02-12-2019 05:25 AM
ISE 2.3 patch 5
I'm hitting this weird issue with ISE trying to get EAP-TLS with machine authentication working.
During the initial eap-tls flow, ISE receives the client hello access-request packet from the NAD, then responds with the access-challenge that contains the server hello/certificate/server key exchange/etc. This is over 5 eap-tls fragments (5 IP packets). The NAD acknowledges these with access-requests without issue. Next the NAD sends an access-request with its certificate/client key exchange/change cipher spec/etc. At a radius level the access-request looks to be fragmented over multiple packets, but the first fragment is fragmented at IP level as well with 1518 bytes on wire and another 419 bytes on the wire - this makes up the first access-request. Packet capture on the upstream device from ISE shows it forwarding both these packets, however packet capture on the ISE shows only the first Fragmented IP protocol packet. The remaining 419 byte packet needed to reassemble to get the access-request is not seen in the capture. Looks like the ISE is silently dropping this? Hence eap-tls times out and fails.
The first fragment of the access-request is more than 1500 bytes, is this the issue? It's funny that the larger fragmented packet is received but the following 419 byte one is not.
The data portion (radius stuff) of the first fragment is 1480 bytes. Now when you add the IP and ethernet headers it will be at least 1514 bytes. Not sure why the NAD will send it this big when the MTU on the interface and globally is set to 1500 bytes.
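To make the sizes in the post concrete, here is an added example (not from the thread or from Cisco) that models the IPv4 fragmentation of one oversized RADIUS/EAP-TLS Access-Request and then checks, from a list of observed fragments, whether the datagram can be reassembled. The RADIUS length (1853 bytes) and the assumption that the 1518-byte frame carried an 802.1Q tag are constructed so that the arithmetic reproduces the 1480-byte first fragment and the 419-byte trailing frame described above; the "upstream" and "PSN" fragment lists are likewise constructed stand-ins for the two captures.

```python
"""Model IPv4 fragmentation of a large RADIUS datagram and flag datagrams whose
trailing fragment never shows up in a capture (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List

ETH_HDR = 14      # Ethernet II header
DOT1Q_TAG = 4     # 802.1Q VLAN tag, present only on tagged frames (assumption)
IPV4_HDR = 20     # IPv4 header without options
UDP_HDR = 8       # UDP header, carried only in the first fragment


@dataclass
class Fragment:
    ip_id: int          # IP Identification field shared by all fragments
    offset_bytes: int   # byte offset of this fragment's data in the IP payload
    data_len: int       # bytes of IP payload carried by this fragment
    more_fragments: bool  # MF flag: True on every fragment except the last

    def wire_len(self, tagged: bool = False) -> int:
        """Frame length on the wire (without the Ethernet FCS)."""
        return ETH_HDR + (DOT1Q_TAG if tagged else 0) + IPV4_HDR + self.data_len


def fragment_udp(ip_id: int, radius_len: int, ip_mtu: int = 1500) -> List[Fragment]:
    """Split one UDP datagram carrying a RADIUS message into IPv4 fragments.

    Every fragment except the last must carry a multiple of 8 data bytes,
    so a 1500-byte IP MTU yields at most 1480 bytes of payload per fragment.
    """
    total = UDP_HDR + radius_len
    max_data = (ip_mtu - IPV4_HDR) // 8 * 8
    frags: List[Fragment] = []
    off = 0
    while off < total:
        n = min(max_data, total - off)
        frags.append(Fragment(ip_id, off, n, more_fragments=(off + n) < total))
        off += n
    return frags


def reassembly_status(seen: List[Fragment]) -> Dict[int, str]:
    """Classify each IP ID in a capture as 'complete' (fragments cover the
    payload contiguously from offset 0 and the last one has MF clear) or
    'incomplete' (a fragment is missing, e.g. silently dropped upstream)."""
    by_id: Dict[int, List[Fragment]] = {}
    for f in seen:
        by_id.setdefault(f.ip_id, []).append(f)
    status: Dict[int, str] = {}
    for ip_id, frags in by_id.items():
        frags.sort(key=lambda f: f.offset_bytes)
        expected = 0
        complete = True
        for f in frags:
            if f.offset_bytes != expected:
                complete = False
                break
            expected += f.data_len
        if complete and frags[-1].more_fragments:
            complete = False  # last fragment never arrived
        status[ip_id] = "complete" if complete else "incomplete"
    return status


def compare_captures() -> Dict[str, str]:
    """Constructed scenario from the post: the upstream capture holds both
    fragments, the PSN capture holds only the first."""
    frags = fragment_udp(ip_id=0x1234, radius_len=1853)
    upstream = frags            # both fragments forwarded
    psn = frags[:1]             # trailing fragment missing on the PSN
    return {
        "upstream": reassembly_status(upstream)[0x1234],
        "psn": reassembly_status(psn)[0x1234],
    }


if __name__ == "__main__":
    for f in fragment_udp(0x1234, 1853):
        print(f"offset={f.offset_bytes:5d} data={f.data_len:5d} MF={f.more_fragments} "
              f"wire(tagged)={f.wire_len(tagged=True)}")
    print(compare_captures())
```

Running it prints a first fragment of 1480 payload bytes (1518 on a tagged wire) and a second of 381 bytes (419 on the wire), and reports the PSN-side capture as `incomplete`: that is exactly the condition to look for when comparing a capture in front of the PSN with one taken on it. Passing a smaller `ip_mtu` to `fragment_udp` shows how lowering the MTU on the RADIUS source interface changes where the datagram is cut, which is the knob the later reply in this thread points at.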
02-12-2019 05:28 AM
Are the PSNs behind an F5 load balancer? If so this is a known issue with the F5s. The F5s will drop packet fragments if they are too small.
02-12-2019 05:38 AM - edited 02-12-2019 05:39 AM
No, they are not. I took a capture right in front of the PSNs on the ACI EPG where the PSN VMs reside. That capture shows both fragmented packets being forwarded, but the PSN never gets the 2nd fragment.
02-16-2019 09:35 AM
Adding to what Damien Miller and Paul said,
I believe ISE will drop the 2nd packet if the DF bit is set.
02-12-2019 08:52 AM
02-12-2019 09:38 AM
01-10-2022 08:46 AM
Hi, and sorry for asking this, but did you configure "IP MTU" on the SVI that is used as source-interface for RADIUS?
I had the same issue and this was fixed in 5 minutes with this command.