Local Mac
This scenario shows how to enable the local MAB authentication using a local MAC address database.
Test Successful MAB Local Authentication
Description
DUT0 is configured to perform MAB authentication using a local MAC address database. DUT1 uses a correct MAC address.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mab local-mac 'DE:AD:BE:EF:6C:11' identity DUT1 set interfaces ethernet eth1 authenticator mode only-MAB set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa list list1 method 1 local set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.180 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.180/0.180/0.180/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.561 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.561/0.561/0.561/0.000 ms
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Local Server Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend Local Server Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name DUT1
Step 6: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.343 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.343/0.343/0.343/0.000 ms
Test Unsuccessful MAB Local Authentication
Description
DUT0 is configured to perform MAB authentication using a local MAC address database. DUT1 uses an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mab local-mac 'DE:AD:BE:EF:6C:11' identity DUT1 set interfaces ethernet eth1 authenticator mode only-MAB set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa list list1 method 1 local set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.225 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.225/0.225/0.225/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 mac '00:11:22:33:44:55' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend Local Server Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 5: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test MAB Local Authentication Failover
Description
DUT0 is configured to perform authentication using two different methods: remote RADIUS server and local database. When the remote server is not reachable, it failovers and uses the local database.
Scenario
Note
The following configuration lines are added to drop RADIUS UDP packets sent to the authentication server.
Show output
set interfaces eth0 traffic policy out DROP_UDP set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic policy DROP_UDP rule 1 action drop set traffic selector SEL_UDP rule 1 protocol udp
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth0 traffic policy out DROP_UDP set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mab local-mac 'DE:AD:BE:EF:6C:11' identity DUT1 set interfaces ethernet eth1 authenticator mode only-MAB set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 15 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa list list1 method 2 local set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18fcxdPcyptFIjnaMvLrk6NPpHwAaGVh3bsPOD8+Zl06hdbl9bIAhzpRxtROh03RJ+IQbydwwSqWA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy DROP_UDP rule 1 action drop set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic selector SEL_UDP rule 1 protocol udp
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.257 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.257/0.257/0.257/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.648 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.648/0.648/0.648/0.000 ms
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Local Server Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend Local Server Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name DUT1
Step 6: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.236 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.236/0.236/0.236/0.000 ms
Note
Delete this configuration line to restore connectivity to
to the RADIUS server and ensure the Authentication Backend
changed from Local Server to RADIUS.
Show output
del interfaces eth0 traffic
Step 7: Modify the following configuration lines in DUT0 :
delete interfaces ethernet eth0 traffic
Step 8: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+RADIUSShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 2 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name DUT1
Test MAB Local Authentication Failopen
Description
DUT0 is configured to perform authentication using a local MAC address database; the fail-open policy is configured as well. As DUT1 uses an incorrect MAC address the fail-open policy will be triggered.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mab local-mac 'DE:AD:BE:EF:6C:11' identity DUT1 set interfaces ethernet eth1 authenticator mode only-MAB set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 3600 set system aaa list list1 method 1 local set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.234 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.234/0.234/0.234/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 mac '00:11:22:33:44:55' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.449 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.449/0.449/0.449/0.000 ms
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Fail-open Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend Fail-open Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 3600 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name default
Step 6: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.591 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.591/0.591/0.591/0.000 ms
Test MAB Local Authentication Failopen Local Success
Description
DUT0 is configured to perform authentication using a local MAC address database; the fail-open policy is configured as well. As DUT1 uses a correct MAC address the fail-open policy will not be triggered.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mab local-mac 'DE:AD:BE:EF:6C:11' identity DUT1 set interfaces ethernet eth1 authenticator mode only-MAB set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 3600 set system aaa list list1 method 1 local set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.491 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.491/0.491/0.491/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.521 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.521/0.521/0.521/0.000 ms
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Local Server Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend Local Server Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 3600 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name DUT1
Step 6: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.495 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.495/0.495/0.495/0.000 ms
Test MAB Authentication Failopen RADIUS Success
Description
DUT0 is configured to perform authentication using two different methods: remote RADIUS server and local MAC address database. The fail-open policy is configured as well. As the RADIUS server is reachable, the fail-open policy should not be triggered.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-MAB set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 15 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa list list1 method 2 local set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+32uviFN75x8ioEHf1Z+KqrfLfH7MbuJ+ac1zEu1E1qZzC9n4LGegh7XcWIsvCFbugLFWxGehjSw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.217 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.217/0.217/0.217/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.680 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.680/0.680/0.680/0.000 ms
