Cisco 3750 802.1x – Invalid Eapol Packet Length Issue

Tags: ieee-802.1x, mtu, radius

Having a tough time here getting EAP-TLS to work. I am converting from an EAP-PEAP solution to EAP-TLS and have done the steps required for PKI so that this is not a certificate issue (server and client certs signed by the same CA).

I believe there is an issue with MTU sizes based on the logs below and the following Cisco Forums posts I've found. Listed below are the posts. However, after setting Framed-MTU = 1344 and changing it to different sizes, I see no difference in the Cisco 3750's logs. It always errors with Invalid Eapol packet length = 1492.

Has anyone run into this before? I am using Win2008R2 NPS.

Framed-MTU workaround = https://technet.microsoft.com/en-us/library/cc771164%28WS.10%29.aspx and https://supportforums.cisco.com/discussion/11087011/eap-tls-authentication-failure

Why I'm thinking this is a Fragmentation issue = http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html#anc18

Basically my set-up = http://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

Mar 10 17:33:08.889: dot1x-packet(Gi1/0/7): Received an EAPOL frame
Mar 10 17:33:08.889: dot1x-ev(Gi1/0/7): Received pkt saddr =f0de.f17b.4d9f , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0006
Mar 10 17:33:08.889: dot1x-packet(Gi1/0/7): Received an EAP packet
Mar 10 17:33:08.889: EAPOL pak dump rx
Mar 10 17:33:08.889: EAPOL Version: 0x1  type: 0x0  length: 0x0006
Mar 10 17:33:08.889: dot1x-packet(Gi1/0/7): Received an EAP packet from f0de.f17b.4d9f
Mar 10 17:33:08.889: dot1x-ev(Gi1/0/7): dot1x_sendRespToServer: Response sent to the server from 0x9C000260 (f0de.f17b.4d9f)
Mar 10 17:33:08.897: dot1x-ev(Gi1/0/7): Sending EAPOL packet to f0de.f17b.4d9f
Mar 10 17:33:08.897: dot1x-ev(Gi1/0/7): Role determination not required
Mar 10 17:33:08.897: dot1x-ev(Gi1/0/7): Sending out EAPOL packet
Mar 10 17:33:08.897: EAPOL pak dump Tx
Mar 10 17:33:08.897: EAPOL Version: 0x3  type: 0x0  length: 0x029B
Mar 10 17:33:08.897: EAP code: 0x1  id: 0x5  length: 0x029B type: 0xD
Mar 10 17:33:08.897: dot1x-packet(Gi1/0/7): EAPOL packet sent to client 0x9C000260 (f0de.f17b.4d9f)
Mar 10 17:33:08.923: dot1x-ev(Gi1/0/7): Role determination not required
Mar 10 17:33:08.923: dot1x-packet(Gi1/0/7): Queuing an EAPOL pkt on Authenticator Q
Mar 10 17:33:08.923: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Mar 10 17:33:08.923: EAPOL pak dump rx
Mar 10 17:33:08.923: EAPOL Version: 0x1  type: 0x0  length: 0x05D4
Mar 10 17:33:08.923: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/7 CODE= 2,TYPE= 13,LEN= 1492

Mar 10 17:33:08.923: dot1x-packet(Gi1/0/7): Received an EAPOL frame
Mar 10 17:33:08.923: dot1x-ev(Gi1/0/7): Received pkt saddr =f0de.f17b.4d9f , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.05d4
Mar 10 17:33:08.923: dot1x-err(Gi1/0/7): Invalid Eapol packet length = 1492

Best Answer

Could you test this out after hours? It requires a switch reboot.

Switch Config:

conf t
!
system mtu jumbo 9000

Windows Server 2008R2 config:

adjust MTU to 9000

This may help. Take a look at this article if you haven't already figured this out: http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html
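
A small Python check for the debug output in the question, added here as an example and not part of the original post or answer: it decodes the pae-ether-type field and computes each received frame's size, then marks the frames the switch rejected. It assumes (from the matching "EAPOL pak dump" lines) that the field holds EtherType, EAPOL version, type and body length; the names analyze, decode_pae_field and l2_mtu are illustrative, and the sample lines are copied from the log above.

```python
import re

# Sample input: three lines copied from the debug output in the question.
SAMPLE_LOG = """\
Mar 10 17:33:08.889: dot1x-ev(Gi1/0/7): Received pkt saddr =f0de.f17b.4d9f , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0006
Mar 10 17:33:08.923: dot1x-ev(Gi1/0/7): Received pkt saddr =f0de.f17b.4d9f , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.05d4
Mar 10 17:33:08.923: dot1x-err(Gi1/0/7): Invalid Eapol packet length = 1492
"""

EAPOL_HDR = 4   # version (1) + packet type (1) + body length (2), per IEEE 802.1X
ETH_HDR = 14    # dst MAC + src MAC + EtherType, untagged, FCS not counted

RX_RE = re.compile(r"dot1x-ev\((?P<port>[^)]+)\): Received pkt saddr =(?P<src>[0-9a-f.]+)\s*,"
                   r".*pae-ether-type = (?P<hdr>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
ERR_RE = re.compile(r"dot1x-err\((?P<port>[^)]+)\): Invalid Eapol packet length = (?P<len>\d+)")

def decode_pae_field(field):
    """Split '888e.0100.05d4' into EtherType, EAPOL version, type and body length."""
    raw = bytes.fromhex(field.replace(".", ""))
    return {"ethertype": int.from_bytes(raw[0:2], "big"), "version": raw[2],
            "type": raw[3], "body_len": int.from_bytes(raw[4:6], "big")}

def analyze(log_text, l2_mtu=1500):
    """Return one record per received EAPOL frame, marked if the switch rejected it."""
    frames, rejected = [], set()
    for line in log_text.splitlines():
        m = RX_RE.search(line)
        if m:
            h = decode_pae_field(m["hdr"])
            payload = EAPOL_HDR + h["body_len"]   # bytes after the Ethernet header
            frames.append({"port": m["port"], "src": m["src"], **h,
                           "l2_payload": payload, "frame_len": ETH_HDR + payload,
                           "over_mtu": payload > l2_mtu})
            continue
        m = ERR_RE.search(line)
        if m:
            rejected.add((m["port"], int(m["len"])))
    # A frame counts as rejected when an error line names its port and body length.
    for f in frames:
        f["rejected"] = (f["port"], f["body_len"]) in rejected
    return frames

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

For the rejected frame this reports a 1496-byte Ethernet payload (the 1492-byte EAPOL body plus the 4-byte EAPOL header), the figure to compare against the switch's configured system MTU.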