AndrewX
Staff
October 24, 2024

Technical Tip: EAP TLS Authentication does not work over IPSec Overlay
Description

This article describes how to make EAP-TLS authentication work properly over an IPsec overlay when large RADIUS packets are lost inside the tunnel.

Scope

FortiGate, FortiAuthenticator, FortiAP, FortiSwitch.

Solution

Background:

 

1. Network diagram.jpg

 

  • FortiGate 200F HA cluster at the branch.
  • FortiAP and FortiSwitch with 802.1X EAP-TLS profiles enabled.
  • FortiGate VM deployed in Azure as the SD-WAN hub.
  • FortiAuthenticator VM deployed behind the Azure FortiGate as the authentication server.

 

Solution:

  1. Spin up a FortiAuthenticator in the branch site with the same policy as the production server. When the user logs in to the Wi-Fi against this local server, EAP-TLS authentication works properly, so the RADIUS policy itself is not the problem; the issue lies on the path between the branch and the hub.
  2. Capture the traffic on both sides. Some of the large RADIUS (UDP) packets sent from the branch are never received at the hub: in the branch capture below (taken on the IPsec tunnel interface), packet 27 with length 1875 is present, but it is missing from the hub capture.

 

2. Branch capture.png

 

2. Hub capture.png 

  3. In the branch FortiGate, set 'ip-fragmentation pre-encapsulation' in the IPsec phase 1 configuration, so that oversized packets are fragmented before ESP encapsulation instead of after it:

 

3. Set ip-fragmentation pre-encapsulation.png

 

  4. In the branch FortiGate, enable MTU override on the IPsec tunnel interface and set the MTU to 1300:

 

4. Set mtu-ovverride and set mtu 1300.png

 

  5. After these two changes, all packets sent from the branch are received at the hub site, and EAP-TLS authentication works properly.
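The two settings from the steps above as one complete CLI example, followed by the checks used to confirm them. This block is added here and is not taken from the original post; the phase1-interface name "to-hub" and the hub public address 203.0.113.10 are assumptions, substitute your own.

```text
# Branch FortiGate: fragment oversized packets before ESP encapsulation.
# "to-hub" is an assumed phase1-interface name.
config vpn ipsec phase1-interface
    edit "to-hub"
        set ip-fragmentation pre-encapsulation
    next
end

# Lower the tunnel interface MTU so that an inner packet plus ESP (and NAT-T)
# overhead stays below the outer path MTU; 1300 is the value used in this case.
config system interface
    edit "to-hub"
        set mtu-override enable
        set mtu 1300
    next
end

# Verify that both settings took effect.
show vpn ipsec phase1-interface to-hub
diagnose vpn tunnel list name to-hub

# Re-test the login and watch RADIUS on the tunnel interface (verbosity 4
# prints headers with interface names, unlimited count, local timestamps).
# Every packet seen here should now also appear in a capture on the hub.
diagnose sniffer packet to-hub 'udp port 1812' 4 0 l

# Optional: confirm the outer path between the two gateways carries a
# full 1500-byte packet without fragmentation (1472 bytes of data plus
# 28 bytes of IP/ICMP headers). 203.0.113.10 is an assumed hub address.
execute ping-options df-bit yes
execute ping-options data-size 1472
execute ping 203.0.113.10
```

Why both settings are needed: with the default post-encapsulation behaviour a large inner packet is encrypted first and the resulting ESP datagram is then split into IP fragments; any device on the outer path that drops or cannot reassemble IP fragments silently discards them, which is exactly what a packet present in the branch capture but absent in the hub capture looks like. Pre-encapsulation fragments the cleartext packet first, so each ESP datagram leaves the tunnel whole. Lowering the tunnel MTU to 1300 makes that work on a 1500-byte outer path, because ESP adds roughly 60 to 100 bytes depending on the cipher, integrity algorithm and whether NAT-T is in use, so 1300 leaves comfortable headroom. If the DF-bit ping fails at 1472 bytes of data, the outer path MTU is smaller than 1500 and the tunnel MTU should be reduced further.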

 

Related article

Technical Tip: IP Packet fragmentation over IPSec tunnel interface explained