Hey guys,
Right now we are trying to implement 802.1X for the wired environment. Let me give you a short summary of our infrastructure:
- 2 ClearPass VMs on ESXi 6.7u3
- 2 redundant Aruba 5400R zl2 as our core switches
- 4 edge switch stacks (all stack members are 2930F switches)
- Mobility Master, controllers and Aruba APs
---> all of these are in the same VLAN (let's call it the ARUBA VLAN)
- ClearPass is the RADIUS server
- ClearPass is connected to the Windows AD
- ClearPass and all clients have certificates from our Windows CA
We already have WPA2 Enterprise with EAP-TLS working for the Wi-Fi environment. It is rock solid. After some troubleshooting I could get EAP-TLS to work on the wired environment. For a week we were not able to understand why we were getting EAP timeouts when a client (Windows 10 laptops) tried to authenticate into the network. It was the random error:
Client did not complete EAP transaction.
But today I was able to pinpoint the issue: MTU & jumbo frames. After I deactivated jumbo frames on the ARUBA VLAN of the edge switches, the authentication was successful. Well, but now I get errors on my edge switches that say that there are oversized packets. So the goal has not been reached.
So guys, can you help me out with this one? What should I do?
What I tried so far:
- disable jumbo frames on the edge switches ---> oversized packets error
- set the MTU value on the ClearPass instances to 9000 for management and data (ARUBA VLAN on all switches had jumbo frames) ---> EAP timeout
- the above + MTU value 9000 on the vSwitch in VMware ---> EAP timeout
- set the EAP-TLS fragment on ClearPass to 1500 ---> EAP error
Here is another example of my infrastructure:
WinClient --> RJ45 --> Edge Switch Stack --> 10 Gbit SFP+ LACP --> Core Switch --> 10 Gbit SFP+ --> VMware Host --> ClearPass as RADIUS server <--> Windows AD and Windows CA
------------------------------
Kevin
------------------------------
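Added example, not part of Kevin's post or any Aruba/ClearPass tool: a small calculator for the arithmetic behind the MTU question. It estimates how large the RADIUS Access-Challenge carrying one EAP-TLS fragment becomes on the wire (RFC 2865 header, EAP-Message attributes of at most 253 bytes, Message-Authenticator, RFC 3748/5216 EAP-TLS header), whether it fits a given path MTU or needs IPv4 fragmentation, and the largest fragment that still fits. The 18-byte State attribute is an assumed typical size; vendor attributes are ignored.

```python
import math

# Fixed header sizes (bytes) from the RFCs named in the lead-in.
IPV4_HDR, UDP_HDR, RADIUS_HDR = 20, 8, 20
ATTR_HDR = 2            # RADIUS attribute: type + length
EAP_MSG_MAX = 253       # EAP-Message value, since attribute length <= 255
MSG_AUTH = 18           # Message-Authenticator attribute (2 + 16-byte HMAC)
EAP_TLS_HDR = 6         # EAP code/id/length (4) + type (1) + EAP-TLS flags (1)
TLS_LEN_FIELD = 4       # TLS Message Length, present when the L bit is set
EAPOL_HDR = 4           # version, type, body length (client-to-switch leg)
STATE_ATTR = 18         # assumed size of the State attribute (not from the post)

def radius_challenge_size(tls_fragment, mtu, first_fragment=True):
    """Return (eap_len, radius_len, ip_len, ip_fragments) for one EAP-TLS
    fragment sent in a RADIUS Access-Challenge over a path with this MTU."""
    eap_len = EAP_TLS_HDR + (TLS_LEN_FIELD if first_fragment else 0) + tls_fragment
    n_attrs = math.ceil(eap_len / EAP_MSG_MAX)       # EAP packet split into 253-byte chunks
    radius_len = RADIUS_HDR + eap_len + n_attrs * ATTR_HDR + MSG_AUTH + STATE_ATTR
    ip_len = IPV4_HDR + UDP_HDR + radius_len
    if ip_len <= mtu:
        frags = 1
    else:
        per_frag = (mtu - IPV4_HDR) // 8 * 8             # fragment payload is a multiple of 8
        frags = math.ceil((ip_len - IPV4_HDR) / per_frag)
    return eap_len, radius_len, ip_len, frags

def max_tls_fragment_for_radius(mtu):
    """Largest EAP-TLS fragment whose Access-Challenge is a single IP datagram."""
    f = 0
    while radius_challenge_size(f + 1, mtu)[3] == 1:
        f += 1
    return f

def max_tls_fragment_for_eapol(link_mtu):
    """Largest first EAP-TLS fragment that fits one EAPOL frame on the client port.
    EAPOL has no fragmentation: Ethernet payload = EAPOL header + EAP packet."""
    return link_mtu - EAPOL_HDR - EAP_TLS_HDR - TLS_LEN_FIELD

if __name__ == "__main__":
    for frag, mtu in ((1500, 1500), (1500, 9000), (1000, 1500)):
        e, r, ip, n = radius_challenge_size(frag, mtu)
        print(f"fragment {frag:4d} / MTU {mtu:4d}: EAP {e}, RADIUS {r}, "
              f"IP datagram {ip} bytes -> {n} IPv4 fragment(s)")
    print("largest fragment for a 1500-byte RADIUS path:", max_tls_fragment_for_radius(1500))
    print("largest fragment on a 1500-byte client port  :", max_tls_fragment_for_eapol(1500))
```

The output shows why a 1500-byte EAP-TLS fragment never fits a standard 1500-byte path in either direction: the Access-Challenge becomes a 1606-byte datagram that must be IP-fragmented (or carried as a jumbo frame end to end), and the client's EAPOL frame cannot exceed 1486 bytes of TLS data at all.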