Radius Terminate Capture
These scenarios show different acct-terminate-causes that are sent by OSDx devices when 802.1x sessions end.
Test 802.1x User Request Cause
Description
This scenario shows how to stop an 802.1x session using
operational command supplicant disconnect.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=1.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+Pz0BkW93HX1fbXcuiRL1vjgGjnsaFlzrAQs9NWY1iK//507/IXjXmTjRReyZlRiFsql4Pc3BvfQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.454 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.454/0.454/0.454/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX18cmShEdbzz0iOetRFZuhhViv3Y1/E71+o= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.376 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.376/0.376/0.376/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 9: Run command interfaces ethernet eth1 802.1x supplicant disconnect at DUT1 and expect this output:
Show output
OK
Step 10: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:42:58.384855 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 10671, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.57409 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0x81f4!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: c5cb91ffc1a2db4fd6a1df4f1718bcb7 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: 5DB917C536196FF5 0x0000: 3544 4239 3137 4335 3336 3139 3646 4635 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Tue May 13 18:42:58 2025 0x0000: 6823 92b2 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: User Request 0x0000: 0000 0001 1 packet captured
Test 802.1x Lost Carrier Cause
Description
This scenario shows how an 802.1x session is stopped
after a link down event in DUT0 eth1.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=2.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1 set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX19V+brLTqPpfZbb+DVwMJ+mETQluisWw/g= set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+0PRhmozf/krggLzcfTY0OfSyc7S59uuPpDzyKfT8whbZSzyKCoMgshybJsKMHPaVEgXy71e13Rg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.404 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.404/0.404/0.404/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX1/mc9cuu7FbJpjALUbLJ8mwH0mupeOnJWg= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.263 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.263/0.263/0.263/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Remove the link between DUT0 and DUT1 to provoke a link-down event.
Step 9: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and expect this output:
Show output
Error: no supplicant found CLI Error: Command error
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:43:11.578200 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 28014, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.56911 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0x82bd!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: de68b5bff47e63f53288707d5f026e27 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: B2712B11FD70E2B3 0x0000: 4232 3731 3242 3131 4644 3730 4532 4233 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Tue May 13 18:43:11 2025 0x0000: 6823 92bf Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: Lost Carrier 0x0000: 0000 0002 1 packet captured
Test 802.1x Idle Timeout Cause
Description
This scenario shows how an 802.1x session is stopped
after a reauthentication timeout.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=4.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator max-retransmissions 2 set interfaces ethernet eth1 802.1x authenticator reauth-period 15 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18bOPKWLyIbVclt9AhJeAaW3tvGPYYiU0pZctaOw9u/VTPiOYUqRrMyDexuFwi2hE4xS4KTkdlgqg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.509 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.509/0.509/0.509/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX195N/bNW4uWGvGaTCOLN4erKLc3jKMqY8w= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.314 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.314/0.314/0.314/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Disable DUT1 interface or remove address configuration to prevent the device from responding EAP requests.
Step 9: Modify the following configuration lines in DUT1 :
set interfaces ethernet eth1 disable
Step 10: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:44:04.691058 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 33381, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.46189 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0xa3c1!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: ed5428363438d3e405b5fb4e8a5574a3 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: 683227B08E71D994 0x0000: 3638 3332 3237 4230 3845 3731 4439 3934 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Tue May 13 18:44:03 2025 0x0000: 6823 92f3 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 41 secs 0x0000: 0000 0029 Acct-Terminate-Cause Attribute (49), length: 6, Value: Idle Timeout 0x0000: 0000 0004 1 packet captured
Test 802.1x Admin Reset Cause
Description
This scenario shows how to stop an 802.1x session using
operational command authenticator disassociate.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=6.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19xjp8p/0+vuKTZkrH7ztFGp2xB/zX/0/DP3Q4tn/pZz4CxsfjeQC2dNcdFVOW05Sp5Pbt9w2tMvg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.455 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.455/0.455/0.455/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX1+y3l9LPT49VvEAQtc3Nx62YoVB611DcOA= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.316 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.316/0.316/0.316/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 9: Run command interfaces ethernet eth1 802.1x authenticator disassociate at DUT0 and expect this output:
Show output
OK
Step 10: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:44:16.354171 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 38056, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.38487 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0x2c8a!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 643d0a0bfa602a1f6b7929a9917e0f7d Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: 23F056A9B95B810B 0x0000: 3233 4630 3536 4139 4239 3542 3831 3042 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Tue May 13 18:44:16 2025 0x0000: 6823 9300 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset 0x0000: 0000 0006 1 packet captured
Test 802.1x NAS Request Cause
Description
This scenario shows how to stop an 802.1x session from
the authentication server using a CoA message.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=10.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 192.168.200.1/24 set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth1 traffic nat source rule 1 address masquerade set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.200.2/24 set interfaces ethernet eth1 802.1x authenticator aaa accounting list1 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1 set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX1+dTp4nvL2h7vS1UDOa/37tdMwkI0ZEI+0= set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18gg1UG/Nk07Hpnze7BgxUkaBBa9bMEO4kntYQmFpCUZ6u2SUNPBkW450J5NK5F+TbSF9eiIjAckA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.438 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.438/0.438/0.438/0.000 ms
Step 4: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX18o0UMbO/D5py/DOZJasXp3DrE8tiuTOUE= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 6: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 7: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.324 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.324/0.324/0.324/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the utility
radtest that can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/auth.req User-Name = "testing" $ radclient -s -t 1 -r 1 10.215.168.64:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/auth.req Sent Disconnect-Request Id 48 from 0.0.0.0:40435 to 10.215.168.64:3799 length 29 Received Disconnect-ACK Id 48 from 10.215.168.64:3799 to 10.215.168.1:40435 length 44 Packet summary: Accepted : 1 Rejected : 0 Lost : 0 Passed filter : 1 Failed filter : 0
Step 9: Run command interfaces ethernet eth1 802.1x authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:44:29.385204 de:ad:be:ef:6c:00 > de:ad:be:ef:6c:20, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 64, id 35398, offset 0, flags [none], proto UDP (17), length 181) 192.168.200.2.57546 > 10.215.168.1.1813: [bad udp cksum 0x3c36 -> 0xb80b!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 0a12392304e8a59821cc82b3e695900c Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-01: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 313a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-11 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 31 Acct-Session-Id Attribute (44), length: 18, Value: 86204A045D8E724D 0x0000: 3836 3230 3441 3034 3544 3845 3732 3444 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth1 0x0000: 6574 6831 Event-Timestamp Attribute (55), length: 6, Value: Tue May 13 18:44:29 2025 0x0000: 6823 930d Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: NAS Request 0x0000: 0000 000a 1 packet captured