This shows you the differences between two versions of the page.
public:how_to_deal_with_fragmentation_of_eap_packets [2022/12/06 10:32] admin [Cause] |
public:how_to_deal_with_fragmentation_of_eap_packets [2022/12/06 11:02] admin [Solutions] |
Line 19: | Line 19: | ||
Doing this means that during an authentication the minimum (one server cert and one client cert) are passed around rather than a number of client, server and intermediates. However, the number of certificates, | Doing this means that during an authentication the minimum (one server cert and one client cert) are passed around rather than a number of client, server and intermediates. However, the number of certificates, | ||
+ | |||
+ | The key length used to encrypt the certificates can impact the certificate sizes. So using 4096 results in a file bigger than if using 2048. There are arguments for and against using 4096 over 2048. If there are certificate size issues then you're not compromising security by running 2048 rather than 4096 and the smaller key lengths have much less impact on CPU. | ||
======Solutions====== | ======Solutions====== | ||
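Review bot: the added paragraph (the `+` line after "However, the number of certificates,") says the key length is "used to encrypt the certificates", which is not what the key does; the key length is the size of the certificate's RSA public key and of the CA signature over it, and those two fields are what grow the certificate. Suggest "The RSA key length of the certificate's public key affects the certificate size: a 4096-bit key produces a noticeably larger certificate than a 2048-bit key", and give the unit and algorithm (bits, RSA) wherever the bare numbers 2048 and 4096 appear, since on their own they are ambiguous. The closing claim that 2048 instead of 4096 does "not compromise security" would also read better tied to a stated reason or reference rather than asserted flatly, as it is the sentence a reader will rely on when picking the smaller key.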
Line 26: | Line 28: | ||
* Disable packet fragmentation checks/ | * Disable packet fragmentation checks/ | ||
* Ensure only the minimum number of certs are sent in the auth and that as much of the chain as possible is installed on the client and server. | * Ensure only the minimum number of certs are sent in the auth and that as much of the chain as possible is installed on the client and server. | ||
+ | * Change from a public CA to a private CA and just have a Root and client/ | ||
+ | * Use 2048 rather than 4096 for the key length | ||
* Set Framed-MTU to 1100 | * Set Framed-MTU to 1100 | ||
The last option is somewhat of a last resort because it's not universally respected by RADIUS servers. However, what it does do is to pass a hint to a RADIUS server to request that the RADIUS server use a maximum of 1100 bytes for the RADIUS packet. This would mean that, with the additional headers provided by the TCP stack that the packets should never be fragmented. | The last option is somewhat of a last resort because it's not universally respected by RADIUS servers. However, what it does do is to pass a hint to a RADIUS server to request that the RADIUS server use a maximum of 1100 bytes for the RADIUS packet. This would mean that, with the additional headers provided by the TCP stack that the packets should never be fragmented. | ||
- | The caveat is, as stated, that different RADIUS | + | The caveat is, as stated, that different RADIUS |
+ | |||
+ | Cisco ISE has a maximum MTU size of 1002 bytes, this can not be changed and ISE doesn' | ||
+ | |||
+ | Aruba Clearpass has a default maximum MTU size of 1100, which should be fine. The value can be changed. Clearpass will send a Framed-MTU attribute out to authentication servers. | ||
+ | |||
+ | Microsoft NPS has a default MTU size of 1500, which is too big, and does not respond to the Framed-MTU if it receives it. You can add a Framed-MTU attribute and set its value via the Network Policy that is handling the authentication of your users - and that Framed-MTU will be used by NPS to manage the size of the packets sent back to your remote user. We suggest setting it to 1100. | ||
- | <insert info about RADIUS server support for Framed-MTU> | ||
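Review bot: the three new product paragraphs call the limit "maximum MTU size", while the unchanged paragraph above them talks about the RADIUS packet size and the Framed-MTU hint; these are the server's maximum RADIUS/EAP fragment size, not a link MTU, so suggest one term throughout and, for each of Cisco ISE, Aruba ClearPass and Microsoft NPS, the same three facts in the same order: the default limit, whether it can be changed, and whether the server honours a Framed-MTU it receives. The NPS paragraph already does this; the ClearPass sentence "will send a Framed-MTU attribute out to authentication servers" should say in which role (forwarding/proxying) that applies, since as the authenticating server it would be receiving the attribute. The new bullet "Use 2048 rather than 4096 for the key length" should say "-bit RSA" for consistency with the Cause section. Finally, since the new text builds on the retained sentence about "the additional headers provided by the TCP stack", it is worth correcting in the same edit: RADIUS normally runs over UDP (RFC 2865), so the overhead to budget for is IP and UDP headers plus the RADIUS header.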