SSH to the NAC Appliance you wish to run the tcpdump command on
For ALL examples, use Control-C
to stop the packet capture. To limit capture size, read Additional notes below.
For issues with Radius or Authentication coming from a source switch or wireless controller use the below as example
tcpdump -i eth0 -s 0 port 1812 and port 1813 -w radius.pcap
Note that it may be easier if you know the target device sending the radius packets. In that case, add the IP address into that command.
tcpdump -i eth0 -s 0 port 1812 or port 1813 and host 18.104.22.168 -w radius.pcap
If one omits the -w radius.pcap
, the information will print to the screen with limited detail. It is often used to see if one sees any traffic at all prior to capturing to a file.
tcpdump -i eth0 -s 0 port 1812 or port 3799 and host 22.214.171.124 -w radiusW3799.pcap
If one is troubleshooting wireless and wants to get some RFC3576 Information add in port 3799
For issues with the NAC Captive Portal
here is a common example
tcpdump -i eth0 -s 0 port 80 and port 445 and host <host IP of connecting device to portal> -w portal trace.
For issues with LDAP Authentication
tcpdump -i eth0 -s 0 port 389 or port 636