Operating Notes

  • Because the switch fragments and re-assembles EAP-TLS packets, the response to an Access-Challenge from the RADIUS server is delayed. The length of the delay depends on the size of the client and server certificates.

  • The certificate must be smaller than 64k bytes; EAP-TLS authentication imposes this limit on certificate size.

  • The fragmentation size of a certificate must not exceed 1001 bytes.

  • Debug messages for packet fragmentation on the switch are written to the debug console log. Enable the debug logs by executing the following commands on the switch:
    • debug destination session

    • debug security port-access authenticator

    • debug security radius-server

    Example of the debug messages the switch logs while re-assembling a fragmented client certificate (the cumulative "Total Length re-assembled" grows by one fragment per EAP ID until it reaches the "total client certificate length"):
    0000:04:23:36.39 1X   m8021xCtrl:Port 2: Response packet, Fragmented bit
       set(eap_flag = 192) in EAP ID #29 to 005056-bd38d7. Re-assemble the packet,
       total client certificate length 15113
    0000:04:23:36.59 1X   m8021xCtrl:Port 2: Response re-assembly, Re-assembled
       length = 3100 for EAP ID #29 to 005056-bd38d7. Total Length re-assembled =
       3100.
    0000:04:23:36.77 1X   m8021xCtrl:Port 2: Response re-assembly, Send request ACK
       with EAP ID #30 to 005056-bd38d7.
    0000:04:23:36.89 1X   m8021xCtrl:Port 2: received type 13 EAP response #30 from
       005056-bd38d7.
    0000:04:23:37.00 1X   m8021xCtrl:Port 2: Response re-assembly, Re-assembled
       length = 3100 for EAP ID #30 to 005056-bd38d7. Total Length re-assembled =
       6200.
    
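    The debug lines above can be used to judge how far re-assembly has progressed and how many fragments are still to come. The following parser is an added example written for this note, not part of the switch firmware or its documentation. It feeds on the exact lines quoted above (embedded as a constructed sample), joins the wrapped continuation lines back into one record per timestamp, and derives the remaining byte count and expected remaining fragments; the assumption that later fragments are the same size as the ones already seen is the author's, not the switch's.

```python
"""Parse the switch's 802.1X fragmentation debug output and report
re-assembly progress for the client certificate.

Added example, not code from the switch or its documentation."""
import re
from math import ceil

# Constructed sample: the debug lines quoted on this page, verbatim.
SAMPLE_LOG = """\
0000:04:23:36.39 1X   m8021xCtrl:Port 2: Response packet, Fragmented bit
   set(eap_flag = 192) in EAP ID #29 to 005056-bd38d7. Re-assemble the packet,
   total client certificate length 15113
0000:04:23:36.59 1X   m8021xCtrl:Port 2: Response re-assembly, Re-assembled
   length = 3100 for EAP ID #29 to 005056-bd38d7. Total Length re-assembled =
   3100.
0000:04:23:36.77 1X   m8021xCtrl:Port 2: Response re-assembly, Send request ACK
   with EAP ID #30 to 005056-bd38d7.
0000:04:23:36.89 1X   m8021xCtrl:Port 2: received type 13 EAP response #30 from
   005056-bd38d7.
0000:04:23:37.00 1X   m8021xCtrl:Port 2: Response re-assembly, Re-assembled
   length = 3100 for EAP ID #30 to 005056-bd38d7. Total Length re-assembled =
   6200.
"""

TS = re.compile(r"^\d{4}:\d{2}:\d{2}:\d{2}\.\d{2}\s")
PORT = re.compile(r"Port (\d+):")
CERT_TOTAL = re.compile(r"total client certificate length (\d+)")
REASM = re.compile(
    r"Re-assembled length = (\d+) for EAP ID #(\d+) to ([0-9a-f-]+)\. "
    r"Total Length re-assembled = (\d+)"
)


def join_wrapped(text):
    """Merge console-wrapped continuation lines into one record per timestamp."""
    records = []
    for line in text.splitlines():
        if TS.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def reassembly_status(text):
    """Summarise certificate re-assembly from the debug records."""
    status = {"port": None, "client": None, "cert_total": None,
              "fragments_seen": 0, "bytes_reassembled": 0,
              "last_fragment": None, "last_eap_id": None}
    for rec in join_wrapped(text):
        m = PORT.search(rec)
        if m:
            status["port"] = int(m.group(1))
        m = CERT_TOTAL.search(rec)
        if m:
            status["cert_total"] = int(m.group(1))
        m = REASM.search(rec)
        if m:
            frag, eap_id, client, total = m.groups()
            status["fragments_seen"] += 1
            status["last_fragment"] = int(frag)
            status["last_eap_id"] = int(eap_id)
            status["client"] = client
            status["bytes_reassembled"] = int(total)
    total = status["cert_total"]
    done = status["bytes_reassembled"]
    status["bytes_remaining"] = (total - done) if total is not None else None
    status["complete"] = total is not None and done >= total
    # Assumption: remaining fragments are the same size as the last one seen.
    if status["bytes_remaining"] is not None and status["last_fragment"]:
        status["fragments_remaining"] = ceil(status["bytes_remaining"]
                                             / status["last_fragment"])
    else:
        status["fragments_remaining"] = None
    return status


if __name__ == "__main__":
    for key, value in reassembly_status(SAMPLE_LOG).items():
        print(f"{key:20} {value}")
```

    On the quoted sample the switch has re-assembled 6200 of 15113 bytes in two 3100-byte fragments, so three more fragments (and three more EAP request/response rounds) are expected before the client certificate is complete.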
  • When the supplicant and server certificates are large, or the EAP fragment size configured on the supplicant and the server is small, the EAP-TLS handshake takes more rounds. The client and server support a maximum of 50 complete EAP request-response rounds; if the handshake needs more than 50, EAP-TLS authentication fails.

    Example 1

    Client Cert-size         = 40K or less (Jumbo enabled)
    EAP supplicant size      = 8K
    RADIUS  Cert-size        = less than 3k 
    EAP RADIUS size          = 3k
    
    Calculate the round for the above configuration
    
    EAP Identity                          = 1 round 
    EAP Method                            = 1 round
    Client hello+ server cert             = 1 round
    Client cert to switch                 = 40K/8K = 5 rounds
    Switch to RADIUS                      = 40 rounds
    Cipher spec + success                 = 2 rounds   
    -------------------------------------------------
    Total                                 = 50 rounds                                                     
    
    
    Example 2
    Client Cert-size           = 6K or more (Jumbo enabled)
    EAP supplicant size        = 300 Bytes
    RADIUS  Cert-size          = less than 3k 
    EAP RADIUS size            = 3k
    
    Calculate the round for the above configuration
    
    EAP Identity                          = 1 round 
    EAP Method                            = 1 round
    Client hello+ server cert             = 1 round
    Client cert to switch                 = 6K/300 B = 20 rounds
    Switch to RADIUS                      = 20 rounds
    Cipher spec + success                 = 2 rounds   
    -------------------------------------------------
    Total                                 = 45 rounds
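
    The two examples can be turned into a small calculator for checking a proposed certificate and fragment-size configuration against the 50-round limit before rolling it out. This is an added example, not code from the switch or its documentation. The round model is inferred from the two worked examples above and from the 1001-byte fragmentation limit stated earlier on this page: the EAP Identity, EAP Method and Cipher spec/success rounds are fixed, the client certificate is sent to the switch in supplicant-sized fragments, and the switch-to-RADIUS leg is assumed to carry fragments no larger than the smaller of the supplicant fragment size and 1001 bytes (which reproduces the 40 and 20 rounds on the page). Treating "K" as 1000 bytes is also an assumption.

```python
"""Estimate EAP-TLS request/response rounds and check the 50-round limit.

Added example, not the switch's own logic. The model is inferred from the
two worked examples in the operating notes; the switch-to-RADIUS fragment
rule and the K = 1000 convention are assumptions."""
from math import ceil

MAX_ROUNDS = 50            # page: more than 50 rounds -> EAP-TLS fails
MAX_CERT_BYTES = 64_000    # page: certificate must be below 64k bytes
SWITCH_FRAG_BYTES = 1001   # page: fragment size must not exceed 1001 bytes
KB = 1000                  # assumption: "K" on the page is decimal


def _fragments(total_bytes, frag_bytes):
    """Number of fragments needed to carry total_bytes (at least one)."""
    if frag_bytes <= 0:
        raise ValueError("fragment size must be positive")
    return max(1, ceil(total_bytes / frag_bytes))


def eap_tls_rounds(client_cert, supplicant_frag, server_cert, radius_frag,
                   switch_frag=SWITCH_FRAG_BYTES):
    """Return the per-phase round breakdown and total for one handshake."""
    if client_cert >= MAX_CERT_BYTES or server_cert >= MAX_CERT_BYTES:
        raise ValueError("certificate exceeds the 64k byte EAP-TLS limit")
    rounds = {
        "EAP Identity": 1,
        "EAP Method": 1,
        # server certificate travels in RADIUS-sized fragments
        "Client hello + server cert": _fragments(server_cert, radius_frag),
        # client certificate arrives at the switch in supplicant fragments
        "Client cert to switch": _fragments(client_cert, supplicant_frag),
        # assumption: switch relays to RADIUS in fragments no larger than
        # min(supplicant fragment, 1001 bytes)
        "Switch to RADIUS": _fragments(client_cert,
                                       min(supplicant_frag, switch_frag)),
        "Cipher spec + success": 2,
    }
    rounds["Total"] = sum(rounds.values())
    return rounds


def authentication_succeeds(rounds):
    """True when the handshake fits within the 50-round limit."""
    return rounds["Total"] <= MAX_ROUNDS


def report(label, **cfg):
    rounds = eap_tls_rounds(**cfg)
    print(label)
    for phase, n in rounds.items():
        print(f"  {phase:28} = {n} rounds")
    print("  =>", "succeeds" if authentication_succeeds(rounds) else "FAILS")
    return rounds


if __name__ == "__main__":
    # Example 1 from the page: 40K client cert, 8K supplicant fragments
    report("Example 1", client_cert=40 * KB, supplicant_frag=8 * KB,
           server_cert=2900, radius_frag=3 * KB)
    # Example 2 from the page: 6K client cert, 300-byte supplicant fragments
    report("Example 2", client_cert=6 * KB, supplicant_frag=300,
           server_cert=2900, radius_frag=3 * KB)
    # Constructed case: large cert with tiny fragments blows the limit
    report("Constructed failure", client_cert=40 * KB, supplicant_frag=300,
           server_cert=2900, radius_frag=3 * KB)
```

    The constructed third case shows the failure mode the note warns about: a 40K client certificate with 300-byte supplicant fragments needs 134 rounds on each leg, far beyond 50, so raising the supplicant's EAP fragment size (or shrinking the certificate chain) is the fix.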