Radius Terminate Capture
These scenarios show different acct-terminate-causes that are sent by OSDx devices when 802.1x sessions end.
Test 802.1x User Request Cause
Description
This scenario shows how to stop an 802.1x session using
operational command supplicant disconnect.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=1.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.625 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.625/0.625/0.625/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/a74bO9hnH10dQjU+isfO4JxiYBpStCG/DcgzPCZfhZrD8cqbC1OBE7urg07XuqJ11hf+RJ8fzTg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.623 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.623/0.623/0.623/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19DLuKGqXoZQMl0kFUtkmtipFbxATevFkw= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.446 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.446/0.446/0.446/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 10: Run command interfaces ethernet eth2 supplicant disconnect at DUT1 and expect this output:
Show output
OK
Step 11: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 14:08:14.482952 de:ad:be:ef:6c:20 > fe:5d:9a:c7:06:d7, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 1995, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.35628 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0x813a!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 7e9a51ead891527804cccea9ba5b571e Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: F5BF9A457D999DBB 0x0000: 4635 4246 3941 3435 3744 3939 3944 4242 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Thu Dec 11 14:08:14 2025 0x0000: 693a d04e Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: User Request 0x0000: 0000 0001 1 packet captured
Test 802.1x Lost Carrier Cause
Description
This scenario shows how an 802.1x session is stopped
after a link down event in DUT0 eth2.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=2.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.225 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.225/0.225/0.225/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator coa client 10.215.168.1 set interfaces ethernet eth2 authenticator coa encrypted-secret U2FsdGVkX1/VTAQ6eL/+0y40EzSOHP2harPui8CA8Ys= set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18+VgJgzOQWqr6fN0vknd4lTxDJHBPCTl4r/YI1HVhMogZu3v6TH2RsiAvO40rrlV9y6orPMOBITA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.481 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.481/0.481/0.481/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+Fk/NcMWCZmeysCB4oEuomJlYx27T+Tqc= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.800 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.800/0.800/0.800/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Remove the link between DUT0 and DUT1 to provoke a link-down event.
Step 10: Run command interfaces ethernet eth2 authenticator show status at DUT0 and expect this output:
Show output
Error: no supplicant found CLI Error: Command error
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 14:08:29.628226 de:ad:be:ef:6c:20 > fe:5d:9a:c7:06:d7, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 48843, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.34395 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0x5af8!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 12fb1f9e0bb5f0f7d4da3c6ffb97d685 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 8233B3003D1FBCEC 0x0000: 3832 3333 4233 3030 3344 3146 4243 4543 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Thu Dec 11 14:08:29 2025 0x0000: 693a d05d Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 01 secs 0x0000: 0000 0001 Acct-Terminate-Cause Attribute (49), length: 6, Value: Lost Carrier 0x0000: 0000 0002 1 packet captured
Test MAB Lost Carrier Cause
Description
This scenario shows how a MAB authenticated session is
stopped after a link down event in DUT0 eth2.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=2.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.470 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.470/0.470/0.470/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator coa client 10.215.168.1 set interfaces ethernet eth2 authenticator coa encrypted-secret U2FsdGVkX1/f90WxRT1ww/rUTElWdGx1S6+3MK/FFOw= set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19nN0gfsiLJvEWqWiYH1vQSYZ/OG81WyerFBwAd3z9pgVhelUlYoKgiwQ/3xvQmecXBJK/KXdlk3w== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.480 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.480/0.480/0.480/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.361 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.361/0.361/0.361/0.000 ms
Step 7: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 3 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.323 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.323/0.323/0.323/0.000 ms
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.273 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.273/0.273/0.273/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Remove the link between DUT0 and DUT1 to provoke a link-down event.
