topic Re: Client authentication issue with large certificates in Wireless

Client authentication issue with large certificates

schulcz — Mon, 14 Jul 2025 23:42:13 GMT

Hi!

We have a strange issue. We use 9800-40 WLCs in HA-SSO deployment model. There is an WLAN network, clients authenticated by an external RADIUS server using certificates. If administrators use small certificate chains, authentication works perfectly. If they use longer chain, packets needs to be fragmented and authentication not works, packets don't arrive to the RADIUS server.

We did some packet capture on the client and saw that if they use the small certificate chain the fragments flag was set to 0. If they use the big certificate chain the fragments flag was set to 1 and the packet didn't reach RADIUS server.

What can be the problem, what should we check? Is that issue can be related to WLC configuration? Maybe related to capwap or MTU configuration?

Using small cert, auth works:

Using large cert, auth not works, packet don't arrive to RADIUS server:

Thanks!

Re: Client authentication issue with large certificates

Mark Elsen — Tue, 15 Jul 2025 06:21:03 GMT

- @schulcz Review this document : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/222920-understand-radius-mtu-and-fragmentation.html

Re: Client authentication issue with large certificates

MHM Cisco World — Tue, 15 Jul 2025 06:44:19 GMT

what is radius you use is it ISE ?
MHM

Re: Client authentication issue with large certificates

Saikat Nandy — Tue, 15 Jul 2025 13:17:22 GMT

In addition to what @Mark Elsen shared, you can have a look into CSCwo58100 as well.

Re: Client authentication issue with large certificates

eglinsky2012 — Tue, 15 Jul 2025 14:58:08 GMT

@Saikat Nandy - Thank you for sharing that bug. It says it's fixed, but no releases are specified. Can you share information about which version(s) it's fixed in? Also does it affect all 17.12.x versions/service packs at least up to 17.12.4 APSP8, and will it affect local mode as well or specifically flex/central auth?

Re: Client authentication issue with large certificates

Saikat Nandy — Tue, 15 Jul 2025 17:45:14 GMT

Yeah pretty much all the 17.12.x are affected. 17.12.6 where the fix has been added. APSP on top of 17.12.5 is in progress.

Re: Client authentication issue with large certificates

eglinsky2012 — Tue, 15 Jul 2025 20:14:06 GMT

@Saikat Nandy Thank you! I forgot to ask, does it only occur in FlexConnect mode with central auth, or will local mode be affected also?

Re: Client authentication issue with large certificates

Saikat Nandy — Wed, 16 Jul 2025 17:04:20 GMT

Yes..apparently that's what have been observed so far - Flex: central auth+local switching.

Re: Client authentication issue with large certificates

MHM Cisco World — Wed, 16 Jul 2025 21:59:55 GMT

I would to share this doc from Cisco explain some workaround to deal with fragment of radius frame

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/222920-understand-radius-mtu-and-fragmentation.html

One workaround which I see solution for his issue is using specific source interface to connect to server instead of wmi which is defualt select by wlc.

This interface have mtu 1500 where wmi have less mtu than 1500 and this lead to fragment and drop of frame

Thanks for all

Have a nice day

MHM