I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:
- Under the tunnel interfaces:
- MTU 1390
- MSS 1350
- Under the ingress LAN interface
- route-map to set the DNF bit to 0
- On the RADIUS Server (2008 NPS)
- Framed-MTU: 1300
This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with id's 77-81, but message id 82 isn't shown in the wireshark capture, only fragments are. In the client monitor capture you can see that message id 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.
What am I missing with this?? I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.
I figured I would post back with my results. I ended up removing my mtu value from the tunnel interfaces and then fired up wireshark again. This time I found a crap load of ICMP time-exceeded messages which told me that PMTUD is not working properly across the tunnel. From there I simply re-applied my previous MTU numbers back into the tunnel configs and all of the sudden EAP-TLS started flowing fine. I do not know why removing and re-applying the MTU would make things start working again so I assume that I'll be dealing with this again sometime in the future.
saw your comment and thought of asking you for some advice, I am building similar sort of environment as you've metioned above, I am setting up wirless client to be authenticated with eap-tls over an ipsec tunnel. I just had some confusion and was hoping for some help.
Let me know if you have some spare time, would really appreciate it.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...