Eap Server
This scenario shows how to enable the local 802.1X EAP server to authenticate users.
Test Successful Local 802.1x Authentication
Description
DUT0 is configured to perform 802.1x authentication using a local database with usernames and passwords. DUT1 uses the correct username and password.
Scenario
Note
Execute the following operational commands in DUT0 to
generate the required x509 files:
Show output
pki generate private-key running://ca.key rsa pki generate certificate running://ca.crt x509 private-key running://ca.key days 365 pki generate private-key running://server.key rsa pki generate csr running://server.csr private-key running://server.key pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x eap-server username testing encrypted-password U2FsdGVkX1/Fj/nIJ3Y4DkluivTx3HCXwhPA4fjagbw= set interfaces ethernet eth1 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-cert 'running://server.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-key 'running://server.key' set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa list list1 method 1 local set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.603 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.603/0.603/0.603/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1/1gkx3l2pM+PTTVRwcwU3m46XCGmBVA6c= set interfaces ethernet eth1 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 9 EAPoL Frames (Tx) 9 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 7 Req ID Frames (Rx) 1 Resp Frames (Tx) 8 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Local Server Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 7 Authentication Backend Local Server Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 9 EAPoL frames (Tx) 9 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name testing
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.300 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.300/0.300/0.300/0.000 ms
Test Unsuccessful Local 802.1x Authentication
Description
DUT0 is configured to perform authentication using a local database with usernames and passwords. DUT1 uses an incorrect username.
Scenario
Note
Execute the following operational commands in DUT0 to
generate the required x509 files:
Show output
pki generate private-key running://ca.key rsa pki generate certificate running://ca.crt x509 private-key running://ca.key days 365 pki generate private-key running://server.key rsa pki generate csr running://server.csr private-key running://server.key pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x eap-server username testing encrypted-password U2FsdGVkX18REhOstNLowebujLlb2nyN/FZ1bMUDRKY= set interfaces ethernet eth1 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-cert 'running://server.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-key 'running://server.key' set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa list list1 method 1 local set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.195 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.195/0.195/0.195/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1/4VCMSxde80ZsAKILUuBckohxmuHQPIrw= set interfaces ethernet eth1 supplicant username bad_username set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 0 EAPoL Frames (Tx) 0 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 0 Req ID Frames (Rx) 0 Resp Frames (Tx) 0 Start Frames (Tx) 0
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 7 EAPoL Frames (Tx) 7 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 5 Req ID Frames (Rx) 1 Resp Frames (Tx) 6 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 5 Authentication Backend Local Server Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 7 EAPoL frames (Tx) 7 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name N/A
Step 7: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test 802.1x Authentication Failover
Description
DUT0 is configured to perform authentication using two different methods: remote RADIUS server and local database. When the remote server is not reachable, it failovers and uses the local database.
Scenario
Note
Execute the following operational commands in DUT0 to
generate the required x509 files:
Show output
pki generate private-key running://ca.key rsa pki generate certificate running://ca.crt x509 private-key running://ca.key days 365 pki generate private-key running://server.key rsa pki generate csr running://server.csr private-key running://server.key pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Note
The following configuration lines are added to drop RADIUS UDP packets sent to the authentication server.
Show output
set interfaces eth0 traffic policy out DROP_UDP set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic policy DROP_UDP rule 1 action drop set traffic selector SEL_UDP rule 1 protocol udp
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic policy out DROP_UDP set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x eap-server username testing encrypted-password U2FsdGVkX1+vf/pnY9jpeRblSom4E3hOS80/vkg2UoI= set interfaces ethernet eth1 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-cert 'running://server.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-key 'running://server.key' set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 15 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa list list1 method 2 local set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/Z8U4Mt+Cn51kv9iERhgwjyHnq2it8b3aDVoOSJvSr7FgjLwII9btXWaJTVOyPST46vEveERNtPg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy DROP_UDP rule 1 action drop set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic selector SEL_UDP rule 1 protocol udp
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.252 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.252/0.252/0.252/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1+rHUodf4g4Xm9sKN9ZFNOCn2OfQRHi49Y= set interfaces ethernet eth1 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 10 EAPoL Frames (Tx) 10 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 8 Req ID Frames (Rx) 1 Resp Frames (Tx) 9 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Local Server Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 7 Authentication Backend Local Server Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 10 EAPoL frames (Tx) 10 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name testing
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.376 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.376/0.376/0.376/0.000 ms
Note
Delete this configuration line to restore connectivity to
to the RADIUS server and ensure the Authentication Backend
changed from Local Server to RADIUS.
