What does EAP ID mismatch mean in the auth tracebuf?

Aruba Employee

Question:  What does EAP ID mismatch mean in the auth tracebuf?

 

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.3.2.X and later.

"EAP ID mismatch" in the auth tracebuf means that the EAP ID that was received from the client is different from what Auth expected it to be.

With each exchange, the ID normally gets incremented.

To disable this check in the dot1x authentication profile, issue the following command:

aaa authentication dot1x <profile-name>
ignore-eap-id-match

The authenticator sends an EAP ID in each request and increments it with each request sent. (In the case of termination or a RADIUS server, the authenticator is the controller.) The authenticator uses this ID to match the EAP response from the client.

If, for example, the authenticator sent an EAP request with a particular ID that didn't make it to the client, and the client retransmitted its earlier response, you can end up in this mismatch scenario. If a mismatch is detected, that packet is dropped unless the "ignore-eap-id-match" knob is turned on.

If you see this issue frequently with a given client, examine the packet captures at both ends. EAP ID mismatches are never good.
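The lost-request scenario described above can be reproduced with a small model of the authenticator's check. This is an added example, not ArubaOS code: the `Authenticator` class, its log strings, and the `ignore_eap_id_match` parameter are hypothetical stand-ins, and only the EAP header layout and the Code and Type values come from RFC 3748.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2      # EAP Code values (RFC 3748)
TYPE_IDENTITY, TYPE_PEAP = 1, 25      # EAP Type values

def eap_packet(code, ident, eap_type, data=b""):
    """Build Code(1) | Identifier(1) | Length(2) | Type(1) | Data."""
    return struct.pack("!BBHB", code, ident & 0xFF, 5 + len(data), eap_type) + data

def parse_eap(raw):
    """Validate the header and return (code, identifier, type)."""
    if len(raw) < 5:
        raise ValueError("truncated EAP packet")
    code, ident, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if not 5 <= length <= len(raw):
        raise ValueError("bad EAP length field")
    return code, ident, eap_type

class Authenticator:
    """Simplified model of the authenticator's ID check (not ArubaOS code)."""
    def __init__(self, ignore_eap_id_match=False, start_id=1):
        self.ignore = ignore_eap_id_match
        self.next_id = start_id
        self.expected = None
        self.log = []                 # constructed messages, not real tracebuf output

    def send_request(self, eap_type):
        self.expected = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF   # one-octet field wraps at 255
        return eap_packet(EAP_REQUEST, self.expected, eap_type)

    def receive(self, raw):
        """Return True if the response is processed, False if it is dropped."""
        code, ident, _ = parse_eap(raw)
        if code == EAP_RESPONSE and ident == self.expected:
            self.log.append(f"accept id={ident}")
            return True
        if code != EAP_RESPONSE:
            self.log.append("drop: not an EAP response")
            return False
        self.log.append(f"EAP ID mismatch: got {ident}, expected {self.expected}")
        return self.ignore            # processed only when the check is disabled

def lost_request_scenario(ignore):
    auth = Authenticator(ignore_eap_id_match=ignore)
    _, req_id, _ = parse_eap(auth.send_request(TYPE_IDENTITY))  # reaches the client
    response = eap_packet(EAP_RESPONSE, req_id, TYPE_IDENTITY, b"user")
    first = auth.receive(response)
    auth.send_request(TYPE_PEAP)      # this request never reaches the client
    second = auth.receive(response)   # client retransmits its earlier response
    return first, second, auth.log
```

Calling `lost_request_scenario(False)` shows the retransmitted response being dropped; with `True` the same packet is processed even though its ID does not match the outstanding request.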

Version history
Revision #: 1 of 1
Last update: 07-03-2014 03:17 PM
 