  • 1.  Wired Dot1X authentication with eap-tls only working when Jumbo frames are enabled

    Posted 7 days ago

    Hi all,

    We recently started setting up our Clearpass server and testing some scenarios. During these tests we noticed that client certificates only reach the gateway when jumbo frames are enabled ('mtu 9198') on the access interface. When we remove the setting we see an EAP-TLS transaction which times out after the client 'stops' responding, but in reality the certificate is being sent by the client. The length of the packet is 3779 according to my packet capture on the client itself. When I set the MTU to 4000, for example, the Dot1X authentication succeeds again.

    I wanted to investigate this issue because, on top of this, Dot1X with mtu 9198 fails when there is an extra component between the switch and the PC, for example docking stations, phones, etc. It is possible that because these devices don't support jumbo frames, the packet requires fragmentation. Whenever the certificate requires fragmentation before reaching the firewall, the authentication fails. Between firewalls we can see the packet being fragmented and reassembled without problems.

    Any experiences similar to the issue I am having?

    Regards



  • 2.  RE: Wired Dot1X authentication with eap-tls only working when Jumbo frames are enabled

    Posted 7 days ago

    This is a bit of a complex topic to explain via this post, so a short summary.

    802.1X with certificate-based authentication can result in larger data frames and hence fragmentation. This is because the certificate itself is larger than 1500 bytes. When the IP MTU between the access switch (management IP of the switch) is higher than 1500 bytes, the switch will transmit larger frames during RADIUS authentication.

    I've attached a presentation about this topic. Please check from slide 30.

    Which switches are you using? On the Aruba CX and AOS-S switches it is easy to configure fragmentation for EAP-TLS.

    For CX switches

    aaa authentication port-access dot1x authenticator eap-tls-fragment towards-server <mtu>

    For AOS-S switches

    aaa port-access authenticator eap-tls-fragment towards-server <mtu>


    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------

    Attachment(s)

    pdf
    ARU1181BRO_V_Bargeman_2.pdf   2.50 MB 1 version


  • 3.  RE: Wired Dot1X authentication with eap-tls only working when Jumbo frames are enabled

    Posted yesterday

    Hi Willem,

    Thank you for taking the time and providing me with the MTU presentation.

    Changing the EAP fragment size to 1024 while using MTU 4000 on the switch port resulted in clean fragmentation towards Clearpass.
    The problem reappeared after removing the MTU 4000 from the switch port.

    I was able to resolve the issue by removing the jumbo frame option on the Ethernet interface of the client. Apparently the client and switch don't negotiate MTU before the EAPOL transaction. The client provided its certificate in one packet (3800), which required the switch to use a higher MTU as well.

    Regards
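
The mechanism Willem describes in reply 2 and the resolution in reply 3 can be modelled end to end. The following Python is an added example written for this page; it is not code from the thread, from Aruba or from ClearPass. It splits a TLS handshake flight into EAP-TLS fragments with the L/M flags and TLS Message Length field defined in RFC 5216, reassembles them with the checks a RADIUS server's EAP-TLS state machine applies (rejecting a message whose last available fragment still has M set, which is what the server sees when the client's oversized EAPOL frame never arrives and the session times out), and estimates whether each hop fits: the EAPOL frame against the access port's Ethernet MTU, and the RADIUS datagram (EAP packet sliced into 253-byte EAP-Message attributes per RFC 3579) against the IP MTU towards the server. The 3779-byte handshake payload is constructed filler sized to match the capture in the original post; the 60-byte allowance for other RADIUS attributes is an assumption, not a measured value.

```python
"""EAP-TLS fragmentation model (added example; not code from the thread, Aruba or ClearPass)."""
import math
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_TLS = 13
FLAG_L = 0x80          # TLS Message Length field present (RFC 5216 section 3.2)
FLAG_M = 0x40          # more fragments follow
EAP_HDR = 4            # Code, Identifier, Length
EAPTLS_HDR = 2         # Type, Flags
TLS_LEN_FIELD = 4      # present only when FLAG_L is set
EAPOL_HDR = 4          # Version, Type, Body Length; sits inside the Ethernet payload
RADIUS_HDR = 20
EAP_MESSAGE_MAX = 253  # max value length of one EAP-Message attribute (RFC 3579)
MSG_AUTH_ATTR = 18     # Message-Authenticator, mandatory alongside EAP-Message
IP_UDP_HDR = 28

# Constructed sample: a 3779-byte TLS handshake flight sized like the capture in the post.
# The content is filler, not a real certificate.
CLIENT_CERT_FLIGHT = bytes([0x16, 0x03, 0x03]) + bytes(i & 0xFF for i in range(3776))


def fragment_eap_tls(tls_data: bytes, max_eap_len: int, first_id: int = 1) -> list[bytes]:
    """Split tls_data into EAP-TLS Response packets of at most max_eap_len bytes (EAP header
    included). First fragment carries the TLS Message Length (L); all but the last carry M."""
    if max_eap_len <= EAP_HDR + EAPTLS_HDR + TLS_LEN_FIELD:
        raise ValueError("max_eap_len too small to carry any TLS data")
    packets, ident, offset, total = [], first_id, 0, len(tls_data)
    while True:
        first = offset == 0
        overhead = EAP_HDR + EAPTLS_HDR + (TLS_LEN_FIELD if first else 0)
        chunk = tls_data[offset:offset + max_eap_len - overhead]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < total else 0)
        body = bytes([EAP_TYPE_TLS, flags]) + (struct.pack("!I", total) if first else b"") + chunk
        packets.append(struct.pack("!BBH", EAP_CODE_RESPONSE, ident & 0xFF, EAP_HDR + len(body)) + body)
        ident += 1
        if offset >= total:
            return packets


def reassemble_eap_tls(packets: list[bytes]) -> bytes:
    """Reassemble with the checks a RADIUS server's EAP-TLS state machine applies. Raises
    ValueError on a bad header, a missing final fragment, or a TLS Message Length mismatch."""
    buf, expected_total = bytearray(), None
    for i, pkt in enumerate(packets):
        code, _ident, length = struct.unpack("!BBH", pkt[:EAP_HDR])
        if code != EAP_CODE_RESPONSE or length != len(pkt):
            raise ValueError(f"bad EAP header: code={code} length={length} actual={len(pkt)}")
        if pkt[EAP_HDR] != EAP_TYPE_TLS:
            raise ValueError(f"not EAP-TLS (type {pkt[EAP_HDR]})")
        flags, pos = pkt[EAP_HDR + 1], EAP_HDR + EAPTLS_HDR
        if flags & FLAG_L:
            (tls_len,) = struct.unpack("!I", pkt[pos:pos + TLS_LEN_FIELD])
            expected_total = tls_len if expected_total is None else expected_total
            pos += TLS_LEN_FIELD
        buf += pkt[pos:]
        last = i == len(packets) - 1
        # M set on the last packet we hold means a fragment never arrived (the "client stopped
        # responding" timeout in the post); M clear before the end means stray data.
        if bool(flags & FLAG_M) == last:
            raise ValueError(f"M flag inconsistent at fragment {i}: "
                             f"{'missing fragments' if last else 'unexpected end'}")
    if expected_total is not None and len(buf) != expected_total:
        raise ValueError(f"reassembled {len(buf)} bytes, TLS Message Length said {expected_total}")
    return bytes(buf)


def eapol_payload_len(eap_len: int) -> int:
    """Bytes the EAPOL frame places in the Ethernet payload; must not exceed the port MTU."""
    return EAPOL_HDR + eap_len


def radius_datagram_len(eap_len: int, other_attrs: int = 60) -> int:
    """IP datagram size carrying one EAP packet to the RADIUS server. other_attrs is an assumed
    allowance for User-Name, NAS-Port, State, etc.; measure it in a real capture."""
    slices = math.ceil(eap_len / EAP_MESSAGE_MAX)  # one 2-byte attribute header per slice
    return IP_UDP_HDR + RADIUS_HDR + slices * 2 + eap_len + MSG_AUTH_ATTR + other_attrs


def analyse(tls_data: bytes, max_eap_len: int, port_mtu: int = 1500, server_mtu: int = 1500) -> dict:
    """Fragment, verify the round trip, and report which hops need jumbo frames or IP fragmentation."""
    frags = fragment_eap_tls(tls_data, max_eap_len)
    if reassemble_eap_tls(frags) != tls_data:
        raise AssertionError("round trip failed")
    largest = max(len(f) for f in frags)
    return {
        "fragments": len(frags),
        "largest_eap": largest,
        "eapol_fits_port": eapol_payload_len(largest) <= port_mtu,
        "radius_datagram": radius_datagram_len(largest),
        "radius_needs_ip_frag": radius_datagram_len(largest) > server_mtu,
    }


if __name__ == "__main__":
    # Client with jumbo enabled: the whole 3779-byte flight in one EAP packet, as in the post.
    print("one packet, port MTU 1500:", analyse(CLIENT_CERT_FLIGHT, 4000, port_mtu=1500))
    print("one packet, port MTU 4000:", analyse(CLIENT_CERT_FLIGHT, 4000, port_mtu=4000))
    # eap-tls-fragment 1024 as configured in reply 3: fits a standard port and a 1500-byte path.
    print("fragment size 1024:       ", analyse(CLIENT_CERT_FLIGHT, 1024))
    try:  # the server's view when the last fragment is dropped on an MTU-limited hop
        reassemble_eap_tls(fragment_eap_tls(CLIENT_CERT_FLIGHT, 1024)[:-1])
    except ValueError as err:
        print("server view with lost fragment:", err)
```

The first two runs reproduce the symptom: a single 3789-byte EAP packet only fits the port when its MTU is raised, and even then the RADIUS datagram towards the server (about 3945 bytes with the assumed attribute overhead) still exceeds 1500 bytes and relies on IP fragmentation between the switch and ClearPass. With a 1024-byte fragment size every EAPOL frame stays under 1500 and the RADIUS datagram stays around 1160 bytes, so neither hop needs jumbo frames or IP fragmentation. Note that an EAP fragment size must leave room for the 4-byte EAPOL header: 1500 is not a safe value on a 1500-byte port.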