
Radius Framed-MTU attribute

We are trying to solidify our 802.1x configurations on ACS pending a migration to ISE. We have a Cisco 3750x running 15.2-4E5, talking to a Cisco Access Control Server 5.2 over a WAN that can carry UDP at 1256 bytes. Anything greater is dropped. EAP-TLS is failing because the switch is sending packets that are too large (verified by captures).

The question surrounds RADIUS IETF attribute 12 (Framed-MTU). There is much documentation out there on how to fix Microsoft NPS and even FreeRADIUS. Is there a simple way to fix this problem from either the Authenticator (3750x) or the Authentication Server (Cisco ACS) perspective?

We have already included attribute 12 in all authorization profiles on ACS, and set static to value 1200. However, all "access-challenge" packets from ACS do not have the attribute included (again verified by captures). We have also verified the switch is not honoring the "system mtu" (currently 1500) and is even firing packets greater than that. Any assistance would be sincerely appreciated.
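The capture checks described in the post (is attribute 12 present, and does the RADIUS packet exceed what the WAN carries) can be scripted; the following is an added example, not part of the original post. It assumes the 1256-byte figure is the largest RADIUS (UDP payload) length the path passes, and the function names and both sample packets are constructed for illustration.

```python
import struct

FRAMED_MTU, EAP_MESSAGE = 12, 79   # attribute types from RFC 2865 / RFC 3579
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}
PATH_LIMIT = 1256                  # assumption: max RADIUS length the WAN passes

def parse_radius(data):
    """Return (code, length, [(type, value), ...]) for one RADIUS packet."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field does not match the data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, length, attrs

def audit(data, limit=PATH_LIMIT):
    """Summarise what matters for the fragmentation problem."""
    code, length, attrs = parse_radius(data)
    mtu = [struct.unpack("!I", v)[0] for t, v in attrs
           if t == FRAMED_MTU and len(v) == 4]
    return {"code": CODES.get(code, str(code)),
            "length": length,
            "framed_mtu": mtu[0] if mtu else None,   # None: attribute absent
            "eap_bytes": sum(len(v) for t, v in attrs if t == EAP_MESSAGE),
            "over_limit": length > limit}

def build(code, attrs):
    """Constructed sample packet with a zeroed authenticator (not signed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: an oversized request and a challenge lacking attribute 12.
REQUEST = build(1, [(FRAMED_MTU, struct.pack("!I", 1500))]
                + [(EAP_MESSAGE, bytes(253))] * 5 + [(EAP_MESSAGE, bytes(100))])
CHALLENGE = build(11, [(EAP_MESSAGE, bytes(253))] * 4)

if __name__ == "__main__":
    for pkt in (REQUEST, CHALLENGE):
        print(audit(pkt))
```

To run it against real traffic, feed `audit()` the UDP payload bytes of each RADIUS packet exported from the capture.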
