EAP-TLS/RADSEC over WAN FabricEngine+Control

Hedi
New Contributor

Hello,

For a customer we want to implement EAP-TLS for WIRED clients.
They have 200+ sites. Some are L2 and others are WAN links.

L2 seems to work fine; on L3 we have a mix of clients/locations where EAP-TLS works and does not work.
When we take a capture, the server sends the certificate chain to the client. The client in response wants to send its certificate, and that fails and does not reach the server, resulting in a timeout of the authentication. In some rare cases it does work; it varies from location to location.
I'm thinking there is a fragmentation /MTU issue.

It seems that Fabric Engine does not have any EAP-TLS fragmentation support, and after asking Extreme it does not seem that it will come soon.


As an alternative I was thinking of using RADSEC, but according to this, Control does not support RADSEC?

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000122558&q=radsec


How do you handle EAP-TLS over WAN with CONTROL + Fabric Engine?
I'm out of ideas.
Thanks!
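Added example (mine, not from the thread or from Extreme): a small calculator that sizes the RADIUS Access-Request an authenticator emits for one client-side EAP-TLS fragment, to check the fragmentation/MTU hypothesis. The switch copies each EAP-Response into EAP-Message attributes of at most 253 value bytes (RFC 3579) inside one UDP datagram, so a supplicant fragment size near 1400 bytes (the common default) easily pushes the datagram past 1500 bytes and forces IP fragmentation, which a WAN circuit may drop. Note that Framed-MTU only tells the RADIUS server how to size its own fragments (server to client); the client's fragment size is a supplicant setting (for example `fragment_size` in wpa_supplicant). The list of extra attributes the switch adds, and their lengths, is an assumption; take the real values from your own capture.

```python
import math

# Header sizes (bytes): RFC 791/768 for IPv4/UDP, RFC 2865 for RADIUS,
# RFC 3748 for EAP, RFC 5216 for the EAP-TLS type/flags/length fields.
IPV4_HEADER = 20
UDP_HEADER = 8
RADIUS_HEADER = 20
RADIUS_ATTR_HEADER = 2
EAP_MESSAGE_MAX_VALUE = 253       # RADIUS attribute Length is one byte (max 255)
EAP_HEADER = 4                    # Code, Identifier, Length
EAP_TLS_TYPE_AND_FLAGS = 2        # Type 13 + Flags byte
EAP_TLS_LENGTH_FIELD = 4          # only on a fragment with the L flag set

# ASSUMPTION: attributes a wired authenticator typically adds next to the
# EAP-Message attributes, with illustrative value lengths. Real switches
# differ; take the real list from a capture of your own Access-Request.
ASSUMED_NAS_ATTRIBUTES = {
    "User-Name": 24,
    "NAS-IP-Address": 4,
    "NAS-Port": 4,
    "NAS-Port-Type": 4,
    "Calling-Station-Id": 17,
    "Called-Station-Id": 17,
    "Framed-MTU": 4,
    "State": 16,
    "Message-Authenticator": 16,
}


def attribute_bytes(value_lengths):
    """On-the-wire size of a set of RADIUS attributes (header + value each)."""
    return sum(RADIUS_ATTR_HEADER + v for v in value_lengths)


def eap_message_attribute_bytes(eap_packet_len):
    """An EAP packet is split into consecutive EAP-Message attributes of at
    most 253 value bytes each (RFC 3579), so every slice adds a 2-byte header."""
    slices = math.ceil(eap_packet_len / EAP_MESSAGE_MAX_VALUE)
    return eap_packet_len + slices * RADIUS_ATTR_HEADER


def access_request_datagram_size(eap_packet_len, nas_attributes=ASSUMED_NAS_ATTRIBUTES):
    """Total IPv4 datagram size of the Access-Request carrying one EAP packet."""
    return (IPV4_HEADER + UDP_HEADER + RADIUS_HEADER
            + eap_message_attribute_bytes(eap_packet_len)
            + attribute_bytes(nas_attributes.values()))


def will_ip_fragment(eap_packet_len, path_mtu=1500, nas_attributes=ASSUMED_NAS_ATTRIBUTES):
    """True if the datagram exceeds the path MTU and must be IP-fragmented;
    a WAN that drops fragments then drops the whole EAP-Response."""
    return access_request_datagram_size(eap_packet_len, nas_attributes) > path_mtu


def max_eap_packet_len_without_fragmentation(path_mtu=1500, nas_attributes=ASSUMED_NAS_ATTRIBUTES):
    """Largest EAP packet that still fits in one unfragmented datagram."""
    budget = path_mtu - (IPV4_HEADER + UDP_HEADER + RADIUS_HEADER
                         + attribute_bytes(nas_attributes.values()))
    for eap_len in range(budget, 0, -1):
        if eap_message_attribute_bytes(eap_len) <= budget:
            return eap_len
    return 0


def eap_tls_fragments_for_flight(tls_flight_bytes, eap_packet_len):
    """How many EAP-TLS fragments a TLS flight (e.g. the client Certificate
    message) needs when every EAP packet is capped at eap_packet_len bytes.
    The first fragment also carries the 4-byte TLS Message Length (L flag)."""
    first_payload = eap_packet_len - EAP_HEADER - EAP_TLS_TYPE_AND_FLAGS - EAP_TLS_LENGTH_FIELD
    later_payload = eap_packet_len - EAP_HEADER - EAP_TLS_TYPE_AND_FLAGS
    if tls_flight_bytes <= first_payload:
        return 1
    return 1 + math.ceil((tls_flight_bytes - first_payload) / later_payload)


if __name__ == "__main__":
    print("Largest unfragmented EAP packet on a 1500-byte path:",
          max_eap_packet_len_without_fragmentation(), "bytes")
    for eap_len in (1000, 1398):   # 1398 is a common supplicant default
        size = access_request_datagram_size(eap_len)
        print(f"EAP packet {eap_len:4d} B -> Access-Request {size} B, "
              f"IP fragmented: {will_ip_fragment(eap_len)}")
    # Constructed input: a 4000-byte client certificate chain.
    print("Fragments for a 4000-byte client Certificate flight at 1398 B:",
          eap_tls_fragments_for_flight(4000, 1398))
```

With the assumed attribute set, a 1398-byte EAP-Response becomes a 1582-byte datagram and is fragmented, while anything up to 1316 bytes fits in one 1500-byte packet; lowering the supplicant fragment size (or raising the WAN MTU) is the lever on the client-to-server direction, and a capture on the switch uplink filtered on IP fragments (`ip[6:2] & 0x3fff != 0` in tcpdump syntax) shows whether those fragments actually leave the site.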




sachin_7
Visitor

Hello,

From your observation in the server-side capture ("The client in response wants to send their certificate and that fails and does not reach the server resulting in a timeout of the authentication"): did you get a chance to do a port mirror of the uplink on the authenticator (Fabric Engine) switch as well? The packet capture on the uplink would confirm whether the RADIUS packets from the switch to the servers are being sent out or not. It could help to rule out any potential drops over the path between the switch and the NAC.

There was an instance where the WAN circuits were dropping the fragmented packets in one of the GTAC cases:

Reference: https://extreme-networks.my.site.com/ExtrArticleDetail?an=000122465

Overall, it would be best to gather all the data and open a GTAC case for detailed analysis.


Hedi
New Contributor

Hello,
Thank you for the reply.
That is indeed the case: I have captures of the client/NAC but not yet of the switch. Actually a good idea, and I will bring it all together for a case.
The next step would also be, as a test, to use a smaller certificate chain.



Yoann_Jonard
New Contributor III

Never faced the same issue, unfortunately, but if RADSEC would solve your issue, could you use Control as a proxy to forward RADSEC requests to a RADSEC server?

But this looks more like a consequence of your fragmentation/MTU root cause. I would focus on this first.


Yoann Jonard
SIER SARL
Switzerland