Radius Terminate Capture
These scenarios show different acct-terminate-causes that are sent by OSDx devices when 802.1x sessions end.
Test 802.1x User Request Cause
Description
This scenario shows how to stop an 802.1x session using
operational command supplicant disconnect.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=1.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.608 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.608/0.608/0.608/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+ElbBl4T4IUs63Cebcz0HA85Jx+eB+boOBUUEAPYSVvNj1IAyodgX0AnZV3QzpFzYcoS/RQdw9Yg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.557 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.557/0.557/0.557/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+DbnFyQEhQeCNgbt8ZhkG2bi+SzKPj2wY= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.391 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.391/0.391/0.391/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 10: Run command interfaces ethernet eth2 supplicant disconnect at DUT1 and expect this output:
Show output
OK
Step 11: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:17:43.848476 de:ad:be:ef:6c:20 > fe:04:aa:25:a3:32, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 16184, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.38540 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0x4392!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 110e390af62e3a7c51e06578e22bdd7a Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 3432881DCDD8CB0E 0x0000: 3334 3332 3838 3144 4344 4438 4342 3045 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Mon May 4 18:17:44 2026 0x0000: 69f8 e2c8 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: User Request 0x0000: 0000 0001 1 packet captured
Test 802.1x Lost Carrier Cause
Description
This scenario shows how an 802.1x session is stopped
after a link down event in DUT0 eth2.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=2.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.494 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.494/0.494/0.494/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator coa client 10.215.168.1 set interfaces ethernet eth2 authenticator coa encrypted-secret U2FsdGVkX19YdJfyjKdRs5tSYILScZyYr6P+5+liynk= set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/fpSWmJVJXXAw6UWcJOJ98s/6TjVusj3TcJInHjeOX7M28lfgnoiIw3Ula8qVy2kXuBYljZcIHlw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.406 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.406/0.406/0.406/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19bQxcTmg3WDRwAh6woyCvnDyQtyQPT9/A= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.858 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.858/0.858/0.858/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Remove the link between DUT0 and DUT1 to provoke a link-down event.
Step 10: Run command interfaces ethernet eth2 authenticator show status at DUT0 and expect this output:
Show output
Error: no supplicant found CLI Error: Command error
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:18:05.050463 de:ad:be:ef:6c:20 > fe:04:aa:25:a3:32, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 22620, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.50208 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0x1a4d!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 75c21498d3c7f8bebdc994e3f5803488 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 56F67A77637C5087 0x0000: 3536 4636 3741 3737 3633 3743 3530 3837 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Mon May 4 18:18:05 2026 0x0000: 69f8 e2dd Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 10 secs 0x0000: 0000 000a Acct-Terminate-Cause Attribute (49), length: 6, Value: Lost Carrier 0x0000: 0000 0002 1 packet captured
Test MAB Lost Carrier Cause
Description
This scenario shows how a MAB-authenticated session is
stopped after a link-down event in DUT0 eth2.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=2.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.651 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.651/0.651/0.651/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator coa client 10.215.168.1 set interfaces ethernet eth2 authenticator coa encrypted-secret U2FsdGVkX1+8c/r5g4t+slHxBmInjWe3sQpkFHfXQAU= set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+2xPt0P2kecdCzWbzQdVqe/wb0yXI7knNIKd8b68vr4zAmJ/1j65LP59Yju4VmlIv/hqtOAZYRbA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.787 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.787/0.787/0.787/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=1.21 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.206/1.206/1.206/0.000 ms
Step 7: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 3 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.342 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.342/0.342/0.342/0.000 ms
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.255 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.255/0.255/0.255/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Remove the link between DUT0 and DUT1 to provoke a link-down event.
