
Why does my 802.1x RADIUS session stop after the first packet?


Some RADIUS servers use the State attribute to maintain sessions, and some RADIUS clients check for it. In particular, some 802.1x/EAPOL authenticator implementations expect to find the RADIUS “State” attribute in any RADIUS response from the server. When these implementations do not find the State attribute, the RADIUS packet may be dropped.

The packet trace would look as follows. After the Access-Challenge is sent, no further EAPOL packets arrive on the LAN:

    INFO(setup): 16:41:36' Sending EAP-Start to initiate authorization process
    O>>>(lan): 16:41:36'         00:15:e9:30:8b:7e  00:0c:41:6d:e8:09  EAPOL     EAPOL-Start
    INFO(setup): 16:41:36' Starting DHCP client on LAN interface eth2
    O>>>(lan): 16:41:36'         0.0.0.0            255.255.255.255    DHCP      DHCPDISCOVER - Transaction ID 0xbfcf4c75
    I<<<(lan): 16:41:36'         00:0c:41:6d:e8:09  00:15:e9:30:8b:7e  EAPOL     EAP Request Identity ID 0
    O>>>(lan): 16:41:36'         00:15:e9:30:8b:7e  00:0c:41:6d:e8:09  EAPOL     EAP Response Identity ID 0
    I<<<(wan): 16:41:36'         192.168.200.2      3.3.3.3            RADIUS    Access-Request ID=0 len=123
    O>>>(wan): 16:41:36'         3.3.3.3            192.168.200.2      RADIUS    Access-Challenge ID=0 len=46
    O>>>(lan): 16:41:41'         0.0.0.0            255.255.255.255    DHCP      DHCPDISCOVER - Transaction ID 0xc01bd51b
    O>>>(lan): 16:41:46'         0.0.0.0            255.255.255.255    DHCP      DHCPDISCOVER - Transaction ID 0xc06847bf
    I<<<(wan): 16:41:48'         00:0c:41:6d:e8:08  00:e0:15:05:22:65  PPP/LCP   Echo-Request (ID=1)
    O>>>(wan): 16:41:48'         00:e0:15:05:22:65  00:0c:41:6d:e8:08  PPP/LCP   Echo-Reply (ID=1)

As a possible workaround, you can configure CDRouter to send a State attribute in its RADIUS response.
