Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wired 802.1X + Jumbo frames --> EAP-timeout

  • 1.  Wired 802.1X + Jumbo frames --> EAP-timeout

    Posted Jul 30, 2021 10:13 AM
    Hey guys,

    right now we are trying to implement 802.1X for the wired environment. Let me give you a short summary of our infrastructure:
    -2 ClearPass VMs on ESXi 6.7u3
    -2 redundant Aruba 5400R zl2 as our core switches
    -4 edge switch stacks (all stack members are 2930F switches)
    -Mobility Master, controllers and Aruba APs
    ---> all of these are in the same VLAN (let's call it the ARUBA VLAN)
    -ClearPass is the RADIUS server
    -ClearPass is connected to the Windows AD
    -ClearPass and all clients have certificates from our Windows CA

    We already have WPA2 Enterprise with EAP-TLS working for the Wi-Fi environment. It is rock solid. After some troubleshooting I could get EAP-TLS to work on the wired environment. For a week we were not able to understand why we were getting EAP timeouts when a client (Windows 10 laptops) tried to authenticate into the network. It was the random error: Client did not complete EAP transaction.

    But today I was able to pinpoint the issue: MTU & jumbo frames. After I deactivated jumbo frames on the ARUBA VLAN of the edge switches, the authentication was successful. Well, but now I get errors on my edge switches that say that there are oversized packets. So the goal has not been reached.

    So guys, can you help me out with this one? What should I do?
    What I tried so far:
    -disable jumbo frames on the edge switches ---> oversized packets error
    -set the MTU value on the ClearPass instances to 9000 for management and data (ARUBA VLAN on all switches had jumbo frames) ---> EAP timeout
    -the above + MTU value 9000 on the vSwitch in VMware ---> EAP timeout
    -set the EAP-TLS fragment size on ClearPass to 1500 ---> EAP error

    Here is another view of my infrastructure:
    WinClient --> RJ45 --> Edge Switch Stack --> 10 Gbit SFP+ LACP --> Core Switch --> 10 Gbit SFP+ --> VMware Host --> ClearPass as RADIUS server <--> Windows AD and Windows CA

    ------------------------------
    Kevin
    ------------------------------
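The post above lists EAP-TLS fragment size, host MTU and switch jumbo settings as separate knobs, but they interact: a RADIUS datagram carrying an EAP-TLS fragment is larger than the fragment itself (RADIUS header, the 2-byte overhead of every EAP-Message attribute, Message-Authenticator, State), and whether that datagram leaves the host as one frame or several is decided by the sender's interface MTU, while whether a receiving port accepts a frame is decided by that port's jumbo setting. The following script is an added example, not code from the thread or from HPE Aruba; it models that chain so you can see which combinations produce a frame over 1518 bytes. The byte counts for the non-EAP attributes (36 bytes, i.e. Message-Authenticator plus a 16-byte State) and the untagged Ethernet overhead are assumptions for the model, not values taken from ClearPass, and the model does not claim to diagnose this particular deployment.

```python
"""Model: EAP-TLS fragment -> EAP-Message AVPs -> RADIUS -> UDP/IPv4 -> Ethernet.

Added example (not from the forum thread or from HPE Aruba).  It shows why an
EAP fragment that fits in 1500 bytes still yields a datagram that does not,
and how the sender's MTU decides between IP fragmentation and a single
oversized frame that a non-jumbo port will drop.
"""
import math

RADIUS_HEADER = 20        # code, identifier, length, authenticator (RFC 2865)
AVP_OVERHEAD = 2          # type + length per attribute
EAP_MESSAGE_MAX = 253     # max value length of one EAP-Message AVP (RFC 2869)
IPV4_HEADER = 20
UDP_HEADER = 8
ETH_OVERHEAD = 18         # 14-byte header + 4-byte FCS, untagged (assumption)
STD_MTU = 1500
STD_MAX_FRAME = STD_MTU + ETH_OVERHEAD   # 1518 bytes
OTHER_AVPS = 36           # assumption: Message-Authenticator (18) + State (18)


def eap_message_bytes(eap_len: int) -> int:
    """Bytes spent on EAP-Message AVPs for an EAP packet of eap_len bytes."""
    chunks = math.ceil(eap_len / EAP_MESSAGE_MAX)
    return eap_len + chunks * AVP_OVERHEAD


def radius_length(eap_len: int, other_avps: int = OTHER_AVPS) -> int:
    """Length field of the RADIUS packet carrying one EAP fragment."""
    return RADIUS_HEADER + eap_message_bytes(eap_len) + other_avps


def ipv4_packets(udp_len: int, mtu: int) -> list:
    """Sizes (IP header included) of the IPv4 packets a host with the given
    interface MTU emits for a UDP datagram of udp_len bytes."""
    if udp_len + IPV4_HEADER <= mtu:
        return [udp_len + IPV4_HEADER]
    # Non-final fragments carry a multiple of 8 payload bytes (RFC 791).
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    sizes, remaining = [], udp_len
    while remaining > 0:
        take = min(per_fragment, remaining)
        sizes.append(take + IPV4_HEADER)
        remaining -= take
    return sizes


def analyse(eap_fragment: int, host_mtu: int, link_mtu: int = STD_MTU,
            other_avps: int = OTHER_AVPS) -> dict:
    """Trace one RADIUS Access-Challenge from a server with host_mtu across a
    link whose ports accept frames up to link_mtu + ETH_OVERHEAD bytes."""
    rad_len = radius_length(eap_fragment, other_avps)
    frames = [p + ETH_OVERHEAD for p in ipv4_packets(UDP_HEADER + rad_len, host_mtu)]
    max_frame = link_mtu + ETH_OVERHEAD
    dropped = [f for f in frames if f > max_frame]
    return {
        "radius_length": rad_len,
        "frames": frames,               # Ethernet frame sizes on the wire
        "dropped": dropped,             # frames a non-jumbo port discards
        "delivered": not dropped,
    }


if __name__ == "__main__":
    scenarios = [
        ("EAP fragment 1500, server MTU 9000, non-jumbo link", 1500, 9000, 1500),
        ("EAP fragment 1500, server MTU 1500, non-jumbo link", 1500, 1500, 1500),
        ("EAP fragment 1024, server MTU 9000, non-jumbo link", 1024, 9000, 1500),
        ("EAP fragment 1500, server MTU 9000, jumbo link 9000", 1500, 9000, 9000),
    ]
    for label, frag, host_mtu, link_mtu in scenarios:
        r = analyse(frag, host_mtu, link_mtu)
        print(f"{label}: RADIUS length {r['radius_length']}, frames {r['frames']}, "
              f"{'delivered' if r['delivered'] else 'DROPPED ' + str(r['dropped'])}")
```

The first scenario is the instructive one: a 1500-byte EAP fragment becomes a 1568-byte RADIUS packet, and a server whose interface MTU is 9000 sends it as a single 1614-byte frame that a port without jumbo enabled discards, while the same datagram from a server with MTU 1500 is split into 1518 + 134 byte frames that pass everywhere. The lesson for the knobs in the post is that the EAP-TLS fragment size must leave room for the RADIUS and UDP/IP overhead if you want to avoid IP fragmentation, and that raising the server's MTU without jumbo support on every hop in between turns fragmentation into silent drops and hence EAP timeouts.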


  • 2.  RE: Wired 802.1X + Jumbo frames --> EAP-timeout

    Posted Sep 14, 2021 06:26 AM
    Hello Kevin,

    did you find a resolution for your problem?
    I encountered a similar issue.

    Kind regards,
    Thomas

    ------------------------------
    Thomas
    ------------------------------



  • 3.  RE: Wired 802.1X + Jumbo frames --> EAP-timeout

    Posted Sep 14, 2021 06:38 AM
    Hey Thomas,

    yep, I got it working. I just simply disabled jumbo frames on my ARUBA VLAN. The oversized packets were sent by the APs. I had to disable jumbo frames on the APs. Those Aruba APs don't even use jumbos for the actual communication. There seems to be some kind of lookup/scan/debug module in the APs that will scan for jumbos. So there is nothing to lose by disabling those.

    Hope this helps you.

    ------------------------------
    Kevin
    ------------------------------



  • 4.  RE: Wired 802.1X + Jumbo frames --> EAP-timeout

    Posted Oct 29, 2021 12:59 AM
    Just adding some info that may help you. 

    2930F - Per documentation, jumbo being enabled on the VLAN just allows the switch to receive jumbo packets. The VLAN can always transmit jumbo even when it's disabled. Your edge switch has the error as it's just a notification saying that jumbo packets are being sent.

    The BSSID will also change for the MTU once end-to-end 9 KB packets are successful between the AP and controller. When the environment is fully supported for jumbo, it just allows the aggregation of MSDUs/MPDUs without fragmenting.

    Since a normal frame is 1514 bytes, the MTU of the BSSID happens to be 1500 by default. Depending on how frames are being sent, there could be additional fragmentation between the AP and controller. When using jumbo, this will just allow the packets inside the GRE tunnel to not be fragmented.

    Probably disabling jumbo on the edge switch was the easiest solution. You will add more fragmentation between the AP and controller, but you will most likely never notice. It sounds like there could be a software-related issue somewhere, but that could mean spending extensive time chasing your tail with TAC and trying to prove the bug or issue exists.

    Good luck, 
    Justin

    ------------------------------
    Justin Kwasnik
    ------------------------------