Step 10: Run command interfaces ethernet eth2 authenticator show status at DUT0 and expect this output:
Show output
Error: no supplicant found CLI Error: Command error
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:18:30.789807 de:ad:be:ef:6c:20 > fe:04:aa:25:a3:32, ethertype IPv4 (0x0800), length 205: (tos 0x0, ttl 63, id 14557, offset 0, flags [none], proto UDP (17), length 191) 10.215.168.66.35082 > 10.215.168.1.1813: [bad udp cksum 0x66ae -> 0x04cf!] RADIUS, length: 163 Accounting-Request (4), id: 0x02, Authenticator: 176284c0198e14d498bdf263fc95877f Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: Local 0x0000: 0000 0002 User-Name Attribute (1), length: 19, Value: de:ad:be:ef:6c:12 0x0000: 6465 3a61 643a 6265 3a65 663a 3663 3a31 0x0010: 32 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 3DF5C9F3DDD0E057 0x0000: 3344 4635 4339 4633 4444 4430 4530 3537 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Mon May 4 18:18:30 2026 0x0000: 69f8 e2f6 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 10 secs 0x0000: 0000 000a Acct-Terminate-Cause Attribute (49), length: 6, Value: Lost Carrier 0x0000: 0000 0002 1 packet captured
Test 802.1x Idle Timeout Cause
Description
This scenario shows how an 802.1x session is stopped
after a reauthentication timeout.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=4.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.126 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.126/0.126/0.126/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 30 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18wr+xxQCU0p5fGlQZRr0UMfgM4wMtH3GjxPwXV7atX8DnXOPK0Bf/YTNhr0DevRB5ipMM4QpuhfA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.854 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.854/0.854/0.854/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX185sdB6mWt3Xl45+o4qijz0mtgN46VecmI= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 30 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.622 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.622/0.622/0.622/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Disable DUT1 interface or remove address configuration to prevent the device from responding EAP requests.
Step 10: Modify the following configuration lines in DUT1 :
set interfaces ethernet eth2 disable
Step 11: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:19:33.893863 de:ad:be:ef:6c:20 > fe:04:aa:25:a3:32, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 1604, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.44292 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0xace4!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: bb07ef52339c0f751176e465e70a09a2 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 8B08791C4FDF94B2 0x0000: 3842 3038 3739 3143 3446 4446 3934 4232 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Mon May 4 18:19:34 2026 0x0000: 69f8 e336 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 51 secs 0x0000: 0000 0033 Acct-Terminate-Cause Attribute (49), length: 6, Value: Idle Timeout 0x0000: 0000 0004 1 packet captured
Test 802.1x Admin Reset Cause
Description
This scenario shows how to stop an 802.1x session using
operational command authenticator disassociate.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=6.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.400 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.400/0.400/0.400/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/Q5BJD+1+E7UKstzzPU9w28Z5AOyz/qm2UNSfMamEOqclNK7Gla/wG2GeV5WFLxPE38HZ9S2eIfg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.568 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.568/0.568/0.568/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+V/uxBevH0JeqJRtiIrlsKX9GRC9YbBho= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.464 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.464/0.464/0.464/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 10: Run command interfaces ethernet eth2 authenticator disassociate at DUT0 and expect this output:
Show output
OK
Step 11: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:19:47.597454 de:ad:be:ef:6c:20 > fe:04:aa:25:a3:32, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 52860, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.33345 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0x32b8!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 05db4e26ba41eb47503d0ccd47b2029b Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 561D3887AEDC288A 0x0000: 3536 3144 3338 3837 4145 4443 3238 3841 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Mon May 4 18:19:46 2026 0x0000: 69f8 e342 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset 0x0000: 0000 0006 1 packet captured
Test MAB Admin Reset Cause
Description
This scenario shows how to stop a MAB authenticated session
using operational command authenticator disassociate.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=6.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.604 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.604/0.604/0.604/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+iPQ962T//0FF+UnyVXCGnrRmJt+EkWfvDSfTf7mGSGJlYk5IzCgMFMMcJy+ELiT29TaaGXQhjXw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.481 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.481/0.481/0.481/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.260 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.260/0.260/0.260/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 7: Run command interfaces ethernet eth2 authenticator disassociate at DUT0 and expect this output:
Show output
OK
Step 8: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:20:02.944400 de:ad:be:ef:6c:20 > fe:04:aa:25:a3:32, ethertype IPv4 (0x0800), length 205: (tos 0x0, ttl 63, id 61625, offset 0, flags [none], proto UDP (17), length 191) 10.215.168.66.58020 > 10.215.168.1.1813: [bad udp cksum 0x66ae -> 0x884c!] RADIUS, length: 163 Accounting-Request (4), id: 0x02, Authenticator: 0dbb0f299ca6262f3abaa8b8f73a0426 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: Local 0x0000: 0000 0002 User-Name Attribute (1), length: 19, Value: de:ad:be:ef:6c:12 0x0000: 6465 3a61 643a 6265 3a65 663a 3663 3a31 0x0010: 32 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: CA03108CBBE0DFC7 0x0000: 4341 3033 3130 3843 4242 4530 4446 4337 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Mon May 4 18:20:03 2026 0x0000: 69f8 e353 Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 01 secs 0x0000: 0000 0001 Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset 0x0000: 0000 0006 1 packet captured
