Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Client did not complete EAP transaction

  • 1.  Client did not complete EAP transaction

    Posted Aug 07, 2017 05:04 AM

     

    Hi Airheads

    I have approx. 25 branch offices running Aruba 215 APs with Instant Cluster config. They have exactly the same config and they also have the same HP PC clients with the same Windows 10 image. I am authenticating with 802.1x against a ClearPass server using the same certificate platform. All PCs in most branch offices work really fine, except PCs in two offices. The failure is that when they try to authenticate they get a TIMEOUT in ClearPass with the error message "Client did not complete EAP transaction". If I take one PC from an office that is not working and connect it in an office that is working, the PC authenticates OK, so the problem is not related to the PC, I guess. Can someone help me find out why I get the TIMEOUT and what could cause this?

     

    Kind regards,

    Stefan Klaesson



  • 2.  RE: Client did not complete EAP transaction

    EMPLOYEE
    Posted Aug 07, 2017 07:11 AM
    Which EAP method?
    Is the client supplicant managed centrally?


  • 3.  RE: Client did not complete EAP transaction

    Posted Aug 07, 2017 07:47 AM

    Hi Cappalli

     

    We are using EAP-PEAP with our Microsoft AD as the source. Yes, the supplicants are managed via centralized GPO.

     

    //Stefan



  • 4.  RE: Client did not complete EAP transaction

    EMPLOYEE
    Posted Aug 07, 2017 08:31 AM
    Is your EAP server certificate private or public CA-signed?


  • 5.  RE: Client did not complete EAP transaction

    Posted Aug 07, 2017 08:40 AM

    It's publicly signed.

     

    //Stefan



  • 6.  RE: Client did not complete EAP transaction

    EMPLOYEE
    Posted Aug 07, 2017 08:42 AM

    Either the clients aren't configured correctly or their drivers need to be updated.



  • 7.  RE: Client did not complete EAP transaction

    Posted Aug 07, 2017 09:13 AM

    No, I don't think this is due to client problems. If I take a client from one of those offices that don't work and connect it to an office that works, the client works OK! It's a particular problem with the 2 Instant Clusters at these sites.

     

    //Stefan



  • 8.  RE: Client did not complete EAP transaction

    Posted Aug 08, 2017 03:31 AM

    How sensitive is EAP over a GRE tunnel to packet fragmentation? Maybe my problem is due to this! I believe there is a standard MTU size of 1500 for an Aruba Instant cluster. There are many providers involved in my WAN connection and maybe one of these is destroying my packets! How can I change the MTU in my Aruba Instant environment? Do I change it in the AP itself or in the Controller?

     

    //Stefan



  • 9.  RE: Client did not complete EAP transaction

    EMPLOYEE
    Posted Aug 08, 2017 05:05 AM

    I have seen similar issues where some components in the path between AP and RADIUS server did not allow the large packets to come through. I have seen such issues solved by changing the vSwitch in VMware to allow jumbo-frames.

     

    What appears to be happening is that the EAP RADIUS packets are dropped when they need to be fragmented (or are fragmented); I first saw these issues appear when certificates no longer supported MD5 signatures. In your case, it is probably the RADIUS server certificate that gets fragmented/dropped, as EAP-PEAP (MSCHAPv2) does not send large frames from client to server. 

     

    What you can try to do is reduce the MTU on your RADIUS server, to prevent the RADIUS packets being fragmented on their way to the AP.

     

    It may be wise to do some packet captures in order to find out where the packet is lost/fragmented. If you can solve the fragmentation, that may be the better solution versus tweaking MTU on servers.
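
Added example (not written by any poster in this thread): Python that parses RADIUS payloads taken from a packet capture and reports which ones would exceed a given path MTU once the IPv4 and UDP headers are added, which is the check the post above suggests. The packets are constructed and carry only EAP-Message attributes; the 1400-byte EAP fragment and the 1400-byte path MTU are assumed values.

```python
import struct

RADIUS_HDR = 20           # code, identifier, length, 16-byte authenticator
EAP_MESSAGE = 79          # RADIUS attribute type that carries EAP
IP_UDP_OVERHEAD = 20 + 8  # IPv4 header without options + UDP header
CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}

def build_radius(code, ident, eap_payload):
    """Build a constructed RADIUS packet; EAP is split into <=253-byte attributes."""
    attrs = b""
    for i in range(0, len(eap_payload), 253):
        chunk = eap_payload[i:i + 253]
        attrs += struct.pack("!BB", EAP_MESSAGE, len(chunk) + 2) + chunk
    header = struct.pack("!BBH16s", code, ident, RADIUS_HDR + len(attrs), bytes(16))
    return header + attrs

def parse_radius(data):
    """Return (code name, RADIUS length, total EAP bytes) for one UDP payload."""
    code, _ident, length, _auth = struct.unpack("!BBH16s", data[:RADIUS_HDR])
    if length < RADIUS_HDR or length > len(data):
        raise ValueError("truncated or malformed RADIUS packet")
    eap_len, pos = 0, RADIUS_HDR
    while pos + 2 <= length:
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        if a_type == EAP_MESSAGE:
            eap_len += a_len - 2
        pos += a_len
    return CODES.get(code, str(code)), length, eap_len

def fragmentation_report(capture, path_mtu):
    """List (code, IPv4 datagram size, EAP bytes) for packets larger than path_mtu."""
    report = []
    for data in capture:
        name, length, eap_len = parse_radius(data)
        ip_len = length + IP_UDP_OVERHEAD
        if ip_len > path_mtu:
            report.append((name, ip_len, eap_len))
    return report

# Constructed capture: a small client request, then a server challenge carrying
# a 1400-byte EAP fragment (for example part of the server certificate chain).
CAPTURE = [build_radius(1, 1, bytes(60)), build_radius(11, 1, bytes(1400))]

if __name__ == "__main__":
    for mtu in (1500, 1400):  # 1400 is an assumed reduced WAN/tunnel path MTU
        print(mtu, fragmentation_report(CAPTURE, mtu))
```

The same challenge fits a 1500-byte path but needs fragmentation on the smaller one, so only the server-to-AP direction is affected and only at sites behind the reduced-MTU path.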



  • 10.  RE: Client did not complete EAP transaction

    Posted Aug 09, 2017 07:35 AM

    Hi Herman

    Thank you for your information. I have the same idea as you: there must be something with MTU size and fragmentation. Do you know how I change the MTU on the RADIUS server? I'm running a ClearPass server.

    //Stefan



  • 11.  RE: Client did not complete EAP transaction

    EMPLOYEE
    Posted Aug 09, 2017 09:24 AM

    It appears to be possible through the CLI:

    [appadmin@cppm]# configure mtu
    
    Usage:
        configure mtu <mgmt|data> <mtu-value>
    

    I have not tested this, and if this is a production environment, I would consult Aruba TAC before making this change.