Operating Notes
Because the switch fragments and reassembles EAP packets, there is a delay in the response to the Access-Challenge packet from the RADIUS server. The length of the delay depends on the size of the client and server certificates.
The certificate size must be less than 64k bytes, as there is a limit on the certificate size during EAP TLS authentication.
The fragmentation size of a certificate must not exceed 1001 bytes.
- Debug messages about packet fragmentation on a switch are written to the debug console log. You can enable debug logs by executing the following commands on the switch:
debug destination session
debug security port-access authenticator
debug security radius-server
0000:04:23:36.39 1X m8021xCtrl:Port 2: Response packet, Fragmented bit set(eap_flag = 192) in EAP ID #29 to 005056-bd38d7. Re-assemble the packet, total client certificate length 15113
0000:04:23:36.59 1X m8021xCtrl:Port 2: Response re-assembly, Re-assembled length = 3100 for EAP ID #29 to 005056-bd38d7. Total Length re-assembled = 3100.
0000:04:23:36.77 1X m8021xCtrl:Port 2: Response re-assembly, Send request ACK with EAP ID #30 to 005056-bd38d7.
0000:04:23:36.89 1X m8021xCtrl:Port 2: received type 13 EAP response #30 from 005056-bd38d7.
0000:04:23:37.00 1X m8021xCtrl:Port 2: Response re-assembly, Re-assembled length = 3100 for EAP ID #30 to 005056-bd38d7. Total Length re-assembled = 6200.
When the supplicant and server certificates are large, or the EAP fragment size configured on the supplicant and on the server is small, the EAP TLS handshake takes more request-response rounds. The client and server support a maximum of 50 complete EAP request-response rounds. If the number of EAP request-response rounds exceeds 50, the EAP TLS authentication fails.
Example 1
Client Cert-size = 40K or less (Jumbo enabled)
EAP supplicant size = 8K
RADIUS Cert-size = less than 3k
EAP RADIUS size = 3k
Calculate the rounds for the above configuration:
EAP Identity = 1 round
EAP Method = 1 round
Client hello + server cert = 1 round
Client cert to switch = 40/8 rounds = 5 rounds
Switch to RADIUS = 40 rounds
Cipher spec + success = 2 rounds
-------------------------------------------------
Total = 50 rounds
Example 2
Client Cert-size = 6K or more (Jumbo enabled)
EAP supplicant size = 300 Bytes
RADIUS Cert-size = less than 3k
EAP RADIUS size = 3k
Calculate the rounds for the above configuration:
EAP Identity = 1 round
EAP Method = 1 round
Client hello + server cert = 1 round
Client cert to switch = 60/3 rounds = 20 rounds
Switch to RADIUS = 20 rounds
Cipher spec + success = 2 rounds
-------------------------------------------------
Total = 45 rounds
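A round-budget calculator for the two examples above, added here as an illustration and not part of the original notes or the switch firmware. The fixed per-phase rounds are taken from the examples; the switch-to-RADIUS rule (client fragments are relayed as received, and re-fragmented only when they exceed the switch's own ~1K fragment) and the reading of "K" as 1000 bytes are assumptions inferred from the examples, chosen because they reproduce both totals (50 and 45).

```python
import math

# Fixed rounds taken from the page's worked examples.
FIXED_ROUNDS = {
    "EAP Identity": 1,
    "EAP Method": 1,
    "Client hello + server cert": 1,
    "Cipher spec + success": 2,
}
MAX_ROUNDS = 50             # round budget stated on the page
MAX_CERT_BYTES = 64_000     # "less than 64k bytes"; K read as 1000 (assumption)
SWITCH_FRAG_BYTES = 1000    # assumption: switch fragment, page says <= 1001 bytes


def eap_tls_rounds(client_cert_bytes, supplicant_eap_bytes,
                   switch_frag_bytes=SWITCH_FRAG_BYTES):
    """Return (total_rounds, breakdown) for one EAP-TLS authentication.

    Model (inferred from the two examples, not stated on the page):
    - client -> switch: ceil(cert / supplicant fragment) fragments;
    - switch -> RADIUS: the certificate is relayed in fragments no larger than
      min(supplicant fragment, switch fragment), so small client fragments are
      forwarded one-for-one and large ones are re-fragmented by the switch.
    """
    if client_cert_bytes >= MAX_CERT_BYTES:
        raise ValueError("client certificate must be less than 64k bytes")
    breakdown = dict(FIXED_ROUNDS)
    breakdown["Client cert to switch"] = math.ceil(client_cert_bytes / supplicant_eap_bytes)
    relay_frag = min(supplicant_eap_bytes, switch_frag_bytes)
    breakdown["Switch to RADIUS"] = math.ceil(client_cert_bytes / relay_frag)
    return sum(breakdown.values()), breakdown


def within_budget(client_cert_bytes, supplicant_eap_bytes):
    """True if the handshake stays within the 50-round limit."""
    total, _ = eap_tls_rounds(client_cert_bytes, supplicant_eap_bytes)
    return total <= MAX_ROUNDS


def min_supplicant_fragment(client_cert_bytes, step=100):
    """Smallest supplicant EAP fragment size (in multiples of `step`) that keeps
    the handshake within budget, or None if no size up to the cert size does.
    The total is non-increasing in the fragment size, so a linear scan is exact."""
    size = step
    while size < client_cert_bytes:
        if within_budget(client_cert_bytes, size):
            return size
        size += step
    return client_cert_bytes if within_budget(client_cert_bytes, client_cert_bytes) else None
```

Under these assumptions, a 40K client certificate needs a supplicant EAP fragment of at least 8K to fit in 50 rounds, which matches Example 1.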