Cisco WLC EAP-TLS fragmentation issue

sturm62 (Level 1)

We have an issue with EAP-TLS fragmentation on our wireless LAN controllers.
The controller generates authentication packets which are too large (1631 bytes
of data; the system MTU on the switch is 1500) and reports successful transmission.
In the packet log on the controller and in the tcpdump on the ISE we only see
the first fragment of the packet. The second part is missing. Despite that,
authentication on ISE succeeds. But we have some Check Point firewalls between the
controllers and ISE, and in the new release (R80.20) fragmented packets are
dropped if they are not received completely by the firewall.


On the WLCs we were running 8.2.160; we tried 8.2.170 and even 8.5.140, but
the problem persists. ISE version is 2.4.0.357, patch 6.


Any ideas?


debug aaa all (on WLC):

*aaaQueueReader: Apr 01 10:04:20.059: Found a server : xx.xxx.x.xxx from the WLAN server list of radius server index 2
*aaaQueueReader: Apr 01 10:04:20.059: xx:xx:xx:xx:xx:xx Send Radius Auth Request with pktId:45 into qid:4 of server at index:1
*aaaQueueReader: Apr 01 10:04:20.060: xx:xx:xx:xx:xx:xx Sending the packet to v4 host xx.xxx.x.xxx:1812
*aaaQueueReader: Apr 01 10:04:20.060: xx:xx:xx:xx:xx:xx Successful transmission of Authentication Packet (pktId 45) to xx.xxx.x.xxx:1812 from server queue 4, proxy state xx:xx:xx:xx:xx:xx-03:07
*aaaQueueReader: Apr 01 10:04:20.062: 00000000: 01 2d 07 4a b7 7c a4 76 20 44 21 4f 94 f4 9d e5 .-.J.|.v.D!O....
*aaaQueueReader: Apr 01 10:04:20.062: 00000010: 00 8d c9 9b 01 20 68 6f 73 74 2f FF FF FF FF FF ......host/XXXXX
*aaaQueueReader: Apr 01 10:04:20.062: 00000020: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF XXXXXXXXXXXXXXXX
...
*aaaQueueReader: Apr 01 10:04:20.063: 00000630: 50 03 f7 c4 03 dd 57 5b a2 3c 3a 36 c9 57 da ad P.....W[.<:6.W..
*aaaQueueReader: Apr 01 10:04:20.063: 00000640: 0b 4c 72 04 c8 15 d4 fa 8a e5 82 76 44 db f6 62 .Lr........vD..b
*aaaQueueReader: Apr 01 10:04:20.063: 00000650: 04 a7 d8 83 28 b1 08 82 24 c1 e3 78 95 49 c0 a7 ....(...$..x.I..


data length: 0x65F -> 1631 bytes


debug packet logging (on WLC):

tx len=1442, encap=n/a, port=1
0000 00 00 0C 9F F0 C0 84 78 AC B2 73 60 08 00 45 00 ....p@.x,2s`..E.
0010 05 94 36 2D 00 00 40 11 C1 CD 0A 0c 46 08 0A 64 ..6-..@.AM..F..d
0020 02 E7 80 06 07 14 07 50 51 23 01 1a 07 48 07 D6 .g.....PQ#...H.V
0030 CB 0F 13 6A 2D A9 E8 4B 48 0D 58 a5 17 60 01 20 K..j-)hKH.X%.`..
0040 68 6F 73 74 2F FF FF FF FF FF FF FF FF FF FF FF host/XXXXXXXXXXX
...
0580 65 3F 62 61 73 65 3F 6F 62 6A 65 63 74 43 6C 61 e?base?objectCla
0590 73 73 3D 63 65 72 74 69 66 69 63 61 74 69 6F 6E ss=certification
05A0 41 75 Au


packet length: 0x5A2 -> 1442 bytes


The packet has the IP header flag 'more fragments' set, but the second
fragment is never sent. (It does not appear in the packet log on the
controller, and does not appear in the tcpdump captured on ISE either.)

Wondering why ISE still accepts the packet and completes the authentication.
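As an added example (not code from the thread or from Cisco), the Python script below decodes the first lines of the "debug packet logging" dump above far enough to read the Ethernet, IPv4, UDP and RADIUS headers, and checks the three numbers that decide the fragmentation question: the IP total length, the DF/MF flags with the fragment offset, and the UDP length (which should equal the RADIUS length plus 8). It also computes how a UDP datagram of that size splits into IP fragments at a given MTU. The sample input is the dump's first five lines copied from the post; the MTU values used at the end are assumptions.

```python
"""Decode a Cisco WLC 'debug packet logging' hex dump down to the RADIUS
header and judge whether the frame is an IP fragment or a short datagram.

Added example, not code from the thread. The sample dump is copied from
the post; the MTU values are assumptions.
"""
import re
import struct

# Constructed sample: the first five dump lines from the post. The rest of
# the dump is elided in the thread, so only the headers are decodable.
SAMPLE_DUMP = """\
0000 00 00 0C 9F F0 C0 84 78 AC B2 73 60 08 00 45 00 ....p@.x,2s`..E.
0010 05 94 36 2D 00 00 40 11 C1 CD 0A 0c 46 08 0A 64 ..6-..@.AM..F..d
0020 02 E7 80 06 07 14 07 50 51 23 01 1a 07 48 07 D6 .g.....PQ#...H.V
0030 CB 0F 13 6A 2D A9 E8 4B 48 0D 58 a5 17 60 01 20 K..j-)hKH.X%.`..
0040 68 6F 73 74 2F FF FF FF FF FF FF FF FF FF FF FF host/XXXXXXXXXXX
"""

_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def dump_to_bytes(text):
    """Turn 'OFFSET b0 .. b15 ascii' lines into bytes.

    Reads at most 16 hex tokens per line and stops at the first token that
    is not two hex digits (the ASCII column). A short last line whose ASCII
    column happens to be two hex characters would be mis-read; the sample
    lines here are all full 16-byte lines.
    """
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        for tok in tokens[1:17]:
            if not _HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def ip_fragment_sizes(payload_len, mtu, ihl=20):
    """Payload bytes carried by each IPv4 fragment of a datagram whose
    IP payload (e.g. UDP header + RADIUS packet) is payload_len bytes, on
    a link with the given MTU. All fragments but the last carry a multiple
    of 8 bytes, as the fragment offset field counts 8-byte units."""
    per_fragment = ((mtu - ihl) // 8) * 8
    if per_fragment <= 0:
        raise ValueError("MTU too small for an IP header plus 8 bytes")
    sizes, remaining = [], payload_len
    while remaining > 0:
        chunk = min(per_fragment, remaining)
        sizes.append(chunk)
        remaining -= chunk
    return sizes


def decode_frame(frame):
    """Parse Ethernet II / IPv4 / UDP / RADIUS headers from the front of a
    frame and return them with a verdict on the IP-level consistency."""
    if len(frame) < 14 + 20 + 8 + 4:
        raise ValueError("frame too short for Ethernet+IPv4+UDP+RADIUS headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)
    mf = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    ip_info = {
        "total_length": total_len, "header_length": ihl, "id": ident,
        "df": df, "mf": mf, "fragment_offset": frag_offset,
        "ttl": ttl, "protocol": proto,
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "payload_length": total_len - ihl,
    }
    udp_info = rad_info = None
    # Only the first fragment (offset 0) carries the UDP and RADIUS headers.
    if proto == 17 and frag_offset == 0:
        sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        udp_info = {"src_port": sport, "dst_port": dport, "length": udp_len}
        code, rid, rad_len = struct.unpack("!BBH", ip[ihl + 8:ihl + 12])
        rad_info = {"code": code, "id": rid, "length": rad_len}
    if mf and frag_offset == 0:
        verdict = "first fragment (MF set, offset 0)"
    elif frag_offset:
        verdict = "later fragment (offset %d)" % frag_offset
    elif udp_info and udp_info["length"] != ip_info["payload_length"]:
        verdict = ("inconsistent: IP header claims an unfragmented datagram "
                   "with %d payload bytes but the UDP length is %d"
                   % (ip_info["payload_length"], udp_info["length"]))
    else:
        verdict = "complete datagram"
    return {"ip": ip_info, "udp": udp_info, "radius": rad_info, "verdict": verdict}


if __name__ == "__main__":
    info = decode_frame(dump_to_bytes(SAMPLE_DUMP))
    for key, value in info.items():
        print(key, value)
    # Assumed MTUs: the switch MTU from the post and the IP total length seen.
    for mtu in (1500, 1428):
        print("fragments at MTU %d:" % mtu,
              ip_fragment_sizes(info["udp"]["length"], mtu))
```

Compare the IP total length, the UDP length and the RADIUS length when reading a dump like this one: a genuine first fragment has MF set and an IP payload that is a multiple of 8, while a frame whose IP header reports no fragmentation yet carries fewer bytes than its UDP length claims is a truncated datagram rather than a fragment, and the two look different in a capture at the firewall or at ISE. For a 1872-byte UDP datagram (8-byte header plus a 1864-byte RADIUS packet), the second function gives two fragments of 1480 and 392 payload bytes at an assumed MTU of 1500.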


paul (Level 10)

Post the step data of where ISE is authenticating this session.  I have dealt with fragmented packet issues many times and I have never seen ISE authenticate the session when fragments are dropped.  You will usually get the client restarted session errors in ISE because the certificate is never fully received from the client and the client perceives it as a timeout.

Our organization is experiencing something similar. I believe it's EAP fragmentation too from the behavior ISE displays below.

Driving us nuts! In our scenario we relay RADIUS to MS NPS servers.

The network device is a Cisco WLC using 802.1X EAP-TLS.

My question is: at what points should I measure MTU? WLC to switch? ISE or NPS?

Our ISE nodes are VM so would there be values to tweak in the virtual switch?


(Attachments: 1Capture.PNG, 2Capture.PNG, 3Capture.PNG)