Contributor I

Framed-MTU RADIUS attribute operation clarification

Hello All,

 

This might be a simple one, but I cannot figure out how this attribute works and what exactly it does. As per the Microsoft KB:

-------------------------------------------------------------------------------------------------

Framed MTU is used with EAP authentication to notify the RADIUS server about the Maximum Transmission Unit (MTU) negotiation with the client.

-------------------------------------------------------------------------------------------------

In the PCAP I can see that this attribute is included in the Access-Request packet sent by the AP, but the attribute parameter is actually configured on the RADIUS:

Screenshot 2019-01-06 at 14.25.33.png

The value is also never honored by the AP; no matter which MTU size I set on the RADIUS, the AP always sends it as 1400. I am not sure how the AP can even be aware of that value.

 

Thanks,

Myky

 

Guru Elite

Re: Framed-MTU RADIUS attribute operation clarification

What problem are you trying to solve?


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Framed-MTU RADIUS attribute operation clarification

@Tim thanks for your response. 

 

My question is more about getting a better understanding of how the Framed-MTU attribute works. I have an access point (non-Aruba) using EAP-PEAP authentication for an SSID, which does not work until Framed-MTU is changed. Taking a PCAP from the RADIUS (NPS server), I see a Client Hello message (packet 5, PCAP attached), and the server responds with another Access-Challenge (packet 6), but there is no Server Hello. Changing Framed-MTU on the NPS server resolves the issue, but I don't know why.

 

Thanks,

Myky

Col
Occasional Contributor II

Re: Framed-MTU RADIUS attribute operation clarification

ClearPass is my RADIUS server; it's configured and operating with 1024.

 

I am seeing EAP-TLS Client Hello frames above 1600 bytes from my Aruba IAP virtual controller. These large frames get fragmented by the infrastructure and dropped by a firewall policy. Consequently, ClearPass and the wireless client do not complete EAP-TLS.

 

I know that Microsoft NPS can send a Framed-MTU as part of a Network Policy [https://community.arubanetworks.com/t5/Wireless-Access/Tutorial-EAP-TLS-Configuration-Guide/td-p/78592]. How would I do the same sort of Framed-MTU in ClearPass? 

 

EDIT: Updated this post after reading the link.
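
Added example, not part of any post in this thread: a small parser that reads Framed-MTU (attribute type 12) and the EAP-Message payload (type 79) from a RADIUS packet and reports whether the resulting datagram exceeds the path MTU, which is the fragmentation symptom described in the post above. The function names, the 1500-byte path MTU, the IPv4-without-options header size and the sample packets are assumptions constructed for illustration.

```python
import struct

FRAMED_MTU, EAP_MESSAGE = 12, 79   # attribute types from RFC 2865 / RFC 3579

def parse_attrs(packet: bytes):
    """Validate the RADIUS header and return (code, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field disagrees with captured bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def summarize(packet: bytes, path_mtu: int = 1500):
    """Report Framed-MTU, total EAP payload and whether IP must fragment."""
    _code, attrs = parse_attrs(packet)
    mtu = [struct.unpack("!I", v)[0] for t, v in attrs
           if t == FRAMED_MTU and len(v) == 4]
    eap = sum(len(v) for t, v in attrs if t == EAP_MESSAGE)
    radius_len = struct.unpack("!H", packet[2:4])[0]
    ip_len = 20 + 8 + radius_len          # assumed: IPv4 without options + UDP
    return {"framed_mtu": mtu[0] if mtu else None, "eap_bytes": eap,
            "ip_len": ip_len, "fragments": ip_len > path_mtu}

def build_sample(framed_mtu: int, eap_len: int) -> bytes:
    """Constructed Access-Request (code 1); EAP bytes are zero filler."""
    body = struct.pack("!BBI", FRAMED_MTU, 6, framed_mtu)
    eap = bytes(eap_len)
    for i in range(0, eap_len, 253):      # an attribute value holds at most 253 bytes
        chunk = eap[i:i + 253]
        body += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    # Constructed cases: a 1600-byte EAP payload versus a 1000-byte one.
    for mtu, size in ((1400, 1600), (1024, 1000)):
        print(summarize(build_sample(mtu, size)))
```

To use it on a real capture, pass the UDP payload of an Access-Request or Access-Challenge to `summarize` and set `path_mtu` to the smallest MTU between the NAS and the RADIUS server.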
