Did you test/know already the end-to-end MTU?
Try to find the maximum value for the ICMP payload, which typically will be somewhere between 1000-1450 over WAN/VPN.
If you know the maximum MTU, then go 50 or 100 bytes below that for your EAP fragmentation setting on switches/APs. ClearPass has a default EAP fragmentation size of 1024 bytes for sending, but it is configurable.
If you can move to RadSec, that would completely evade this issue.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
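The probe-then-size procedure from the reply above, as an added shell example; it is not code from the thread or from HPE Aruba. It assumes Linux iputils ping (-M do sets Don't-Fragment, -s is the ICMP payload length), a placeholder hostname, and the 28-byte IPv4+ICMP header overhead; sim_probe and its 1400-byte path MTU are constructed so the search can be exercised offline.

```shell
#!/bin/sh
# Added example: find the largest DF-flagged ICMP payload that survives the
# path, derive the path MTU, and pick an EAP fragment size 50-100 bytes below it.

# probe_df HOST PAYLOAD: one Don't-Fragment echo with PAYLOAD data bytes.
# Succeeds only if PAYLOAD + 28 bytes fits every hop (Linux iputils ping assumed).
probe_df() {
  ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# sim_probe HOST PAYLOAD: constructed offline stand-in for probe_df that
# pretends the path MTU is $SIM_PMTU bytes (default 1400).
sim_probe() {
  [ $(( $2 + 28 )) -le "${SIM_PMTU:-1400}" ]
}

# find_max_payload HOST LO HI [PROBE]: binary search for the largest payload in
# [LO, HI] that PROBE accepts; prints 0 if nothing in the range passes.
find_max_payload() {
  host=$1; lo=$2; hi=$3; probe=${4:-probe_df}; best=0
  while [ "$lo" -le "$hi" ]; do
    mid=$(( (lo + hi) / 2 ))
    if "$probe" "$host" "$mid"; then
      best=$mid; lo=$(( mid + 1 ))   # fits: try something larger
    else
      hi=$(( mid - 1 ))             # dropped or "message too long": go smaller
    fi
  done
  echo "$best"
}

# path_mtu PAYLOAD: payload plus 20-byte IPv4 header and 8-byte ICMP header.
path_mtu() { echo $(( $1 + 28 )); }

# eap_fragment_size PAYLOAD [MARGIN]: the rule of thumb from the reply,
# path MTU minus MARGIN bytes (default 100), for the switch/AP/ClearPass setting.
eap_fragment_size() { echo $(( $1 + 28 - ${2:-100} )); }

# Usage: sh probe_mtu.sh clearpass.example.net   (hostname is a placeholder)
if [ "$#" -ge 1 ]; then
  max=$(find_max_payload "$1" 1000 1472)
  echo "max ICMP payload: $max, path MTU: $(path_mtu "$max"), \
suggested EAP fragment size: $(eap_fragment_size "$max")"
fi
```

Run it against the ClearPass server (or the far end of the VPN) from the NAD side of the WAN; a result of 0 means even a 1000-byte payload is being dropped and the range should be lowered.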
Original Message:
Sent: Feb 10, 2025 08:40 AM
From: Paul Wheeler
Subject: suddenly getting timeouts on authentications
We have similar issues with network fragmentation. To what size did you reduce the MTU?
Original Message:
Sent: Jul 16, 2022 03:58 PM
From: erpankajbhargava@gmail.com
Subject: suddenly getting timeouts on authentications
Hi
We had a similar issue in our environment: user authentication requests were timing out on ClearPass and users were not able to access any services.
During investigation, we found the RADIUS server was sending Access-Challenge requests to the user, but there was no response from the user side.
However, we then found packets were getting fragmented in the network. Then, on the controller side, we reduced the MTU size for the corporate SSID, after which we started seeing user authentication on the ClearPass side.
Regards
Pankaj
Original Message:
Sent: Jul 15, 2022 01:35 PM
From: Walter Reynolds
Subject: suddenly getting timeouts on authentications
I am not so sure this is a client issue. We have the same problems, though we do use EAP-PEAP.
On the good connections, we (usually) see an auth method of EAP-PEAP,EAP-MSChapv2. The bad ones mostly show just EAP-PEAP. It appears that it completes the outer method but never finishes the MSCHAPv2 auth. We also see the same error in the logs:
2022-07-15 13:10:58,047 | [main SessId R0009aad9-18-62d19f71] ERROR RadiusServer.Radius - reqst_clean_list |
I am told that this is most likely an issue with transient users being in marginal signal errors. That seems unlikely to me, as the authentication time is so quick that a person walking would most likely have time to connect. Possibly they are in a weak signal, or maybe they are on a bus that is going by fast enough. But I still think we have way too many timeouts for that to be the case, though on a large campus in the middle of the city, it very well may be.
Original Message:
Sent: Jul 15, 2022 10:08 AM
From: Unknown User
Subject: suddenly getting timeouts on authentications
This sounds 100% like a client issue. I would recommend ensuring all client NIC card and wireless drivers are up to date.
Original Message:
Sent: Jul 15, 2022 09:28 AM
From: Jan-Aart vd Akker
Subject: suddenly getting timeouts on authentications
Hi,
No changes have been made to the certificates recently. And I have been testing the pilot location again and everything is working just fine now.
It's pretty baffling that there is nothing I can find that might explain the behaviour I am seeing.
Could you let me know the best way forward if I see this again? Would a Wireshark capture be the best option, or should I also enable other debugs? I could make a TAC case, but I guess I have not enough information for the TAC team to work with, and I would like to be able to send them as much information as possible as soon as this happens again!
Thanks in advance!
Original Message:
Sent: Jul 14, 2022 12:18 PM
From: Colin Joseph
Subject: suddenly getting timeouts on authentications
Did you change the radius server certificate recently?
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
Original Message:
Sent: Jul 14, 2022 02:10 AM
From: Jan-Aart vd Akker
Subject: suddenly getting timeouts on authentications
Hi,
It sounded like that to me as well, but I need to be able to understand what is going wrong. We are not the sysadmins for the supplicants; we just do the wifi/networking part. What is strange is that it has been working on a few sites for weeks just fine. I can't find a reason as to why the supplicant would not specify a proper EAP method for authentication when it has been doing this for weeks and, in this case, this site was successful for an hour or two.
It's also weird that we see this issue on wired and wireless clients. Both worked fine and suddenly everything is timing out on the ClearPass server.
I guess I should be making a trace as soon as this issue is there again to see if ClearPass is sending back traffic to the NAD successfully. I'm pretty sure the NADs are sending the authentications to the ClearPass server, since I'm getting timeouts. It could be multiple issues, but it still baffles me that the supplicant is sending a request based on EAP and not EAP-TLS; maybe someone can explain why I am seeing that?
Original Message:
Sent: Jul 13, 2022 03:22 PM
From: Unknown User
Subject: suddenly getting timeouts on authentications
This sounds like a client issue. The main things that come to mind are an improperly designed or degraded wireless deployment, a mis-configured supplicant, or a driver issue.
Original Message:
Sent: Jul 13, 2022 10:07 AM
From: Unknown User
Subject: suddenly getting timeouts on authentications
Hi All,
I have been migrating a site to be secured through ClearPass today, and after 15 minutes or so, I had everything working just fine. We use EAP-TLS on the clients. At some point, I suddenly started receiving TIMEOUTs and with that a Deny Access Profile. There has not been any change since we migrated over and started seeing the timeouts. These timeouts were the same on the wireless service and on the wired portion of the network. I am not able to find why this would happen so suddenly; it's not even one location but all locations that have been working just fine.
The only difference I can find is in the Authentication Method. A working authentication would have EAP-TLS as the method, and an authentication with a timeout would have only EAP as the Authentication Method. I have never seen this before. I can't think of any reason why the method would not be EAP-TLS but only EAP without any addition like -TLS.
Does anyone know what could be the cause of this? Would this be a supplicant issue, or could this be a ClearPass-related issue? No other changes have been made by me or other engineers when I was doing the migration and testing. The alert for the failing requests is:
Error Code: 9002
Error Category: RADIUS protocol
Error Message: Request timed out
RADIUS: Client did not complete EAP transaction
When I check the logs of one of the authentications that timed out, I only see the following that looks out of the ordinary:
2022-07-13 11:29:11,764 | [main SessId R00000509-01-62ce902d] ERROR RadiusServer.Radius - reqst_clean_list: |
Is there anyone who might be able to point me in the right direction? For now I just disabled dot1x on the network (it's still kind of a pilot, so not a very big issue there).
Kind regards!