Controller-less WLANs

Probable reason for Server timeout on IAP for client connecting using EAP-TLS

Posted 07-14-2014 04:16 PM

Question: How to identify why a client fails to authenticate with the reason "server timeout" on the IAP

Environment Information:

[Image: environment information]

In the example above we can see that the IAP sends the RADIUS packet to the controller, which forwards it to the RADIUS server. In EAP-TLS phase 3 the client sends its certificate. Because the certificate is large, the CLIENT CERTIFICATE is fragmented and sent to the server in several pieces. For example:

1. Working authentication example:

   i.   Packets #107 and #108 are the first fragment of the “CLIENT CERTIFICATE”.
   ii.  The EAP-TLS length is 3323, so it fits in three fragments.
   iii. After each fragment (#107 and #108), the RADIUS server should send a “RADIUS ACCESS CHALLENGE” to ACKNOWLEDGE that it has received the fragment.
   iv.  If no ACK is received, the CLIENT will retransmit the packet.

[Image: working authentication capture]

2. Non-working authentication example:

Using the filter “radius || ip.flags.mf == 1” shows all the RADIUS packets and IP fragments sent from the IAP to the controller.

   i.   After each fragment, the next packet should be a “RADIUS ACCESS CHALLENGE” from the server. Here, however, there is no response from the authentication server, which causes the client certificate to be retransmitted in #236 and #239.

[Image: non-working authentication capture]


We noticed that the firewall drops the fragments. The authentication server therefore assumes that the client is not sending data, while the client assumes that the server is not responding; the result is the server timeout.
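The diagnosis above rests on one observable pattern: Access-Requests that carry an IP-fragmented certificate chunk never get an Access-Challenge back and are retransmitted, while the small, unfragmented requests earlier in the same exchange are answered normally. The script below is an added example, not part of the original post, that applies that check to a capture exported from tshark as comma-separated fields (frame.number, ip.src, ip.dst, ip.flags.mf, radius.code, radius.id). It assumes the export was taken with IP reassembly turned off (tshark preference ip.defragment set to FALSE) so that the RADIUS header is decoded on the first fragment and trailing fragments have empty RADIUS fields, and it relies on RFC 2865 keeping the RADIUS Identifier unchanged on retransmission. The addresses and frame numbers in the sample are constructed, not taken from the capture in the post.

```python
"""Find the 'server timeout' signature in a RADIUS capture export:
Access-Requests that were IP-fragmented and never answered, next to
unfragmented requests that were answered.

Expected input (constructed here) is a tshark field export such as:
  tshark -r capture.pcap -o ip.defragment:FALSE -T fields -E separator=, \
         -e frame.number -e ip.src -e ip.dst -e ip.flags.mf \
         -e radius.code -e radius.id
Only the first IP fragment of a datagram carries the UDP/RADIUS header,
so trailing fragments have empty radius.code and radius.id fields.
"""
from dataclasses import dataclass
from typing import Optional

# RADIUS packet codes (RFC 2865).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11
REPLIES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}

# Constructed sample using documentation address ranges (not the post's capture).
NAS_IP = "192.0.2.10"        # the IAP, acting as RADIUS client
SERVER_IP = "198.51.100.20"  # the RADIUS server

# ids 40/41: small EAP messages, answered. id 42: IP-fragmented certificate
# chunk (first fragment has MF=1, trailing fragment has no RADIUS header),
# never answered and retransmitted twice with the same Identifier.
SAMPLE_EXPORT = """\
100,192.0.2.10,198.51.100.20,0,1,40
101,198.51.100.20,192.0.2.10,0,11,40
102,192.0.2.10,198.51.100.20,0,1,41
103,198.51.100.20,192.0.2.10,0,11,41
104,192.0.2.10,198.51.100.20,1,1,42
105,192.0.2.10,198.51.100.20,0,,
106,192.0.2.10,198.51.100.20,1,1,42
107,192.0.2.10,198.51.100.20,0,,
108,192.0.2.10,198.51.100.20,1,1,42
109,192.0.2.10,198.51.100.20,0,,
"""


@dataclass
class Frame:
    number: int
    src: str
    dst: str
    more_fragments: bool
    code: Optional[int]   # None on a trailing IP fragment (no RADIUS header)
    ident: Optional[int]


def parse_export(text):
    """Turn the comma-separated tshark export into Frame records."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        number, src, dst, mf, code, ident = line.split(",")
        frames.append(Frame(int(number), src, dst, mf == "1",
                            int(code) if code else None,
                            int(ident) if ident else None))
    return frames


def analyse(frames, nas_ip, server_ip):
    """Pair each Access-Request with the server reply carrying the same
    Identifier. A second request whose Identifier is still pending is a
    retransmission. Returns lists of (frame_number, was_ip_fragmented)."""
    pending = {}  # Identifier -> (frame number, fragmented) awaiting a reply
    report = {"answered": [], "retransmitted": [], "unanswered": []}
    for f in frames:
        if f.code is None:
            continue  # trailing IP fragment: nothing to match on
        if f.src == nas_ip and f.dst == server_ip and f.code == ACCESS_REQUEST:
            if f.ident in pending:
                report["retransmitted"].append(pending[f.ident])
            pending[f.ident] = (f.number, f.more_fragments)
        elif f.src == server_ip and f.dst == nas_ip and f.code in REPLIES:
            request = pending.pop(f.ident, None)
            if request is not None:
                report["answered"].append(request)
    report["unanswered"] = sorted(pending.values())
    return report


def fragment_filtering_suspected(report):
    """The post's conclusion as a test: every request that was retransmitted or
    left unanswered was IP-fragmented, and every answered request was not.
    That pattern points at fragments being dropped on the path rather than at
    a server that is down altogether."""
    failed = report["retransmitted"] + report["unanswered"]
    if not failed or not report["answered"]:
        return False
    return (all(frag for _, frag in failed)
            and not any(frag for _, frag in report["answered"]))


if __name__ == "__main__":
    result = analyse(parse_export(SAMPLE_EXPORT), NAS_IP, SERVER_IP)
    for key, entries in result.items():
        print(f"{key:13s} {entries}")
    print("fragment filtering suspected:", fragment_filtering_suspected(result))
```

If the check comes back true on a real export, the next place to look is the firewall or any other device between the NAS and the server that filters or fails to reassemble IP fragments; a server that was simply unreachable would leave the small requests unanswered as well.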

Comments
ivan@access2networks.com

How did you end up resolving the issue? Did you have to make a change on the firewall in order to stop it dropping fragments? I have the exact same setup and am experiencing the same issue.