Test 802.1x Admin Restart Cause
Description
This scenario shows how to restart an 802.1x session using
operational command authenticator restart.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=6.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.646 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.646/0.646/0.646/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18HSAxnLxKLO/hA4rCcNn5EK4/q8H9iYuFo5Y/BzY4o/cQH4xo2fdn6Wb7nenZ8hXwbXh6RiBcrvw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.690 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.690/0.690/0.690/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/PeurjJeIhdwszOxRMt3/qEFNQsWKkq6M= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.370 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.370/0.370/0.370/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 10: Run command interfaces ethernet eth2 authenticator restart at DUT0 and expect this output:
Step 11: Run command interfaces ethernet eth2 authenticator show status at DUT0 and expect this output:
Show output
Error: no supplicant found CLI Error: Command error
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:20:15.454411 de:ad:be:ef:6c:20 > fe:04:aa:25:a3:32, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 46306, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.34804 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0x608e!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 080a134bd64e5f025144489cb91f9fb2 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 2C61BF7A30BFBD55 0x0000: 3243 3631 4246 3741 3330 4246 4244 3535 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Mon May 4 18:20:15 2026 0x0000: 69f8 e35f Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset 0x0000: 0000 0006 1 packet captured
Test MAB Admin Restart Cause
Description
This scenario shows how to restart a MAB authenticated session
using operational command authenticator restart.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=6.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.577 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.577/0.577/0.577/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19gsTDGdsh6HhGk5POSLiee9JhsuxaC4sNgGfnntIuB3AQ84+Go/bP2T2WWZE2ajfKKWlZLa21QWA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.451 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.451/0.451/0.451/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.280 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.280/0.280/0.280/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Step 7: Run command interfaces ethernet eth2 authenticator restart at DUT0 and expect this output:
Step 8: Run command interfaces ethernet eth2 authenticator show status at DUT0 and expect this output:
Show output
Error: no supplicant found CLI Error: Command error
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:20:30.841100 de:ad:be:ef:6c:20 > fe:04:aa:25:a3:32, ethertype IPv4 (0x0800), length 205: (tos 0x0, ttl 63, id 33303, offset 0, flags [none], proto UDP (17), length 191) 10.215.168.66.40199 > 10.215.168.1.1813: [bad udp cksum 0x66ae -> 0x157e!] RADIUS, length: 163 Accounting-Request (4), id: 0x02, Authenticator: 54a05f185cb234c0a5c069d2fa9f13b5 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: Local 0x0000: 0000 0002 User-Name Attribute (1), length: 19, Value: de:ad:be:ef:6c:12 0x0000: 6465 3a61 643a 6265 3a65 663a 3663 3a31 0x0010: 32 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: CD46E14DE48621D2 0x0000: 4344 3436 4531 3444 4534 3836 3231 4432 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Mon May 4 18:20:30 2026 0x0000: 69f8 e36e Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 01 secs 0x0000: 0000 0001 Acct-Terminate-Cause Attribute (49), length: 6, Value: Admin Reset 0x0000: 0000 0006 1 packet captured
Test 802.1x NAS Request Cause
Description
This scenario shows how to stop an 802.1x session from
the authentication server using a CoA message.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=10.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.491 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.491/0.491/0.491/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator coa client 10.215.168.1 set interfaces ethernet eth2 authenticator coa encrypted-secret U2FsdGVkX18feLxIFLrbRKzFourl7O6WalyRrRo6jaA= set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18nJb167FJZBUZAgB33agZR2z6j/7rbQ6tqDFP4sjVRzHRB6ldIsvoHIvqcrpljA8QZS29cy49Oeg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.610 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.610/0.610/0.610/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19FdgsYQ+5slISy7XMUDS5841kJJXirQf0= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 7: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 8: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name testing
Step 9: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.386 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.386/0.386/0.386/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the
radtest utility, which can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/auth_dot1x.req User-Name = "testing" $ radclient -s -t 1 -r 1 10.215.168.66:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/auth_dot1x.req Sent Disconnect-Request Id 240 from 0.0.0.0:37721 to 10.215.168.66:3799 length 29 Received Disconnect-ACK Id 240 from 10.215.168.66:3799 to 10.215.168.1:37721 length 44 Packet summary: Accepted : 1 Rejected : 0 Lost : 0 Passed filter : 1 Failed filter : 0
Step 10: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:20:42.846749 de:ad:be:ef:6c:20 > fe:04:aa:25:a3:32, ethertype IPv4 (0x0800), length 195: (tos 0x0, ttl 63, id 53225, offset 0, flags [none], proto UDP (17), length 181) 10.215.168.66.41695 > 10.215.168.1.1813: [bad udp cksum 0x66a4 -> 0xb39b!] RADIUS, length: 153 Accounting-Request (4), id: 0x0c, Authenticator: 40784c51352151609cf29ccccc81a9df Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: RADIUS 0x0000: 0000 0001 User-Name Attribute (1), length: 9, Value: testing 0x0000: 7465 7374 696e 67 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: B81D7C702C9AA527 0x0000: 4238 3144 3743 3730 3243 3941 4135 3237 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Mon May 4 18:20:43 2026 0x0000: 69f8 e37b Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Terminate-Cause Attribute (49), length: 6, Value: NAS Request 0x0000: 0000 000a 1 packet captured
Test MAB NAS Request Cause
Description
This scenario shows how to stop a MAB-authenticated session
from the authentication server using a CoA message.
