[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [AAA-DOCTORS] [Dime] FEDAUTH BOF request
On Sun, 6 Jun 2010, Bernard Aboba wrote:
Previous tests have shown problems with use of RADIUS/EAP over UDP in
federated scenarios:
http://www.cesnet.cz/doc/techzpravy/2008/eduroam-authentication-over-jammed-
network/
As noted in the above paper, once packet loss is introduced, completing the
multiple roundtrips of EAP authentication becomes increasingly difficult.
This paper has some crazy figures.. look at the data for packet loss.
40% packet loss (client to server) = 78% success rate for PEAP-MSCHAPv2
40% packet loss (server to client) = 20% success rate for PEAP-MSCHAPv2
There is a footnote on this issue "The more favorable results for
client-to-server jamming are caused by the aggressive packet re-sending
strategy of wpa_supplicant compared to the behavior of Radiator."
If the server did not receive client request or client did not receive
server response the knowledge available and avenue for response by the
client is the same in either case. The figures appear to reflect a
substantial implementation artifact in the servers tx side retransmit.
regards,
Peter
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>