802.1x/EAP-TLS Fragmentation across VPN tunnel

Unanswered Question
May 8th, 2012

I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:

- Under the tunnel interfaces:

- MTU 1390

- MSS 1350

- PMTUD

- Under the ingress LAN interface

- route-map to set the DNF bit to 0

- On the RADIUS Server (2008 NPS)

- Framed-MTU: 1300

This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with id's 77-81, but message id 82 isn't shown in the wireshark capture, only fragments are. In the client monitor capture you can see that message id 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.

What am I missing with this?? I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.

Thanks for you help.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
unclerico Thu, 05/10/2012 - 07:45

I figured I would post back with my results. I ended up removing my mtu value from the tunnel interfaces and then fired up wireshark again. This time I found a crap load of ICMP time-exceeded messages which told me that PMTUD is not working properly across the tunnel. From there I simply re-applied my previous MTU numbers back into the tunnel configs and all of the sudden EAP-TLS started flowing fine. I do not know why removing and re-applying the MTU would make things start working again so I assume that I'll be dealing with this again sometime in the future.

Actions

Login or Register to take actions

This Discussion

Posted May 8, 2012 at 7:40 AM
Stats:
Replies:1 Avg. Rating:
Views:688 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard