cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4036
Views
10
Helpful
5
Replies

802.1x not (always) working with jumbo frames

marccollard
Level 1
Level 1

Because of L2TP (QinQ) we have to increase the MTU size (at least to 1504) on our access switches. 

Unfortunatly we ran into a problem with 802.1x.

 

It turns out that our windows clients (using certificates) are unable to succesfully authenticate when we configure our switches with a higher MTU size than 1500.
 

Our freeradius server is configured with MTU size 1500.

We use Cisco 3750 and Cisco 3650 as access switches.

 

- Access switch with MTU default 1500

  Windows PC with MTU size default (1500) --> 802.1x works

  Windows PC with MTU size Jumbo (9000) --> 802.1x works

 

- Access switch with MTU Jumbo (1501-9000)

  Windows PC with MTU size default (1500) --> 802.1x FAILS

  Windows PC with MTU size Jumbo (9000) --> 802.1x works

 

I think the access switch (with jumbo frames configured) is sending a frame larger than 1500bytes to the Windows PC. Which the Windows PC can not handle.

We are not able to change the MTU size on all the PC's.

 

Has anybody an idea how we can resolve this on the network infrastructure?

 

 

802.1x configuration on the switch:

aaa authentication dot1x default group RADIUS
dot1x system-auth-control
dot1x logging verbose
dot1x guest-vlan supplicant

 

interface GigabitEthernet1/0/18
 switchport access vlan 480
 switchport mode access
 authentication event fail action authorize vlan 480
 authentication event no-response action authorize vlan 480
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree bpduguard enable

 

5 Replies 5

jan.nielsen
Level 7
Level 7

I have not had much practical experience with this, other than once finding out that radius sets the DF bit, and so i have had problems with radius servers that where on ports with >1500 byte mtu, talking to switches on mtu 1500 or less, as packets are just dropped, so you can get i situation where parts of a certificate is sent in the eap negotiation, but not all of it. You should do some sniffing to see if you are getting radius packet dropped.

 

Also this link talks about eap fragmentation and other fun stuff :

http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html.

Hello Jan

 

Our freeradius server is on a different subnet and is routed. The MTU size of the radiusserver is 1500. The MTU size of the access switch management interface is also 1500. The whole L3 path between de access switch and the radius server is 1500. And part of the L2 networkpath between te radius server and the windows pc is also just 1500.

Since the certificate is larger than 1500bytes it has to be fragmentend in all cases.

We experience only an issue when the MTU size of the PC is 1500.

 

Communication to the radius server is done by the switch and not the PC. The PC only communicates directly with the switch. I would say that changing te MTU size on the PC changes the behaviour between the access switch and the PC and not to the radius server. 

 

I've used your link as well to figure out how it should work.  However I'm still lost.

 

Your suggestion to look into the sniffing files might be the best way forward for now. 

I've made some captures on the PC:

 

- Switch MTU 1500 and PC MTU 1500

The PC received the certificate (3823 bytes) in 3 fragments: 1486 bytes, 1490 bytes and 847 bytes.

Result: succes

 

- Switch MTU 9000 and PC MTU 9000

The PC received the certificate (3823 bytes) in 2 fragments: 2034bytes and 1789 bytes

Result: success

 

- Switch MTU 9000 and PC MTU 1500

The PC didn't receive any part of the certificate. The last 802.1x frame is the one just before the frames with the certificates would have been sent.

I suppose the frames where sent by the switch but the PC just dropped them because they where to large.

Result: Fail

 

Does anybody know how to tell(trick) the switch not to send EAPoL frames larger than 1500 bytes?

 

Interesting, did you snif on that radius communication between the switch and the radius server? Isn't your radius server located in a port that has mtu 1500 ? just wondering how you are getting packets over 1500 bytes from it ? or when you say fragments of 2034bytes, are you not talking about packet size ?
 

With the sniffer I haven't seen any packets larger than 1500bytes between the freeradius server and the management interface of the switch. Also the router in between has its router interfaces on 1500bytes.

 

I'm also curious why the switch, when it can handle jumbo frames, sents two smaller certificate frames (2034 bytes and 1789 bytes) instead of one frame of 3823 bytes.

 

I've also added a screenshot of the sniffer with both the PC and switch on Jumbo frames.

 

802.1x communication between the switch and the radiusserver happens at layer 3.

802.1x communication between the switch and the PC is at layer 2.

On layer 3 everthing seems fine. I've done some tweaking on the radiusserver but without any result...