Thanks for the quick reply Scott!
We're using a Controller-based solution with AOS 8.9 so it's not quite the same setup, but it's AOS so... After looking around a fair bit in the Controller GUI I found the setting! It's a global setting, so it will affect the entire controller/level you add the value on.
Authentication -> Advanced -> EAP Fragmentation IP MTU
Currently it's empty, and when I do "show dot1x eap-frag-mtu" it shows me nothing.
Will let you know how that works out for us :)
------------------------------
John-Egil Solberg |
ACMX | ACCX
------------------------------
Original Message:
Sent: Nov 08, 2022 02:35 PM
From: Scott Doorey
Subject: ClearPass in Azure - Azure Load Balancer for RADIUS
Hey John-Egil,
I sure did and I've been meaning to update this post so thanks for the prompt.
The issue was that the client certificate response from the AP was sent with a payload size that exceeded the MTU, causing IP level fragmentation.
I was able to work with TAC to implement a fix in AOS 10 using API calls to change the group config.
There is a command "dot1x eap-frag-mtu <IPMTU>" which can be applied to the AP to reduce the size of the EAP response. I set this to 1100 and the EAP packets were fragmented within the RADIUS packets rather than at the IP level, which allowed them to pass through the Azure load balancer no problem!
This setting is not available via the Aruba Central GUI so I had to use the API to push this to the group config. For this I used the Aruba Central automation studio (Thanks Aaron!) which is here: https://central.wifidownunder.com/
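An added illustration of the mechanism Scott describes (not code from this thread or from Aruba): it splits a TLS flight into EAP-TLS fragments capped at a given EAP size, modelled here as the AP's eap-frag-mtu value (an assumption about how that setting bounds the EAP packet), wraps each in RADIUS EAP-Message attributes, and reports whether any resulting datagram would exceed a 1500-byte link MTU and so be fragmented at the IP layer. The header budget for the other RADIUS attributes is a constructed estimate.

```python
import struct
from math import ceil

# Byte budget for one RADIUS datagram on the wire (IPv4, no options).
IP_HDR, UDP_HDR, RADIUS_HDR = 20, 8, 20
EAP_MSG_VALUE_MAX = 253   # RADIUS attribute value limit: 255 minus the 2-byte attribute header
MSG_AUTH_ATTR = 18        # Message-Authenticator, required whenever EAP-Message is present
OTHER_ATTRS = 60          # assumed: User-Name, NAS-IP-Address, State, Calling-Station-Id, ...
LINK_MTU = 1500
EAP_TLS, FLAG_L, FLAG_M = 13, 0x80, 0x40   # EAP type 13 and the RFC 5216 L/M flag bits

def eap_tls_fragments(tls_data: bytes, frag_mtu: int, code: int = 2, first_id: int = 1) -> list[bytes]:
    """Split one TLS flight into EAP-TLS packets, each no larger than frag_mtu bytes.
    The first fragment carries the 4-byte TLS Message Length (L flag); all but the last set M."""
    pkts, off, ident = [], 0, first_id
    while off < len(tls_data) or not pkts:
        first = off == 0
        hdr = 6 + (4 if first and len(tls_data) > frag_mtu - 6 else 0)   # code,id,len,type,flags[,TLS len]
        chunk = tls_data[off:off + frag_mtu - hdr]
        off += len(chunk)
        flags = (FLAG_M if off < len(tls_data) else 0) | (FLAG_L if hdr == 10 else 0)
        body = bytes([EAP_TLS, flags]) + (struct.pack("!I", len(tls_data)) if hdr == 10 else b"") + chunk
        pkts.append(struct.pack("!BBH", code, ident, 4 + len(body)) + body)
        ident = (ident + 1) % 256
    return pkts

def reassemble(pkts: list[bytes]) -> bytes:
    """Undo eap_tls_fragments, checking each EAP length field and the advertised TLS Message Length."""
    out, total = b"", None
    for p in pkts:
        _code, _ident, length = struct.unpack("!BBH", p[:4])
        assert length == len(p) and p[4] == EAP_TLS, "malformed EAP-TLS packet"
        flags, data = p[5], p[6:]
        if flags & FLAG_L:
            total, data = struct.unpack("!I", data[:4])[0], data[4:]
        out += data
    assert total is None or total == len(out), "TLS Message Length does not match reassembled data"
    return out

def radius_datagram_size(eap_pkt: bytes) -> int:
    """Bytes on the wire for one Access-Request/Challenge carrying eap_pkt in EAP-Message attributes."""
    n_attrs = max(1, ceil(len(eap_pkt) / EAP_MSG_VALUE_MAX))
    return IP_HDR + UDP_HDR + RADIUS_HDR + len(eap_pkt) + 2 * n_attrs + MSG_AUTH_ATTR + OTHER_ATTRS

def ip_fragmented(tls_len: int, frag_mtu: int) -> bool:
    """True if any RADIUS datagram for a tls_len-byte flight would exceed LINK_MTU (IP fragmentation)."""
    return any(radius_datagram_size(p) > LINK_MTU for p in eap_tls_fragments(bytes(tls_len), frag_mtu))
```

With a 3500-byte certificate flight, an EAP cap of 1100 keeps every datagram well under 1500 bytes, while a cap large enough to send the flight in one EAP packet produces a datagram that must be fragmented at the IP layer.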
Original Message:
Sent: Nov 08, 2022 04:50 AM
From: John Solberg
Subject: ClearPass in Azure - Azure Load Balancer for RADIUS
Hi Scott
Did you figure this out? We're not using a load balancer, just a single CPPM deployed in Azure. EAP-TLS isn't going through, and we see the same as you. More googling points to fragmentation and thus Azure discards the traffic due to DDoS prevention.
I'm looking at doing RadSec to bypass this issue as it encapsulates the traffic within TLS, but if that is the case I would've hoped this was mentioned in a CPPM guide. Changing MTU in the AP-GROUP isn't doing it.
------------------------------
John-Egil Solberg |
ACMX | ACCX
Original Message:
Sent: Oct 02, 2022 11:52 PM
From: Scott Doorey
Subject: ClearPass in Azure - Azure Load Balancer for RADIUS
Hi Airheads,
Just putting the call out to see if anybody has successfully deployed ClearPass into Azure using the standard Azure Load balancer to distribute RADIUS across servers?
I've got a client with a 3 node cluster in Azure. We're using AOS 10 so can only select 2 RADIUS servers for each WLAN so I have put the two primary DC servers behind an Azure Load Balancer and pointed the RADIUS to this as the primary authentication server.
Everything seems to work ok for MSCHAP based auth, however we're seeing timeouts for TLS which I suspect is related to fragmentation. Checked the load balancer config and ensured the session affinity is based on source IP address so all requests from a single AP are consistently sent to the same backend server, but still we're seeing issues.
PCAPs show the EAP-TLS server handshake complete (from the ClearPass end) but never see the client response. I've found some articles online referencing UDP fragmentation being a problem in Azure. Has anybody got any experience to share in this space?
Thanks in advance
Scott