Why will RadSec fix the issue?

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <tim.cappa...@microsoft.com>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, September 13, 2021 at 12:27 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Cisco EAP-TLS fragmentation with active/active firewalls

Switch to RadSec between your controllers and RADIUS server. Should eliminate the issue if you don't have any other config options.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee Weers <wee...@central.edu>
Date: Monday, September 13, 2021 at 18:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Cisco EAP-TLS fragmentation with active/active firewalls

Look at the load balancing on the firewalls. Depending on how it is set up, there is a way that all the traffic is sent to one firewall vs. the other per session. I know this can be done at the interface level. I don't remember what they called it off the top of my head.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Turpin, Max
Sent: Monday, September 13, 2021 11:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco EAP-TLS fragmentation with active/active firewalls

Hey everyone,

Hoping everyone is having a peaceful start of the semester. Reaching out because we're dealing with a doozy of a problem and hoping someone else may have dealt with this and can help.

We are running several pairs of Cisco 5520 controllers running 8.5.171 code. We have recently done a complete rebuild of our Clearpass environment split across two data centers and those are running 6.9.6. What we have found is that when sending traffic to this new cluster, some packets are greater than 1500 bytes and are getting fragmented in the environment. That would be all well and fine except our perimeter firewalls are active/active, so in some cases fragment 1 goes to FW-A and fragment 2 goes to FW-B. Palo Alto will drop fragments if it does not have all parts. So these fragments are getting dropped and thus the EAP exchange is timing out.

1. As far as I've gotten from Cisco, 5520 controllers do not support jumbo frames.
2. There is no support from Cisco for specifying an EAP-TLS fragment size (unlike Aruba).
3. I cannot move all the controllers inside the data centers as there are some remote controllers as part of this environment.

The only solution I can think of right now is to point the traffic to one firewall with policy routes with SLA tracking, but that's an administratively burdensome solution and frankly, kind of kludgy.

Have any of you dealt with this sort of issue? Any thoughts on this would be appreciated.

Thanks,
Max

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
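An added illustration of the mechanism the thread is arguing about (example code, not from any poster or vendor): a RADIUS/UDP Access-Challenge carrying an EAP-TLS chunk is IP-fragmented at a 1500-byte MTU, and only the first fragment carries the UDP ports, whereas the same RADIUS bytes over RadSec (RADIUS/TLS over TCP) ride in TCP segments that each carry a full transport header. The EAP chunk size, addresses and ports are constructed, and the idea that the active/active pair keys its per-flow hash on L4 ports is an assumption about the balancer, not something the thread confirms.

```python
# Constructed sizes: a 1500-byte MTU path, IPv4 without options.
MTU = 1500
IP_HDR, UDP_HDR, TCP_HDR = 20, 8, 20
RADIUS_HDR = 20          # code, identifier, length, authenticator
EAP_MSG_MAX = 253        # max payload of one EAP-Message attribute (RFC 3579)
MSG_AUTH_LEN = 18        # Message-Authenticator attribute, required with EAP


def radius_len(eap_len):
    """Length of a RADIUS message carrying eap_len bytes of EAP, split into
    EAP-Message attributes (2-byte type/length each) plus Message-Authenticator."""
    n_attrs = -(-eap_len // EAP_MSG_MAX)          # ceiling division
    return RADIUS_HDR + eap_len + 2 * n_attrs + MSG_AUTH_LEN


def udp_ip_fragments(radius_bytes, mtu=MTU):
    """IP fragments of one UDP datagram as (offset, carries_udp_header).
    Fragment offsets are multiples of 8; only the first fragment has ports."""
    total = UDP_HDR + radius_bytes
    step = (mtu - IP_HDR) // 8 * 8
    return [(off, off == 0) for off in range(0, total, step)]


def tcp_segments(radius_bytes, mtu=MTU):
    """TCP segments carrying the same bytes over RadSec (TLS record overhead
    omitted for brevity). Every segment has its own TCP header and ports."""
    mss = mtu - IP_HDR - TCP_HDR
    return [(off, True) for off in range(0, radius_bytes, mss)]


def flow_keys(pieces, src="10.0.0.1", dst="10.0.1.1", sport=1812, dport=54321):
    """Assumed balancer input: a hash keyed on addresses and L4 ports.
    A non-first IP fragment exposes no ports, so its key differs from the first."""
    keys = set()
    for _, has_l4 in pieces:
        ports = (sport, dport) if has_l4 else (None, None)
        keys.add((src, dst) + ports)
    return keys


def compare(eap_len=2000):
    """(udp fragments, distinct udp keys, tcp segments, distinct tcp keys)
    for one EAP-TLS chunk of eap_len bytes; 2000 is a constructed value."""
    rlen = radius_len(eap_len)
    frags, segs = udp_ip_fragments(rlen), tcp_segments(rlen)
    return len(frags), len(flow_keys(frags)), len(segs), len(flow_keys(segs))


if __name__ == "__main__":
    print(compare())        # UDP: two fragments, two keys; TCP: two segments, one key
```

Two distinct keys on the UDP side is exactly the condition under which a per-flow balancer can send fragment 1 to FW-A and fragment 2 to FW-B, so a firewall that needs all fragments to pass the datagram drops it; on the TCP side every segment hashes identically.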