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+RADIUS Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 15 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name N/A
Step 6: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.511 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.511/0.511/0.511/0.000 ms
Test MAB Authentication Failopen RADIUS Failure
Description
DUT0 is configured to perform authentication using two different methods: remote RADIUS server and local MAC address database. The fail-open policy is configured as well. As the RADIUS server is reachable, the fail-open policy should not be triggered.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-MAB set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa list list1 method 2 local set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+I7A6soo3ZiLO77PxszBkZXrjTwNgOVWGQbEb9erzSio7Th+7/uB/M4iIOD346ELOHW7JC0h14AA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.410 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.410/0.410/0.410/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 mac '00:11:22:33:44:55' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend Local Server Authentication Failures 2 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 5: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test MAB Authentication RADIUS Success Fallback to Failopen
Description
DUT0 is configured to perform authentication using two different methods: remote RADIUS server and local MAC address database. It is also configured to authorise the port by default if the RADIUS servers are not reachable. Initially, when the RADIUS server is reachable the user should be authenticated based on its decision. When the RADIUS server becomes unreachable, the failover policy triggers. As the provided identity is not found on the local database, the fail-open policy triggers and authenticates the port.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-MAB set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 30 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa list list1 method 2 local set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18nCZfmc3ElL1fWpSdmQ4NZs1jOlCiDr1U7CaOhkvqSMAKqO3k6o938nekNk03Sp1uF0x6Hqy/iCg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.273 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.273/0.273/0.273/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.582 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.582/0.582/0.582/0.000 ms
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+RADIUS Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 30 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name N/A
Step 6: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.263 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.263/0.263/0.263/0.000 ms
Note
The following configuration lines are added to drop RADIUS UDP packets sent to the authentication server.
Show output
set interfaces eth0 traffic policy out DROP_UDP set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic policy DROP_UDP rule 1 action drop set traffic selector SEL_UDP rule 1 protocol udp
Step 7: Modify the following configuration lines in DUT0 :
set interfaces ethernet eth0 traffic policy out DROP_UDP set traffic policy DROP_UDP rule 1 action drop set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic selector SEL_UDP rule 1 protocol udp
Step 8: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.492 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.492/0.492/0.492/0.000 ms
Step 9: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.248 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.248/0.248/0.248/0.000 ms
Step 10: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.298 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.298/0.298/0.298/0.000 ms
Step 11: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.406 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.406/0.406/0.406/0.000 ms
Step 12: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.254 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.254/0.254/0.254/0.000 ms
Step 13: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.517 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.517/0.517/0.517/0.000 ms
Step 14: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.559 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.559/0.559/0.559/0.000 ms
Step 15: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.226 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.226/0.226/0.226/0.000 ms
Step 16: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.215 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.215/0.215/0.215/0.000 ms
Step 17: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Fail-open Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend Fail-open Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 2 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 30 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name default
Step 18: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.230 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.230/0.230/0.230/0.000 ms
Test MAB Authentication RADIUS Failure Fallback to Failopen
Description
DUT0 is configured to perform authentication using two different methods: remote RADIUS server and local MAC address database. It is also configured to authorise the port by default if the RADIUS servers are not reachable. Initially, when the RADIUS server is reachable the user should be authenticated based on its decision. When the RADIUS server becomes unreachable, the failover policy triggers. As the provided identity is not found on the local database, the fail-open policy triggers and authenticates the port.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator fail-open true set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-MAB set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 30 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa list list1 method 2 local set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19cs8SA78cgxHPmQQMX0Esar9OA4WZDscpjghWTetZu2tjfufoOOHCpgTWwd2KGrSN2obENLKwnLg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.207 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.207/0.207/0.207/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 mac '00:11:22:33:44:55' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend Local Server Authentication Failures 2 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 30 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 5: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Note
The following configuration lines are added to drop RADIUS UDP packets sent to the authentication server.
Show output
set interfaces eth0 traffic policy out DROP_UDP set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic policy DROP_UDP rule 1 action drop set traffic selector SEL_UDP rule 1 protocol udp
Step 6: Modify the following configuration lines in DUT0 :
set interfaces ethernet eth0 traffic policy out DROP_UDP set traffic policy DROP_UDP rule 1 action drop set traffic policy DROP_UDP rule 1 selector SEL_UDP set traffic selector SEL_UDP rule 1 protocol udp
Step 7: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+([^0]\d*) Authentication Backend\s+Fail-open Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend Fail-open Authentication Failures 2 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate TRUE Reauthenticate Period 30 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name default
Step 8: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.326 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.326/0.326/0.326/0.000 ms