Show output
del interfaces eth0 traffic
Step 8: Modify the following configuration lines in DUT0 :
delete interfaces ethernet eth0 traffic
Step 9: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+RADIUSShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 16 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 2 EAPoL frames (Rx) 20 EAPoL frames (Tx) 21 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name testing
Test 802.1x Authentication Failopen
Description
DUT0 is configured to perform 802.1x authentication using a local database with usernames and passwords and the fail-open policy is enabled as well. DUT1 uses an incorrect username and password, thus triggering the fail-open policy.
Scenario
Note
Execute the following operational commands in DUT0 to
generate the required x509 files:
Show output
pki generate private-key running://ca.key rsa pki generate certificate running://ca.crt x509 private-key running://ca.key days 365 pki generate private-key running://server.key rsa pki generate csr running://server.csr private-key running://server.key pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x eap-server username testing encrypted-password U2FsdGVkX1+TtjJHS/8MnxKp+gUI2ybSAhOm9ocvMZk= set interfaces ethernet eth1 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-cert 'running://server.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-key 'running://server.key' set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 3600 set system aaa list list1 method 1 local set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.439 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.439/0.439/0.439/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX187P2CadwAeoQCLK7cpwjjfcQmeFm2UR+Q= set interfaces ethernet eth1 supplicant username bad_username set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 8 EAPoL Frames (Tx) 8 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 6 Req ID Frames (Rx) 1 Resp Frames (Tx) 7 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Fail-open Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 6 Authentication Backend Fail-open Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 8 EAPoL frames (Tx) 8 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 3600 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name default
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.571 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.571/0.571/0.571/0.000 ms
Test 802.1x Authentication Failopen Local Success
Description
DUT0 is configured to perform 802.1x authentication using a local database with usernames and passwords and the fail-open policy is enabled as well. DUT1 uses the correct username and password.
Scenario
Note
Execute the following operational commands in DUT0 to
generate the required x509 files:
Show output
pki generate private-key running://ca.key rsa pki generate certificate running://ca.crt x509 private-key running://ca.key days 365 pki generate private-key running://server.key rsa pki generate csr running://server.csr private-key running://server.key pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x eap-server username testing encrypted-password U2FsdGVkX1/SL0J+cYDLSfvrLSIYaJR/V67fzOjHGfQ= set interfaces ethernet eth1 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-cert 'running://server.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-key 'running://server.key' set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa list list1 method 1 local set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.422 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.422/0.422/0.422/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX19a/m5meLU10Obp6r9NlQcKYKVsSxKkEK8= set interfaces ethernet eth1 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 9 EAPoL Frames (Tx) 9 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 7 Req ID Frames (Rx) 1 Resp Frames (Tx) 8 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Local Server Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 7 Authentication Backend Local Server Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 9 EAPoL frames (Tx) 9 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name testing
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.575 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.575/0.575/0.575/0.000 ms
Test 802.1x Authentication Failopen RADIUS Success
Description
DUT0 is configured to perform authentication using two different methods: a remote RADIUS server and a local database. It is also configured to authorise the port by default if the RADIUS servers are not reachable. As the remote RADIUS server is reachable, the fail-open policy should not be triggered.
