Radius Terminate Capture
These scenarios show different acct-terminate-causes that are sent by OSDx devices when 802.1x sessions end.
Test 802.1x User Request Cause
Description
This scenario shows how to stop an 802.1x session using
operational command supplicant disconnect.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=1.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19hquUt/BadgRkWPWL5WeH1Am+r02areusZ7dlFMA+uWtvsX23o3oNRgX/ovv2m5/ACgDsrSRLeIw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.523 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.523/0.523/0.523/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX182A1ub/754TLY4KMpKHBhiHTaIz5aXcy8= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.329 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.329/0.329/0.329/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 9: Run command interfaces ethernet eth1 802.1x supplicant disconnect at DUT1 and expect this output:
Show output
OK
Step 10: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 12:23:31.398131 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 48244, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.50457 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0x66d3!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 1ac5d7bd7916d522a70fc137c4b540eb Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: F85C639B9543522A 0x0000: 4638 3543 3633 3942 3935 3433 3532 3241 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Wed Aug 20 12:23:31 2025 0x0000: 68a5 be43 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: User Request 0x0000: 0000 0001 1 packet captured
Test 802.1x Lost Carrier Cause
Description
This scenario shows how an 802.1x session is stopped
after a link down event in DUT0 eth1.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=2.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1 set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX1+/pVu/661TgwuCSjEecr8vtzXJKmmNp8s= set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18s/fUqVAlAZneL2knA+GfdOfReJujKQAEqH6UW8OdvU28oBDxs25tqplFQ7QFUQ03eksQFPtUj1g== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.423 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.423/0.423/0.423/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX1+dWRS86G9M2VFFtYBJuST0M/3ha6/4W1c= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.321 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.321/0.321/0.321/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Remove the link between DUT0 and DUT1 to provoke a link-down event.
Step 9: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and expect this output:
Show output
Error: no supplicant found CLI Error: Command error
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 12:23:43.339541 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 21645, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.38337 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0xe539!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: ea24ee68dfe9730488a2226dcef38e14 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: F1654E0CA059F1AE 0x0000: 4631 3635 3445 3043 4130 3539 4631 4145 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Wed Aug 20 12:23:43 2025 0x0000: 68a5 be4f Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: Lost Carrier 0x0000: 0000 0002 1 packet captured
Test 802.1x Idle Timeout Cause
Description
This scenario shows how an 802.1x session is stopped
after a reauthentication timeout.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=4.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator max-retransmissions 2 set interfaces ethernet eth1 802.1x authenticator reauth-period 15 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+PSWDHRW8Ixve9mqXkdUR3ZT0Tw7mjnrdjLRVvpGwcXzihIiu0krjM5mJtnPsa1geZlc38e/E+1g== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.366 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.366/0.366/0.366/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX18+hZsn8keUgtRbtdEP/7rLGVbC6SZHJtA= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.325 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.325/0.325/0.325/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Disable DUT1 interface or remove address configuration to prevent the device from responding EAP requests.
Step 9: Modify the following configuration lines in DUT1 :
set interfaces ethernet eth1 disable
Step 10: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 12:24:37.249955 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 45316, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.53836 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0x2daf!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 1bad56e2ce6ab5c6d02403844c174c1a Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: F1D86F8B05885136 0x0000: 4631 4438 3646 3842 3035 3838 3531 3336 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Wed Aug 20 12:24:37 2025 0x0000: 68a5 be85 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 41 secs 0x0000: 0000 0029 Acct-Terminate-Cause Attribute (49), length: 6, Value: Idle Timeout 0x0000: 0000 0004 1 packet captured
Test 802.1x Admin Reset Cause
Description
This scenario shows how to stop an 802.1x session using
operational command authenticator disassociate.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=6.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/yE5NJ3tQSAyHd83J06x4zoQVGIZ/MUxhfUsC9kF/CKewmtE0iNluh8Aum5XhooR8BCggEIEIbng== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.433 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.433/0.433/0.433/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX18w0IeUokM+dejHqDC+CNPBasGvgBIECs0= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.311 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.311/0.311/0.311/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 9: Run command interfaces ethernet eth1 802.1x authenticator disassociate at DUT0 and expect this output:
Show output
OK
Step 10: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 12:24:48.798435 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 42733, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.59234 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0xb205!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 5dd30ebb8bd20f475a91804600840532 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: F58FE1320C504657 0x0000: 4635 3846 4531 3332 3043 3530 3436 3537 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Wed Aug 20 12:24:49 2025 0x0000: 68a5 be91 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset 0x0000: 0000 0006 1 packet captured
Test 802.1x NAS Request Cause
Description
This scenario shows how to stop an 802.1x session from
the authentication server using a CoA message.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=10.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1 set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX1/YRePQwieky5NZ7Nq296tkGCYiWkgROOk= set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18GbS/NO/wcPz7xfy2ECr2ExZujRVOoCs05S984RxO50z4P1AwJRetczFsyrLSKHSc3NesOuWTM9A== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.401 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.401/0.401/0.401/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX1/33/vmyqmY+YpWFLudny01D+djf6hdFe8= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.374 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.374/0.374/0.374/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the utility
radtest that can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/auth.req User-Name = "testing" $ radclient -s -t 1 -r 1 10.215.168.64:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/auth.req Sent Disconnect-Request Id 81 from 0.0.0.0:44167 to 10.215.168.64:3799 length 29 Received Disconnect-ACK Id 81 from 10.215.168.64:3799 to 10.215.168.1:44167 length 44 Packet summary: Accepted : 1 Rejected : 0 Lost : 0 Passed filter : 1 Failed filter : 0
Step 9: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 12:25:00.956466 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 26524, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.35147 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0xdafc!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: cfba2196867e9fcea4541204fc0b3a0a Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: A62FBB3EED9F7F04 0x0000: 4136 3246 4242 3345 4544 3946 3746 3034 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Wed Aug 20 12:25:01 2025 0x0000: 68a5 be9d Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: NAS Request 0x0000: 0000 000a 1 packet captured