setting (in
eap.conf). If I set fragment_size to 2048, I can complete authentication
with eapol_test. With fragment_size 1024 (and my certificate size..)
EAP-TLS seems to fail in all cases (by itself, within PEAP, within
TTLS). 1400 as a fragment_size seems to work with EAP-TLS and
EAP-TTLS/EAP-TLS and that is more likely size to actually go through an
AP, so I would suggest a test with that. I'm still seeing
EAP-PEAP/EAP-TLS fail with FreeRADIUS 2.1.1 for some reason.

Based on a quick look, I would expect this to be caused by fragmentation
related issues in the current FreeRADIUS implementation, but I have not
yet fully analyzed what is happening.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list