Probable reason for Server timeout on IAP for client connecting using EAP-TLS
Question: How to identify the reason for the client unable to authenticate with reason "server timeout" on the IAP
Environment Information :
In above example we could see that the IAP is sending the RADIUS packet to the controller and it forwards the RADIUS packet to the server. In EAP-TLS phase 3, Client sends the certificate. Due to bigger length of the certificate the CLIENT CERTIFICATE is fragmented and sent to the server. For example
1. Working authentication Example :
i. Packet #107 and Packet#108 are the first fragment of the “CLIENT CERTIFICATE”.
ii. EAP-TLS length is 3323, so it would fit in three fragments.
iii. After each fragment (#107 and Packet#108 ), RADIUS server should send the “RADIUS ACCESS CHALLENGE” to ACKNOWLEDGE that it has received the fragment.
iv. If no ACK received CLIENT will retransmitt the packet.
2. Non Working authentication Example :
If we use filter “radius || ip.flags.mf == 1, it shows all the RADIUS packets, fragments from IAP to the controller.
i. After the fragment the next packet should be from the server “RADIUS ACCESS CHALLENGE”. However, there is no response from the authentication server causing the retransmission of the client certificate #236 and #239.
we have noticed that the firewall drops the fragments causing the authentication server to assume that the client is not sending the data and client assume that the server is not responding, causing the serer timeout