Scenario
Note
Execute the following operational commands in DUT0 to
generate the required x509 files:
Show output
pki generate private-key running://ca.key rsa pki generate certificate running://ca.crt x509 private-key running://ca.key days 365 pki generate private-key running://server.key rsa pki generate csr running://server.csr private-key running://server.key pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-cert 'running://server.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-key 'running://server.key' set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 15 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa list list1 method 2 local set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/ydJ786oMV0q6ZspBm88r/dTzdzGH8IlSOqWClCKnpHBorjeOwMR/j2UIQln8Cc72flHHjkF2CQQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.280 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.280/0.280/0.280/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1/O2gal6pGL4cbIGlBfksOoCC5QPKw5zig= set interfaces ethernet eth1 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+RADIUS Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name testing
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.325 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.325/0.325/0.325/0.000 ms
Test 802.1x Authentication Failopen RADIUS Failure
Description
DUT0 is configured to perform authentication using two different methods: a remote RADIUS server and a local database. It is also configured to authorise the port by default if the RADIUS servers are not reachable. As the remote RADIUS server is reachable, the fail-open policy should not be triggered.
Scenario
Note
Execute the following operational commands in DUT0 to
generate the required x509 files:
Show output
pki generate private-key running://ca.key rsa pki generate certificate running://ca.crt x509 private-key running://ca.key days 365 pki generate private-key running://server.key rsa pki generate csr running://server.csr private-key running://server.key pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-cert 'running://server.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-key 'running://server.key' set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa list list1 method 2 local set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX194Qv1wHUyE/MArbGy22ZP/A/JgAMJxp5NsB5e68UxUtklIv9kh7/WBJ29k9EhRuU+j6uEFkG6QDw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.216 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.216/0.216/0.216/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1/koqkxHNLBTnDoYPc83S2CtCJkGCmGmWI= set interfaces ethernet eth1 supplicant username bad_username set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 0 EAPoL Frames (Tx) 0 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 0 Req ID Frames (Rx) 0 Resp Frames (Tx) 0 Start Frames (Tx) 0
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 9 EAPoL Frames (Tx) 10 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 8 Req ID Frames (Rx) 1 Resp Frames (Tx) 9 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 10 EAPoL Frames (Tx) 10 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 8 Req ID Frames (Rx) 1 Resp Frames (Tx) 9 Start Frames (Tx) 1
Step 7: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 8 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 10 EAPoL frames (Tx) 10 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name N/A
Step 8: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test 802.1x Authentication RADIUS Success Fallback to Failopen
Description
DUT0 is configured to perform authentication using two different methods: a remote RADIUS server and local database. It is also configured to authorise the port by default if the RADIUS servers are not reachable. Initially, when the RADIUS server is reachable the user should be authenticated based on its decision. When the RADIUS server becomes unreachable, the failover policy triggers. As the provided identity is not found in the local database, the fail-open policy triggers and authenticates the port.
Scenario
Note
Execute the following operational commands in DUT0 to
generate the required x509 files:
Show output
pki generate private-key running://ca.key rsa pki generate certificate running://ca.crt x509 private-key running://ca.key days 365 pki generate private-key running://server.key rsa pki generate csr running://server.csr private-key running://server.key pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-cert 'running://server.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-key 'running://server.key' set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 15 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa list list1 method 2 local set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+NEM/K40rmViTtH73vu1yj1EGf50qYWuSy1Eavp9MQQk943ofU+mKBOkNqbkHjfmYYHGWnWZ4vpQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.322 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.322/0.322/0.322/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX18i9FpNl5mWG886br27OwBBSpWGxKRRKpE= set interfaces ethernet eth1 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+RADIUS Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name testing
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.383 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.383/0.383/0.383/0.000 ms
Note
The following configuration lines are added to drop RADIUS UDP packets sent to the authentication server.
