On Wed, Dec 06, 2023 at 10:53:32AM +0000, Samuel Melrose wrote:
> If I can manage to get a patch together, what are everyone's feelings
> about being able to dynamically tune the EAP fragment_size setting,
> based on hints from the server?

Which fragment_size are you talking about here? The one in hostapd or the one in wpa_supplicant? And if the latter, how would a hint from the server make it to wpa_supplicant?

> On the server side, we've got FreeRADIUS and we've been able to
> configure it with a low EAP fragment_size value of 1012, however, it
> isn't possible to configure this on the clients, as they are all
> running Chrome OS (so using the Linux version of
> wpa_supplicant/hostapd, but with a read only rootfs where it's
> impossible to tune the configuration file) for both wireless
> WPA2-Enterprise & 802.1X.

Have you tested this with any other clients? Are there some client implementations that would actually dynamically change EAP-TLS fragmentation based on failures?

> A lot of people mention how impractical it is to be required to tune
> the fragment_size value in the configuration of each client, rather
> than having it pushed centrally.
>
> My thoughts are accepting Framed-MTU from the server as part of the
> Access-Challenge response, then tuning the EAP fragment_size based on
> that (taking into account the additional overheads): would you be
> willing to accept such a change?

I'm not sure I can follow the design here.. Access-Challenge goes from the RADIUS server to the AP/RADIUS client. It does not go to the Supplicant/client/wpa_supplicant, so that use of the Framed-MTU attribute on the client feels strange.

If this network deployment scenario is such that the Supplicant/EAP client needs to somehow probe for the maximum EAP message length, things are quite inconvenient since there is not really any good way for doing that..

If the EAP exchange happens to have a large message from the server first (and EAP-TLS in many cases does), an EAP client might try to figure out that there was a reason for the server to use a surprisingly small EAP message for fragmentation purposes and adapt to using a similar fragmentation threshold. This might need to be done separately for each EAP method, though.

-- 
Jouni Malinen PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
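The heuristic sketched in the last paragraph of the reply, worked through as an added example (not code from the thread, hostapd or wpa_supplicant): parse the EAP-TLS packets the server sends (RFC 3748 header, RFC 5216 flags), take the EAP length of any fragment with the M bit set as the server's fragmentation threshold, and cap the client's own fragment size at that value. The function names, the constructed 2560-byte TLS flight and the 1398-byte client default (wpa_supplicant's documented default, not stated in the thread) are assumptions of this example.

```python
from __future__ import annotations
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_TLS = 1, 2, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # RFC 5216 flags: Length included, More, Start

def parse_eap_tls(pkt: bytes) -> dict:
    """Parse one EAP packet (RFC 3748 header) carrying EAP-TLS (RFC 5216 body)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 6:
        raise ValueError("EAP Length field does not match packet size")
    if code not in (EAP_REQUEST, EAP_RESPONSE) or pkt[4] != EAP_TYPE_TLS:
        raise ValueError("not an EAP-TLS Request/Response")
    flags, off, tls_len = pkt[5], 6, None
    if flags & FLAG_L:  # a 4-byte TLS Message Length precedes the TLS data
        tls_len, off = struct.unpack("!I", pkt[6:10])[0], 10
    return {"code": code, "id": ident, "length": length, "flags": flags,
            "tls_len": tls_len, "data": pkt[off:]}

def fragment_tls(tls_msg: bytes, fragment_size: int, first_id: int,
                 code: int = EAP_REQUEST) -> list[bytes]:
    """Constructed peer: split a TLS message so no EAP packet exceeds fragment_size bytes."""
    pkts, pos, ident = [], 0, first_id
    while pos < len(tls_msg):
        first = pos == 0
        chunk = tls_msg[pos:pos + fragment_size - (10 if first else 6)]
        pos += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if pos < len(tls_msg) else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        body += struct.pack("!I", len(tls_msg)) if first else b""
        body += chunk
        pkts.append(struct.pack("!BBH", code, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
    return pkts

def infer_server_fragment_size(server_pkts) -> int | None:
    """Largest EAP length the server used on a packet with M set, i.e. its fragmentation threshold."""
    sizes = [p["length"] for p in map(parse_eap_tls, server_pkts) if p["flags"] & FLAG_M]
    return max(sizes) if sizes else None

def adopt_fragment_size(observed: int | None, configured: int = 1398) -> int:
    """Client rule (assumed): never send EAP packets larger than the server's own fragments."""
    return configured if observed is None else min(observed, configured)

if __name__ == "__main__":
    # Constructed sample: a 2560-byte server TLS flight fragmented at 1012 (the value in the thread).
    server_flight = fragment_tls(bytes(range(256)) * 10, 1012, first_id=1)
    print([len(p) for p in server_flight], infer_server_fragment_size(server_flight))
    print(adopt_fragment_size(infer_server_fragment_size(server_flight)))
```

As the reply notes, this only works when the server's first large message is fragmented; an unfragmented exchange yields no observation and the client keeps its configured value.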