Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Wired 802.1X + Jumbo frames --> EAP-timeout

  • 1.  Wired 802.1X + Jumbo frames --> EAP-timeout

    Posted Jul 30, 2021 10:13 AM
    Hey guys,

    right now we are trying to implement 802.1X for the wired environment. Let me give you a short summary of our infrastructure:
    -2 ClearPass VMs on ESXi 6.7u3
    -2 redundant Aruba 5400R zl2 as our core switches
    -4 edge switch stacks (all stack members are 2930f switches)
    -Mobility Master, Controllers and Aruba EAPs
    ---> all of these are in the same VLAN (let's call it the ARUBA VLAN)
    -Clearpass is the Radius Server
    -Clearpass is connected to the Windows AD
    -Clearpass and all clients have certificates from our Windows CA

    We already have WPA2 Enterprise with EAP-TLS working for the Wi-Fi environment. It is rock solid. After some troubleshooting I could get EAP-TLS to work on the wired environment. For a week we were not able to understand why we were getting EAP timeouts when a client (Windows 10 laptops) tried to authenticate into the network. It was the random error: Client did not complete EAP transaction.

    But today I was able to pinpoint the issue: MTU & jumbo frames. After I deactivated jumbo frames on the ARUBA VLAN of the edge switches, the authentication was successful. Well, but now I get errors on my edge switches that say that there are oversized packets. So the goal has not been reached.

    So guys, can you help me out with this one? What should I do?
    What I tried so far:
    -disable jumbo frames on the edge switches ---> oversized packets error
    -set the MTU value on the ClearPass instances to 9000 for management and data (ARUBA VLAN on all switches had jumbo frames) --> EAP timeout
    -the above + MTU value 9000 on the vSwitch in VMware ---> EAP timeout
    -set the EAP-TLS fragment size on ClearPass to 1500 ---> EAP error

    Here another example of my infrastructure:
    WinClient --> RJ45 --> Edge Switch Stack --> 10 Gbit SFP+ LACP --> Core Switch --> 10 Gbit SFP+ --> VMware Host --> ClearPass as RADIUS Server <--> Windows AD and Windows CA

    ------------------------------
    Kevin
    ------------------------------
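As an added illustration of the sizing problem behind the "EAP-TLS fragment 1500 ---> EAP error" experiment above (example code, not from this thread or from ClearPass): the script builds the RADIUS Access-Challenge that carries one EAP-TLS fragment and reports the resulting IP datagram size, so you can check a candidate fragment size against the smallest MTU on the path. It assumes a 16-byte State attribute and no other attributes in the challenge; the TLS payload is constructed dummy data.

```python
import os
import struct

# Header sizes used to estimate the on-the-wire size of one RADIUS datagram.
IP_HDR, UDP_HDR, RADIUS_HDR = 20, 8, 20
EAP_MESSAGE_MAX = 253  # max data per EAP-Message attribute (255 - 2-byte attribute header, RFC 3579)


def build_eap_tls_request(identifier: int, tls_fragment: bytes, tls_total_len: int,
                          first: bool, more: bool) -> bytes:
    """EAP-Request of type 13 (EAP-TLS). Flags: L (0x80) = TLS length field present, M (0x40) = more fragments."""
    flags = (0x80 if first else 0) | (0x40 if more else 0)
    body = bytes([13, flags])
    if first:
        body += struct.pack("!I", tls_total_len)  # total TLS message length, only on the first fragment
    body += tls_fragment
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body  # code 1 = Request


def radius_access_challenge(eap: bytes, state: bytes = b"\x00" * 16) -> bytes:
    """Wrap an EAP packet in RADIUS: EAP-Message (79) chunks of <= 253 bytes, State (24), Message-Authenticator (80)."""
    attrs = b""
    for i in range(0, len(eap), EAP_MESSAGE_MAX):
        chunk = eap[i:i + EAP_MESSAGE_MAX]
        attrs += bytes([79, 2 + len(chunk)]) + chunk
    attrs += bytes([24, 2 + len(state)]) + state           # State value is an assumption (16 bytes)
    attrs += bytes([80, 18]) + b"\x00" * 16                 # HMAC-MD5 placeholder; value irrelevant for sizing
    return struct.pack("!BBH", 11, 1, RADIUS_HDR + len(attrs)) + os.urandom(16) + attrs  # code 11 = Access-Challenge


def wire_size_for_fragment(fragment_size: int) -> dict:
    """Sizes of EAP packet, RADIUS packet and IP datagram for one EAP-TLS fragment of fragment_size bytes."""
    tls = b"\x16" * fragment_size  # constructed dummy TLS record bytes
    eap = build_eap_tls_request(1, tls, tls_total_len=fragment_size * 3, first=True, more=True)
    radius = radius_access_challenge(eap)
    return {"eap_len": len(eap), "radius_len": len(radius), "ip_datagram": IP_HDR + UDP_HDR + len(radius)}


def fits_path_mtu(fragment_size: int, path_mtu: int) -> bool:
    """True if the datagram for this fragment size needs no IP fragmentation on a link with path_mtu."""
    return wire_size_for_fragment(fragment_size)["ip_datagram"] <= path_mtu


def largest_fragment_for_mtu(path_mtu: int) -> int:
    """Largest EAP-TLS fragment size whose first-fragment challenge still fits path_mtu."""
    for size in range(path_mtu, 0, -1):
        if fits_path_mtu(size, path_mtu):
            return size
    return 0


if __name__ == "__main__":
    for mtu in (1500, 9000):
        print(f"MTU {mtu}: fragment 1500 -> {wire_size_for_fragment(1500)['ip_datagram']} bytes on the wire, "
              f"fits={fits_path_mtu(1500, mtu)}, largest fitting fragment={largest_fragment_for_mtu(mtu)}")
```

The point it makes for this thread: a 1500-byte EAP-TLS fragment yields a datagram over 1500 bytes once the EAP, RADIUS, UDP and IP overhead is added, so it only passes cleanly when every hop between the switch and ClearPass really carries jumbo frames.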


  • 2.  RE: Wired 802.1X + Jumbo frames --> EAP-timeout

    Posted Sep 14, 2021 06:26 AM
    Hello Kevin,

    did you find a resolution for your problem?
    I am encountering a similar issue.

    Kind regards,
    Thomas

    ------------------------------
    Thomas
    ------------------------------



  • 3.  RE: Wired 802.1X + Jumbo frames --> EAP-timeout

    Posted Sep 14, 2021 06:38 AM
    Hey Thomas,

    yep, I got it working. I just simply disabled jumbo frames on my ARUBA VLAN. The oversized packets were sent by the APs. I had to disable jumbo frames on the APs. Those Aruba APs don't even use jumbos for the actual communication. There seems to be some kind of lookup/scan/debug module in the APs that will scan for jumbos. So there is nothing to lose by disabling those.

    Hope this helps you.

    ------------------------------
    Kevin
    ------------------------------