Radius Capture
This scenario shows how to capture and filter RADIUS accounting messages after 802.1x authentication.
Test 802.1x RADIUS Accounting
Description
DUT0 is configured with an 802.1x authenticated interface and DUT1 acts as an 802.1x supplicant. RADIUS accounting messages are captured in DUT0.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 802.1x authenticator aaa accounting list1
set interfaces ethernet eth1 802.1x authenticator aaa authentication list1
set interfaces ethernet eth1 802.1x authenticator reauth-period 0
set interfaces ethernet eth1 address 192.168.100.1/24
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/bbLjPun0CemyyqGBctBaIQvGh93QPBLWwZ8v0wPXzONn6xrY0ejN9u1yAZyzjv+LEvSYhYOcVxw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.210 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.210/0.210/0.210/0.000 ms

Note: Start packet capture in DUT0 to filter RADIUS messages.
Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX1+WN7qGge7zJ7M0eTotNnYagFI1WaKpBAY=
set interfaces ethernet eth1 802.1x supplicant username testing
set interfaces ethernet eth1 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:

Authorized

---------------------------------------------------
        Field                        Value
---------------------------------------------------
EAP State                ​SUCCESS
EAP TLS Cipher           ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version          TLSv1.2
PAE State                AUTHENTICATED
Supplicant Port Status   Authorized
WPA State                COMPLETED

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.297 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.297/0.297/0.297/0.000 ms

Note: Stop packet capture in DUT0 and expect the following RADIUS messages:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:02:47.279047 de:ad:be:ef:6c:10 > fe:2e:df:6f:ce:49, ethertype IPv4 (0x0800), length 187: (tos 0x0, ttl 64, id 29236, offset 0, flags [none], proto UDP (17), length 173)
    10.215.168.64.40362 > 10.215.168.1.1813: [bad udp cksum 0x669a -> 0x66b4!] RADIUS, length: 145
        Accounting-Request (4), id: 0x0b, Authenticator: 63579313c266f55560b472e5e7f2a04a
          Acct-Status-Type Attribute (40), length: 6, Value: Start
            0x0000: 0000 0001
          Acct-Authentic Attribute (45), length: 6, Value: RADIUS
            0x0000: 0000 0001
          User-Name Attribute (1), length: 9, Value: testing
            0x0000: 7465 7374 696e 67
          Called-Station-Id Attribute (30), length: 20, Value: DE-AD-BE-EF-6C-11:
            0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d31
            0x0010: 313a
          NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
            0x0000: 0000 0013
          Service-Type Attribute (6), length: 6, Value: Framed
            0x0000: 0000 0002
          Calling-Station-Id Attribute (31), length: 19, Value: DE-AD-BE-EF-6C-21
            0x0000: 4445 2d41 442d 4245 2d45 462d 3643 2d32
            0x0010: 31
          Connect-Info Attribute (77), length: 23, Value: CONNECT 0Mbps 802.11b
            0x0000: 434f 4e4e 4543 5420 304d 6270 7320 3830
            0x0010: 322e 3131 62
          Acct-Session-Id Attribute (44), length: 18, Value: 1A091080934FA18B
            0x0000: 3141 3039 3130 3830 3933 3446 4131 3842
          Event-Timestamp Attribute (55), length: 6, Value: Mon Oct 7 10:02:47 2024
            0x0000: 6703 b1c7
          Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs
            0x0000: 0000 0000
1 packet captured
2 packets received by filter
0 packets dropped by kernel
admin@osdx$
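
A captured Accounting-Request like the one above can also be checked offline. The following is an added example, not part of the original test or of the product's tooling: it decodes the attributes and verifies the Request Authenticator as defined in RFC 2866. The packet is constructed from attribute values in the capture, and `SAMPLE_SECRET` is a made-up shared secret, since the page shows the DUT key only in encrypted form.

```python
import hashlib
import hmac
import struct

SAMPLE_SECRET = b"constructed-secret"  # assumption: NOT the key configured on DUT0
INT_ATTRS = {6, 40, 41, 45, 55, 61}    # attributes the capture shows as 32-bit integers
NAMES = {1: "User-Name", 31: "Calling-Station-Id",
         40: "Acct-Status-Type", 44: "Acct-Session-Id"}


def accounting_authenticator(code, ident, attrs, secret):
    """RFC 2866: MD5(Code + Id + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def parse_accounting_request(packet, secret):
    """Return (id, attributes, authenticator_ok) for one Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    auth, attrs = packet[4:20], packet[20:length]
    fields, pos = {}, 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("attribute length runs past the packet")
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        if atype in INT_ATTRS:
            value = int.from_bytes(value, "big")
        else:
            value = value.decode("ascii", "replace")
        fields[NAMES.get(atype, atype)] = value
        pos += alen
    expected = accounting_authenticator(code, ident, attrs, secret)
    return ident, fields, hmac.compare_digest(expected, auth)


def build_sample(secret, ident=0x0B):
    """Constructed packet: a few attribute values copied from the capture."""
    def tlv(atype, value):
        return bytes([atype, len(value) + 2]) + value
    attrs = (tlv(40, struct.pack("!I", 1)) + tlv(1, b"testing")
             + tlv(31, b"DE-AD-BE-EF-6C-21") + tlv(44, b"1A091080934FA18B"))
    auth = accounting_authenticator(4, ident, attrs, secret)
    return struct.pack("!BBH", 4, ident, 20 + len(attrs)) + auth + attrs
```

A result of `False` in the third position means the packet was altered after it was built or the wrong shared secret was supplied.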