Why do we see "Dropping EAPOL packet sent by Station" errors on the controller?

Aruba Employee
Q:

Why do we see "Dropping EAPOL packet sent by Station" errors on the controller? 

How does the controller handle "EAPOL-Logoff" messages from clients? 

 



A:

EAPOL-logoff is ideally sent by the client when it wants to logoff from a dot1x session. We have a knob "Handle EAPOL-Logoff" in the dot1x profile that is disabled by default. Since we drop the logoff packet (as logoff handling is off), we have an error debug print for it saying, "Dropping EAPOL packet sent by Station" when EAPOL-Logoff from the client is dropped.

 

Example logs: 

Sep  2 10:53:26  authmgr[3791]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 84:3a:4b:7c:eb:0a d8:c7:c8:33:cb:b0
Sep  2 10:53:27  authmgr[3791]: <132030> <ERRS> |authmgr|  Dropping EAPOL packet sent by Station 94:e9:6a:ae:17:00 d8:c7:c8:37:fa:f0

 

"Handle EAPOL-Logoff" knob in the dot1x profile: 

(Master-7210) #show aaa authentication dot1x default

802.1X Authentication Profile "default"
---------------------------------------
Parameter                                                  Value
---------                                                  -----
Max authentication failures                                0
Enforce Machine Authentication                             Disabled
Machine Authentication: Default Machine Role               guest
Machine Authentication Cache Timeout                       24 hr(s)
Blacklist on Machine Authentication Failure                Disabled
Machine Authentication: Default User Role                  guest
Interval between Identity Requests                         5 sec
Quiet Period after Failed Authentication                   30 sec
Reauthentication Interval                                  86400 sec
Use Server provided Reauthentication Interval              Disabled
Use the termination-action attribute from the Server       Disabled
Multicast Key Rotation Time Interval                       1800 sec
Unicast Key Rotation Time Interval                         900 sec
Authentication Server Retry Interval                       5 sec
Authentication Server Retry Count                          3
Framed MTU                                                 1100 bytes
Max number of requests sent during an Auth attempt         5
Max Number of Reauthentication Attempts                    3
Maximum number of times Held State can be bypassed         0
Dynamic WEP Key Message Retry Count                        1
Dynamic WEP Key Size                                       128 bits
Interval between WPA/WPA2 Key Messages                     1000 msec
Delay between EAP-Success and WPA2 Unicast Key Exchange    0 msec
Delay between WPA/WPA2 Unicast Key and Group Key Exchange  0 msec
Time interval after which the PMKSA will be deleted        8 hr(s)
Delete Keycache upon user deletion                         Disabled
WPA/WPA2 Key Message Retry Count                           3
Multicast Key Rotation                                     Disabled
Unicast Key Rotation                                       Disabled
Reauthentication                                           Disabled
Opportunistic Key Caching                                  Enabled
Validate PMKID                                             Enabled
Use Session Key                                            Disabled
Use Static Key                                             Disabled
xSec MTU                                                   1300 bytes
Termination                                                Disabled
Termination EAP-Type                                       N/A
Termination Inner EAP-Type                                 N/A
Token Caching                                              Disabled
Token Caching Period                                       24 hr(s)
CA-Certificate                                             N/A
Server-Certificate                                         N/A
TLS Guest Access                                           Disabled
TLS Guest Role                                             guest
Ignore EAPOL-START after authentication                    Disabled
Handle EAPOL-Logoff                                        Disabled    <---------- 
Ignore EAP ID during negotiation.                          Disabled
WPA-Fast-Handover                                          Disabled
Disable rekey and reauthentication for clients on call     Disabled
Check certificate common name against AAA server           Enabled
Version history
Revision #:
2 of 2
Last update:
‎03-29-2017 12:09 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: