Thanks for the reply , I will execute a packet capture on the  switch .

My bet - an issue on the Windows side.  Anything appearing in the event viewer in Windows?

In the Windows WiFi configuration - has the root CA been ticked under the trusted section?  It is the right hand most option in this screen shot.

I'm calling MTU on this problem too.

I had a similar issue where a couple of our WAN sites would not receive the accept response, and would appear as a Radius timeout error in the dashboard logs, but the request was being received by the radius server. 

We use SDWan where the WAN traffic is encrypted, add this to using EAP/TLS client certificate authentication, and the packets were too big for the MTU packet size at these sites, hence were being fragmented.

You can try pinging the sites (using the -f and -l and mtu size (1180 in this example) switches e.g 

ping 10.8.6.1 -f -l 1180

and check if the packet size needs to be lower at your affected sites before fragmentation (change the value (1180) up and down until you get a reply that is not fragmented), compared to your working sites

You made be able to change the MTU on your routers/switches etc at the remote site, or change the MTU size in the ISE radius config for these sites (radius connection/auth policies)

You could also try sending the requests via the Meraki cloud radius and then into your on-prem radius (put the affected AP's into a different network and change the radius destination to the Meraki cloud radius), these requests will then go out/back in unencrypted (lower packet size), which may prove if it is MTU related or not.

You can also try setting up a different authentication method, say MSCHAP, and try authenticating with client username/password only (no EAP/TLS certs), if this works then it's also most likely MTU/defragmentation

good luck

You can add "IP MTU 1500" on the radius source SVI. This will cause the radius packets to be fragmented at the IP layer. This will resolve the issue.

Thanks to both . Looks likely to be MTU related .I will try and let you know how it went 

Hi All . 

Sorry for the delayed answer . I have lowered  the MTU onto the switch the APs are connected to but that hasn't made  a difference .However, I just noticed that   that the APs Radius requests are experiencing some packet drops as they hit our Onprem firewall ( yes there s a firewall indeed ),   any idea why ?  

The packet capture in attachment has been obtained from the firewall.

Thanks in advance for all you input 

Thanks

same problem here. my setup is MX67W (17.10.2) -> MR33. Both of them are configured with 802.1x SSID. Clients use EAP-TLS. Everything works on MR33 but doesn't work on MX67W (it worked before). EAP-PEAP works on both of them. 

Hello,

You can try to enable "RADIUS Proxy" on the SSID, i think that might be helpful to solve the issue you are facing.

Hi All

Just to let you know  the matter is now solved . Our on Prem Firewall had a Zone protection profile  with a setting instructing  the firewall to drop fragmented traffic .

Once  that setting was updated it worked .

Thanks all for your contributions