Contributor I

Framed-MTU RADIUS attribute operation clarification

Hello All,


This might be a simple one, but I cannot figure out how this attribute works and what exactly it does. As per Microsoft KB:


Framed MTU is used with EAP authentication to notify the RADIUS server about the Maximum Transmission Unit (MTU) negotiation with the client.


In the PCAP I can see that this attribute is included in the Access-Request packet sent by the AP, but the attribute parameter is actually configured on the RADIUS:

Screenshot 2019-01-06 at 14.25.33.png

The value is also never honored by the AP; no matter which MTU size I set on the RADIUS, the AP always sends it as 1400. I am not sure how the AP can even be aware of that value.





Guru Elite

Re: Framed-MTU RADIUS attribute operation clarification

What problem are you trying to solve?

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Contributor I

Re: Framed-MTU RADIUS attribute operation clarification

@Tim thanks for your response. 


My question is more about getting a better understanding of how the Framed-MTU attribute works. I have an access point (non-Aruba) using EAP-PEAP authentication for an SSID, which does not work until Framed-MTU is changed. Taking a PCAP from the RADIUS (NPS server), I see the Client Hello message (packet 5, PCAP attached), and the server responds with another Access-Challenge (packet 6), but there is no Server Hello. Changing Framed-MTU on the NPS server resolves the issue, but I don't know why.




Occasional Contributor II

Re: Framed-MTU RADIUS attribute operation clarification

ClearPass is my RADIUS server; it's configured and operating with 1024.


I am seeing EAP-TLS Client Hello frames above 1600 bytes from my Aruba IAP virtual controller. These large frames get fragmented by the infrastructure and dropped by a firewall policy. Consequently, ClearPass and the wireless client do not complete EAP-TLS.


I know that Microsoft NPS can send a Framed-MTU as part of a Network Policy []. How would I do the same sort of Framed-MTU in ClearPass? 


EDIT: Updated this post after reading the link.
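
Added example (not part of any post in this thread): a small Python check for the symptom discussed above. It parses a raw RADIUS payload, reads Framed-MTU (attribute 12) and the total EAP-Message (attribute 79) size, and reports whether the resulting IPv4 datagram would exceed the path MTU and fragment. The function names, the 1500-byte default path MTU, the IPv4-without-options overhead and the sample packets are assumptions constructed for the demo, not values from the attached PCAP.

```python
import struct

FRAMED_MTU = 12       # RFC 2865 attribute type, 4-byte integer value
EAP_MESSAGE = 79      # RFC 3579 attribute type, at most 253 bytes of EAP per attribute
IP_UDP_OVERHEAD = 28  # assumption: IPv4 header without options (20) + UDP header (8)

def parse_radius(pkt):
    """Return (code, attribute list) for a raw RADIUS payload (the UDP data)."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[off], pkt[off + 1]
        if a_len < 2 or off + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, pkt[off + 2:off + a_len]))
        off += a_len
    return code, attrs

def mtu_report(pkt, path_mtu=1500):
    """Summarise Framed-MTU, EAP payload size and whether the datagram fits path_mtu."""
    code, attrs = parse_radius(pkt)
    framed = [struct.unpack("!I", v)[0] for t, v in attrs if t == FRAMED_MTU and len(v) == 4]
    eap_len = sum(len(v) for t, v in attrs if t == EAP_MESSAGE)
    ip_size = struct.unpack("!H", pkt[2:4])[0] + IP_UDP_OVERHEAD
    return {"code": code, "framed_mtu": framed[0] if framed else None,
            "eap_bytes": eap_len, "ip_size": ip_size, "fragments": ip_size > path_mtu}

def build_sample(framed_mtu, eap_bytes):
    """Constructed Access-Request (code 1) for the demo; not taken from the thread's PCAP."""
    attrs = struct.pack("!BBI", FRAMED_MTU, 6, framed_mtu)
    eap = bytes(eap_bytes)
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for mtu, eap in ((1400, 1396), (1400, 1600)):
        print(mtu_report(build_sample(mtu, eap)))
```

Feed it the UDP payload of each Access-Request or Access-Challenge exported from a capture; any packet reported with "fragments": True is a candidate for being dropped by a firewall that blocks IP fragments.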