Accounting RADIUS stop messages should contain the
following attribute: acct-terminate-cause=10.
Scenario
Step 1: Set the following configuration in DUT2 :
set interfaces ethernet eth0 address 10.215.168.66/24 set interfaces ethernet eth0 traffic nat destination rule 1 address 192.168.200.2 set interfaces ethernet eth0 traffic nat source rule 1 address masquerade set interfaces ethernet eth1 address 192.168.200.1/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT2:
admin@DUT2$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.562 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.562/0.562/0.562/0.000 ms
Step 3: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.200.2/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa accounting list1 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator coa client 10.215.168.1 set interfaces ethernet eth2 authenticator coa encrypted-secret U2FsdGVkX19K/tjbgl51TycmQ5VSQ9We62VhSwHNf1E= set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set protocols static route 0.0.0.0/0 next-hop 192.168.200.1 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19zF/wUuys68BUWSpsnmkc9N2ixi/gGdkeaoqm6aEI58YXd12VEZ1ZJJL4+LnLp48bWHDfMrkRKNA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.594 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.594/0.594/0.594/0.000 ms
Step 5: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.232 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.232/0.232/0.232/0.000 ms
Note
Start packet capture in DUT2 to filter RADIUS stop messages (e.g., traffic dump monitor interface eth0 detail filter "udp port 1813" packets 1).
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the
radtest utility, which can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/auth_mab.req User-Name = "de:ad:be:ef:6c:12" $ radclient -s -t 1 -r 1 10.215.168.66:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/auth_mab.req Sent Disconnect-Request Id 57 from 0.0.0.0:43553 to 10.215.168.66:3799 length 39 Received Disconnect-ACK Id 57 from 10.215.168.66:3799 to 10.215.168.1:43553 length 44 Packet summary: Accepted : 1 Rejected : 0 Lost : 0 Passed filter : 1 Failed filter : 0
Step 7: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Note
Stop packet capture in DUT0 and expect
the following RADIUS messages:
Show output
eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:20:57.884136 de:ad:be:ef:6c:20 > fe:04:aa:25:a3:32, ethertype IPv4 (0x0800), length 205: (tos 0x0, ttl 63, id 60244, offset 0, flags [none], proto UDP (17), length 191) 10.215.168.66.39681 > 10.215.168.1.1813: [bad udp cksum 0x66ae -> 0xf299!] RADIUS, length: 163 Accounting-Request (4), id: 0x02, Authenticator: 431d6b8a70a3e664976ce515ee681148 Acct-Status-Type Attribute (40), length: 6, Value: Stop 0x0000: 0000 0002 Acct-Authentic Attribute (45), length: 6, Value: Local 0x0000: 0000 0002 User-Name Attribute (1), length: 19, Value: de:ad:be:ef:6c:12 0x0000: 6465 3a61 643a 6265 3a65 663a 3663 3a31 0x0010: 32 Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-02: 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d30 0x0010: 323a Service-Type Attribute (6), length: 6, Value: Framed 0x0000: 0000 0002 Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-12 0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31 0x0010: 32 Acct-Session-Id Attribute (44), length: 18, Value: 84F74F871C1572FD 0x0000: 3834 4637 3446 3837 3143 3135 3732 4644 NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 0x0000: 0000 000f Connect-Info Attribute (77), length: 13, Value: Unsupported 0x0000: 556e 7375 7070 6f72 7465 64 NAS-Port-Id Attribute (87), length: 6, Value: eth2 0x0000: 6574 6832 Event-Timestamp Attribute (55), length: 6, Value: Mon May 4 18:20:58 2026 0x0000: 69f8 e38a Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs 0x0000: 0000 0000 Acct-Session-Time Attribute (46), length: 6, Value: 01 secs 0x0000: 0000 0001 Acct-Terminate-Cause Attribute (49), length: 6, Value: NAS Request 0x0000: 0000 000a 1 packet captured