Framed-MTU RADIUS attribute operation clarification

  • 1.  Framed-MTU RADIUS attribute operation clarification

    Posted Jan 06, 2019 09:33 AM

    Hello All,

     

    This might be a simple one, but I cannot figure out how this attribute works and what exactly it does. As per Microsoft KB:

    -------------------------------------------------------------------------------------------------

    Framed MTU is used with EAP authentication to notify the RADIUS server about the Maximum Transmission Unit (MTU) negotiation with the client.

    -------------------------------------------------------------------------------------------------

    In the PCAP I can see that this attribute is included in the Access-Request packet sent by the AP, but the attribute parameter is actually configured on the RADIUS:

    Screenshot 2019-01-06 at 14.25.33.png

    The value is also never honored by the AP; no matter which MTU size I set on the RADIUS, the AP always sends it as 1400. I am not sure how the AP can even be aware of that value.

     

    Thanks,

    Myky

     



  • 2.  RE: Framed-MTU RADIUS attribute operation clarification

    EMPLOYEE
    Posted Jan 07, 2019 07:10 AM

    What problem are you trying to solve?



  • 3.  RE: Framed-MTU RADIUS attribute operation clarification
    Best Answer

    Posted Jan 07, 2019 08:04 AM

    @Tim thanks for your response. 

     

    My question is more about getting a better understanding of how the Framed-MTU attribute works. I have an access point (non-Aruba) using EAP-PEAP authentication for an SSID, which does not work until Framed-MTU is changed. Taking a PCAP from the RADIUS (NPS server), I see the Client Hello message (packet 5, PCAP attached), the server responds with another Access-Challenge (packet 6), but there is no Server Hello. Changing Framed-MTU on the NPS server resolves the issue, but I don't know why.

     

    Thanks,

    Myky



  • 4.  RE: Framed-MTU RADIUS attribute operation clarification

    Posted Jan 14, 2019 07:48 PM

    ClearPass is my RADIUS server; it's configured and operating with 1024.

     

    I am seeing EAP-TLS Client Hello frames above 1600 bytes from my Aruba IAP virtual controller. These large frames get fragmented by the infrastructure and dropped by a firewall policy. Consequently, ClearPass and the wireless client do not complete EAP-TLS.

     

    I know that Microsoft NPS can send a Framed-MTU as part of a Network Policy [https://community.arubanetworks.com/t5/Wireless-Access/Tutorial-EAP-TLS-Configuration-Guide/td-p/78592]. How would I do the same sort of Framed-MTU in ClearPass? 

     

    EDIT: Updated this post after reading the link.
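
An added example, not part of any post in this thread: a Python check that reads Framed-MTU (attribute type 12, RFC 2865) and the total EAP-Message bytes out of a RADIUS packet taken from a capture, and flags datagrams that exceed a path MTU and would be fragmented as described in post 4. The sample packet is constructed, and `parse_radius`, `will_fragment`, `build_sample` and the 1500-byte default path MTU are assumptions of this example.

```python
import struct

FRAMED_MTU, EAP_MESSAGE = 12, 79  # attribute types (RFC 2865, RFC 3579)
IP_UDP_OVERHEAD = 20 + 8          # IPv4 header without options + UDP header

def parse_radius(packet: bytes) -> dict:
    """Walk the attribute TLVs of one RADIUS packet (the UDP payload)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match the data")
    framed_mtu, eap_bytes, pos = None, 0, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length runs past the packet")
        value = packet[pos + 2:pos + a_len]
        if a_type == FRAMED_MTU and len(value) == 4:
            framed_mtu = struct.unpack("!I", value)[0]
        elif a_type == EAP_MESSAGE:  # one EAP packet may span several attributes
            eap_bytes += len(value)
        pos += a_len
    return {"code": code, "id": ident, "length": length,
            "framed_mtu": framed_mtu, "eap_bytes": eap_bytes}

def will_fragment(info: dict, path_mtu: int = 1500) -> bool:
    """True when the IPv4/UDP datagram carrying this packet exceeds path_mtu."""
    return info["length"] + IP_UDP_OVERHEAD > path_mtu

def build_sample(framed_mtu: int, eap_payload: bytes) -> bytes:
    """Constructed Access-Request (code 1, zeroed authenticator), not a capture."""
    attrs = bytes([FRAMED_MTU, 6]) + struct.pack("!I", framed_mtu)
    for i in range(0, len(eap_payload), 253):  # 253 = max attribute value size
        chunk = eap_payload[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for size in (200, 1600):  # constructed EAP payload sizes
        info = parse_radius(build_sample(1400, bytes(size)))
        print(info, "fragments at 1500:", will_fragment(info))
```

To use it on real traffic, pass the UDP payload of each RADIUS packet exported from the capture to `parse_radius` and set `path_mtu` to the smallest MTU between the NAS and the RADIUS server.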