Multiple Authentication issue - Question on 'maximum EAPTLS fragment size'
I am troubleshooting an issue regarding users' authentication.
Users are authenticating through EAPOL, then the WLC forwards the auth requests to the Radius server (on the Internet).
When the WLC is configured with Radius server A, it is OK, no authentication problem. When Radius server B is selected, ALL users are only able to connect on the 3rd or 4th attempt, sometimes only after the 5th.
At this time we have disabled Radius server B and auth occurs at the first try.
Within the WLC debugs, we can see that an Access-Reject is received from the Radius server with code (-4).
For TLS based EAP types such as TLS, TTLS and PEAP, this optional parameter specifies the maximum size in octets permitted for each TLS message fragment. Defaults to 2048, but many EAP clients, routers and wireless Access Points have limitations that require EAPTLS_MaxFragmentSize to be set as low as 1000 or less. Setting this number too small can result in excessive Radius request round trips during EAP TLS authentication, slowing down the authentication process. Setting this number too large can result in failure to complete TLS authentication for some types of clients and devices.
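To make the trade-off in the quoted parameter text concrete, here is an added example (not part of the original post, nor code from the RADIUS server vendor) that models EAP-TLS fragmentation with the framing from RFC 5216 (EAP type 13; L, M and S flag bits; the optional 4-octet TLS Message Length). It splits a server-side TLS flight into EAP-Request/EAP-TLS packets at a given maximum fragment size, reassembles them on the peer side, and counts the resulting round trips, each of which the WLC turns into one RADIUS Access-Request/Access-Challenge exchange. The 4800-byte TLS message and the 1400-byte per-hop limit on forwarded EAP packets are constructed values chosen to illustrate the two failure modes, not measurements from this deployment.

```python
"""
Model of EAP-TLS fragmentation (RFC 5216 framing) to reason about a
maximum-fragment-size setting such as EAPTLS_MaxFragmentSize.

Added example: sample message sizes and the per-hop limit are constructed.
"""
import math
import struct

EAP_CODE_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L = 0x80  # Length included: 4-octet TLS Message Length follows the flags
FLAG_M = 0x40  # More fragments follow
FLAG_S = 0x20  # EAP-TLS Start (server -> peer, carries no TLS data)


def fragment_tls_message(tls_message: bytes, max_fragment_size: int,
                         identifier: int = 1) -> list:
    """Split one TLS message (e.g. the ServerHello+Certificate flight) into
    EAP-Request/EAP-TLS packets. max_fragment_size limits the TLS data per
    packet, which is what the quoted parameter describes."""
    if max_fragment_size < 1:
        raise ValueError("fragment size must be positive")
    n = math.ceil(len(tls_message) / max_fragment_size)
    packets = []
    for i in range(n):
        chunk = tls_message[i * max_fragment_size:(i + 1) * max_fragment_size]
        flags = 0
        body = b""
        if i == 0 and n > 1:
            # First fragment of a fragmented message MUST carry the total length.
            flags |= FLAG_L
            body += struct.pack("!I", len(tls_message))
        if i < n - 1:
            flags |= FLAG_M
        body += chunk
        eap_len = 6 + len(body)  # Code, Identifier, Length(2), Type, Flags
        hdr = struct.pack("!BBHBB", EAP_CODE_REQUEST, (identifier + i) & 0xFF,
                          eap_len, EAP_TYPE_TLS, flags)
        packets.append(hdr + body)
    return packets


def reassemble(packets: list) -> tuple:
    """Peer side: validate framing and reassemble the TLS message.
    Each fragment costs one EAP round trip (the peer acks with an empty
    EAP-Response/EAP-TLS), i.e. one RADIUS Access-Request/Access-Challenge."""
    buf = b""
    expected_total = None
    round_trips = 0
    for pkt in packets:
        code, _ident, length, typ, flags = struct.unpack("!BBHBB", pkt[:6])
        if code != EAP_CODE_REQUEST or typ != EAP_TYPE_TLS or length != len(pkt):
            raise ValueError("malformed EAP-TLS packet")
        data = pkt[6:]
        if flags & FLAG_L:
            expected_total = struct.unpack("!I", data[:4])[0]
            data = data[4:]
        buf += data
        round_trips += 1
        if not flags & FLAG_M:
            break
    if expected_total is not None and len(buf) != expected_total:
        raise ValueError("reassembled length does not match TLS Message Length")
    return buf, round_trips


def simulate(tls_message: bytes, max_fragment_size: int, path_limit: int) -> tuple:
    """Return (ok, round_trips, largest_eap_packet). path_limit is a constructed
    cap on the EAP packet size some device on the path (AP, WLC, proxy) will
    forward; a fragment above it never reaches the peer and the handshake stalls."""
    packets = fragment_tls_message(tls_message, max_fragment_size)
    largest = max(len(p) for p in packets)
    if largest > path_limit:
        return False, len(packets), largest
    data, round_trips = reassemble(packets)
    if data != tls_message:
        raise AssertionError("reassembly corrupted the TLS message")
    return True, round_trips, largest


if __name__ == "__main__":
    # Constructed: a 4800-byte server certificate flight, 1400-byte path limit.
    flight = bytes(range(256)) * 18 + b"\x00" * (4800 - 256 * 18)
    for size in (2048, 1398, 1000, 500):
        ok, rt, largest = simulate(flight, size, path_limit=1400)
        print(f"fragment={size:5d} ok={ok!s:5} round_trips={rt:2d} largest_pkt={largest}")
```

Running it shows the two edges of the quoted warning: at the 2048 default the largest EAP packet (2058 octets) exceeds the constructed 1400-octet limit, so the exchange never completes, while at 500 the same flight needs 10 RADIUS round trips instead of 5 at 1000. When tuning this on a real server, lower the value until fragments pass every hop, then stop; going further only adds latency.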