Friday, May 22, 2020

Issues with IP Fragmentation when using EAP-TLS in RADIUS

We enforce 802.1X on the user access ports of our work-from-home devices (a mix of Aruba RAP/IAP). The certificates and certificate chains that EAP-TLS needs for workstation authentication are being stuffed whole inside single RADIUS Access-Request packets, albeit in 255-byte EAP fragments. Is there anything within EAP that allows these EAP fragments to be split across multiple RADIUS packets? Are there tweaks within EAP that result in only the host cert being passed rather than an entire chain?
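To check whether a given Access-Request will be fragmented at the IP layer, the following added example (not part of the original post) builds a constructed Access-Request, walks its EAP-Message attributes and sizes the resulting IPv4 datagram. The user name, the 1500-byte MTU, the option-free IPv4 header, the zeroed Message-Authenticator and the TLS payload sizes are assumptions; the 253-byte value limit per attribute follows from the one-octet RADIUS attribute length.

```python
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # RFC 3579 attribute types
MAX_ATTR_VALUE = 253         # 255-byte attribute minus its type and length octets
IPV4_UDP_OVERHEAD = 20 + 8   # assumed: IPv4 header without options + UDP header
# Constructed User-Name attribute (type 1); the host name is hypothetical.
USER_NAME = bytes([1, 24]) + b"host/ws01.example.test"

def eap_tls_fragment(tls_len):
    """Constructed EAP-Response of type EAP-TLS (13) carrying tls_len filler bytes."""
    body = bytes([13, 0x00]) + bytes(tls_len)   # type, flags, placeholder TLS data
    return struct.pack("!BBH", 2, 1, 4 + len(body)) + body

def build_access_request(eap_packet, other_attrs=b""):
    """Pack one EAP packet into a single Access-Request (code 1)."""
    attrs = other_attrs
    for i in range(0, len(eap_packet), MAX_ATTR_VALUE):
        chunk = eap_packet[i:i + MAX_ATTR_VALUE]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    # Placeholder Message-Authenticator: correct size, not a real HMAC-MD5.
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    # Header: code, identifier, length, 16-byte Request Authenticator (zeroed here).
    return struct.pack("!BBH16s", 1, 1, 20 + len(attrs), bytes(16)) + attrs

def inspect(radius_packet, mtu=1500):
    """Reassemble the EAP packet from its attributes and size the IP datagram."""
    if len(radius_packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", radius_packet[2:4])[0]
    if length != len(radius_packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos, eap, count = 20, b"", 0
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = radius_packet[pos], radius_packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        if atype == EAP_MESSAGE:
            eap += radius_packet[pos + 2:pos + alen]
            count += 1
        pos += alen
    datagram = IPV4_UDP_OVERHEAD + length
    return {"eap_attrs": count, "eap_len": len(eap),
            "ip_datagram": datagram, "ip_fragmented": datagram > mtu}

if __name__ == "__main__":
    for tls_len in (1000, 1400):   # constructed TLS payload sizes
        print(tls_len, inspect(build_access_request(eap_tls_fragment(tls_len), USER_NAME)))
```

Running the same `inspect` over Access-Requests taken from a packet capture shows how much room the non-EAP attributes leave before the datagram exceeds the path MTU.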


