Radius Terminate Capture
These scenarios show different acct-terminate-causes that are sent by OSDx devices when 802.1x sessions end.
Test 802.1x User Request Cause
Description
This scenario shows how to stop an 802.1x session using
operational command supplicant disconnect.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=1.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19JzaW3ocET9sYGsMXwnDGmfHG1dCoCr47+R7FiTEdnEZOGHEnLiq/z6pXu8wRqhD9I0kEO+Wc1Xw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.946 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.946/0.946/0.946/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX1/pJAri2iH1fKnuU4AT5W9ZQBAgIp0UUs4= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 1 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.504 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.504/0.504/0.504/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 9: Run command interfaces ethernet eth1 802.1x supplicant disconnect at DUT1 and expect this output:
Show output
OK
Step 10: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 12:56:59.431061 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 16110, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.37783 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0xda40!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 285798fc9e597a071d39ce62f5174ea0 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: C9B7DA2AA87027B5 0x0000: 4339 4237 4441 3241 4138 3730 3237 4235 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Mon Jul 28 12:56:59 2025 0x0000: 6887 739b Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 01 secs 0x0000: 0000 0001 Acct-Terminate-Cause Attribute (49), length: 6, Value: User Request 0x0000: 0000 0001 1 packet captured
Test 802.1x Lost Carrier Cause
Description
This scenario shows how an 802.1x session is stopped
after a link down event in DUT0 eth1.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=2.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1 set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX185u1XrULmcdEmlJqa9WI+eWr4PQXOijg4= set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+3m6AlWJMyojJS17+hqhHiteysrQymhKnX01JtxVj5sCxMlRVD+aMRYuIeT1baISB9XRwGZsVo7w== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.835 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.835/0.835/0.835/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX199lzUErEkS0SNK4po+1u5Jx6DQ102YrnU= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.749 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.749/0.749/0.749/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Remove the link between DUT0 and DUT1 to provoke a link-down event.
Step 9: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and expect this output:
Show output
Error: no supplicant found CLI Error: Command error
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 12:57:22.893645 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 4586, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.54931 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0x6c6e!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 624b3357548048c84040a78b168dc993 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: F2F1B6E8E3FB8F1A 0x0000: 4632 4631 4236 4538 4533 4642 3846 3141 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Mon Jul 28 12:57:23 2025 0x0000: 6887 73b3 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 01 secs 0x0000: 0000 0001 Acct-Terminate-Cause Attribute (49), length: 6, Value: Lost Carrier 0x0000: 0000 0002 1 packet captured
Test 802.1x Idle Timeout Cause
Description
This scenario shows how an 802.1x session is stopped
after a reauthentication timeout.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=4.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator max-retransmissions 2 set interfaces ethernet eth1 802.1x authenticator reauth-period 15 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX188myArAruuUYEZbpxYoO3PElSC6Zs7Po0JAPxCtiqd43RFn0iQdHyu8wfbMT3IM/IpaBe/asAH0Q== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=4.89 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 4.892/4.892/4.892/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX1+YJeVavQK8RQU9Cv6hDg+kqT/2aN1SqWg= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate TRUE Reauthenticate Period 15 Session Time 1 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=2.46 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 2.462/2.462/2.462/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Disable DUT1 interface or remove address configuration to prevent the device from responding EAP requests.
Step 9: Modify the following configuration lines in DUT1 :
set interfaces ethernet eth1 disable
Step 10: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 12:58:26.610230 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 15289, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.45966 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0x4626!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 4bbfbbf66278ae85f9dae06e2bbbf062 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: 41A9EDDC13DB0818 0x0000: 3431 4139 4544 4443 3133 4442 3038 3138 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Mon Jul 28 12:58:25 2025 0x0000: 6887 73f1 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 41 secs 0x0000: 0000 0029 Acct-Terminate-Cause Attribute (49), length: 6, Value: Idle Timeout 0x0000: 0000 0004 1 packet captured
Test 802.1x Admin Reset Cause
Description
This scenario shows how to stop an 802.1x session using
operational command authenticator disassociate.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=6.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+gEbg2v/8pLCaYoQ3ADz1YICt6xTz37Y14iD66p5ljVpbtVk1QU4d0OLls+rJbtEhejmgCXfoggw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.955 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.955/0.955/0.955/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX194mXfHotiSUS0QPNu6tcWAebbxYti/NB8= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=8.33 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 8.331/8.331/8.331/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 9: Run command interfaces ethernet eth1 802.1x authenticator disassociate at DUT0 and expect this output:
Show output
OK
Step 10: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 12:58:47.927755 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 57320, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.55725 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0x3c64!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 730926644ae6c9a80622d59bc4ffacf0 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: EBF64869CD4A867F 0x0000: 4542 4636 3438 3639 4344 3441 3836 3746 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Mon Jul 28 12:58:47 2025 0x0000: 6887 7407 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 01 secs 0x0000: 0000 0001 Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset 0x0000: 0000 0006 1 packet captured
Test 802.1x NAS Request Cause
Description
This scenario shows how to stop an 802.1x session from
the authentication server using a CoA message.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=10.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1 set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX187cH4tg9y7OHyaTZS8DB4w+EPxaMVR1Vg= set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18HvcuyDpy5kWfWihrSVDaUUeYN2P0gwn2MXBw1PAliS/Uraack/JnY+Gp4NDIXtA75GgwFK+w/pg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=2.70 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 2.702/2.702/2.702/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX1/gFA3M9A90LWHGjUwvUzUC9zhrWL6rKGg= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.756 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.756/0.756/0.756/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the utility
radtest that can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/auth.req User-Name = "testing" $ radclient -s -t 1 -r 1 10.215.168.64:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/auth.req Sent Disconnect-Request Id 131 from 0.0.0.0:48421 to 10.215.168.64:3799 length 29 Received Disconnect-ACK Id 131 from 10.215.168.64:3799 to 10.215.168.1:48421 length 44 Packet summary: Accepted : 1 Rejected : 0 Lost : 0 Passed filter : 1 Failed filter : 0
Step 9: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 12:59:08.499906 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 62804, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.37474 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0xce27!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 8a12a20b29cecb9e7685c8331b6d34b9 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: 7ABB00E263009654 0x0000: 3741 4242 3030 4532 3633 3030 3936 3534 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Mon Jul 28 12:59:08 2025 0x0000: 6887 741c Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 02 secs 0x0000: 0000 0002 Acct-Terminate-Cause Attribute (49), length: 6, Value: NAS Request 0x0000: 0000 000a 1 packet captured