> If the supplicant doesn't know what the local L2 MTU is, it's
> completely broken.

The issue is more about the supplicant knowing its MTU, sending the maximum payload possible (typically in EAP-TLS, where the supplicant has a lot to say), the authenticator encapsulating that in a RADIUS packet which grows larger than the MTU on its own uplink, leading to fragmentation of the UDP packet. That is not in principle a problem, but practical experience has shown that too many firewalls drop the fragments and auth doesn't work. It would be desirable to be able to tell the supplicant that it should send *less* than its own MTU to prevent that from happening.

On the server side, EAP fragment size is statically configured, and is often a lot less than what the supplicant could handle (1024 is a common default). Thus, sending less payload than would be possible means that a server has to split the EAP conversation into more RADIUS packets than need be, meaning more round-trips and longer time-to-auth.

greetings,

Stefan Winter

-- 
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter@restena.lu
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
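The trade-off described in the message above (an EAP fragment sized to the supplicant's L2 MTU overflows the authenticator's uplink MTU once it is wrapped in RADIUS, while a small static server-side fragment size costs extra round-trips) can be made concrete with a size model. The following is an added example and is not part of Stefan's message or of any RADIUS implementation. It assumes the header sizes from RFC 2865 (RADIUS), RFC 3579 (EAP-Message attribute, 253-octet chunks) and RFC 5216 (EAP-TLS flags and length field); the 100-octet budget for the remaining Access-Request attributes (User-Name, NAS-* attributes, State, and so on) and the 6000-octet TLS handshake payload are constructed values, not measurements.

```python
"""Size model for EAP-TLS carried inside RADIUS Access-Request datagrams.

Added example (not from the original mailing-list post). Header sizes follow
RFC 2865, RFC 3579 and RFC 5216; the attribute budget and TLS payload size used
in the demo are constructed assumptions.
"""

IPV4_HDR = 20                 # IPv4 header without options
UDP_HDR = 8
RADIUS_HDR = 20               # Code, Identifier, Length, Authenticator (RFC 2865)
RADIUS_ATTR_HDR = 2           # Type + Length octets per attribute
EAP_MESSAGE_CHUNK = 253       # max payload of one EAP-Message attribute (RFC 3579)
MESSAGE_AUTHENTICATOR = 18    # Type + Length + 16-octet HMAC-MD5 (RFC 3579)
OTHER_ATTRS = 100             # assumed budget for User-Name, NAS-*, State, ...

EAP_HDR = 5                   # Code, Identifier, Length(2), Type
EAP_TLS_FLAGS = 1             # L/M/S flag octet (RFC 5216)
EAP_TLS_LENGTH = 4            # TLS Message Length, present when L flag is set


def eap_message_attrs_len(eap_len: int) -> int:
    """Octets needed to carry eap_len EAP octets in EAP-Message attributes."""
    chunks = -(-eap_len // EAP_MESSAGE_CHUNK)   # ceiling division
    return eap_len + chunks * RADIUS_ATTR_HDR


def radius_datagram_size(eap_len: int, other_attrs: int = OTHER_ATTRS) -> int:
    """IPv4 datagram size of an Access-Request relaying one EAP packet."""
    return (IPV4_HDR + UDP_HDR + RADIUS_HDR + other_attrs
            + MESSAGE_AUTHENTICATOR + eap_message_attrs_len(eap_len))


def would_fragment(eap_len: int, uplink_mtu: int,
                   other_attrs: int = OTHER_ATTRS) -> bool:
    """True when the authenticator's uplink would have to IP-fragment the UDP datagram."""
    return radius_datagram_size(eap_len, other_attrs) > uplink_mtu


def max_eap_fragment(uplink_mtu: int, other_attrs: int = OTHER_ATTRS) -> int:
    """Largest EAP packet whose Access-Request still fits the uplink MTU unfragmented."""
    for eap_len in range(uplink_mtu, 0, -1):
        if not would_fragment(eap_len, uplink_mtu, other_attrs):
            return eap_len
    return 0


def eap_tls_fragments(tls_len: int, max_eap_len: int) -> list:
    """Sizes of the EAP-TLS packets needed to send tls_len octets of TLS data.

    The first fragment carries the 4-octet TLS length (L flag set); later
    fragments carry only the flags octet. The list length is the number of
    round-trips spent on this TLS flight.
    """
    if max_eap_len <= EAP_HDR + EAP_TLS_FLAGS + EAP_TLS_LENGTH:
        raise ValueError("max_eap_len too small to carry any TLS data")
    fragments = []
    remaining = tls_len
    first = True
    while remaining > 0:
        header = EAP_HDR + EAP_TLS_FLAGS + (EAP_TLS_LENGTH if first else 0)
        chunk = min(remaining, max_eap_len - header)
        fragments.append(header + chunk)
        remaining -= chunk
        first = False
    return fragments


if __name__ == "__main__":
    uplink_mtu = 1500
    tls_flight = 6000   # constructed: a server certificate chain in one TLS flight
    for eap_len in (1496, 1322, 1024):   # 1496 = 1500-octet L2 MTU minus EAPOL header
        size = radius_datagram_size(eap_len)
        trips = len(eap_tls_fragments(tls_flight, eap_len))
        print(f"EAP {eap_len:4d} octets -> RADIUS datagram {size:4d} octets, "
              f"{'fragmented' if size > uplink_mtu else 'fits':10s}, "
              f"{trips} round-trips for a {tls_flight}-octet TLS flight")
    print("largest unfragmented EAP packet at MTU 1500:", max_eap_fragment(uplink_mtu))
```

Running the demo shows the two ends of the problem: a supplicant-sized 1496-octet EAP packet becomes a 1674-octet Access-Request that a 1500-octet uplink must fragment, while the common 1024-octet server default fits comfortably but spends six round-trips on a 6000-octet TLS flight where the largest unfragmented size (1322 under these assumptions) needs five.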