Occasional Contributor II

Can ClearPass send a RADIUS framed-mtu value to wireless client?

Can ClearPass send a RADIUS framed-mtu value to wireless clients at the beginning of the EAP-TLS session?

In some integrations we see that firewalls drop fragmented UDP (RADIUS) and in ClearPass the Access Tracker tells us that the wireless client did not complete the EAP-TLS transaction. In this scenario I am seeing EAP-TLS Client Hello frames above 1600 Bytes from my Aruba IAP virtual controller. These large frames get fragmented by the infrastructure and dropped by a firewall policy. Consequently, ClearPass and the wireless client do not complete EAP-TLS.

I know that Microsoft NPS can send a Framed-MTU as part of a Network Policy [https://community.arubanetworks.com/t5/Wireless-Access/Tutorial-EAP-TLS-Configuration-Guide/td-p/78592]. 
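
A diagnostic for the symptom described in the question above, as an added example that is not part of the original post or any Aruba code: it parses a raw RADIUS packet (for instance bytes exported from a capture), reassembles the EAP-Message attributes, and reports whether the packet fits in one IPv4 datagram. The 1500-byte path MTU, the option-less IPv4 header, the function names and the sample packets are assumptions constructed for this example.

```python
import struct

FRAMED_MTU, EAP_MESSAGE = 12, 79  # RADIUS attribute types (RFC 2865, RFC 3579)
IP_UDP_OVERHEAD = 20 + 8          # assumed: IPv4 header without options + UDP header
EAP_TYPE_TLS, MORE_FRAGMENTS = 13, 0x40  # EAP-TLS type and its M flag (RFC 5216)

def parse_radius(packet):
    """Return (framed_mtu or None, reassembled EAP bytes) from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    framed_mtu, eap, pos = None, b"", 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == FRAMED_MTU and len(value) == 4:
            framed_mtu = struct.unpack("!I", value)[0]
        elif atype == EAP_MESSAGE:      # one EAP packet spans several attributes
            eap += value
        pos += alen
    return framed_mtu, eap

def fragmentation_report(packet, path_mtu=1500):
    """Say whether this RADIUS packet fits in one IPv4 datagram on the path."""
    framed_mtu, eap = parse_radius(packet)
    total = struct.unpack("!H", packet[2:4])[0] + IP_UDP_OVERHEAD
    is_tls = len(eap) >= 6 and eap[4] == EAP_TYPE_TLS
    return {
        "ip_datagram_len": total,
        "will_fragment": total > path_mtu,
        "framed_mtu": framed_mtu, "eap_len": len(eap),
        "eap_tls_more_fragments": is_tls and bool(eap[5] & MORE_FRAGMENTS),
    }

def build_sample_request(eap_len, framed_mtu=None):
    """Constructed Access-Request carrying one EAP-TLS response of eap_len bytes."""
    eap = struct.pack("!BBHBB", 2, 1, eap_len, EAP_TYPE_TLS, 0) + bytes(eap_len - 6)
    attrs = b"" if framed_mtu is None else struct.pack("!BBI", FRAMED_MTU, 6, framed_mtu)
    for i in range(0, len(eap), 253):   # EAP-Message values hold at most 253 bytes
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for size in (1024, 1600):
        print(size, fragmentation_report(build_sample_request(size, framed_mtu=1400)))
```

Running the report on the same Access-Request captured on both sides of the firewall shows whether a packet flagged `will_fragment` on the NAS side is the one missing on the ClearPass side.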


Accepted Solutions
Moderator

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Please ask for your case to be escalated.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |



All Replies
Moderator

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Administration » Server Manager » Server Configuration » Service Parameters » RADIUS: EAP-TLS Fragment Size



| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Hi Tim,

Thank you for the quick response. The default EAP-TLS Fragment Size on ClearPass is 1024. My wireless clients still send EAP-TLS client hello messages in excess of 1600 Bytes.

Moderator

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Please work with Aruba TAC.



| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

I took my query there before coming here. The ClearPass and Wireless Aruba TAC teams did not have a solution.

Moderator

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Please ask for your case to be escalated.



| Aruba Alumni | @timcappalli | timcappalli.me |


Occasional Contributor II

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Thanks Tim.

New Contributor

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Hi Col,

Experiencing same issue in our environment as well. Did you make any progress with your escalation?

All-Decade MVP 2020

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Likewise, I'd be keen to hear the resolution, as I'm having similar client issues.

Wondering if Windows updates could be responsible for the change in client behaviour.


New Contributor

Re: Can ClearPass send a RADIUS framed-mtu value to wireless client?

Any luck on this? I have been fighting this for a year with no answers.
