Can ClearPass send a RADIUS framed-mtu value to wireless clients at the beginning of the EAP-TLS session?
In some integrations we see that firewalls drop fragmented UDP (RADIUS) and in ClearPass the Access Tracker tells us that the wireless client did not complete the EAP-TLS transaction. In this scenario I am seeing EAP-TLS Client Hello frames above 1600 Bytes from my Aruba IAP virtual controller. These large frames get fragmented by the infrastructure and dropped by a firewall policy. Consequently, ClearPass and the wireless client do not complete EAP-TLS.
I know that Microsoft NPS can send a Framed-MTU as part of a Network Policy [https://community.arubanetworks.com/t5/Wireless-Access/Tutorial-EAP-TLS-Configuration-Guide/td-p/78592].
Thank you for the quick response. The default EAP-TLS Fragment Size on ClearPass is 1024. My wireless clients still send EAP-TLS client hello messages in excess of 1600 Bytes.
I took my query there before coming here. The ClearPass and Wireless Aruba TAC teams did not have a solution.
Experiencing same issue in our environment as well. Did you make any progress with your escalation?
Likewise, I'd be keen to hear a resolution as I'm having similar client issues.
Wondering if Windows updates could be responsible for the change in client behaviour.
Any luck on this? I have been fighting this for a year with no answers.
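For anyone triaging the same symptom from a packet capture, the following is an added example (not from any poster in this thread and not ClearPass or Aruba code): a Python check that parses a RADIUS packet, sums the EAP-Message (type 79) payload, reads Framed-MTU (type 12) if present, and reports whether the resulting IPv4/UDP datagram exceeds the path MTU. The function names, the 1500-byte default MTU and the sample packets are assumptions; the samples are constructed and omit the other attributes a real NAS sends, so real datagrams will be somewhat larger.

```python
import struct

EAP_MESSAGE, FRAMED_MTU = 79, 12   # RADIUS attribute types (RFC 3579, RFC 2865)
IP_UDP_OVERHEAD = 20 + 8           # IPv4 header without options + UDP header

def parse_attributes(packet: bytes):
    """Yield (type, value) for each attribute of a RADIUS packet (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        # Attribute length byte counts the 2-byte type/length header as well.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def assess(packet: bytes, path_mtu: int = 1500) -> dict:
    """Report EAP payload size, advertised Framed-MTU and whether IP must fragment."""
    eap_len, framed_mtu = 0, None
    for atype, value in parse_attributes(packet):
        if atype == EAP_MESSAGE:
            eap_len += len(value)          # EAP packet is split across 253-byte attributes
        elif atype == FRAMED_MTU and len(value) == 4:
            framed_mtu = struct.unpack("!I", value)[0]
    ip_len = struct.unpack("!H", packet[2:4])[0] + IP_UDP_OVERHEAD
    return {"eap_bytes": eap_len, "framed_mtu": framed_mtu,
            "ip_datagram_bytes": ip_len, "ip_fragmented": ip_len > path_mtu}

def build_request(eap: bytes, framed_mtu=None) -> bytes:
    """Constructed sample Access-Request (code 1); not a capture from the thread."""
    attrs = b""
    if framed_mtu is not None:
        attrs += bytes([FRAMED_MTU, 6]) + struct.pack("!I", framed_mtu)
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(assess(build_request(bytes(1600))))          # oversized EAP payload
    print(assess(build_request(bytes(1024), 1100)))    # payload within a 1024-byte fragment
```

Running `assess` over Access-Requests exported from a capture taken on the NAS side of the firewall shows which requests need IP fragmentation and whether the NAS advertised a Framed-MTU at all.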