Framed-MTU is too high for EAP authentications

trench3487

Hi,

We're having multiple MTU issues across multiple remote locations, using either an NWA90AX AP or the wireless of their USG 20W or FLEX 100W router.

The Ethernet frame from the AP to our RADIUS server (Windows NPS) containing the user certificate is dropped at the router, before going into the IPSec tunnel to where the server is located. I can capture it on the source router, but not on the destination router.

The RADIUS Access-Request goes over 1400b (the value of Framed-MTU on the AP side; on the NPS side, the value is at 1200b) and is divided into two frames of 1514b + 396b. We're using PEAP-TLS, and I tried EAP-TLS with no success.

The issue is mainly on one site where all users are impacted, but I've seen some similar issues with specific users on other sites (which were magically resolved over time, or with a WiFi driver update).

Is there a way to reduce the Framed-MTU value from the AP? To reduce the MTU of a Nebula-managed AP? Or to fix this without going back to user/password auth?
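The fragmentation arithmetic behind the 1514b + 396b frames described above, as an added Python example that is not the poster's code: it builds a constructed, minimal Access-Request carrying Framed-MTU and EAP-Message attributes, reads the advertised Framed-MTU back out, and computes how IPv4 splits the datagram at a 1500-byte link MTU. The attribute numbers are the standard RFC 2865/2869 ones; the EAP payload size and the zeroed authenticator are constructed for the size calculation.

```python
import struct

RADIUS_HDR_LEN = 20   # code(1) + id(1) + length(2) + authenticator(16)
ETH_HDR_LEN, IPV4_HDR_LEN, UDP_HDR_LEN = 14, 20, 8
ATTR_FRAMED_MTU = 12   # RFC 2865 Framed-MTU
ATTR_EAP_MESSAGE = 79  # RFC 2869 EAP-Message, value limited to 253 bytes

def attr(atype, value):
    """Encode one RADIUS attribute: type(1) | length(1) | value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def access_request(eap_payload, framed_mtu):
    """Constructed, minimal Access-Request: Framed-MTU plus the EAP payload split
    into EAP-Message attributes (real requests carry more attributes)."""
    attrs = attr(ATTR_FRAMED_MTU, struct.pack("!I", framed_mtu))
    for i in range(0, len(eap_payload), 253):
        attrs += attr(ATTR_EAP_MESSAGE, eap_payload[i:i + 253])
    header = struct.pack("!BBH", 1, 0, RADIUS_HDR_LEN + len(attrs))  # code 1 = Access-Request
    return header + bytes(16) + attrs  # zeroed authenticator, fine for a size calculation

def parse_framed_mtu(pkt):
    """Return the Framed-MTU value a NAS advertised in a RADIUS packet, or None."""
    pos = RADIUS_HDR_LEN
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            break  # malformed attribute: stop rather than loop forever
        if atype == ATTR_FRAMED_MTU and alen == 6:
            return struct.unpack("!I", pkt[pos + 2:pos + 6])[0]
        pos += alen
    return None

def ethernet_frames(udp_payload_len, link_mtu=1500):
    """Ethernet frame sizes after IPv4 fragmentation of a UDP datagram (DF not set).
    Each fragment's data length must be a multiple of 8 bytes."""
    remaining = UDP_HDR_LEN + udp_payload_len
    per_fragment = (link_mtu - IPV4_HDR_LEN) // 8 * 8
    frames = []
    while remaining > 0:
        chunk = min(per_fragment, remaining)
        frames.append(ETH_HDR_LEN + IPV4_HDR_LEN + chunk)
        remaining -= chunk
    return frames

if __name__ == "__main__":
    # Constructed EAP payload sized so the datagram lands at 1834 bytes,
    # the size that fragments into the 1514 + 396 byte frames seen in the post.
    pkt = access_request(b"\x16" * 1792, 1400)
    print(len(pkt), parse_framed_mtu(pkt), ethernet_frames(len(pkt)))
```

A result of more than one frame means the datagram fragments before it even reaches the tunnel; to model the IPsec path itself, subtract the ESP and outer-header overhead from `link_mtu`.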

All Replies

  • Zyxel_Melen (Zyxel Employee)

    Hi @trench3487,

    Could you help to provide some detailed information for us to check this issue?

    1. Specific scenario of this case. We want to narrow down which function (VPN, captive portal, etc.) has this issue.
    2. Your NPS configuration.
    3. A capture of the RADIUS authentication packets.

    You may send this information to me via private message. Thanks!

    Zyxel Melen


  • trench3487

    The scenario of the network capture I will send you in PM is the following:
    A user on Windows 11, using a WLAN profile from our GPO to use PEAP-TLS with our internal CA. They try to authenticate via an NWA90AX PRO AP to a Windows Server 2019 NPS server, accessible through an IPSec VPN tunnel (narrowed, default MSS, AES128-SHA256 DH21; site-to-site on the remote office side, dynamic site-to-site on the server side since the remote office is behind the NAT of the ISP router) from a Flex 100W to a Flex 500.