Basic

This scenario shows how to configure an 802.1x supplicant.

../../../../../_images/topology24.svg

Test 802.1x Basic Supplicant

Description

DUT1 is configured with an 802.1x authenticated interface. DUT0 is later configured to perform authentication.

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.65/24
set interfaces ethernet eth1 802.1x authenticator aaa authentication list1
set interfaces ethernet eth1 802.1x authenticator reauth-period 0
set interfaces ethernet eth1 address 192.168.100.1/24
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+0IGQUmuh3M7uwYyFE48s5wbfWR+cMK2nUUZZ3v/0oxl2XeM16l4C2bg7wyf4Q9CgYrzxna+lS9g==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT1:

admin@DUT1$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.194 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.194/0.194/0.194/0.000 ms

Step 3: Set the following configuration in DUT0:

set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX187W4hCrf8sv7UnNoL14560BkLPuNrBTdU=
set interfaces ethernet eth1 802.1x supplicant username testing
set interfaces ethernet eth1 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT0 and check if output contains the following tokens:

Authorized
Show output
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT0 and check if output matches the following regular expressions:

Port Status\s+Authorized
Show output
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT1 and check if output matches the following regular expressions:

Authentication Successes\s+1
Show output
---------------------------------
         Field             Value
---------------------------------
Access Challenges               9
Authentication Backend     RADIUS
Authentication Failures         0
Authentication Successes        1
EAPoL frames (Rx)              11
EAPoL frames (Tx)              11
Reauthenticate              FALSE
Reauthenticate Period           0
Session Time                    0
Session User Name         testing

Step 7: Ping IP address 192.168.100.1 from DUT0:

admin@DUT0$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.322 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.322/0.322/0.322/0.000 ms