Col
Occasional Contributor II

Can ClearPass send a RADIUS framed-mtu value to wireless client?

Can ClearPass send a RADIUS framed-mtu value to wireless clients at the beginning of the EAP-TLS session?

 

In some integrations we see that firewalls drop fragmented UDP (RADIUS) and in ClearPass the Access Tracker tells us that the wireless client did not complete the EAP-TLS transaction. In this scenario I am seeing EAP-TLS Client Hello frames above 1600 Bytes from my Aruba IAP virtual controller. These large frames get fragmented by the infrastructure and dropped by a firewall policy. Consequently, ClearPass and the wireless client do not complete EAP-TLS.

 

I know that Microsoft NPS can send a Framed-MTU as part of a Network Policy [https://community.arubanetworks.com/t5/Wireless-Access/Tutorial-EAP-TLS-Configuration-Guide/td-p/78592]. 

Guru Elite

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Administration » Server Manager » Server Configuration > Service Parameters > RADIUS: EAP-TLS Fragment Size

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Col
Occasional Contributor II

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Hi Tim,

 

Thank you for the quick response. The default EAP-TLS Fragment Size on ClearPass is 1024. My wireless clients still send EAP-TLS client hello messages in excess of 1600 Bytes.

Guru Elite

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Please work with Aruba TAC.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Col
Occasional Contributor II

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

I took my query there before coming here. The ClearPass and Wireless Aruba TAC teams did not have a solution.

Guru Elite

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Please ask for your case to be escalated.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Col
Occasional Contributor II

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Thanks Tim.
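
The size problem described in the first post, as an added example that is not part of the original thread: a Python sketch that builds a constructed RADIUS Access-Request carrying an EAP packet in 253-byte EAP-Message attributes (type 79), then parses it to report Framed-MTU (type 12), the total EAP bytes, and whether the IPv4/UDP datagram exceeds a path MTU. The 1500-byte path MTU, the zeroed authenticator fields, the sample Framed-MTU of 1100 and the function names are assumptions made for illustration.

```python
import struct

RADIUS_HDR = 20                 # code, identifier, length, 16-byte authenticator
IP_UDP_HDR = 20 + 8             # IPv4 header without options + UDP header
FRAMED_MTU, EAP_MESSAGE, MESSAGE_AUTH = 12, 79, 80
MAX_ATTR_VALUE = 253            # one RADIUS attribute holds at most 253 value bytes

def build_access_request(eap_packet, framed_mtu=None, ident=1):
    """Constructed Access-Request: EAP packet split across EAP-Message attributes."""
    attrs = b""
    if framed_mtu is not None:
        attrs += struct.pack("!BBI", FRAMED_MTU, 6, framed_mtu)
    for i in range(0, len(eap_packet), MAX_ATTR_VALUE):
        chunk = eap_packet[i:i + MAX_ATTR_VALUE]
        attrs += struct.pack("!BB", EAP_MESSAGE, len(chunk) + 2) + chunk
    # Zeroed placeholder of the right size, not a real HMAC-MD5 value.
    attrs += struct.pack("!BB", MESSAGE_AUTH, 18) + bytes(16)
    header = struct.pack("!BBH", 1, ident, RADIUS_HDR + len(attrs))
    return header + bytes(16) + attrs

def inspect(packet, path_mtu=1500):
    """Walk the attributes and report sizes relevant to IP fragmentation."""
    if len(packet) < RADIUS_HDR:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HDR or length > len(packet):
        raise ValueError("bad RADIUS length field")
    framed_mtu, eap_bytes, pos = None, 0, RADIUS_HDR
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == FRAMED_MTU and alen == 6:
            framed_mtu = struct.unpack("!I", value)[0]
        elif atype == EAP_MESSAGE:
            eap_bytes += len(value)
        pos += alen
    ip_len = IP_UDP_HDR + length
    return {"framed_mtu": framed_mtu, "eap_bytes": eap_bytes,
            "ip_datagram_bytes": ip_len, "fragments": ip_len > path_mtu}

if __name__ == "__main__":
    # Constructed inputs: a 1600-byte EAP packet as in the post, and a 1024-byte one.
    print(inspect(build_access_request(bytes(1600))))
    print(inspect(build_access_request(bytes(1024), framed_mtu=1100)))
```

A real Access-Request also carries attributes such as User-Name and NAS identifiers, so the datagram on the wire is larger than the figure computed here.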
