Radius Authentication via wireless controller fails after deploying ION at a branch site
3522
Created On 05/17/24 22:17 PM - Last Modified 09/25/24 22:55 PM
Symptom
- Radius Authentication via wireless controller fails after deploying ION at a branch site
- No accept messages from the radius server in the packet captures
- The packet length of the challenge message from the radius server is greater than 1300
0:43:23.603752 IP 10.218.110.50.1812 > 10.214.0.60.32771: RADIUS, Access-Challenge (11), id: 0x96 length: 1390 20:43:25.200062 IP 10.214.0.60.32774 > 10.218.110.50.1812: RADIUS, Access-Request (1), id: 0xc8 length: 444 20:43:25.203379 IP 10.218.110.50.1812 > 10.214.0.60.32774: RADIUS, Access-Challenge (11), id: 0xc8 length: 1390
Environment
- Prisma SDWAN
- Cisco wireless Controller
- Radius Authentication
Cause
- When packet length is greater than 1300 the ION fragments the packets
- This Fragmentation breaks Radius Authentication
Resolution
Reduce the MTU size on the Cisco wireless controller at the branch site to a size lesser than or equal to 1000
Additional Information
After setting MTU to 1000 on the wireless controller Access-challenge packets are lesser in length
0:45:56.104219 IP 10.218.110.50.1812 > 10.214.0.60.32773: RADIUS, Access-Challenge (11), id: 0xee length: 90 20:45:56.141801 IP 10.214.0.60.32773 > 10.218.110.50.1812: RADIUS, Access-Request (1), id: 0xef length: 441 20:45:56.155349 IP 10.218.110.50.1812 > 10.214.0.60.32773: RADIUS, Access-Challenge (11), id: 0xef length: 1188 20:45:56.185041 IP 10.214.0.60.32773 > 10.218.110.50.1812: RADIUS, Access-Request (1), id: 0xf0 length: 286