Certificate fragmentation issues

In this topic, you will learn how to address fragmentation issues when onboarding devices onto a network managed by Portnox™ Cloud using certificates.

If certificate-based authentication does not work but credential-based authentication works, check if the packets are being fragmented by firewalls/routers between the NAS and the RADIUS server. You can do this by obtaining a packet capture of the communication between your firewall/router and the Cloud RADIUS server.

Fragmentation happens because Ethernet frames have a maximum size, called the Maximum Transmission Unit (MTU), which is limited to 1500 bytes. Certificates, however, are often much larger than this limit. When a certificate is too big to fit within a single frame, the router or firewall will try to split it into smaller pieces, sending the data across multiple frames. Unfortunately, when the certificate reaches the RADIUS server in these separate pieces, the server isn’t able to put them back together correctly and doesn’t recognize the certificate as valid.

The following are potential options to resolve such fragmentation problems:

  • Reduce the key size of the certificate and eliminate any unnecessary information from the certificate (from fields such as Subject and SAN). If you remove any unnecessary information from the certificate, it may be small enough to fit in a single frame.
  • Set the key size of your certificates to 1024. This value is configured when generating the certificate, for example, in your SCEP profiles if you use Intune, Jamf, or another UEM platform to generate your certificates, and it’s often set to be 2048 or 4096. This will also reduce the packet size, so certificates will fit in a single frame.
  • Use ECC encryption to generate your certificates, not the default RSA, if possible. ECC is better, stronger, and much more efficient (requires fewer bytes) than RSA, so resultant certificates will be smaller and will be more likely to fit within a single frame even with extra information.
  • Use RadSec (secure RADIUS) to communicate to cloud RADIUS servers. RadSec is immune to frame size issues. Unfortunately, while RadSec is quite common, it may be unsupported by some NAS devices, so check manufacturer information for your model.
  • Install a local RADIUS server and use it as a proxy to the cloud RADIUS servers. The local RADIUS server communicates with cloud RADIUS servers using different protocols so the frame size problem does not apply – 802.1X communication happens only within your network.
  • For Palo Alto switches, try this solution.
  • For Cisco Internet SD-WAN connections, packet reassembly might cause the issue, which is resolved by issuing the following command on the interface level: no ip virtual-reassembly-out.
  • For Cisco switches also consider disabling jumbo frames.