How to force a client to use specific MTU when using ISE EAP-TLS Auth

Grendizer
Cisco Employee

My client is using an EAP-TLS fragment size of 1486. I configured the Authorization profile to push an Access-Accept with the RADIUS attribute Framed-MTU = 1002, but obviously the client is not using that value to fragment the large packets in the EAP-TLS communication. Wireshark shows that ISE is pushing the 1002 MTU in the Access-Accept packet, which means the whole EAP-TLS exchange is using the client's default MTU of 1486. So how can I configure ISE to force the client to use that MTU while it is doing the EAP-TLS authentication?

reference: https://community.cisco.com/t5/network-access-control/radius-framed-mtu-attribute/m-p/3542070


14 Replies

marce1000
VIP

Check if this thread can help you:

https://community.cisco.com/t5/network-access-control/radius-framed-mtu-attribute/m-p/3542066

M.

-- ''Good body every evening'' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Thanks marce, but it is the same link I listed in the reference; I wanted to know how

Reading through the article you quoted, the ISE enhancement request CSCvf52213 was applied to ISE 2.6 and 2.4.0.357-Patch2 (and later) and provided a CLI option in the ISE console to set the MTU size manually per node:

interface GigabitEthernet 0
ip address 10.77.124.38 255.255.255.0
ip mtu 1300
!
interface GigabitEthernet 1
ipv6 address autoconfig
ip mtu 1300

Thanks thomas. It seems the lowest we can go with this config per interface is 1300 bytes, which is fine in most cases, so I am just wondering what the benefit of using RADIUS attribute 12 "Framed-MTU" in the AuthZ profile is. Is it just to push that to the users after the authentication, or can we use it somehow while the user is authenticating with ISE?

Well, people keep referring me to the same link that I listed in my question. The (EAP Fragmentation Implementations and Behavior) doc was mentioned as a link in the post that I listed in my question; if that had been helpful I would not have needed to raise the question. Again, my question is: how can I configure ISE to force the client to use that MTU while it is doing the EAP-TLS authentication?

Grendizer
Cisco Employee

Thanks ajc, but it is the same link I listed with my question... no worries. I think we can't force the client to use a specific MTU using the AuthZ profile for the EAP-TLS session until it ends, and then we can send it with the Access-Accept to use that specified MTU.

So what is the use of the RADIUS attribute Framed-MTU = ### if we can't force a client to use it?

Actually we can use it, but only after the authentication; after a successful auth the client will use that MTU.

That is a catch-22: can't auth due to the MTU, can't use Framed-MTU to lower the MTU until authed.
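As an added illustration (not code from anyone in this thread, from Cisco, or from ISE), the following Python script decodes a constructed Access-Request / Access-Accept pair and reports where the Framed-MTU attribute (type 12) sits. The point it makes is the one the thread arrived at: RFC 2865 section 5.12 defines Framed-MTU as a hint the NAS may put in the Access-Request, and RFC 3579 (RADIUS support for EAP) is what lets the server size its EAP-TLS fragments while the exchange is running; the same attribute returned in the Access-Accept only describes the link after authentication has completed. The packet bytes, the zeroed Authenticator, the 1486/1002 values and the 4000-byte Certificate message are all constructed sample data, and treating the Framed-MTU value directly as the EAP packet ceiling is a simplification stated in the code.

```python
"""Constructed RADIUS Access-Request / Access-Accept pair showing where the
Framed-MTU attribute (type 12) lands relative to the EAP-TLS exchange."""
import math
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME = 1
ATTR_FRAMED_MTU = 12   # RFC 2865 section 5.12: 4-byte unsigned integer
ATTR_EAP_MESSAGE = 79  # RFC 3579: carries one EAP packet, possibly split over several attributes

# EAP header (Code, Identifier, Length = 4 bytes) + EAP-TLS Type (1) + Flags (1)
# + TLS Message Length (4, present on the first fragment) per RFC 5216.
EAP_TLS_OVERHEAD = 10


def build_radius(code: int, ident: int, attrs) -> bytes:
    """Assemble a RADIUS packet. The 16-byte Authenticator is zeroed because this
    is constructed sample data, not a captured exchange."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_radius(pkt: bytes) -> dict:
    """Decode the RADIUS header and walk the attribute TLVs, rejecting malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("RADIUS Length field inconsistent with packet size")
    attrs, off = [], 20
    while off < length:
        if length - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return {"code": code, "name": RADIUS_CODES.get(code, f"code-{code}"), "id": ident, "attrs": attrs}


def framed_mtu(parsed: dict):
    """Return the Framed-MTU value if the packet carries one, else None."""
    for atype, value in parsed["attrs"]:
        if atype == ATTR_FRAMED_MTU and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def eap_tls_fragments(tls_message_len: int, eap_mtu: int) -> int:
    """Fragments needed to carry one TLS message (e.g. the Certificate handshake
    message) when no EAP-TLS packet may exceed eap_mtu bytes. Simplification
    (assumption): the Framed-MTU value is taken directly as the EAP packet ceiling."""
    budget = eap_mtu - EAP_TLS_OVERHEAD
    if budget <= 0:
        raise ValueError("MTU too small to carry any TLS payload")
    return math.ceil(tls_message_len / budget)


def mtu_report(request: bytes, accept: bytes) -> dict:
    """Compare the Framed-MTU hint the NAS sent in the Access-Request with the value
    the server returned in the Access-Accept. Only the former exists while the
    EAP-TLS exchange is still in progress (RFC 3579)."""
    req, acc = parse_radius(request), parse_radius(accept)
    if req["name"] != "Access-Request" or acc["name"] != "Access-Accept":
        raise ValueError("expected an Access-Request followed by an Access-Accept")
    return {
        "request_mtu": framed_mtu(req),
        "accept_mtu": framed_mtu(acc),
        "hint_available_during_eap": framed_mtu(req) is not None,
    }


# Constructed sample data mirroring the numbers in the thread: the NAS hints 1486,
# the authorization profile returns 1002 in the Access-Accept.
SAMPLE_ACCESS_REQUEST = build_radius(1, 7, [
    (ATTR_USER_NAME, b"host/lab-pc"),
    (ATTR_FRAMED_MTU, struct.pack("!I", 1486)),
    (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x10\x01host/lab-pc"),  # EAP-Response/Identity
])
SAMPLE_ACCESS_ACCEPT = build_radius(2, 7, [
    (ATTR_FRAMED_MTU, struct.pack("!I", 1002)),
    (ATTR_EAP_MESSAGE, b"\x03\x0a\x00\x04"),  # EAP-Success
])

if __name__ == "__main__":
    print(mtu_report(SAMPLE_ACCESS_REQUEST, SAMPLE_ACCESS_ACCEPT))
    for mtu in (1486, 1300, 1002):
        print(mtu, "->", eap_tls_fragments(4000, mtu), "fragments for a 4000-byte Certificate message")
```

Run against a real capture, the same parser applied to the Access-Request tells you what the switch actually advertised, which is the number that governs fragmentation of the server's Certificate message; the value in the Access-Accept is the one the thread found taking effect only after authentication.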

Hi all, so this is the exact point. We have the same issue. In our case we have a WAN infrastructure with GRE encapsulation and with switch 2960X using a Framed-MTU of 1500 bytes, and the EAP-TLS packet exchange for sending the client certificate is dropped on the F5 LB. There is no way to change the Framed-MTU on the switch, while switch 9200L sends out a lower Framed-MTU. In the next months we will face a different scenario where the GRE infrastructure will be replaced by SD-WAN with IPsec encapsulation, so the overhead will grow and probably different tuning on the F5 LB will be needed.

Do you have any transport with a higher MTU? You could steer the EAP traffic over that interface.

Hi,

might you be so kind as to tell me how setting a lower MTU on the PSN can affect the way the remote supplicant handles its own MTU for EAP-TLS frames?

Regards

Marco
