3.10.18. EAPTLS_MaxFragmentSize

For TLS-based EAP types, such as TLS, TTLS, and PEAP, this optional parameter specifies the maximum size in octets permitted for each TLS message fragment. The default value is 2048, but many EAP clients, routers, and wireless Access Points have limitations that require EAPTLS_MaxFragmentSize to be set as low as 1000 or less. Setting this number too small can result in excessive RADIUS request round trips during EAP TLS authentication. This slows down the authentication process. Setting this number too large can result in failure to complete TLS authentication for some types of clients and devices. Many customers find that 1300 is a good compromise.
The EAP packet encapsulated in the EAP-Message attribute, together with all other RADIUS attributes in the packet, must not exceed one Ethernet frame because EAP does not support fragmentation.
Depending on the number of other RADIUS attributes your switches or WLAN controllers send to the RADIUS server, you can increase EAPTLS_MaxFragmentSize. This may result in fewer RADIUS requests in the EAP conversation, which reduces the authentication time and lowers the load on both the RADIUS client (switch, WLAN controller) and the RADIUS server.
If an incoming RADIUS request carries a Framed-MTU attribute whose value is less than EAPTLS_MaxFragmentSize, Radiator uses the reported Framed-MTU to limit the fragment size for TLS, TTLS, PEAP, and PSK.
Special characters are supported.
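The trade-off described above (too small a fragment size means more RADIUS round trips; too large a fragment means the RADIUS packet no longer fits one Ethernet frame once the other attributes are added; a smaller Framed-MTU overrides the setting) is easier to reason about with a small calculator. The following is an added example, not Radiator code and not part of the Radiator documentation. The RADIUS and EAP field sizes come from the wire formats; the 1500-octet Ethernet payload, the IPv4/UDP header sizes, the 6000-octet TLS flight and the 40 octets of other attributes are constructed assumptions for the scenario.

```python
# Added example (not from the Radiator documentation): model how
# EAPTLS_MaxFragmentSize, the client's Framed-MTU and the other RADIUS
# attributes in an Access-Challenge interact.
import math

ETHERNET_PAYLOAD = 1500           # assumption: IPv4 MTU of a standard Ethernet frame
IP_UDP_HEADERS = 20 + 8           # IPv4 header without options + UDP header
RADIUS_HEADER = 20                # Code, Identifier, Length, Authenticator
ATTR_HEADER = 2                   # Type + Length octets of every RADIUS attribute
EAP_MESSAGE_MAX = 253             # largest EAP-Message value (attribute length <= 255)
EAP_TLS_OVERHEAD = 4 + 1 + 1 + 4  # EAP header, Type, Flags, TLS Message Length
                                  # (length field is on the first fragment only;
                                  # used here as the upper bound)


def effective_fragment_size(max_fragment_size, framed_mtu=None):
    """Rule from the documentation: a Framed-MTU smaller than
    EAPTLS_MaxFragmentSize caps the TLS fragment size."""
    if framed_mtu is not None and framed_mtu < max_fragment_size:
        return framed_mtu
    return max_fragment_size


def round_trips(tls_flight_size, fragment_size):
    """Access-Challenge/Access-Request pairs needed to deliver one TLS
    flight (for example the server Certificate chain) to the peer."""
    return math.ceil(tls_flight_size / fragment_size)


def radius_packet_size(fragment_size, other_attrs_bytes):
    """Octets in an Access-Challenge carrying one TLS fragment: the EAP
    packet is split across EAP-Message attributes of at most 253 octets,
    and every attribute adds a 2-octet header."""
    eap_len = EAP_TLS_OVERHEAD + fragment_size
    n_eap_attrs = math.ceil(eap_len / EAP_MESSAGE_MAX)
    return RADIUS_HEADER + eap_len + ATTR_HEADER * n_eap_attrs + other_attrs_bytes


def fits_in_ethernet_frame(fragment_size, other_attrs_bytes):
    """True when the whole IP datagram fits one frame without IP fragmentation."""
    total = IP_UDP_HEADERS + radius_packet_size(fragment_size, other_attrs_bytes)
    return total <= ETHERNET_PAYLOAD


def largest_safe_fragment(other_attrs_bytes, ceiling=2048):
    """Largest EAPTLS_MaxFragmentSize (at most the 2048 default) whose
    Access-Challenge still fits one frame given the other attributes."""
    for size in range(ceiling, 0, -1):
        if fits_in_ethernet_frame(size, other_attrs_bytes):
            return size
    return None


def plan(max_fragment_size, framed_mtu, tls_flight_size, other_attrs_bytes):
    """Summarise the effect of one EAPTLS_MaxFragmentSize choice."""
    frag = effective_fragment_size(max_fragment_size, framed_mtu)
    return {
        "fragment_size": frag,
        "round_trips": round_trips(tls_flight_size, frag),
        "fits_one_frame": fits_in_ethernet_frame(frag, other_attrs_bytes),
    }


if __name__ == "__main__":
    # Constructed scenario: a 6000-octet server Certificate flight and
    # 40 octets of other attributes (Message-Authenticator, State) per challenge.
    for size in (2048, 1300, 1000, 500):
        print(size, plan(size, None, 6000, 40))
    # Same choice when the client reports Framed-MTU 1200
    print("with Framed-MTU 1200:", plan(1300, 1200, 6000, 40))
    print("largest fragment that fits one frame:", largest_safe_fragment(40))
```

Running the scenario shows why the documentation's 1300 is a sensible middle ground under these assumptions: the 2048 default needs the fewest round trips but its challenge no longer fits a single frame, 1300 fits with five round trips for the 6000-octet flight, and dropping to 500 doubles the exchanges to twelve. The `other_attrs_bytes` input is the knob the documentation refers to: the more attributes your switch or controller adds, the lower `largest_safe_fragment` falls.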