MTU for NPS radius and radius client

Janus Bariñan 1,126 Reputation points
2021-01-05T13:16:55.19+00:00

Hi,

According to Microsoft, the default MTU for NPS RADIUS is 1500, and packets may be fragmented by a router or firewall that sits between the NPS and the RADIUS client.

I checked our RADIUS clients and their default is 1500.
I already set the NPS RADIUS MTU to 1344 and still get the EAP error "Authentication failed due to an EAP session timeout; the EAP session with the access client was incomplete."

Should the MTU of the NPS RADIUS and the RADIUS client be the same?


Accepted answer
  1. Anonymous
    2021-01-06T08:42:30.667+00:00

    Hi,

    Thanks for posting in Q&A platform.

    Please run the following command to double-check whether the MTU is set to 1344 on the RADIUS server:
    netsh interface ipv4 show subinterfaces

    For the error message "Authentication failed due to an EAP session timeout; the EAP session with the access client was incomplete", it is always caused by the EAP payload size being large. I would suggest you try configuring the Framed-MTU value lower than 1344, or equal to 1200, for testing.

    As for the RADIUS client side, you could set the MTU to 1344 or lower than 1344 for testing.

    If it still doesn't work, we need to collect network traffic to find the cause of the authentication failure. However, analysis of network traffic is beyond our forum support level.

    If you want to find the root cause, I would suggest you open a case with Microsoft where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.

    You may find the phone number for your region from the link below:

    Global Customer Service phone numbers

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

Sort by: Most helpful
  1. Andy Butterworth 1 Reputation point
    2022-06-07T21:43:15.823+00:00

    I hit this issue recently when changing the MTU on some campus switches. These were Cisco C3560X, C3750X, C3560CX & C3650 switches. All except the C3650 allow you to set the system MTU to 9100 and leave the IPv4/IPv6 routing MTU at 1500. The C3650 only allows the system MTU to be set, and then you can configure the individual routed SVI interfaces to be 1500.
    The problem seems to be the reassembly on the switch side, since EAPoL isn't an IPv4/IPv6 frame. NPS will fragment frames if it generates them and they are bigger than 1500, regardless of the MTU of its Ethernet interface. The switch reassembles these frames and, because it can send large non-IP Ethernet frames, it does, and the client (unless it's configured for jumbo MTUs) drops them.
    This is an issue with NPS, as it attempts to send up to 2000-byte packets that have to be fragmented, assuming a standard IP MTU of 1500.
    The workaround is to set the 'Framed-MTU' attribute in the NPS policy to be lower than 1500. The switch receives this and only attempts to send EAPoL packets of this size to the 802.1x client. I'm currently using 1344.
    In my testing some Windows clients were accepting the jumbo frames and it was working; others weren't, so it was a bit difficult to troubleshoot. It seems to be a NIC driver issue. However, setting 'Framed-MTU=1344' in the NPS policy has fixed this for me for all 802.1x clients.

    Cisco ISE doesn't behave like this, so it never appears when you use ISE for RADIUS. There is a good tech note on CCO here: https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html

    Cheers
    Andy

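Both answers hinge on the Framed-MTU attribute and on the size of the EAP payload NPS puts into EAP-Message attributes. As an added illustration (not code from either post, nor from NPS or Cisco), the script below builds a constructed RADIUS Access-Challenge, parses its attributes with bounds checking, extracts Framed-MTU (type 12) and the reassembled EAP-Message (type 79) payload, and reports whether the EAP payload exceeds the MTU the policy advertises. It assumes the 1500-byte default the thread mentions when no Framed-MTU is present, and ignores Ethernet/EAPoL header overhead.

```python
import struct

RADIUS_HDR_LEN = 20      # code(1) + identifier(1) + length(2) + authenticator(16)
ATTR_FRAMED_MTU = 12     # RFC 2865 Framed-MTU: 4-byte unsigned integer
ATTR_EAP_MESSAGE = 79    # RFC 2869 EAP-Message: EAP packet split over <=253-byte values
ACCESS_CHALLENGE = 11
DEFAULT_MTU = 1500       # assumed default when the policy sends no Framed-MTU (per the thread)

def split_eap(eap):
    """Split an EAP packet into EAP-Message attribute values of at most 253 bytes."""
    return [(ATTR_EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253)]

def build_packet(code, ident, attrs):
    """Assemble a RADIUS packet from (type, value) pairs. The Authenticator is
    zeroed: this is constructed test data, no shared secret is involved."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, RADIUS_HDR_LEN + len(body)) + bytes(16) + body

def parse_attrs(pkt):
    """Walk the attribute list, rejecting length fields that overrun the packet."""
    if len(pkt) < RADIUS_HDR_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field disagrees with packet size")
    attrs, pos = [], RADIUS_HDR_LEN
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return attrs

def eap_vs_framed_mtu(pkt, default_mtu=DEFAULT_MTU):
    """Return (framed_mtu, eap_len, fits): the Framed-MTU carried in the packet
    (default_mtu if absent), the reassembled EAP-Message length, and whether the
    EAP payload stays within that MTU (header overhead deliberately ignored)."""
    framed_mtu, eap = default_mtu, b""
    for t, v in parse_attrs(pkt):
        if t == ATTR_FRAMED_MTU and len(v) == 4:
            framed_mtu = struct.unpack("!I", v)[0]
        elif t == ATTR_EAP_MESSAGE:
            eap += v
    return framed_mtu, len(eap), len(eap) <= framed_mtu

def sample_challenge(eap_len, framed_mtu=None):
    """Constructed Access-Challenge carrying eap_len bytes of EAP and an optional Framed-MTU."""
    attrs = [] if framed_mtu is None else [(ATTR_FRAMED_MTU, struct.pack("!I", framed_mtu))]
    return build_packet(ACCESS_CHALLENGE, 1, attrs + split_eap(bytes(eap_len)))
```

Running `eap_vs_framed_mtu(sample_challenge(1900))` reproduces the situation Andy describes: a 1900-byte EAP payload against the 1500 default cannot go out unfragmented, while the same payload with Framed-MTU=1344 is flagged just the same, which is why the attribute only helps once NPS sizes its EAP packets to it.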
