Security

Can ClearPass send a RADIUS framed-mtu value to wireless clients at the beginning of the EAP-TLS session?

 

In some integrations we see that firewalls drop fragmented UDP (RADIUS) and in ClearPass the Access Tracker tells us that the wireless client did not complete the EAP-TLS transaction. In this scenario I am seeing EAP-TLS Client Hello frames above 1600 Bytes from my Aruba IAP virtual controller. These large frames get fragmented by the infrastrcuture and dropped by a firewall policy. Consequently, ClearPass and the wireless client do not complete EAP-TLS.

 

I know that Microsoft NPS can send a Framed-MTU as part of a Network Policy [https://community.arubanetworks.com/t5/Wireless-Access/Tutorial-EAP-TLS-Configuration-Guide/td-p/78592]. 

Administration » Server Manager » Server Configuration > Service Parameters > RADIUS: EAP-TLS Fragment Size

Hi Tim,

 

Thank you for the quick response. The default EAP-TLS Fragment Size on ClearPass is 1024. My wireless clients still send EAP-TLS client hello messages in excess of 1600 Bytes.

Please work with Aruba TAC.

I took my query there before coming here. The ClearPass and Wireless Aruba TAC teams did not have a solution.

Please ask for your case to be escalated.

Thanks Tim.

Hi Col,

 

Experiencing same issue in our environment as well.  Did you make any progress with your escalation?

likewise i'd be keen to hear resolution as i'm having similar client issues.

 

wondering if windows updates could be responsble for change in client behaviour.  

 

Any Luck on this.  I have been fighting this for a year with no answers.

No updates in two years? Does anyone have any workaround on how to set the maximum fragment size for an EAP packet on the client?
Original Message:
Sent: Feb 27, 2020 02:50 PM
From: David Andersen
Subject: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Any Luck on this.  I have been fighting this for a year with no answers.

You are responding to a very old discussion. Please open a new discussion with a description of your issue, client, NADs in use, version numbers.
This is not a common issue as far as I know, so please open a TAC case if you have this issue.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jun 21, 2022 09:16 AM
From: Pat Badger
Subject: Can ClearPass send a RADIUS framed-mtu value to wireless client?

No updates in two years? Does anyone have any workaround on how to set the maximum fragment size for an EAP packet on the client?
Original Message:
Sent: Feb 27, 2020 02:50 PM
From: David Andersen
Subject: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Any Luck on this.  I have been fighting this for a year with no answers.