
CSCwo97886 - EAP - TLS failing on 17.5.3 and 17.5.4 - 9800

n-singh

Workarounds 1 and 2 mentioned in the bug description didn't work for us. 

Workaround 3 is kind of misleading, or we can say it's incomplete. The default value of MTU is 1500 for both L2 and L3 level MTU.

9800(config-if)# mtu <bytes>  
!! Layer 2 MTU
9800(config-if)# ip mtu <bytes>
!! Layer 3 MTU
 
In pCaps, there were no packets corresponding to step 5b of the EAP-TLS flow chart. 
> We changed the ip mtu to 1400. And everything worked. EAP-TLS was successful. 
 
> I have requested our end customer to do the packet capture for working scenario as well.
 


Bug for AutoQoS, are you using it?

I think the issue is fragmentation.

Cisco has a good doc about this:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/222920-understand-radius-mtu-and-fragmentation.html

MHM

Thank you, this document is well-drafted and was a good read. Everything makes much more sense now.

The issue was indeed with the fragmentation. I saw the same thing in packet captures as mentioned in the document. ISE was sending its certificate information, and then the client was supposed to send its own certificate. But I never saw the client sending its own certificate in pCaps; moreover, I saw multiple CAPWAP malformed packets. I only had embedded pCaps; over-the-air pCaps were not feasible at the moment.


You are so welcome 

We are here to try to help as much as we can

Have a nice day 

MHM