Step 10: Run command interfaces ethernet eth2 authenticator show status at DUT0 and expect this output:
Show output
Error: no supplicant found CLI Error: Command error
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 14:08:48.339216 de:ad:be:ef:6c:20 > fe:5d:9a:c7:06:d7, ethertype IPv4 (0x0800), length 205: (tos 0x0, ttl 63, id 25764, offset 0, flags [none], proto UDP (17), length 191) 10.215.168.66.48779 > 10.215.168.1.1813: [bad udp cksum 0x66ae -> 0x2aae!] RADIUS, length: 163 Accounting-Request (4), id: 0x02, Authenticator: 5ec38b4e3354d555c41370cd85e824e1 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: Local 0x0000: 0000 0002 User-Name Attribute (1), length: 19, Value: de:ad:be:ef:6c:12 0x0000: 6465 3a61 643a 6265 3a65 663a 3663 3a31 0x0010: 32 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 1D70EED0F470F9FB 0x0000: 3144 3730 4545 4430 4634 3730 4639 4642 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Thu Dec 11 14:08:48 2025 0x0000: 693a d070 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 04 secs 0x0000: 0000 0004 Acct-Terminate-Cause Attribute (49), length: 6, Value: Lost Carrier 0x0000: 0000 0002 1 packet captured
Test 802.1x Idle Timeout Cause
Description
This scenario shows how an 802.1x session is stopped
after a reauthentication timeout.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=4.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=7.75 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 7.750/7.750/7.750/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 30 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18tAP3rq5rimuaPD0+q/3By0RZd6XdUa5Nbv/X3evgpiy8VZ4ZkaNCivlGxCWTYU5GxwfazuDhPVQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.395 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.395/0.395/0.395/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18mTFiE3by9VF2sc5z5+TLkSCFKDBPzNVM= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 30 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.294 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.294/0.294/0.294/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Disable DUT1 interface or remove address configuration to prevent the device from responding EAP requests.
Step 10: Modify the following configuration lines in DUT1 :
set interfaces ethernet eth2 disable
Step 11: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 14:09:55.924724 de:ad:be:ef:6c:20 > fe:5d:9a:c7:06:d7, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 41152, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.57747 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0x0cb1!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 5fe170fb8a8e1d1fa93914c62e9b09a1 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 6D4E4488E2DEC032 0x0000: 3644 3445 3434 3838 4532 4445 4330 3332 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Thu Dec 11 14:09:55 2025 0x0000: 693a d0b3 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 51 secs 0x0000: 0000 0033 Acct-Terminate-Cause Attribute (49), length: 6, Value: Idle Timeout 0x0000: 0000 0004 1 packet captured
Test 802.1x Admin Reset Cause
Description
This scenario shows how to stop an 802.1x session using
operational command authenticator disassociate.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=6.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.204 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.204/0.204/0.204/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18oAIsG+B+MPkS0kMFCkbicZMyU/wqGB8haKM4/eaW41NYhV5/EG85aI3UrwuDRn8xiZc7IzUQHrQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.366 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.366/0.366/0.366/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/WV1frnLRChT5Y2fcOpc6rYV2AzqlcuTA= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.422 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.422/0.422/0.422/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 10: Run command interfaces ethernet eth2 authenticator disassociate at DUT0 and expect this output:
Show output
OK
Step 11: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 14:10:10.196852 de:ad:be:ef:6c:20 > fe:5d:9a:c7:06:d7, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 61122, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.44770 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0x36fb!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 89bdff7bc48a66115e055259550609de Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 3F2A3343FE9B0906 0x0000: 3346 3241 3333 3433 4645 3942 3039 3036 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Thu Dec 11 14:10:10 2025 0x0000: 693a d0c2 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset 0x0000: 0000 0006 1 packet captured
Test MAB Admin Reset Cause
Description
This scenario shows how to stop a MAB authenticated session
