Fun stuff here...
When Windows sends a certificate to a RADIUS server as part of an 802.1X logon sequence, it does not fragment the EAP/EAPOL traffic.
It. Does. Not. Fragment.
:badass:
That's right, set that MTU wherever you want, it won't fragment. Set it too low, in fact, and Windows won't even send it at all! In the Cisco technote describing this, they noted that they saw cert packets as large as 2000 bytes! When the AP gets the EAP/EAPOL traffic, it has to convert it to RADIUS traffic and send it on to the WLC. Therefore, that AP has to fragment the traffic because Windows is a honey badger and it don't care.
This is Windows: :steamtroll: and this is the Cisco AP: :jackie-chan: