Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Multiple Authenticiation issue -Question on 'maximum EAPTLS fragment size'


I am troubleshooting an issue regarding users authentication issue.

Users are authenticating through EAPOL then the WLC forwards the auth requests to Radius Server (within Internet).

When WLC is configured with Radius server A, it is OK, no authentication problem. When the Radius server B is selected, then ALL users are only able to connect at the 3rd – 4th sometimes after the 5th attempt.

At this time we have disable Radius server B and auth occurs at first try.

Within the WLC debugs, we can see an Access-Reject is received from the Radius with code (-4).


*radiusTransportThread: Nov 27 10:52:37.469: aa:bb:cc:dd:ee:ff Access-Reject received from RADIUS server X.X.X.X for mobile aa:bb:cc:dd:ee:ff receiveId = 27

*radiusTransportThread: Nov 27 10:52:37.469: aa:bb:cc:dd:ee:ff [Error] Client requested no retries for mobile aa:bb:cc:dd:ee:ff

*radiusTransportThread: Nov 27 10:52:37.469: aa:bb:cc:dd:ee:ff Returning AAA Error 'Authentication Failed' (-4) for mobile aa:bb:cc:dd:ee:ff

*radiusTransportThread: Nov 27 10:52:37.469: AuthorizationResponse: 0x40962984

*radiusTransportThread: Nov 27 10:52:37.469:   structureSize................................32

*radiusTransportThread: Nov 27 10:52:37.469:   resultCode...................................-4

*radiusTransportThread: Nov 27 10:52:37.469:   protocolUsed.................................0xffffffff

*radiusTransportThread: Nov 27 10:52:37.469:   proxyState...................................aa:bb:cc:dd:ee:ff-1B:06

*radiusTransportThread: Nov 07 10:52:37.469:   Packet contains 0 AVPs:

*Dot1x_NW_MsgTask_4: Nov 07 10:52:37.469: aa:bb:cc:dd:ee:ff Processing Access-Reject for mobile aa:bb:cc:dd:ee:ff


We have been working with the Radius team and on their side they receive :


Thu Nov 27 10:52:34 2013 122160: DEBUG: EAP TTLS data, 3, 8, 8

Thu Nov 27 10:52:34 2013 122692: DEBUG: EAP result: 1, EAP TTLS read failed:

Thu Nov 27 10:52:34 2013 123086: DEBUG: AuthBy SQL result: REJECT, EAP TTLS read failed

Thu Nov 27 10:52:34 2013 123496: INFO: Access rejected for WiFi@AL: EAP TTLS read failed:


They suggested that it is maybe in relation to the EAPTLS Maximum Fragment Size. That this value can vary and specific vendors are restricted, so we need to check what our maximum size is. 


5.18.34 EAPTLS_MaxFragmentSize 

For TLS based EAP types such as TLS, TTLS and PEAP, this optional parameter specifies the maximum size in octets permitted for each TLS message fragment. Defaults to 2048, but many EAP clients, routers and wireless Access Points have limitations that require EAPTLS_MaxFragmentSize to be set as low as 1000 or less. Setting this number too small can result in excessive Radius request round trips during EAP TLS authentication, slowing down the authentication process. Setting this number too large can result in failure to complete TLS authentication for some types of clients and devices.


Question :

It is asked to me to check the "Maximum EAPTLS fragment size" on my WLC / Access Points. I am not able to find this information, do you know where I can find it ??

WLC AP : 1602i, 1142N

Thank you!


Everyone's tags (3)

Re: Multiple Authenticiation issue -Question on 'maximum EAPTLS

I'd be asking what the difference is with Radius Server B myself. Type of server, patches, config, path etc. of the WLC works with server A it shouldn't be an issue with its config


Sent from Cisco Technical Support iPhone App

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

Re: Multiple Authenticiation issue -Question on 'maximum EAPTLS

Hi Steve,

Thanks for your feedback.

Radius teams indicates that both server A & B are configured exactly the same way.

The only difference being the location within the Internet (server A and B having different public IP addresses), meaning it is maybe due to the something on the path.

Reason why we are searching for the "Maximum EAPTLS fragment size" on WLC / Access Points.

Do you know where I can find this information (if it exists) ??

Best regards.