
Load Balancing 802.1x RADIUS traffic to NAC.

New Contributor III
Hi there,

I'm having some issues using LSNAT load balancing with 802.1x RADIUS requests on the S Series or N Series to some NAC appliances at the back end.

With my client switch configured to send RADIUS requests to the VIP address on the S Series, 802.1x auth fails, but MAC auth is fine. The LSNAT load balancing is configured with four NAC appliances as real servers, though only one is "in service" to aid troubleshooting at the moment.

The VIP address of the load balancers are configured as load balancers in NAC manager.

With my client switch configured to send RADIUS requests directly to the real IP address of the single NAC appliance the load balancer was configured to use, 802.1x and MAC auth are successful.

I've tried this using B series and D series as client switches, and tried the same LSNAT configuration on the S Series and N Series with identical results. When using the VIP address, 802.1x fails but MAC auth is fine.

NAC Manager shows the following error message when 802.1x auth fails:
“Authentication request became stale, challenge sent, no response received from client (switch”

Wireshark proves no packets are being dropped between NAC and switch. The final challenge (before the failure) that is sent out by NAC reaches the uplink port on the switch.

It appears that the EAP-TLS communication between client PC and NAC is breaking down somehow.

Has anyone seen similar issues?



Extreme Employee

After boning up a bit on the LSNAT app:
One shot deletes the binding after 1 second. Perfect for access-level DNS, for example. Normally tearing down a NAT binding would not be an issue for RADIUS, but in the RADIUS load balance application a client needs to stick with the real server used for initial RADIUS auth - there is no sharing of info from one real to another.
So one shot operation is the opposite of what is called for here.

Try sticky type sip with a timeout of 65k.
(Not tested)


Extreme Employee
Hello Jeremy,
Why oneshot? Can you test without this?

I think you guys are on the right track regarding tying the reals to a specific client. There is no distributed database - so while it's UDP, the real server initially auth'ing the client needs to stay with them. Auth has never been my sharpest skill, but it seems like the auth process needs to hold at least some state for updates or challenges or other auth magic.
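
The point made in the replies above, as an added example that is not part of the original thread: a toy Python model (not LSNAT or NAC code) in which each real keeps EAP session state locally, keyed by the RADIUS State attribute it returns in an Access-Challenge. It assumes a balancer with no persistent binding picks a real again for every request; the server names, the address and the `no-session` result are constructed for the illustration.

```python
import itertools

class Real:
    """Toy RADIUS real server; EAP session state is local to the instance."""
    def __init__(self, name, rounds=3):
        self.name, self.rounds, self.sessions = name, rounds, {}
        self._ids = itertools.count(1)

    def handle(self, req):
        if req["method"] == "mac":        # MAC auth: one request, one answer
            return {"code": "Access-Accept"}
        state = req.get("state")
        if state is None:                 # first EAP packet opens a session
            state = f"{self.name}-{next(self._ids)}"
            self.sessions[state] = 0
        elif state not in self.sessions:  # challenge came from another real
            return {"code": "no-session"} # model assumption: request is discarded
        self.sessions[state] += 1
        if self.sessions[state] >= self.rounds:
            del self.sessions[state]
            return {"code": "Access-Accept"}
        return {"code": "Access-Challenge", "state": state}

class LoadBalancer:
    def __init__(self, reals, sticky):
        self.sticky, self.bindings = sticky, {}
        self._rr = itertools.cycle(reals)

    def forward(self, src_ip, req):
        if not self.sticky:               # no persistent binding: pick again
            return next(self._rr).handle(req)
        if src_ip not in self.bindings:   # sticky on source IP (the switch)
            self.bindings[src_ip] = next(self._rr)
        return self.bindings[src_ip].handle(req)

def authenticate(lb, src_ip, method):
    req = {"method": method}
    for _ in range(10):                   # bound the exchange
        resp = lb.forward(src_ip, req)
        if resp["code"] != "Access-Challenge":
            return resp["code"]
        req = {"method": method, "state": resp["state"]}  # echo State back
    return "timeout"

def run(sticky):
    # Constructed topology: two reals, one switch at 10.0.0.2
    lb = LoadBalancer([Real("nac1"), Real("nac2")], sticky)
    return {m: authenticate(lb, "10.0.0.2", m) for m in ("mac", "eap")}

if __name__ == "__main__":
    print("per-request:", run(sticky=False))
    print("sticky src-ip:", run(sticky=True))
```

In this model single-round MAC auth succeeds either way, while the multi-round EAP exchange only completes when every packet from the switch reaches the same real.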


Not yet. I will test it more tomorrow when I get back in.

New Contributor III
Have you tried the leastConnections command in the LSNAT?

I think it should give a more one to one rather than a multiple hit or round robin.