‎04-28-2022 04:12 AM
‎05-26-2022 03:57 PM
‎05-15-2022 09:21 PM
Hello
Typically "Session Detected" means that we've received a RADIUS accounting packet for that end system.
If you take a tcpdump on control and look for port 1812/1813 can you find any packets for that end system that have the uplink port defined in the RADIUS AVPs?
tcpdump -i eth0 -s 0 -w nactrace.pcap port 1812 or port 1813
Leave it running and have an end system get a few of those "Session Detected" messages.
Once completed search the trace for any RADIUS packets for the affected client.
You can use search filters for calling-station-id which will capture MAB/802.1x authentication, or by username for 802.1x. Once you find packets check the RADIUS AVPs to make sure the uplink isn't there.
Also, I notice that there is a "Kerberos" event. Are you doing any mirroring to get Kerberos traffic to the NAC? NAC can snoop Kerberos packets to get the username, but since you're doing 802.1x NAC can get the username without Kerberos snooping.
You can right click the NAC --> Engine Settings --> Username Resolution --> Disable "Kerberos Username Resolution"
Thanks
-Ryan