using operational command authenticator disassociate.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=6.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.223 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.223/0.223/0.223/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18I8JZf5texymE+4qELr6ItUNz/FLEcAd7TUuLwWOP0lgyR+UaGJucM/MjSA0n9QnKuU6gTSRma6Q== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.387 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.387/0.387/0.387/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.282 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.282/0.282/0.282/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 7: Run command interfaces ethernet eth2 authenticator disassociate at DUT0 and expect this output:
Show output
OK
Step 8: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 14:10:26.156546 de:ad:be:ef:6c:20 > fe:5d:9a:c7:06:d7, ethertype IPv4 (0x0800), length 205: (tos 0x0, ttl 63, id 65138, offset 0, flags [none], proto UDP (17), length 191) 10.215.168.66.51485 > 10.215.168.1.1813: [bad udp cksum 0x66ae -> 0xfbbb!] RADIUS, length: 163 Accounting-Request (4), id: 0x02, Authenticator: 663a9ddcffc79937f5cb215498e97a8b Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: Local 0x0000: 0000 0002 User-Name Attribute (1), length: 19, Value: de:ad:be:ef:6c:12 0x0000: 6465 3a61 643a 6265 3a65 663a 3663 3a31 0x0010: 32 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 448FA69E10EA2E88 0x0000: 3434 3846 4136 3945 3130 4541 3245 3838 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Thu Dec 11 14:10:26 2025 0x0000: 693a d0d2 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 01 secs 0x0000: 0000 0001 Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset 0x0000: 0000 0006 1 packet captured
Test 802.1x Admin Restart Cause
Description
This scenario shows how to restart an 802.1x session using
operational command authenticator restart.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=6.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.195 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.195/0.195/0.195/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/4V+KhJ5Q0CfWltq8WWOphyADAmdZGDbbIFLoxamlK/6Eap2Pja9998zOQsfgWY89fVqkI0VNEhw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.617 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.617/0.617/0.617/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/3rNXHTNIjhTaAedm77MoYUx7g3ZtGrdE= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.433 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.433/0.433/0.433/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 10: Run command interfaces ethernet eth2 authenticator restart at DUT0 and expect this output:
Step 11: Run command interfaces ethernet eth2 authenticator show status at DUT0 and expect this output:
Show output
Error: no supplicant found CLI Error: Command error
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 14:10:40.387545 de:ad:be:ef:6c:20 > fe:5d:9a:c7:06:d7, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 64109, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.52443 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0xa9a4!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: fb40efd1c3ba50e5c7cef9c9ad0d9120 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: B98797ED03483C1F 0x0000: 4239 3837 3937 4544 3033 3438 3343 3146 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Thu Dec 11 14:10:40 2025 0x0000: 693a d0e0 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset 0x0000: 0000 0006 1 packet captured
Test MAB Admin Restart Cause
Description
This scenario shows how to restart a MAB authenticated session
using operational command authenticator restart.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=6.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.523 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.523/0.523/0.523/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+vkyHQJPchm09x9vjOWaaueo612IRVC2bU2z/ThtPuCfOx1dph7ql9uIFjvBUfFhec3mJrXlN0vw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.793 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.793/0.793/0.793/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.606 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.606/0.606/0.606/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 7: Run command interfaces ethernet eth2 authenticator restart at DUT0 and expect this output:
Step 8: Run command interfaces ethernet eth2 authenticator show status at DUT0 and expect this output:
Show output
Error: no supplicant found CLI Error: Command error
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 14:10:55.949779 de:ad:be:ef:6c:20 > fe:5d:9a:c7:06:d7, ethertype IPv4 (0x0800), length 205: (tos 0x0, ttl 63, id 41238, offset 0, flags [none], proto UDP (17), length 191) 10.215.168.66.43219 > 10.215.168.1.1813: [bad udp cksum 0x66ae -> 0xe49d!] RADIUS, length: 163 Accounting-Request (4), id: 0x02, Authenticator: 3841714930bceb17ff98fbcfdabd2a91 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: Local 0x0000: 0000 0002 User-Name Attribute (1), length: 19, Value: de:ad:be:ef:6c:12 0x0000: 6465 3a61 643a 6265 3a65 663a 3663 3a31 0x0010: 32 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 4AFF3844B1DCC37F 0x0000: 3441 4646 3338 3434 4231 4443 4333 3746 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Thu Dec 11 14:10:56 2025 0x0000: 693a d0f0 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 01 secs 0x0000: 0000 0001 Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset 0x0000: 0000 0006 1 packet captured
