Overview
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is one of the preferred authentication methods in enterprise networks. EAP-TLS provides secure, certificate-based mutual authentication of the client and the network.
EAP-TLS authentication has three components:
- The supplicant, or client, is a device requesting access to the network.
- The authenticator, or switch, is a network device that provides the link between the supplicant and a RADIUS server. It can allow or block network traffic between the supplicant and the server.
- The RADIUS, or EAP, server validates and authenticates the client.
Currently, EAP-TLS support on the Aruba switch allows a client or an EAP/RADIUS server to exchange data packets of the standard Maximum Transmission Unit (MTU) size. When jumbo frames are enabled on a switch, the client and the EAP server can send data packets up to an MTU size of 9 KB. However, the maximum MTU size allowed between the switch and the RADIUS server is 3 KB. A RADIUS server cannot process any inbound packet larger than 3 KB, so the switch fails to complete the EAP authentication process.
The Aruba switch supports internal EAP fragmentation for EAP-TLS so that RADIUS packets can be exchanged between a client and a RADIUS server. By default, if the packet size is greater than 3 KB, the packet is fragmented into smaller packets of 1011 bytes. With EAP-TLS fragmentation, you can enable jumbo frames and EAP-TLS authentication together on the switch. This feature supports large certificate chains on both Windows and Linux clients.
IP fragmentation must be enabled between the switch and the RADIUS server, and the IP MTU size must be set appropriately to handle the RADIUS packets. The switch performs the following functions for a successful exchange of RADIUS packets between the client and the RADIUS server:
- Fragments the EAP Request data during a server-client key exchange.
- Fragments the EAP Response data during a supplicant-client key exchange.
- Re-assembles the fragmented EAP Request data.
- Re-assembles the fragmented EAP Response data.
When the size of the EAP data received by the switch for authentication is less than 3 KB, the switch does not perform EAP-TLS fragmentation before sending the EAP data to the RADIUS server. In some deployments, firewalls or gateways sit between the RADIUS server and the switch. If the size of the RADIUS packet exceeds the default MTU, the RADIUS packet may be fragmented at the IP layer in the network and dropped by the firewall. As a result, the switch fails to complete the EAP authentication process. To avoid such packet drops, you can configure the size of the EAP-TLS fragments sent to the RADIUS server.
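The following is an added example, not Aruba code, that models the fragment and reassemble functions listed above together with the configurable fragment size this section describes. It uses the EAP-TLS framing from RFC 5216 (Code, Identifier, Length, Type 13, Flags with the L and M bits, optional four-octet TLS Message Length). The 3 KB threshold and the 1011-byte default fragment size are the values this page gives; the `max_message` cap, the function names and the 4 KB sample "certificate chain" are assumptions constructed for the example, not captured data.

```python
"""EAP-TLS fragmentation and reassembly with RFC 5216 framing (added example).

Models the switch's behaviour as the page describes it: TLS data above 3 KB is
split into 1011-byte fragments by default, and both sizes are parameters so a
configured fragment size can be exercised. The sample handshake bytes are
constructed, not captured.
"""
import struct
from typing import List, Optional, Tuple

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_TLS = 13               # EAP method type for EAP-TLS (RFC 5216)
FLAG_L = 0x80                   # four-octet TLS Message Length field present
FLAG_M = 0x40                   # more fragments follow
FRAGMENT_THRESHOLD = 3 * 1024   # page: data larger than 3 KB is fragmented
DEFAULT_FRAGMENT_SIZE = 1011    # page: default fragment payload in bytes
EAP_TLS_HEADER = 6              # Code, Identifier, Length(2), Type, Flags


def fragment(code: int, identifier: int, tls_data: bytes,
             fragment_size: int = DEFAULT_FRAGMENT_SIZE,
             threshold: int = FRAGMENT_THRESHOLD) -> List[bytes]:
    """Wrap tls_data in EAP-TLS packets. Data at or below `threshold` goes out
    whole; larger data is cut into `fragment_size` pieces, the first carrying
    L plus the total length and all but the last carrying M. Each fragment gets
    a fresh Identifier; the peer's per-fragment ACK is not modelled."""
    if fragment_size <= 0:
        raise ValueError("fragment_size must be positive")
    if code not in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        raise ValueError("code must be EAP Request (1) or Response (2)")
    if len(tls_data) <= threshold:
        chunks = [tls_data]
    else:
        chunks = [tls_data[i:i + fragment_size]
                  for i in range(0, len(tls_data), fragment_size)]
    packets = []
    for idx, chunk in enumerate(chunks):
        flags, body = 0, b""
        if idx == 0 and len(chunks) > 1:
            flags |= FLAG_L
            body += struct.pack("!I", len(tls_data))
        if idx < len(chunks) - 1:
            flags |= FLAG_M
        body += chunk
        packets.append(struct.pack("!BBHBB", code, identifier,
                                   EAP_TLS_HEADER + len(body),
                                   EAP_TYPE_TLS, flags) + body)
        identifier = (identifier + 1) & 0xFF
    return packets


def parse(packet: bytes) -> Tuple[int, int, int, Optional[int], bytes]:
    """Validate one EAP-TLS packet; return (code, id, flags, total_len, data)."""
    if len(packet) < EAP_TLS_HEADER:
        raise ValueError("packet shorter than EAP-TLS header")
    code, identifier, length, eap_type, flags = struct.unpack("!BBHBB", packet[:6])
    if length != len(packet):           # truncated or padded on the wire
        raise ValueError("EAP Length field does not match packet size")
    if eap_type != EAP_TYPE_TLS:
        raise ValueError("not an EAP-TLS packet")
    pos, total = EAP_TLS_HEADER, None
    if flags & FLAG_L:
        if length < EAP_TLS_HEADER + 4:
            raise ValueError("L flag set but no TLS Message Length field")
        total = struct.unpack("!I", packet[6:10])[0]
        pos = 10
    return code, identifier, flags, total, packet[pos:]


class Reassembler:
    """Rebuild one TLS message from its fragments, bounded so a malformed or
    misbehaving peer cannot grow the buffer without limit (cap is an assumption)."""

    def __init__(self, max_message: int = 64 * 1024):
        self.max_message = max_message
        self.expected: Optional[int] = None
        self.buf = bytearray()

    def feed(self, packet: bytes) -> Optional[bytes]:
        """Return the complete TLS message on the last fragment, else None."""
        _code, _ident, flags, total, data = parse(packet)
        if not self.buf and self.expected is None:      # first fragment
            if flags & FLAG_L:
                if total > self.max_message:
                    raise ValueError("announced TLS length exceeds limit")
                self.expected = total
            elif flags & FLAG_M:
                raise ValueError("first fragment lacks the L flag")
        elif flags & FLAG_L:
            raise ValueError("L flag on a non-initial fragment")
        self.buf += data
        limit = self.max_message if self.expected is None else self.expected
        if len(self.buf) > limit:
            raise ValueError("fragments exceed announced/allowed length")
        if flags & FLAG_M:
            return None
        message = bytes(self.buf)
        if self.expected is not None and len(message) != self.expected:
            raise ValueError("reassembled length differs from announced length")
        self.buf, self.expected = bytearray(), None
        return message


def round_trip(tls_data: bytes, fragment_size: int = DEFAULT_FRAGMENT_SIZE) -> dict:
    """Fragment tls_data, reassemble it, and report what went on the wire."""
    packets = fragment(EAP_CODE_REQUEST, 10, tls_data, fragment_size)
    rx, result = Reassembler(), None
    for pkt in packets:
        result = rx.feed(pkt)
    return {"fragments": len(packets),
            "largest_packet": max(len(p) for p in packets),
            "intact": result == tls_data}


# Constructed stand-in for a 4 KB server certificate chain; only its size
# matters to the fragmentation logic.
SAMPLE_CHAIN = bytes(range(256)) * 16     # 4096 bytes, above the 3 KB threshold
```

Calling `round_trip(SAMPLE_CHAIN)` gives five fragments, the largest 1021 bytes on the wire (6-byte header, 4-byte length field, 1011-byte payload), which is what keeps each RADIUS-carried EAP message well under a default 1500-byte path MTU; `round_trip(SAMPLE_CHAIN, fragment_size=1400)` shows the trade-off of a larger configured size: fewer round trips, but 1410-byte packets that leave less headroom for RADIUS and IP overhead on a path with a firewall that drops IP fragments.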