FortiGate
AndrewX (Staff)
Article Id 352091
Description

This article describes how to ensure that EAP TLS authentication works properly over an IPsec overlay.

Scope

FortiGate, FortiAuthenticator, FortiAP, FortiSwitch.

Solution

Background:


[Image: Network diagram]

  • FortiGate 200F HA cluster in the branch.
  • FortiAP and FortiSwitch enabled with 802.1X EAP TLS profiles.
  • FortiGate VM deployed in Azure (SD-WAN hub).
  • FortiAuthenticator VM deployed behind the Azure FortiGate (authentication server).

Solution:

  1. Spin up a FortiAuthenticator server in the branch site with the same policy as the production server. When the user logs in to the Wi-Fi, EAP TLS authentication works properly, which points to the path between branch and hub rather than the authentication policy.
  2. Capture the traffic: some of the large RADIUS (UDP) packets sent from the branch are not received at the hub. In the branch capture below (taken on the IPsec tunnel interface), packet 27, with length 1875, is missing from the hub capture.

[Image: Branch capture]

[Image: Hub capture]

  3. In the branch FortiGate, enable 'set ip-fragmentation pre-encapsulation' in the IPsec phase 1:

[Image: Set ip-fragmentation pre-encapsulation]

  4. In the branch FortiGate, enable MTU override on the IPsec tunnel interface and set the MTU to 1300:

[Image: Set mtu-override and set mtu 1300]

  5. All packets sent from the branch are now received at the hub site, and EAP TLS authentication works properly.
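The two changes from steps 3 and 4 as a single CLI script, added here as an example and not taken from the article's screenshots; the tunnel name to-azure-hub is an assumed placeholder and must match the phase1-interface name on the branch FortiGate. The sniffer line at the end is a check that the large RADIUS packets now leave the tunnel interface as fragments that fit the new MTU.

```fortios
# Branch FortiGate: fragment oversized packets before ESP encapsulation,
# so each fragment is encrypted and carried in its own ESP packet instead
# of the encrypted packet being fragmented afterwards (post-encapsulation).
config vpn ipsec phase1-interface
    edit "to-azure-hub"
        set ip-fragmentation pre-encapsulation
    next
end

# Lower the tunnel interface MTU so that the inner packet plus ESP and
# NAT-T overhead stays below the path MTU towards the hub.
# "to-azure-hub" is the assumed tunnel name (same as the phase1 above).
config system interface
    edit "to-azure-hub"
        set mtu-override enable
        set mtu 1300
    next
end

# Check: capture RADIUS (UDP 1812) on the tunnel interface while a client
# authenticates. The 1875-byte Access-Challenge from the article should
# now appear as fragments no larger than 1300 bytes, and the same packets
# should be visible in a matching capture on the hub side.
diagnose sniffer packet to-azure-hub 'udp port 1812' 4 0 l
```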