Test 802.1x NAS Request Cause
Description
This scenario shows how to stop an 802.1x session from
the authentication server using a CoA message.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=10.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.213 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.213/0.213/0.213/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator coa client 10.215.168.1 set interfaces ethernet eth2 authenticator coa encrypted-secret U2FsdGVkX1/6KB3MJdP0TIxPebSLj0LuY5HvEMVB2a0= set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18X9QSEm0F4X4WaoHF9qsSrvePnx55phd8NVFaRnrf5Nj5+7GySAlmKdr++4PDVBlGvgWsKDtiSUQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.579 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.579/0.579/0.579/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18dnnzJGaCCfxaAfUEz5E3bstBO1uaTdYY= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.485 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.485/0.485/0.485/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the utility
radtest that can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/auth_dot1x.req User-Name = "testing" $ radclient -s -t 1 -r 1 10.215.168.66:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/auth_dot1x.req Sent Disconnect-Request Id 241 from 0.0.0.0:50461 to 10.215.168.66:3799 length 29 Received Disconnect-ACK Id 241 from 10.215.168.66:3799 to 10.215.168.1:50461 length 44 Packet summary: Accepted : 1 Rejected : 0 Lost : 0 Passed filter : 1 Failed filter : 0
Step 10: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 14:11:09.074076 de:ad:be:ef:6c:20 > fe:5d:9a:c7:06:d7, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 51764, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.44596 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0xdb48!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 3404e41d0323447af35fb4c6d8a4e607 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 862F7835C01D76F6 0x0000: 3836 3246 3738 3335 4330 3144 3736 4636 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Thu Dec 11 14:11:09 2025 0x0000: 693a d0fd Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: NAS Request 0x0000: 0000 000a 1 packet captured
Test MAB NAS Request Cause
Description
This scenario shows how to stop a MAB authenticated session
from the authentication server using a CoA message.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=10.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.188 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.188/0.188/0.188/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator coa client 10.215.168.1 set interfaces ethernet eth2 authenticator coa encrypted-secret U2FsdGVkX1+STIUq7OnRvYL/6gFXCvPc7w5pzgD7aGY= set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+91N7xnJS4LuUn0BJ9p8DVCay+4tALREAb3n988SgaRIOqwKzzyG3wdoiH2Aj2TYJQepg+gWHK8Q== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.519 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.519/0.519/0.519/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.287 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.287/0.287/0.287/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the utility
radtest that can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/auth_mab.req User-Name = "de:ad:be:ef:6c:12" $ radclient -s -t 1 -r 1 10.215.168.66:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/auth_mab.req Sent Disconnect-Request Id 237 from 0.0.0.0:41413 to 10.215.168.66:3799 length 39 Received Disconnect-ACK Id 237 from 10.215.168.66:3799 to 10.215.168.1:41413 length 44 Packet summary: Accepted : 1 Rejected : 0 Lost : 0 Passed filter : 1 Failed filter : 0
Step 7: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 14:11:24.949216 de:ad:be:ef:6c:20 > fe:5d:9a:c7:06:d7, ethertype IPv4 (0x0800), length 205: (tos 0x0, ttl 63, id 23588, offset 0, flags [none], proto UDP (17), length 191) 10.215.168.66.48694 > 10.215.168.1.1813: [bad udp cksum 0x66ae -> 0x3dfb!] RADIUS, length: 163 Accounting-Request (4), id: 0x02, Authenticator: b2325335e57d2416f1b4a20d0bdbafc1 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: Local 0x0000: 0000 0002 User-Name Attribute (1), length: 19, Value: de:ad:be:ef:6c:12 0x0000: 6465 3a61 643a 6265 3a65 663a 3663 3a31 0x0010: 32 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 761E7C379B79B566 0x0000: 3736 3145 3743 3337 3942 3739 4235 3636 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Thu Dec 11 14:11:24 2025 0x0000: 693a d10c Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 01 secs 0x0000: 0000 0001 Acct-Terminate-Cause Attribute (49), length: 6, Value: NAS Request 0x0000: 0000 000a 1 packet captured