Some 802.1X/EAPOL authenticator implementations expect to find the RADIUS “State” attribute in every RADIUS response from the server. Some RADIUS servers use the State attribute to maintain sessions, and some RADIUS clients check for it. When such an implementation does not find the State attribute, it may drop the RADIUS packet.
In that case the packet trace looks as follows. The Access-Challenge is sent on the WAN, but no further EAP request reaches the LAN client:
INFO(setup): 16:41:36' Sending EAP-Start to initiate authorization process
O>>>(lan): 16:41:36' 00:15:e9:30:8b:7e 00:0c:41:6d:e8:09 EAPOL EAPOL-Start
INFO(setup): 16:41:36' Starting DHCP client on LAN interface eth2
O>>>(lan): 16:41:36' 0.0.0.0 255.255.255.255 DHCP DHCPDISCOVER - Transaction ID 0xbfcf4c75
I<<<(lan): 16:41:36' 00:0c:41:6d:e8:09 00:15:e9:30:8b:7e EAPOL EAP Request Identity ID 0
O>>>(lan): 16:41:36' 00:15:e9:30:8b:7e 00:0c:41:6d:e8:09 EAPOL EAP Response Identity ID 0
I<<<(wan): 16:41:36' 192.168.200.2 3.3.3.3 RADIUS Access-Request ID=0 len=123
O>>>(wan): 16:41:36' 3.3.3.3 192.168.200.2 RADIUS Access-Challenge ID=0 len=46
O>>>(lan): 16:41:41' 0.0.0.0 255.255.255.255 DHCP DHCPDISCOVER - Transaction ID 0xc01bd51b
O>>>(lan): 16:41:46' 0.0.0.0 255.255.255.255 DHCP DHCPDISCOVER - Transaction ID 0xc06847bf
I<<<(wan): 16:41:48' 00:0c:41:6d:e8:08 00:e0:15:05:22:65 PPP/LCP Echo-Request (ID=1)
O>>>(wan): 16:41:48' 00:e0:15:05:22:65 00:0c:41:6d:e8:08 PPP/LCP Echo-Reply (ID=1)
As a possible work-around, you can configure CDRouter to send a State attribute in its RADIUS response.
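To confirm from a capture that a missing State attribute is the trigger, the following added example (not CDRouter code or output) parses a RADIUS packet and flags an Access-Challenge that carries no State attribute (type 24 in RFC 2865). The sample packets, the `build` helper and all function names are constructed for illustration.

```python
import struct

ACCESS_CHALLENGE = 11   # RFC 2865 packet code
ATTR_STATE = 24         # RFC 2865 State
ATTR_EAP_MESSAGE = 79   # RFC 3579 EAP-Message
ATTR_MSG_AUTH = 80      # RFC 3579 Message-Authenticator


def parse_radius(packet: bytes):
    """Return (code, identifier, [(attr_type, value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def challenge_missing_state(packet: bytes) -> bool:
    """True if the packet is an Access-Challenge that carries no State attribute."""
    code, _, attrs = parse_radius(packet)
    return code == ACCESS_CHALLENGE and all(t != ATTR_STATE for t, _ in attrs)


def build(code, ident, attrs):
    """Assemble a constructed test packet (authenticator zeroed, not a valid MAC)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: an EAP request wrapped in EAP-Message, with and without State.
EAP_REQ = bytes([1, 1, 0, 6, 25, 0x20])
NO_STATE = build(ACCESS_CHALLENGE, 0, [(ATTR_EAP_MESSAGE, EAP_REQ), (ATTR_MSG_AUTH, bytes(16))])
WITH_STATE = build(ACCESS_CHALLENGE, 0, [(ATTR_STATE, b"sess-01"), (ATTR_EAP_MESSAGE, EAP_REQ),
                                         (ATTR_MSG_AUTH, bytes(16))])

if __name__ == "__main__":
    for name, pkt in (("no State", NO_STATE), ("with State", WITH_STATE)):
        print(f"{name}: len={len(pkt)} missing_state={challenge_missing_state(pkt)}")
```

Feed `challenge_missing_state` the UDP payload of each server-to-authenticator packet exported from a capture. A `True` result on the challenge that precedes the stall matches the behaviour described above.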