Symptom
RADIUS Access-Challenge packets sent from the RADIUS server to the 802.1x authenticator are dropped. For every RADIUS Access-Challenge message, an ICMP port unreachable message is sent.
Conditions
#1. NCS5500/NCS540 platform running version 6.6.x/7.0.1/7.1.1;
#2. Communication between the RADIUS server and the NCS box happens via a line card port.
Workaround
Use the built-in management interface on the RP for communication between the 802.1x RADIUS client and the RADIUS server.
Further Problem Description
An incorrect hardware LPTS entry is created that directs received RADIUS packets to RP0 instead of 0/0/CPU0:
+++ show lpts pifib hardware entry brief [09:07:50.040 UTC Thu Oct 10 2019] +++
--------------------------------------
Node: 0/0/CPU0
--------------------------------------
G - Global flowtype counters
--------------------------------------
Type DestIP SrcIP Interface vrf L4 LPort/Type RPort npu Flowtype DestNode PuntPrio Accept Drop
---- -------------------- -------------------- -------------- ----- --- ------------ ------ ---- ------------------ ------------ -------- ------ ------
IPv4 any any any 0 17 Port:52305 0 0 RADIUS Dlvr RP0 MEDIUM 41770 0
+++++++ show lpts pifib entry brief [09:07:25.702 UTC Thu Oct 10 2019] ++++++++
* - Any VRF; I - Local Interest;
X - Drop; R - Reassemble;
Type VRF-ID L4 Interface Deliver Local-Address,Port Remote-Address,Port
---------- -------- ------ ------------ ------------ --------------------------------------
IPv4 default UDP any 0/0/CPU0 any,52305 any
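
The check below is an added example, not part of the original bug description or any Cisco tooling. It compares the two views shown above and reports flows where the software pifib entry delivers to a line card CPU while the hardware entry sends the same protocol and port to the RP. The sample rows are copied from the outputs above; the function names and the rule for matching node names ("RP0" in the hardware view means the route processor) are assumptions.

```python
import re

# Sample rows copied from the two outputs shown above.
HW_OUTPUT = """\
IPv4 any any any 0 17 Port:52305 0 0 RADIUS Dlvr RP0 MEDIUM 41770 0
"""
SW_OUTPUT = """\
IPv4 default UDP any 0/0/CPU0 any,52305 any
"""

# Software view prints the L4 name, hardware view prints the IP protocol number.
L4_NUM = {"UDP": 17, "TCP": 6}

HW_ROW = re.compile(r"^(IPv[46])\s.*?\s(\d+)\s+Port:(\d+)\s.*?\bDlvr\s+(\S+)")
SW_ROW = re.compile(r"^(IPv[46])\s+\S+\s+(\S+)\s+\S+\s+(\S+)\s+[^,\s]+,(\d+)\b")

def parse_hw(text):
    """Map (address family, protocol number, local port) -> hardware DestNode."""
    out = {}
    for line in text.splitlines():
        m = HW_ROW.match(line.strip())
        if m:
            out[(m[1], int(m[2]), int(m[3]))] = m[4]
    return out

def parse_sw(text):
    """Map (address family, protocol number, local port) -> software Deliver node."""
    out = {}
    for line in text.splitlines():
        m = SW_ROW.match(line.strip())
        if m and m[2].upper() in L4_NUM:
            out[(m[1], L4_NUM[m[2].upper()], int(m[4]))] = m[3]
    return out

def find_mismatches(hw_text, sw_text):
    """Return flows the software view delivers to a line card but hardware sends to the RP."""
    hw, sw = parse_hw(hw_text), parse_sw(sw_text)
    bad = []
    for key, deliver in sorted(sw.items()):
        dest = hw.get(key)
        # Assumption: a hardware DestNode starting with "RP" is the route processor,
        # and a software Deliver node without "RP" in its name is a line card CPU.
        if dest and dest.upper().startswith("RP") and "RP" not in deliver.upper():
            bad.append((key, deliver, dest))
    return bad

if __name__ == "__main__":
    for (af, proto, port), deliver, dest in find_mismatches(HW_OUTPUT, SW_OUTPUT):
        print(f"{af} proto {proto} port {port}: software delivers to {deliver}, hardware sends to {dest}")
```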