Issues with 802.1x/EAP-TLS Fragmentation across VPN tunnel
I need another pair of eyes here, because I am going nuts.
I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN between a 2921 and a 1941. I have the following settings defined:
- Under the tunnel interfaces:
  - MTU 1390
  - MSS 1350
  - PMTUD
- Under the ingress LAN interface:
  - route-map to set the DF bit to 0
- On the RADIUS Server (2008 NPS):
  - Framed-MTU: 1300
This had been working for months until I got a call last week about users not being able to authenticate to our secure SSID. I fired up Wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never seems to take place. In both captures you can see messages with ids 77-81, but message id 82 isn't shown in the Wireshark capture, only fragments are. In the client monitor capture you can see that message id 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.
What am I missing with this?? I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU RADIUS attribute all the way down to 1100.
Client Monitor capture:

05/07/2012 11:27:35 0024D78708B4 001977668F92 AP1 DETAIL Send message to RADIUS Server(172.16.20.95): code=1 (Access-Request) identifier=77 length=219, User-Name=user@mydomain.com NAS-IP-Address=172.16.72.225 Called-Station-Id=00-19-77-66-8F-92:SECURE_SSID Calling-Station-Id=00-24-D7-87-08-B4
05/07/2012 11:27:35 0024D78708B4 001977668F92 AP1 DETAIL Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=77 length=90
05/07/2012 11:27:35 0024D78708B4 001977668F92 AP1 DETAIL Sending EAP Packet to STA: code=1 (EAP-Request) identifier=9 length=6
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL received EAP packet (code=2 id=9 len=105) from STA: EAP Reponse-TLS (13)
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Send message to RADIUS Server(172.16.20.95): code=1 (Access-Request) identifier=78 length=329, User-Name=user@mydomain.com NAS-IP-Address=172.16.72.225 Called-Station-Id=00-19-77-66-8F-92:SECURE_SSID Calling-Station-Id=00-24-D7-87-08-B4
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=78 length=1390
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Sending EAP Packet to STA: code=1 (EAP-Request) identifier=10 length=1296
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL received EAP packet (code=2 id=10 len=6) from STA: EAP Reponse-TLS (13)
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Send message to RADIUS Server(172.16.20.95): code=1 (Access-Request) identifier=79 length=230, User-Name=user@mydomain.com NAS-IP-Address=172.16.72.225 Called-Station-Id=00-19-77-66-8F-92:SECURE_SSID Calling-Station-Id=00-24-D7-87-08-B4
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=79 length=1390
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Sending EAP Packet to STA: code=1 (EAP-Request) identifier=11 length=1296
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL received EAP packet (code=2 id=11 len=6) from STA: EAP Reponse-TLS (13)
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Send message to RADIUS Server(172.16.20.95): code=1 (Access-Request) identifier=80 length=230, User-Name=user@mydomain.com NAS-IP-Address=172.16.72.225 Called-Station-Id=00-19-77-66-8F-92:SECURE_SSID Calling-Station-Id=00-24-D7-87-08-B4
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=80 length=1390
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Sending EAP Packet to STA: code=1 (EAP-Request) identifier=12 length=1296
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL received EAP packet (code=2 id=12 len=6) from STA: EAP Reponse-TLS (13)
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Send message to RADIUS Server(172.16.20.95): code=1 (Access-Request) identifier=81 length=230, User-Name=user@mydomain.com NAS-IP-Address=172.16.72.225 Called-Station-Id=00-19-77-66-8F-92:SECURE_SSID Calling-Station-Id=00-24-D7-87-08-B4
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=81 length=609
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Sending EAP Packet to STA: code=1 (EAP-Request) identifier=13 length=521
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL received EAP packet (code=2 id=13 len=1492) from STA: EAP Reponse-TLS (13)
05/07/2012 11:27:36 0024D78708B4 001977668F92 AP1 DETAIL Send message to RADIUS Server(172.16.20.95): code=1 (Access-Request) identifier=82 length=1726, User-Name=user@mydomain.com NAS-IP-Address=172.16.72.225 Called-Station-Id=00-19-77-66-8F-92:SECURE_SSID Calling-Station-Id=00-24-D7-87-08-B4
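As an added diagnostic (not part of the original post and not an AP or NPS tool), this Python script parses lines in the client-monitor format above, flags which RADIUS datagrams exceed a 1390-byte tunnel MTU once IP and UDP headers are added, lists Access-Requests that never got a reply, and reports the largest EAP packet seen in each direction. It assumes a 20-byte IPv4 header and an 8-byte UDP header and ignores the extra IPsec overhead added after that; the sample log lines are constructed from the post's capture with timestamps and MACs dropped.

```python
import re
# Constructed sample in the AP client-monitor format from the post (timestamps/MACs dropped).
SAMPLE_LOG = """\
DETAIL Send message to RADIUS Server(172.16.20.95): code=1 (Access-Request) identifier=80 length=230
DETAIL Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=80 length=1390
DETAIL Sending EAP Packet to STA: code=1 (EAP-Request) identifier=12 length=1296
DETAIL received EAP packet (code=2 id=13 len=1492) from STA: EAP Response-TLS (13)
DETAIL Send message to RADIUS Server(172.16.20.95): code=1 (Access-Request) identifier=82 length=1726
"""

IP_HDR, UDP_HDR = 20, 8  # assumed: IPv4 header without options + UDP header, IPsec overhead ignored
RADIUS_RE = re.compile(r"(?P<dir>Send|Receive) message (?:to|from) RADIUS Server.*?"
                       r"\((?P<name>[\w-]+)\) identifier=(?P<id>\d+) length=(?P<len>\d+)")
EAP_TO_STA_RE = re.compile(r"Sending EAP Packet to STA:.*length=(\d+)")
EAP_FROM_STA_RE = re.compile(r"received EAP packet \(code=\d+ id=\d+ len=(\d+)\) from STA")

def parse_radius_events(log):
    """Yield (direction, type, identifier, RADIUS length) for every RADIUS line in the log."""
    for line in log.splitlines():
        m = RADIUS_RE.search(line)
        if m:
            direction = "NAS->server" if m["dir"] == "Send" else "server->NAS"
            yield direction, m["name"], int(m["id"]), int(m["len"])

def oversize_datagrams(log, mtu):
    """RADIUS packets whose IP datagram (IP + UDP + RADIUS) exceeds the tunnel MTU."""
    out = []
    for direction, name, ident, length in parse_radius_events(log):
        wire = IP_HDR + UDP_HDR + length
        if wire > mtu:  # needs IP fragmentation on the tunnel (or is dropped if DF is set)
            out.append((ident, name, direction, wire))
    return out

def unanswered_requests(log):
    """Identifiers of Access-Requests that got no reply of any kind from the server."""
    sent, answered = [], []
    for direction, _, ident, _ in parse_radius_events(log):
        (sent if direction == "NAS->server" else answered).append(ident)
    return [i for i in sent if i not in answered]

def eap_max_lengths(log):
    """Largest EAP packet seen in each direction on the wireless side."""
    mx = {"server->STA": 0, "STA->server": 0}
    for line in log.splitlines():
        if m := EAP_TO_STA_RE.search(line):
            mx["server->STA"] = max(mx["server->STA"], int(m[1]))
        elif m := EAP_FROM_STA_RE.search(line):
            mx["STA->server"] = max(mx["STA->server"], int(m[1]))
    return mx
```

Framed-MTU only caps the EAP-Requests the server builds (1296 bytes here, under the configured 1300); the 1492-byte EAP-Response is sized by the supplicant, which is why Access-Request 82 is the oversize datagram in the NAS-to-server direction.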