Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Fragmentation Radius responses

  • 1.  Fragmentation Radius responses

    Posted Nov 29, 2018 09:51 AM

    We use Clearpass for EAP-TLS authentication.

    One of our WAN suppliers does not allow fragmented packets.

    On this branch we cannot get EAP-TLS to function.

    The MTU settings we made on our VM500:

    Data port MTU 1300

    EAP-TLS fragment MTU 1300 (default 1024)

    (management port = default MTU 1500)

     

    In tracker we see timeouts for EAP-TLS clients. EAP-PEAP no problem.

     

    In Wireshark we see that the packets sent by Clearpass are fragmented on the IP layer. (protocol IPv4)

    I expected the fragmentation - not on the IP layer but - in EAP-TLS. (all packets protocol RADIUS).

     

    How can I change the behaviour of Clearpass to not fragment on IP layer but fragment in EAP-TLS protocol?
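
A size budget for the settings in the question above, as an added example that is not part of the original post or of ClearPass. It assumes the fragment setting bounds the TLS data carried in each EAP-TLS packet, an IPv4 header without options, and a 34-byte State attribute (a constructed value).

```python
# Fixed per-packet overheads, in bytes.
IP_HDR = 20            # IPv4 header without options (assumption)
UDP_HDR = 8
RADIUS_HDR = 20        # code, identifier, length, 16-byte authenticator
ATTR_HDR = 2           # type + length in front of every RADIUS attribute
ATTR_MAX_VALUE = 253   # most value bytes one RADIUS attribute can carry
MSG_AUTH = ATTR_HDR + 16   # Message-Authenticator, sent alongside EAP-Message
EAP_HDR = 4            # code, identifier, length
EAP_TLS_HDR = 1 + 1 + 4    # type, flags, TLS Message Length (worst case: present)


def radius_datagram_size(tls_fragment, other_attrs=0):
    """IPv4 datagram size of a RADIUS packet carrying one EAP-TLS fragment.

    other_attrs is the encoded size of everything else in the packet
    (State, Proxy-State, ...); it varies per deployment.
    """
    eap_len = EAP_HDR + EAP_TLS_HDR + tls_fragment
    # The EAP packet is split over as many EAP-Message attributes as needed.
    n_attrs = (eap_len + ATTR_MAX_VALUE - 1) // ATTR_MAX_VALUE
    eap_attrs = eap_len + n_attrs * ATTR_HDR
    return IP_HDR + UDP_HDR + RADIUS_HDR + eap_attrs + MSG_AUTH + other_attrs


def max_tls_fragment(path_mtu, other_attrs=0):
    """Largest EAP-TLS fragment whose RADIUS packet fits in path_mtu, or 0."""
    # Datagram size grows with the fragment, so the first fit from the top wins.
    for size in range(path_mtu, 0, -1):
        if radius_datagram_size(size, other_attrs) <= path_mtu:
            return size
    return 0


if __name__ == "__main__":
    STATE = 34  # constructed: a State attribute with a 32-byte value
    for frag in (1024, 1300):
        total = radius_datagram_size(frag, STATE)
        verdict = "fits" if total <= 1300 else "needs IP fragmentation"
        print(f"fragment {frag}: {total}-byte datagram, {verdict} at MTU 1300")
    print("largest fragment for MTU 1300:", max_tls_fragment(1300, STATE))
```

Under these assumptions a fragment setting equal to the data port MTU cannot fit in one datagram, because the EAP, RADIUS, UDP and IP headers are added on top of it.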



  • 2.  RE: Fragmentation Radius responses

    Posted Jan 03, 2019 08:55 AM

    Bump



  • 3.  RE: Fragmentation Radius responses

    Posted Mar 18, 2021 03:33 PM
    Did you manage to resolve this issue? Looks like I am having similar challenges where a wifi client is using EAP-TLS to authenticate against ClearPass. The Virtual Controller does the hand off to the CPPM server and I get a Timeout. Using sniffer software I see the packet being fragmented and the server never sees the last fragmented packet, so it issues a retry. I actually have Aruba TAC involved in this and they cannot seem to help me solve it. Thanks in advance.

    ------------------------------
    Nicolas Oakes
    ------------------------------