Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Can ClearPass send a RADIUS framed-mtu value to wireless client?

  • 1.  Can ClearPass send a RADIUS framed-mtu value to wireless client?

    Posted Feb 06, 2019 08:08 PM

    Can ClearPass send a RADIUS framed-mtu value to wireless clients at the beginning of the EAP-TLS session?

     

    In some integrations we see that firewalls drop fragmented UDP (RADIUS) and in ClearPass the Access Tracker tells us that the wireless client did not complete the EAP-TLS transaction. In this scenario I am seeing EAP-TLS Client Hello frames above 1600 Bytes from my Aruba IAP virtual controller. These large frames get fragmented by the infrastructure and dropped by a firewall policy. Consequently, ClearPass and the wireless client do not complete EAP-TLS.

     

    I know that Microsoft NPS can send a Framed-MTU as part of a Network Policy [https://community.arubanetworks.com/t5/Wireless-Access/Tutorial-EAP-TLS-Configuration-Guide/td-p/78592]. 
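
The failure described in the post above can be checked from a packet capture. The following is an added example, not code from the thread or from Aruba: it parses a RADIUS Access-Request, totals its EAP-Message attributes, reports any Framed-MTU attribute, and tests whether the IPv4/UDP datagram exceeds a path MTU. The function names, the 1500-byte default and the sample packets are assumptions constructed for illustration.

```python
import struct

ATTR_FRAMED_MTU = 12   # RFC 2865, 4-byte integer
ATTR_EAP_MESSAGE = 79  # RFC 3579, at most 253 value bytes per attribute
IPV4_UDP_OVERHEAD = 20 + 8  # IPv4 header without options + UDP header

def parse_radius(packet):
    """Return (code, length, [(type, value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, length, attrs

def fragmentation_report(packet, path_mtu=1500):
    """Summarise the EAP payload and whether the datagram must be fragmented."""
    code, length, attrs = parse_radius(packet)
    eap_bytes = sum(len(v) for t, v in attrs if t == ATTR_EAP_MESSAGE)
    mtu = [v for t, v in attrs if t == ATTR_FRAMED_MTU and len(v) == 4]
    datagram = length + IPV4_UDP_OVERHEAD
    return {
        "code": code,
        "eap_bytes": eap_bytes,
        "framed_mtu": struct.unpack("!I", mtu[0])[0] if mtu else None,
        "ip_datagram_bytes": datagram,
        "will_fragment": datagram > path_mtu,
    }

def build_request(eap_payload, framed_mtu=None, ident=1):
    """Constructed sample Access-Request: zero authenticator, EAP split per 253 bytes."""
    attrs = b""
    if framed_mtu is not None:
        attrs += bytes([ATTR_FRAMED_MTU, 6]) + struct.pack("!I", framed_mtu)
    for i in range(0, len(eap_payload), 253):
        chunk = eap_payload[i:i + 253]
        attrs += bytes([ATTR_EAP_MESSAGE, len(chunk) + 2]) + chunk
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    return header + bytes(16) + attrs
```

A real Access-Request also carries attributes such as User-Name and Message-Authenticator, so the sizes computed for the constructed packets are a lower bound.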



  • 2.  RE: Can ClearPass send a RADIUS framed-mtu value to wireless client?

    EMPLOYEE
    Posted Feb 06, 2019 09:36 PM
    Administration » Server Manager » Server Configuration » Service Parameters » RADIUS: EAP-TLS Fragment Size


  • 3.  RE: Can ClearPass send a RADIUS framed-mtu value to wireless client?

    Posted Feb 06, 2019 09:38 PM

    Hi Tim,

     

    Thank you for the quick response. The default EAP-TLS Fragment Size on ClearPass is 1024. My wireless clients still send EAP-TLS client hello messages in excess of 1600 Bytes.



  • 4.  RE: Can ClearPass send a RADIUS framed-mtu value to wireless client?

    EMPLOYEE
    Posted Feb 06, 2019 09:40 PM
    Please work with Aruba TAC.


  • 5.  RE: Can ClearPass send a RADIUS framed-mtu value to wireless client?

    Posted Feb 06, 2019 09:50 PM

    I took my query there before coming here. The ClearPass and Wireless Aruba TAC teams did not have a solution.



  • 6.  RE: Can ClearPass send a RADIUS framed-mtu value to wireless client?
    Best Answer

    EMPLOYEE
    Posted Feb 07, 2019 12:08 AM
    Please ask for your case to be escalated.


  • 7.  RE: Can ClearPass send a RADIUS framed-mtu value to wireless client?

    Posted Feb 07, 2019 12:09 AM

    Thanks Tim.



  • 8.  RE: Can ClearPass send a RADIUS framed-mtu value to wireless client?

    Posted May 07, 2019 07:15 PM

    Hi Col,

     

    Experiencing the same issue in our environment as well. Did you make any progress with your escalation?



  • 9.  RE: Can ClearPass send a RADIUS framed-mtu value to wireless client?

    Posted Oct 31, 2019 12:57 AM

    Likewise, I'd be keen to hear a resolution as I'm having similar client issues.

     

    Wondering if Windows updates could be responsible for the change in client behaviour.

     



  • 10.  RE: Can ClearPass send a RADIUS framed-mtu value to wireless client?

    Posted Feb 27, 2020 02:51 PM

    Any luck on this? I have been fighting this for a year with no answers.



  • 11.  RE: Can ClearPass send a RADIUS framed-mtu value to wireless client?

    Posted Jun 21, 2022 11:06 AM
    No updates in two years? Does anyone have any workaround on how to set the maximum fragment size for an EAP packet on the client?


  • 12.  RE: Can ClearPass send a RADIUS framed-mtu value to wireless client?

    EMPLOYEE
    Posted 20 days ago
    You are responding to a very old discussion. Please open a new discussion with a description of your issue, client, NADs in use, version numbers.
    This is not a common issue as far as I know, so please open a TAC case if you have this issue.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------