08-12-2020 08:58 AM
My client is using an EAP-TLS fragment size of 1486. I configured the Authorization profile to push an Accept with the RADIUS attribute Framed-MTU = 1002, but the client is obviously not using that to fragment the large packets in the EAP-TLS communication. Wireshark shows that ISE is pushing that 1002 MTU with the Access-Accept packet, which means all the EAP-TLS traffic is using the client's default 1486 MTU. So how can I configure ISE to force the client to use that MTU while it is doing the EAP-TLS authentication?
reference: https://community.cisco.com/t5/network-access-control/radius-framed-mtu-attribute/m-p/3542070
08-12-2020 10:11 AM
- Check if this thread can help you:
https://community.cisco.com/t5/network-access-control/radius-framed-mtu-attribute/m-p/3542066
M.
08-12-2020 10:28 AM
Thanks marce, but it is the same link I listed in the reference; I wanted to know how.
08-12-2020 01:33 PM
Reading through the article you quoted, the ISE enhancement request CSCvf52213 was applied to ISE 2.6 and 2.4.0.357-Patch2 (and later) and provided a CLI option in the ISE console to set the MTU size manually per node:
Reading throught the article you quoted, the ISE enhancement request CSCvf52213 was applied to ISE 2.6 and 2.4.0.357-Patch2 (and later) and provided CLI option in the ISE console to set the MTU size manually per node:
interface GigabitEthernet 0
ip address 10.77.124.38 255.255.255.0
ip mtu 1300
!
interface GigabitEthernet 1
ipv6 address autoconfig
ip mtu 1300
08-13-2020 08:13 AM
Thanks thomas, it seems the lowest we can go with this config per interface is 1300B, which is fine in most cases, so I'm just wondering what's the benefit of using RADIUS attribute 12 "Framed-MTU" in the AuthZ profile. Is it just to push that to the users after the authentication, or can we use it somehow while the user is authenticating with ISE?
08-15-2020 10:02 PM
For details on the Framed-MTU attribute, refer to the document below:
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html#anc9
08-18-2020 07:01 AM - edited 08-18-2020 07:06 AM
Well, people keep referring me to the same link that I listed in my question. The (EAP Fragmentation Implementations and Behavior) doc was mentioned as a link in the post I listed in my question; if that had been helpful, I would not have needed to raise the question. Again, my question is: how can I configure ISE to force the client to use that MTU while it is doing the EAP-TLS authentication?
08-19-2020 01:19 PM
Wondering if the following link could help:
https://community.cisco.com/t5/network-access-control/radius-framed-mtu-attribute/m-p/3542066
08-19-2020 01:32 PM
Thanks ajc, but it is the same link I listed with my question... no worries, I think we can't force the client to use a specific MTU using the AuthZ profile for the EAP-TLS session until it ends, and then we can send it with the Access-Accept to use that specified MTU.
10-08-2020 07:14 PM
So what is the use of RADIUS Attribute Framed-MTU =###; if we can't force a client to use it?
10-08-2020 07:56 PM
Actually we can use it, but after the authentication: after a successful auth the client will use that MTU.
01-13-2021 12:03 AM
That is a catch-22: can't auth due to the MTU, can't use Framed-MTU to lower the MTU until authed.
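To make the catch-22 concrete, here is an added example (not code from any poster or from Cisco): it reads Framed-MTU (RADIUS attribute 12) out of a constructed Access-Accept, which only arrives after authentication succeeds, and separately shows how a TLS flight fragments into EAP-TLS packets at the EAP MTUs discussed in the thread (1486, 1300, 1002) using the RFC 5216 L/M flags. The packet bytes and the TLS flight size are constructed for illustration.

```python
# Added example (not from the thread): read Framed-MTU (RADIUS attribute 12)
# from a constructed Access-Accept and show how a TLS flight fragments into
# EAP-TLS packets at a given EAP MTU (RFC 5216 L/M flags). Constants below
# are taken from the RFCs; sample packets are constructed here.
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_FRAMED_MTU = 12
EAP_TLS_HDR = 6  # EAP code/id/length (4) + type (1) + EAP-TLS flags (1)

def radius_attributes(pkt: bytes) -> dict:
    """Return {type: value} for the TLVs after the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(pkt):
        t, ln = pkt[pos], pkt[pos + 1]
        if ln < 2 or pos + ln > len(pkt):
            raise ValueError("malformed RADIUS attribute length")
        attrs[t] = pkt[pos + 2:pos + ln]
        pos += ln
    return attrs

def framed_mtu(pkt: bytes):
    """Framed-MTU as an int, or None if not an Access-Accept / attribute absent."""
    if pkt[0] != RADIUS_ACCESS_ACCEPT:
        return None
    v = radius_attributes(pkt).get(ATTR_FRAMED_MTU)
    return struct.unpack("!I", v)[0] if v and len(v) == 4 else None

def eap_tls_fragments(tls_data: bytes, eap_mtu: int) -> list:
    """Split a TLS flight into EAP-TLS payloads (flags [+ length] + data), i.e.
    what follows the 5-byte EAP code/id/length/type prefix. First fragment
    sets L (0x80) and carries the total length; M (0x40) marks 'more follows'."""
    room = eap_mtu - EAP_TLS_HDR
    if room <= 4:
        raise ValueError("EAP MTU too small to carry any TLS data")
    frags, pos, total, first = [], 0, len(tls_data), True
    while pos < total:
        chunk = tls_data[pos:pos + room - (4 if first else 0)]
        pos += len(chunk)
        flags = (0x80 if first else 0) | (0x40 if pos < total else 0)
        frags.append(bytes([flags]) + (struct.pack("!I", total) if first else b"") + chunk)
        first = False
    return frags

def build_access_accept(mtu: int) -> bytes:
    """Constructed Access-Accept carrying only Framed-MTU (authenticator zeroed)."""
    attr = struct.pack("!BBI", ATTR_FRAMED_MTU, 6, mtu)
    hdr = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, 1, 20 + len(attr)) + b"\0" * 16
    return hdr + attr
```

Running `eap_tls_fragments` over a roughly 4 KB certificate flight gives 3 fragments at 1486, 4 at 1300 and 5 at 1002; the Framed-MTU value parsed from the Access-Accept has no bearing on those counts because the supplicant has already finished the exchange by the time it sees it.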
01-17-2021 01:44 AM
Hi all, so this is the exact point... we have the same issue. In our case we have a WAN infrastructure WITH GRE encapsulation and WITH switch 2960X using a framed MTU of 1500 bytes, and the EAP-TLS packet exchange for sending the client certificate is dropped on the F5 LB... there is no way to change the framed MTU on the switch, while the switch 9200L is sending out a lower framed MTU. In the next months we will face a different scenario where the GRE infrastructure will be replaced by SD-WAN WITH IPsec encapsulation, so the overhead will grow and probably different tuning on the F5 LB will be needed.
12-14-2021 02:50 PM
Do you have any transport with a higher MTU? You could steer the EAP traffic over that interface.
10-07-2022 06:24 AM
Hi,
might you be so kind as to tell me how setting a lower MTU on the PSN can affect the way the remote supplicant handles its own MTU for EAP-TLS frames?
Regards
Marco