Usage of Framed MTU in dot1x profile


Usage of Framed MTU in Dot1x profile.


The option framed MTU in the dot1x profile is to allow the radius server to fragment large packets during the dot1x exchange and it is not for the Controller to fragment. In the below scenario, Framed MTU of szie 500 is used. The authentication server used is CPPM​ and authentication Method is EAP-TLS.


  1. The Client sends “Access request packets” setting the famed MTU of size 500 as configured in the dot1x profile.


     2. The Controller forwards the packet and the radius server replays with “Access challenge”(in our case CPPM); start EAP TLS.


     3. The client starts the secure connections by sending “client hello”.



     4. Following that, CPPM server sends server hello and the certificate. The certificate is fragmented using the framed MTU values (500) set in the “Access Request”. Also, the CPPM server is asking for the client certificate in packet 13 as the server cert is fragmented till packet 12.


      5. The client sends the certificate which is fragmented at 1480 as below after which the authentication is successful.



The option Framed MTU in the dot1x profile is requesting the server to fragment the larger packets during radius authentication and not used by the Controller.

Version history
Revision #:
2 of 2
Last update:
‎07-16-2019 04:01 PM
Updated by:
Labels (1)


Thank you for the the detailed article. Can you please confirm that this use case is for a dot1x Profile on a Mobility Controller?