Why do we see "Dropping EAPOL packet sent by Station" errors on the controller?
How does the controller handle "EAPOL-Logoff" messages from clients?
A client ideally sends an EAPOL-Logoff when it wants to log off from a dot1x session. The dot1x profile has a knob, "Handle EAPOL-Logoff", which is disabled by default. With logoff handling off, the controller drops the EAPOL-Logoff packet from the client and prints an error-level debug message for it: "Dropping EAPOL packet sent by Station".
Sep 2 10:53:26 authmgr: <132030> <ERRS> |authmgr| Dropping EAPOL packet sent by Station 84:3a:4b:7c:eb:0a d8:c7:c8:33:cb:b0
Sep 2 10:53:27 authmgr: <132030> <ERRS> |authmgr| Dropping EAPOL packet sent by Station 94:e9:6a:ae:17:00 d8:c7:c8:37:fa:f0
"Handle EAPOL-Logoff" knob in the dot1x profile:
(Master-7210) #show aaa authentication dot1x default

802.1X Authentication Profile "default"
---------------------------------------
Parameter                                                  Value
---------                                                  -----
Max authentication failures                                0
Enforce Machine Authentication                             Disabled
Machine Authentication: Default Machine Role               guest
Machine Authentication Cache Timeout                       24 hr(s)
Blacklist on Machine Authentication Failure                Disabled
Machine Authentication: Default User Role                  guest
Interval between Identity Requests                         5 sec
Quiet Period after Failed Authentication                   30 sec
Reauthentication Interval                                  86400 sec
Use Server provided Reauthentication Interval              Disabled
Use the termination-action attribute from the Server       Disabled
Multicast Key Rotation Time Interval                       1800 sec
Unicast Key Rotation Time Interval                         900 sec
Authentication Server Retry Interval                       5 sec
Authentication Server Retry Count                          3
Framed MTU                                                 1100 bytes
Max number of requests sent during an Auth attempt         5
Max Number of Reauthentication Attempts                    3
Maximum number of times Held State can be bypassed         0
Dynamic WEP Key Message Retry Count                        1
Dynamic WEP Key Size                                       128 bits
Interval between WPA/WPA2 Key Messages                     1000 msec
Delay between EAP-Success and WPA2 Unicast Key Exchange    0 msec
Delay between WPA/WPA2 Unicast Key and Group Key Exchange  0 msec
Time interval after which the PMKSA will be deleted        8 hr(s)
Delete Keycache upon user deletion                         Disabled
WPA/WPA2 Key Message Retry Count                           3
Multicast Key Rotation                                     Disabled
Unicast Key Rotation                                       Disabled
Reauthentication                                           Disabled
Opportunistic Key Caching                                  Enabled
Validate PMKID                                             Enabled
Use Session Key                                            Disabled
Use Static Key                                             Disabled
xSec MTU                                                   1300 bytes
Termination                                                Disabled
Termination EAP-Type                                       N/A
Termination Inner EAP-Type                                 N/A
Token Caching                                              Disabled
Token Caching Period                                       24 hr(s)
CA-Certificate                                             N/A
Server-Certificate                                         N/A
TLS Guest Access                                           Disabled
TLS Guest Role                                             guest
Ignore EAPOL-START after authentication                    Disabled
Handle EAPOL-Logoff                                        Disabled   <----------
Ignore EAP ID during negotiation.                          Disabled
WPA-Fast-Handover                                          Disabled
Disable rekey and reauthentication for clients on call     Disabled
Check certificate common name against AAA server           Enabled
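
To see which clients generate this message and how often, the authmgr lines can be summarized per station. The following is an added example, not part of the original article or of any vendor tooling: it parses lines in the format shown above (message ID 132030), and because the article does not say what the second MAC address in each line is, it is kept under the neutral name second_mac. The sample log contains the article's two lines plus constructed ones.

```python
import re
from collections import defaultdict

# First two lines are the article's own log lines; the last two are constructed.
SAMPLE_LOG = """\
Sep 2 10:53:26 authmgr: <132030> <ERRS> |authmgr| Dropping EAPOL packet sent by Station 84:3a:4b:7c:eb:0a d8:c7:c8:33:cb:b0
Sep 2 10:53:27 authmgr: <132030> <ERRS> |authmgr| Dropping EAPOL packet sent by Station 94:e9:6a:ae:17:00 d8:c7:c8:37:fa:f0
Sep 2 10:53:31 authmgr: <132030> <ERRS> |authmgr| Dropping EAPOL packet sent by Station 84:3a:4b:7c:eb:0a d8:c7:c8:33:cb:b0
Sep 2 10:54:02 authmgr: <999999> <INFO> |authmgr| unrelated constructed line
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+authmgr:\s+<132030>\s+<ERRS>\s+"
    r"\|authmgr\|\s+Dropping EAPOL packet sent by Station\s+"
    rf"(?P<station>{MAC})\s+(?P<second_mac>{MAC})\s*$",
    re.IGNORECASE,
)

def summarize_drops(log_text):
    """Return {station_mac: {"count", "first", "last", "second_macs"}}."""
    summary = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "second_macs": set()}
    )
    for line in log_text.splitlines():
        m = DROP_RE.match(line.strip())
        if not m:
            continue  # not a 132030 drop line, or malformed
        entry = summary[m["station"].lower()]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]  # timestamp of first drop seen
        entry["last"] = m["ts"]                     # timestamp of latest drop seen
        entry["second_macs"].add(m["second_mac"].lower())
    return dict(summary)

def noisy_stations(summary, threshold):
    """Stations with at least `threshold` dropped frames, most frequent first."""
    hits = [(mac, e["count"]) for mac, e in summary.items() if e["count"] >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    result = summarize_drops(SAMPLE_LOG)
    for mac, e in result.items():
        print(mac, e["count"], e["first"], e["last"], sorted(e["second_macs"]))
    print("repeat droppers:", noisy_stations(result, threshold=2))
```
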