Show output
set interfaces eth0 traffic policy out DROP_UDP set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic policy DROP_UDP rule 1 action drop set traffic selector SEL_UDP rule 1 protocol udp
Step 8: Modify the following configuration lines in DUT0 :
set interfaces ethernet eth0 traffic policy out DROP_UDP set traffic policy DROP_UDP rule 1 action drop set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic selector SEL_UDP rule 1 protocol udp
Step 9: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 10: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 11: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 12: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 13: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 14: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 15: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 16: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 17: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 18: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 19: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 20: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 21: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
-------------------------------------- Field Value -------------------------------------- EAP State IDLE PAE State AUTHENTICATING Supplicant Port Status Authorized WPA State COMPLETED
Step 22: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 12 EAPoL Frames (Tx) 12 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 2 Resp Frames (Tx) 11 Start Frames (Tx) 1
Step 23: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
-------------------------------------- Field Value -------------------------------------- EAP State IDLE PAE State AUTHENTICATING Supplicant Port Status Authorized WPA State COMPLETED
Step 24: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 12 EAPoL Frames (Tx) 12 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 2 Resp Frames (Tx) 11 Start Frames (Tx) 1
Step 25: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
-------------------------------------- Field Value -------------------------------------- EAP State IDLE PAE State AUTHENTICATING Supplicant Port Status Authorized WPA State COMPLETED
Step 26: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 12 EAPoL Frames (Tx) 12 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 2 Resp Frames (Tx) 11 Start Frames (Tx) 1
Step 27: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 28: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 31 EAPoL Frames (Tx) 30 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 25 Req ID Frames (Rx) 3 Resp Frames (Tx) 28 Start Frames (Tx) 2
Step 29: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Fail-open Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 6 Authentication Backend Fail-open Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 9 EAPoL frames (Tx) 9 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name default
Step 30: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.513 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.513/0.513/0.513/0.000 ms
Test 802.1x Authentication RADIUS Failure Fallback to Failopen
Description
DUT0 is configured to perform authentication using two different methods: a remote RADIUS server and local database. It is also configured to authorise the port by default if the RADIUS servers are not reachable. Initially, when the RADIUS server is reachable the user should not be authenticated based on its decision. When the RADIUS server becomes unreachable, the failover policy triggers. As the provided identity is not found in the local database, the fail-open policy triggers and authenticates the port.
Scenario
Note
Execute the following operational commands in DUT0 to
generate the required x509 files:
Show output
pki generate private-key running://ca.key rsa pki generate certificate running://ca.crt x509 private-key running://ca.key days 365 pki generate private-key running://server.key rsa pki generate csr running://server.csr private-key running://server.key pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-cert 'running://server.crt' set interfaces ethernet eth1 authenticator 802.1x eap-server x509 server-key 'running://server.key' set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 15 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa list list1 method 2 local set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+GYjGYxOnQC4M/EdP66vtjTFIQL8yJZWl/Lo0hnIwwO8vhuwrXFa+BRfixrqsejMdWr0MJx+mDuA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.464 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.464/0.464/0.464/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1/W84PqfTggaorKpGhU0Z0QlHOLBAfJWDU= set interfaces ethernet eth1 supplicant username bad_username set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 0 EAPoL Frames (Tx) 0 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 0 Req ID Frames (Rx) 0 Resp Frames (Tx) 0 Start Frames (Tx) 0
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 9 EAPoL Frames (Tx) 10 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 8 Req ID Frames (Rx) 1 Resp Frames (Tx) 9 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 10 EAPoL Frames (Tx) 10 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 8 Req ID Frames (Rx) 1 Resp Frames (Tx) 9 Start Frames (Tx) 1
Step 7: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 8 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 10 EAPoL frames (Tx) 10 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name N/A
Step 8: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Note
The following configuration lines are added to drop RADIUS UDP packets sent to the authentication server.
Show output
set interfaces eth0 traffic policy out DROP_UDP set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic policy DROP_UDP rule 1 action drop set traffic selector SEL_UDP rule 1 protocol udp
Step 9: Modify the following configuration lines in DUT0 :
set interfaces ethernet eth0 traffic policy out DROP_UDP set traffic policy DROP_UDP rule 1 action drop set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic selector SEL_UDP rule 1 protocol udp
Step 10: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 11: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 22 EAPoL Frames (Tx) 22 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 18 Req ID Frames (Rx) 2 Resp Frames (Tx) 20 Start Frames (Tx) 2
Step 12: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Fail-open Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 6 Authentication Backend Fail-open Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 9 EAPoL frames (Tx) 9 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name default
Step 13: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.414 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.414/0.414/0.414/0.000 ms