cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
536
Views
3
Helpful
1
Replies

802.1x auth failing due to NPS jumbo packets Win Server2008-2012 issue

svelev
Cisco Employee
Cisco Employee

Hello all,

 

Just putting this here to help out anyone that might have issues with inconsistent client AUTH between:

C9800-L 17.6.5 as WLC + Windows Server 2008-2012 NPS as AAA

I had a problem with CUs wireless clients failing auth.

Some client devices were able to auth without issues, others were not.

Issue was not exclusive to a certain manufacturer (Android/ Microsoft/ Apple etc.)

 

The NPS was replying with jumbo packets 1500+ MTU. Any reply of that size packet wise was a failed connection with 

Client time-out reasoning.

 

On the RA traces, we saw that the client was initiating auth, found the AAA server, conversation began and then client deletion was scheduled due to timeout, no reply from client.

 

Once the MTU size was reduced from the NPS to below 1450, all clients were able to connect without problems.

Run a PCAP on the NPS, check the MTU size and if you see 1500+ MTU, reduce it from the NPS and check if clients are able to connect. This issue is not even documented by Microsoft, it was found in a random Palo Forum.

1 Reply 1

Thank you for documenting it & share with us in the community

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: