Dynamic EAP fragment_size for low MTU
Samuel Melrose
sam.melrose at a1comms.com
Wed Dec 6 02:53:32 PST 2023
Hello,
If I can manage to get a patch together, what are everyone's feelings
about being able to dynamically tune the EAP fragment_size setting,
based on hints from the server?
I'm struggling with a low MTU network and EAP-TLS not working due to
the RADIUS Auth-Request packets being too large - they are fragmented
at layer 4 (UDP), but dropped in the network path due to fragmentation
not being correctly supported by the firewall devices.
On the server side, we've got FreeRADIUS and we've been able to
configure it with a low EAP fragment_size value of 1012, however, it
isn't possible to configure this on the clients, as they are all
running Chrome OS (so using the Linux version of
wpa_supplicant/hostapd, but with a read only rootfs where it's
impossible to tune the configuration file) for both wireless
WPA2-Enterprise & 802.1X.
I've spent nearly a week searching for a solution here, and while the
RADIUS standard supports the Framed-MTU attribute to adjust the
maximum packet size, this only appears to be supported in the Client
-> Server direction: this isn't helpful in our instance, as the
wpa_supplicant isn't doing PMTUD, it's just hard coding a value of
1400.
There are plenty of examples of people online suffering the same
problems and as far as I can tell, very few solutions are found,
beyond people giving up - at least, none are posted.
A lot of people mention how impractical it is to be required to tune
the fragment_size value in the configuration of each client, rather
than having it pushed centrally.
My thoughts are accepting Framed-MTU from the server as part of the
Access-Challenge response, then tuning the EAP fragment_size based on
that (taking into account the additional overheads): would you be
willing to accept such a change?
Regards,
Samuel Melrose
[ Senior Systems Engineer ]
Tel: +44 (0) 1332 922429
[ A1 Comms Ltd. Contract House, Turnpike Business Park, Alfreton, DE55 7AD ]
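An added worked example (not part of the original post and not wpa_supplicant/hostapd code): the overhead arithmetic that separates an EAP fragment size from the size of the RADIUS Access-Request carrying it, and the largest fragment size that still fits a given path MTU. Assumptions: IPv4 without options, fragment_size counts the TLS payload with 10 bytes of EAP-TLS framing on top, and a constructed 120-byte allowance for the remaining RADIUS attributes (User-Name, State, NAS attributes and so on).

```c
#include <stdio.h>

#define IPV4_HDR        20  /* assumption: no IP options */
#define UDP_HDR          8
#define RADIUS_HDR      20  /* code, identifier, length, 16-byte authenticator */
#define ATTR_HDR         2  /* attribute type + length */
#define ATTR_MAX_VALUE 253  /* an attribute value is at most 253 octets */
#define MSG_AUTH_ATTR   18  /* Message-Authenticator attribute */
#define EAP_TLS_FRAMING 10  /* EAP header 4 + type 1 + flags 1 + TLS length 4 */

/* On-the-wire size of an EAP packet split across EAP-Message attributes. */
static int eap_message_attrs_len(int eap_len)
{
    int attrs = (eap_len + ATTR_MAX_VALUE - 1) / ATTR_MAX_VALUE;
    return eap_len + attrs * ATTR_HDR;
}

/* IPv4 packet size of an Access-Request carrying one EAP-TLS fragment.
 * other_attrs is the total size of all remaining attributes (assumed value). */
int access_request_ip_len(int fragment_size, int other_attrs)
{
    int eap_len = fragment_size + EAP_TLS_FRAMING;
    return IPV4_HDR + UDP_HDR + RADIUS_HDR + MSG_AUTH_ATTR + other_attrs +
           eap_message_attrs_len(eap_len);
}

/* Largest fragment size whose Access-Request fits in path_mtu without
 * IP fragmentation; returns 0 when even a 1-byte fragment does not fit. */
int max_fragment_size(int path_mtu, int other_attrs)
{
    int best = 0;
    for (int f = 1; access_request_ip_len(f, other_attrs) <= path_mtu; f++)
        best = f;
    return best;
}

int main(void)
{
    const int other = 120;                      /* constructed sample value */
    const int sizes[] = { 1400, 1012 };         /* the two values in the post */
    const int mtus[] = { 1500, 1400, 1280 };    /* sample path MTUs */

    for (int i = 0; i < 2; i++)
        printf("fragment_size %d -> %d-byte IP packet\n", sizes[i],
               access_request_ip_len(sizes[i], other));
    for (int i = 0; i < 3; i++)
        printf("path MTU %d -> max fragment_size %d\n", mtus[i],
               max_fragment_size(mtus[i], other));
    return 0;
}
```

Each extra EAP-Message attribute costs two more bytes, which is why the limit is computed from the packet size rather than by subtracting a fixed constant from the MTU.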