Re: Disable fragmentation of EAP packets
From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 02/20/04
- Next message: Sam Salhi [MSFT]: "Re: forced CRL refresh/update with EAP-TLS"
- Previous message: Sam Salhi [MSFT]: "Re: PEAP and DHCP authentication failure"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 20 Feb 2004 11:43:36 -0800
Try to lower that number further to 1300; it should probably fix the issue.
I'm glad the other solution works for you as well.
--
===========================================================
This posting is provided "AS IS" with no warranties and confers no rights
===========================================================

"Marco van Ginkel" <mvginkel@wanadoo.nl> wrote in message
news:40320fc0$0$24451$18b6e80@news.wanadoo.nl...
> Sorry for my late response...
>
> I've set the framed mtu size on the Radius server to 1400, but that makes
> no difference.
> But I've found a solution, in the new software for the gateway I use, I can
> define a radius proxy and that works fine.
> Thank you all for your help!
>
> Regards Marco
>
> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
> news:%23a9HAlP8DHA.3880@tk2msftngp13.phx.gbl...
> > I would also like to add that Framed-MTU can not guarantee the size of
> > the Radius packet, but rather keep the EAP payload in check
> > In other words, Framed-MTU is NOT the max size of a Radius packet, but
> > rather the EAP payload
> >
> > --
> > ===========================================================
> > This posting is provided "AS IS" with no warranties and confers no rights
> > ===========================================================
> >
> > "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
> > news:uI$QNPP8DHA.1112@tk2msftngp13.phx.gbl...
> > > You can use the FRAMED-MTU attribute in the IAS server to specify the
> > > maximum size of the packets
> > > Remember to add a little bit of padding to the number so that you
> > > always land below the 1500 mark. If your network is set to 1400 then
> > > make sure you specify this for the IAS server as well.
> > > (default for IAS is 1500)
> > > To modify the Framed-MTU attribute, go to Remote Access Policies, Open
> > > the policy, Edit Profile, Advanced, Add, (find) Framed-MTU and set it
> > > to 1400 or less
> > >
> > > Please let us know how it goes with you
> > >
> > > Thanks
> > >
> > > --
> > > ===========================================================
> > > This posting is provided "AS IS" with no warranties and confers no
> > > rights
> > > ===========================================================
> > >
> > > "Marco" <mvginkel@wanadoo.nl> wrote in message
> > > news:4028d97f$0$93686$cd19a363@news.wanadoo.nl...
> > > > It's not possible to manually set the framed-mtu setting. In debug
> > > > traces I've seen that the default value of this attribute is set to
> > > > 1400...
> > > >
> > > > Regards Marco
> > > >
> > > > "Ashwin Palekar(MS)" <ashwinp@online.microsoft.com> wrote in message
> > > > news:OoGljz87DHA.2300@TK2MSFTNGP10.phx.gbl...
> > > > > Marco,
> > > > >
> > > > > Still investigating. In the meantime a question -> Does this
> > > > > wireless access point allow you to set the MTU (maybe called
> > > > > Framed-MTU) attribute?
> > > > > As per the 802.1x/RADIUS standards, the access point can specify
> > > > > the size of the maximum EAP packet encapsulated within RADIUS
> > > > > packets. The default value is 1500, and you could reduce this value
> > > > > to create smaller EAP packets; and hence essentially reducing the
> > > > > size of RADIUS packets.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Ashwin
> > > > >
> > > > > --
> > > > > --
> > > > > ===========================================================
> > > > > This posting is provided "AS IS" with no warranties and confers no
> > > > > rights
> > > > > ===========================================================
> > > > >
> > > > > "Marco van Ginkel" <mvginkel@wanadoo.nl> wrote in message
> > > > > news:4027e382$0$32736$4a441750@news.euronet.nl...
> > > > > > I'm using wireless access points behind a wireless gateway
> > > > > > (Nomadix HSG). The MS IAS RADIUS Server is on the other side of
> > > > > > that gateway. During the TLS authentication process, the Radius
> > > > > > server generates packets bigger than 1500 bytes, so that data
> > > > > > will be fragmented. The problem is that the gateway doesn't
> > > > > > support fragmented packets, only the first packet will be sent
> > > > > > back to the wireless access point, and the rest is blocked by
> > > > > > the gateway.
> > > > > >
> > > > > > I've tested the same setup with a Steel Belted Radius Server with
> > > > > > the setting TLS_Message_Fragment_Length = 1020. This setting
> > > > > > prevents the RADIUS challenge response from exceeding one
> > > > > > Ethernet frame and creates more RADIUS challenge/response
> > > > > > round-trips required to conclude the TLS exchange. And that
> > > > > > works..
> > > > > >
> > > > > > I hope there is a solution for MS IAS.
> > > > > >
> > > > > > M.
> > > > > >
> > > > > > "Ashwin Palekar(MS)" <ashwinp@online.microsoft.com> wrote in
> > > > > > message news:urldmXz7DHA.1592@TK2MSFTNGP10.phx.gbl...
> > > > > > > How can a RADIUS server completely disable fragmentation of
> > > > > > > EAP packets; and send large EAP packets (like those found in
> > > > > > > TLS)?
> > > > > > >
> > > > > > > Can you explain the problem you are trying to address? There
> > > > > > > may be other ways of addressing them.
> > > > > > >
> > > > > > > I am guessing that the EAP fragment length may be controlled
> > > > > > > by the Framed-MTU attribute sent in RADIUS packets by the
> > > > > > > access-point/vpn server.
> > > > > > >
> > > > > > > --
> > > > > > > --
> > > > > > > ===========================================================
> > > > > > > This posting is provided "AS IS" with no warranties and
> > > > > > > confers no rights
> > > > > > > ===========================================================
> > > > > > >
> > > > > > > "Marco" <mvginkel@wanadoo.nl> wrote in message
> > > > > > > news:40279fb3$0$231$18b6e80@news.wanadoo.nl...
> > > > > > > > Is it possible to turn off fragmentation of EAP packets in
> > > > > > > > Microsoft IAS? In Steel Belted Radius it can be done with
> > > > > > > > the "TLS_Message_Fragment_Length" setting and then choose a
> > > > > > > > value < 1400.
> > > > > > > >
> > > > > > > > Thanx in advance!
> > > > > > > >
> > > > > > > > Marco van Ginkel
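Added example (not part of the original posts and not IAS code): a size calculation for the point made in the thread that Framed-MTU bounds the EAP payload, not the RADIUS packet, so the IP datagram can still exceed a 1500-byte path. It assumes the server caps each EAP packet (header included) at Framed-MTU, IPv4 without options, and no attributes beyond EAP-Message, Message-Authenticator and an optional State; the 3000-octet TLS flight and 32-octet State value are constructed.

```python
import math

# Fixed sizes in octets. RADIUS: RFC 2865/3579; EAP-TLS framing: RFC 5216.
RADIUS_HEADER = 20          # code, identifier, length, authenticator
ATTR_HEADER = 2             # type + length in front of every attribute value
ATTR_MAX_VALUE = 253        # one EAP-Message attribute carries at most this much
MESSAGE_AUTHENTICATOR = 18  # must accompany EAP-Message
UDP_IPV4 = 8 + 20           # UDP header + IPv4 header without options
EAP_TLS_HEADER = 6          # EAP code, id, length(2), type, flags
TLS_LENGTH_FIELD = 4        # present on the first fragment (L bit)


def datagram_size(eap_len, state_len=0):
    """IPv4 datagram size of a RADIUS packet carrying one EAP packet."""
    eap_attrs = eap_len + ATTR_HEADER * math.ceil(eap_len / ATTR_MAX_VALUE)
    state = ATTR_HEADER + state_len if state_len else 0
    return (RADIUS_HEADER + eap_attrs + MESSAGE_AUTHENTICATOR
            + state + UDP_IPV4)


def plan_flight(tls_len, framed_mtu, path_mtu=1500, state_len=0):
    """Fragment a TLS flight; return (eap_len, datagram_len, fits) per fragment.

    Assumption: the server caps each EAP packet, header included, at framed_mtu.
    """
    plan, remaining, first = [], tls_len, True
    while remaining > 0:
        header = EAP_TLS_HEADER + (TLS_LENGTH_FIELD if first else 0)
        chunk = min(remaining, framed_mtu - header)
        size = datagram_size(header + chunk, state_len)
        plan.append((header + chunk, size, size <= path_mtu))
        remaining -= chunk
        first = False
    return plan


def largest_safe_eap(path_mtu=1500, state_len=0):
    """Largest EAP packet whose RADIUS datagram still fits in path_mtu."""
    return max(n for n in range(1, path_mtu)
               if datagram_size(n, state_len) <= path_mtu)


if __name__ == "__main__":
    # Constructed inputs: a 3000-octet server flight and a 32-octet State value.
    for mtu in (1500, 1400, 1300):
        print(mtu, plan_flight(3000, mtu, state_len=32))
    print("largest EAP packet that fits:", largest_safe_eap(state_len=32))
```

Under these assumptions a 1400-octet EAP packet leaves only 22 octets for every other RADIUS attribute before the datagram passes 1500 bytes, while 1300 leaves 122.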