When you add the IP address for the testing, do not include /32. At least some older versions of ClearPass behaved a bit strange if a network device was added with the /32 notation instead of just the IP address.
At the moment I do not remember exactly what happened, but I think ClearPass couldn't find the entry and instead utilized the larger subnet.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Feb 21, 2024 10:31 AM
From: nchiharb
Subject: ClearPass Fragmentation - Auth
Thanks Herman. If I check 'Enable RadSec' for my Access Devices in CP (my APs) will it stop accepting RADIUS traffic and only accept RADSEC? I am looking to pilot this change before we move it to production.
Right now I have all my APs defined by a Device Group via their subnet, so to pilot I planned to create a one-off Access Device entry for one AP using its /32 and enable RadSec here, ideally not affecting my other APs during testing. I would pilot off this AP then make the change for my entire Access Device subnet when we cut over.
I am planning to have everything tested her by end-of-week.
Original Message:
Sent: Feb 21, 2024 07:36 AM
From: Herman Robers
Subject: ClearPass Fragmentation - Auth
Not sure what you are looking for. RadSec is RADIUS encapsulated in a TLS/SSL tunnel, so there is no real difference in the protocol or attributes, just the transport is different. For clients or for your policy, it's all the same.
If you want to block traditional RADIUS, set the RADIUS secret to some random/garbage value. Or block RADIUS traffic somewhere in a firewall or router in between the switch and ClearPass.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Feb 20, 2024 04:22 PM
From: nchiharb
Subject: ClearPass Fragmentation - Auth
I noticed there are no RADSEC specific attributes for related services in ClearPass. Is the idea here just to leverage RADIUS attributes and services, but make sure my AP's have RADSEC enabled and are using a RADSEC enabled wireless network?
I've already confirmed RADSEC services are running in CP.
Original Message:
Sent: Feb 13, 2024 09:07 AM
From: Herman Robers
Subject: ClearPass Fragmentation - Auth
RadSec may be the most realiable fix. But you can for EAP-TLS configure the EAP fragment size:
And many network devices allow you to configure the eap fragment size as well. But when using load-balancers, using RadSec also resolves challenges around CoA. I think I heard issues before with the AWS load balancer.
Did you get further already?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Feb 05, 2024 12:11 PM
From: nchiharb
Subject: ClearPass Fragmentation - Auth
Afternoon-
We are experiencing timeouts with ClearPass authentication requests over our new AWS based network. We have isolated the issue itself to our Gateway Load Balancers in AWS as when static VPN routes are setup to bypass the GWLB authentication runs without issue. We believe we are experiencing issues related to fragmentation.
Our ClearPass instance has been running on AWS EC2 for months now without issue, however we ran into issues when recently migrating to our new network topology.
| Error Code: | 9002 |
| Error Category: | RADIUS protocol |
| Error Message: | Request timed out |
| RADIUS | Last EAP Packet Processing Time = 3 ms |
| RADIUS | Client did not complete EAP transaction |
| 2024-02-01 19:34:24,222 | [Th 19 Req 56654 SessId R00002c7e-01-65bc46a0] INFO RadiusServer.Radius - rlm_eap_tls: Initiate |
| 2024-02-01 19:34:24,222 | [Th 19 Req 56654 SessId R00002c7e-01-65bc46a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 48:88:C8-34-8E-22-49-36:AOkAHQBKAH9O3QAAacBgJ9UNwTEcvtUwOd+b7A== |
| 2024-02-01 19:35:19,527 | [main SessId R00002c7e-01-65bc46a0] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R00002c7e-01-65bc46a0, state - AOkAHQBKAH9O3QAAacBgJ9UNwTEcvtUwOd+b7A= |
| 2024-02-01 19:35:19,527 | [main SessId R00002c7e-01-65bc46a0] ERROR RadiusServer.Radius - reqst_clean_list: Packet 48:391:88:C8-34-8E-22-49-36 recv 1706837664.218780 - resp 1706837664.222118 |
| 2024-02-01 19:35:19,527 | [main SessId R00002c7e-01-65bc46a0] INFO RadiusServer.Radius - Last EAP Packet Processing Time = 3 ms |
We cannot adjust MTU values as again our instance is running on EC2 and the commands have been removed. Default MTU I believe is 9001 which I understand Amazon manages, jumbo frames. Auth leverages RADIUS and I am starting to explore RadSec as this should hopefully resolve the timeout issues we are seeing.
I have an active support case that seems to be dragging a bit, hoping someone in the community has experienced this or has thoughts of a potential fix.
-N