Govroam

The Roaming solution for the public sector


Dealing with packet fragmentation with EAP-TLS

Symptoms

  • If you're receiving reports from end users that authentication is failing, but you can't see anything in your logs.
  • If you're using EAP-TLS.
  • If you're seeing firewall reports of possible packet-fragmentation attacks coming from RADIUS servers.

Cause

The MTU on network interfaces is around 1500 bytes. If a RADIUS UDP packet exceeds this size then the packet will be split up (fragmented) at the IP layer. UDP packets are normally quite small, so this isn't common. EAP-PEAP packets tend to be small because PEAP only uses a certificate at one end and a username/password at the other. EAP-TLS, on the other hand, uses certificates in both directions. Certificates are much bigger than a username and password, so the packets are more likely to exceed the MTU.

If a firewall is configured to be suspicious of packet fragmentation (fragmentation is often used as a way of hacking organisations) then it may block these authentication attempts. We've only really heard of this happening with EAP-TLS, for the reasons above.

How the certificate chain is configured on the client and the server is an important factor. At a bare minimum the server needs a Root CA and the client needs a client certificate. In this simple case the packet size isn't likely to cause fragmentation. However, the certificate chain might contain one or more intermediate CAs, and where these are deployed is critical. The key is to have as much of the chain as possible installed on the server, and for the client to send as little as possible with each authentication request.

The same applies to the TTLS part of EAP-PEAP: the client should have as much of the chain as possible installed, and the server just the server cert.

Doing this means that during an authentication only the minimum (one server cert and one client cert) is passed around, rather than a number of client, server and intermediate certs.

Solutions

These are not mutually exclusive.

  • Disable packet-fragmentation checks/blocks on the firewall (just for the NRPS and any other known RADIUS servers).
  • Ensure only the minimum number of certs is sent during authentication, and that as much of the chain as possible is installed on the client and server.
  • Set Framed-MTU to 1100.

The last option is somewhat of a last resort because Framed-MTU is not universally respected by RADIUS servers. What it does do is pass a hint to the RADIUS server, requesting that it use a maximum of 1100 bytes for the RADIUS packet. This means that, even with the additional headers added by the TCP/IP stack, the packets should never be fragmented.

The caveat is, as stated, that different RADIUS servers react differently to seeing Framed-MTU. It certainly can't be relied on as the solution.
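The following Python is an added example, not part of the Govroam page, that puts numbers on the Cause section and on the Framed-MTU hint above. It builds a RADIUS Access-Challenge carrying one EAP-TLS fragment the way a server would (EAP-Message attributes, State, Message-Authenticator, Response Authenticator), then reports whether the IPv4/UDP datagram exceeds a 1500-byte MTU and how many IP fragments it would become. Header sizes follow RFC 2865, 2869, 3579 and 5216; the shared secret, State value and 3000-byte certificate payload are constructed stand-ins, and the example assumes the Framed-MTU value is treated as the TLS data carried per EAP packet.

```python
"""Added example (not from the Govroam page): size a RADIUS Access-Challenge
that carries one EAP-TLS fragment and check whether the IPv4/UDP datagram
would exceed the link MTU and so be fragmented at the IP layer.
Header sizes follow RFC 2865/2869/3579/5216; the secret, State value and
certificate bytes used below are constructed stand-ins."""
import hmac
import hashlib
import math

IPV4_HEADER = 20
UDP_HEADER = 8
RADIUS_HEADER = 20        # code, identifier, length, 16-byte authenticator
EAP_MESSAGE_MAX = 253     # RFC 2869: largest EAP-Message attribute value
EAP_MESSAGE = 79
STATE = 24
MESSAGE_AUTHENTICATOR = 80
DEFAULT_MTU = 1500


def eap_tls_request(eap_id, tls_data, total_len=None, more=False):
    """EAP-Request/EAP-TLS (type 13): L flag plus 4-byte TLS length on the
    first fragment, M flag while more fragments follow (RFC 5216 section 3.1)."""
    flags, prefix = 0, b""
    if total_len is not None:
        flags |= 0x80
        prefix = total_len.to_bytes(4, "big")
    if more:
        flags |= 0x40
    body = bytes([13, flags]) + prefix + tls_data
    return bytes([1, eap_id]) + (4 + len(body)).to_bytes(2, "big") + body


def eap_message_attrs(eap_packet):
    """Split one EAP packet over as many EAP-Message attributes as needed."""
    out = bytearray()
    for i in range(0, len(eap_packet), EAP_MESSAGE_MAX):
        chunk = eap_packet[i:i + EAP_MESSAGE_MAX]
        out += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    return bytes(out)


def build_access_challenge(eap_packet, state, secret, request_auth, ident=1):
    """RADIUS Access-Challenge (code 11) with EAP-Message, State and a valid
    Message-Authenticator, finished with the Response Authenticator."""
    attrs = eap_message_attrs(eap_packet) + bytes([STATE, len(state) + 2]) + state
    ma_zeroed = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    length = RADIUS_HEADER + len(attrs) + len(ma_zeroed)
    hdr = bytes([11, ident]) + length.to_bytes(2, "big")
    # RFC 3579 3.2: HMAC-MD5 over the packet with the Request Authenticator in
    # the header and the Message-Authenticator value zeroed.
    mac = hmac.new(secret, hdr + request_auth + attrs + ma_zeroed, hashlib.md5).digest()
    body = attrs + bytes([MESSAGE_AUTHENTICATOR, 18]) + mac
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(hdr + request_auth + body + secret).digest()
    return hdr + response_auth + body


def parse_attributes(pkt):
    """Walk the attribute TLVs; reject a packet whose length field disagrees."""
    if len(pkt) < RADIUS_HEADER or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("RADIUS length field does not match datagram")
    attrs, pos = [], RADIUS_HEADER
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return attrs


def datagram_report(pkt, mtu=DEFAULT_MTU):
    """Size the datagram on the wire and count the IPv4 fragments it would need."""
    attrs = parse_attributes(pkt)
    eap_len = sum(len(v) for t, v in attrs if t == EAP_MESSAGE)
    wire_len = IPV4_HEADER + UDP_HEADER + len(pkt)
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8   # fragment payloads are 8-byte multiples
    ip_fragments = math.ceil((wire_len - IPV4_HEADER) / per_fragment)
    return {"radius_len": len(pkt), "wire_len": wire_len, "eap_len": eap_len,
            "eap_message_attrs": sum(1 for t, _ in attrs if t == EAP_MESSAGE),
            "ip_fragments": ip_fragments, "fragmented": ip_fragments > 1}


def largest_safe_tls_fragment(mtu=DEFAULT_MTU, state_len=16):
    """Largest TLS payload per EAP-TLS request whose Access-Challenge still fits
    in `mtu` (one State attribute and a Message-Authenticator assumed)."""
    best, size = 0, 0
    while True:
        eap = eap_tls_request(1, bytes(size), total_len=3000, more=True)
        pkt = build_access_challenge(eap, bytes(state_len), b"k", bytes(16))
        if IPV4_HEADER + UDP_HEADER + len(pkt) > mtu:
            return best
        best, size = size, size + 1


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))    # constructed Request Authenticator
    cert_chain = bytes(3000)           # constructed stand-in for a TLS Certificate message
    for fragment in (1400, 1100):      # 1100 is the Framed-MTU value suggested above
        eap = eap_tls_request(2, cert_chain[:fragment], total_len=len(cert_chain), more=True)
        pkt = build_access_challenge(eap, b"S" * 16, secret, request_auth)
        print(fragment, datagram_report(pkt))
    print("largest fragment that fits a 1500-byte MTU:", largest_safe_tls_fragment())
```

Under these assumptions a 1400-byte TLS fragment produces a 1506-byte datagram that splits into two IP fragments, while 1100 bytes produces a 1204-byte datagram that does not; the largest fragment that still fits a 1500-byte MTU is 1394 bytes, which is why a value with headroom such as 1100 is the usual choice. The server-side equivalent of the hint, where the NAS does not send Framed-MTU, is the server's own EAP fragment size setting (on FreeRADIUS, `fragment_size` in the eap module's tls section).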

<insert info about RADIUS server support for Framed-MTU>

public/how_to_deal_with_fragmentation_of_eap_packets.txt · Last modified: 2022/10/05 13:04 by admin