RADIUS authentications to ISE may fail with the Network Access Device (Access Point or Switch) reporting that no responses were seen from the ISE server, yet with no failed authentication logs visible on ISE. This can happen when the RADIUS packet is fragmented and the fragments arrive out of order at the Azure networking stack, which drops out-of-order fragments by default (see https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-tcpip-performance-tuning#azure-and-fragmentation). This does not occur with most on-premises ISE deployments because traditional network switches pass out-of-order fragments without dropping them, so ISE receives and reassembles them.
Conditions:
- ISE hosted in Azure public cloud
- RADIUS packets large enough to be fragmented (normally seen with specific EAP types such as EAP-TLS, which carry certificates and tend to produce larger packets)
- Fragments arrive in Azure out of order (not always the case with fragmentation, but seen with general Internet transmission issues, or because IOS-XE's fragmentation engine is documented to potentially transmit fragments out of order)
Workaround:
- Lowering the MTU of the Network Access Device (Access Point, Switch) that originates the RADIUS packet can eliminate double fragmentation further along the network path and mitigate the issue.
- Enabling the Azure setting "enable-udp-fragment-reordering" via a Microsoft Support Case.
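The following Python model is an added example, not code from the advisory or from Cisco or Microsoft. It fragments a constructed RADIUS-sized datagram, shows that a single out-of-order fragment is fatal under an in-order-only reassembly policy (a simplified stand-in for the default Azure behaviour above) but harmless to a reassembler that buffers by offset, and shows why fragmenting once at a lower source MTU yields fewer fragments than letting already fragmented packets be fragmented again downstream. All sizes are constructed values.

```python
# Added example: toy IPv4 fragmentation model (constructed sizes, not a real stack).
IP_HEADER = 20   # IPv4 header length without options
UNIT = 8         # fragment offsets are expressed in 8-byte units

def fragment(payload, mtu, base_offset=0, last_has_more=False):
    """Split a payload into (offset_units, more_fragments, data) tuples for this MTU."""
    step = (mtu - IP_HEADER) // UNIT * UNIT        # per-fragment data must be a multiple of 8
    frags = []
    for off in range(0, len(payload), step):
        data = payload[off:off + step]
        more = off + len(data) < len(payload) or last_has_more
        frags.append((base_offset + off // UNIT, more, data))
    return frags

def refragment(frags, path_mtu):
    """Double fragmentation: a smaller-MTU hop fragments each existing fragment again."""
    out = []
    for offset, more, data in frags:
        out.extend(fragment(data, path_mtu, base_offset=offset, last_has_more=more))
    return out

def reassemble_in_order_only(frags):
    """Strict policy: a fragment that is not the next expected one is dropped,
    so the datagram silently never completes (the failure mode described above)."""
    buf = b""
    for offset, more, data in frags:
        if offset * UNIT != len(buf):
            return None
        buf += data
        if not more:
            return buf
    return None

def reassemble_buffered(frags):
    """Tolerant policy: keep fragments by offset, finish once the whole datagram is covered."""
    parts, total = {}, None
    for offset, more, data in frags:
        parts[offset * UNIT] = data
        if not more:                                # last fragment fixes the total length
            total = offset * UNIT + len(data)
    if total is None or sum(len(d) for d in parts.values()) != total:
        return None
    return b"".join(parts[k] for k in sorted(parts))

def deliver(payload_len, mtu, reorder=False, path_mtu=None):
    """Return (fragment_count, strict_ok, buffered_ok) for a constructed datagram."""
    payload = (bytes(range(256)) * (payload_len // 256 + 1))[:payload_len]
    frags = fragment(payload, mtu)
    if path_mtu:
        frags = refragment(frags, path_mtu)       # downstream hop with a smaller MTU
    if reorder and len(frags) > 1:
        frags = [frags[1], frags[0]] + frags[2:]  # two fragments swapped in transit
    return (len(frags), reassemble_in_order_only(frags) == payload,
            reassemble_buffered(frags) == payload)
```

Compare `deliver(3000, 1500, path_mtu=1400)` (5 fragments after double fragmentation) with `deliver(3000, 1400)` (3 fragments when the source already uses the lower MTU); fewer fragments means fewer chances for reordering.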