CDRouter Support

Why does my 802.1x RADIUS session stop after the first packet?

knowledge-base version 13.3

Some 802.1x/EAPOL authenticator implementations expect to find the RADIUS “State” attribute in any RADIUS response from the server. Some RADIUS servers use the State attribute to maintain sessions and some RADIUS clients check for it. However, when these implementations do not find the State attribute, the RADIUS packet may be dropped.

The packet trace will looks as follows:

INFO(setup): 16:41:36| Sending EAP-Start to initiate authorization process
O>>>(lan): 16:41:36|         00:15:e9:30:8b:7e  00:0c:41:6d:e8:09  EAPOL     EAPOL-Start
INFO(setup): 16:41:36| Starting DHCP client on LAN interface eth2
O>>>(lan): 16:41:36|      DHCP      DHCPDISCOVER - Transaction ID 0xbfcf4c75
I<<<(lan): 16:41:36|         00:0c:41:6d:e8:09  00:15:e9:30:8b:7e  EAPOL     EAP Request Identity ID 0
O>>>(lan): 16:41:36|         00:15:e9:30:8b:7e  00:0c:41:6d:e8:09  EAPOL     EAP Response Identity ID 0
I<<<(wan): 16:41:36|            RADIUS    Access-Request ID=0 len=123
O>>>(wan): 16:41:36|        RADIUS    Access-Challenge ID=0 len=46
O>>>(lan): 16:41:41|      DHCP      DHCPDISCOVER - Transaction ID 0xc01bd51b
O>>>(lan): 16:41:46|      DHCP      DHCPDISCOVER - Transaction ID 0xc06847bf
I<<<(wan): 16:41:48|         00:0c:41:6d:e8:08  00:e0:15:05:22:65  PPP/LCP   Echo-Request (ID=1)
O>>>(wan): 16:41:48|         00:e0:15:05:22:65  00:0c:41:6d:e8:08  PPP/LCP   Echo-Reply (ID=1)

As a possible work-around, you can configure CDRouter to send a State attribute in its RADIUS response. See this support note on configuring additional RADIUS attributes.



About CDRouter

QA Cafe CDRouter is a comprehensive and powerful test automation solution focused on feature, security, and performance testing for broadband and enterprise edge gateways, Wi-Fi and mesh systems, and other CPE.

Get in touch via our Contact page or by following us on your favorite service: