MAB Fallback
This scenario shows how to configure the MAB-fallback authentication mode.
Test Successful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19PCATKJzX2THid7Pl3bxHnPA3vg8IbDObNoZ79UnshALZAmNpF9tiJwyLQT4oqVVVKY0AraBvUuw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.247 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.247/0.247/0.247/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX193bY5Ndsdc57in3tMb6OePdUFV9sJQK2U=
set interfaces ethernet eth1 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
Authorized
---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                    Value
---------------------------------------------
Access Challenges        9
Authentication Backend   RADIUS
Authentication Failures  0
Authentication Mode      802.1X
Authentication Status    Authorized (802.1X)
Authentication Successes 1
EAPoL frames (Rx)        11
EAPoL frames (Tx)        11
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         de:ad:be:ef:6c:11
Session User Name        testing
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.212 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.212/0.212/0.212/0.000 ms
Step 8: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Successful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19br8jMioylFKKTVRBOwUGbFrgS01IGFagk5h29BVNQPycYk8JUEwtJ5Fny/ngMlIgtE5EgpMsspg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.246 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.246/0.246/0.246/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 mac '00:11:22:33:44:55'
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX18di5X3F9JqP8CubNgLz6CWjE4WGcz/tkY=
set interfaces ethernet eth1 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
Authorized
---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                    Value
---------------------------------------------
Access Challenges        9
Authentication Backend   RADIUS
Authentication Failures  0
Authentication Mode      802.1X
Authentication Status    Authorized (802.1X)
Authentication Successes 1
EAPoL frames (Rx)        11
EAPoL frames (Tx)        11
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         00:11:22:33:44:55
Session User Name        testing
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.243 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.243/0.243/0.243/0.000 ms
Step 8: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18Yn+UjQFjJ4SkM2IFZHQg79p0pnFRNgIZbPq/X/85pQR4wtF92obL+UEm9n28axVL8CeSm7d7Xow==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.462 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.462/0.462/0.462/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX18LSWdJ4HOOqaIkE7FWB/od4gzr3ROTJ8k=
set interfaces ethernet eth1 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB

-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         8
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         10
EAPoL frames (Tx)         10
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:11
Session User Name         wrong
Step 5: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.561 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.561/0.561/0.561/0.000 ms
Step 6: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated

May 19 21:18:28.052748 osdx hostapd[140830]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported. May 19 21:18:28.052775 osdx hostapd[140830]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:18:28.053249 osdx hostapd[140830]: connect[radius]: Network is unreachable May 19 21:18:28.052847 osdx hostapd[140830]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 May 19 21:18:28.052856 osdx hostapd[140830]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode May 19 21:18:28.068502 osdx hostapd[140830]: Discovery mode enabled on eth1 May 19 21:18:28.068589 osdx hostapd[140830]: eth1: interface state UNINITIALIZED->ENABLED May 19 21:18:28.068647 osdx hostapd[140830]: eth1: AP-ENABLED May 19 21:18:31.263920 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: New STA de:ad:be:ef:6c:11 added May 19 21:18:31.263931 osdx hostapd[140831]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode May 19 21:18:31.276566 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: start authentication May 19 21:18:31.276625 osdx hostapd[140831]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames May 19 21:18:31.276635 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response May 19 21:18:31.276647 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response May 19 21:18:31.276676 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response May 19 21:18:31.276683 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAPOL-Start from STA May 19 21:18:31.276707 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: unauthorizing port May 19 
21:18:31.276725 osdx hostapd[140831]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication May 19 21:18:31.276768 osdx hostapd[140831]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE May 19 21:18:31.276798 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 165) May 19 21:18:31.277355 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=165 len=10) from STA: EAP Response-Identity (1) May 19 21:18:31.277376 osdx hostapd[140831]: IEEE 802.1X: OSDX-EAP: getDecision: -> PASSTHROUGH May 19 21:18:31.277386 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: STA identity 'wrong' May 19 21:18:31.277434 osdx hostapd[140831]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:18:31.282049 osdx hostapd[140831]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:31.282108 osdx hostapd[140831]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:18:31.282600 osdx hostapd[140831]: eth1: RADIUS Received 80 bytes from RADIUS server May 19 21:18:31.282614 osdx hostapd[140831]: eth1: RADIUS Received RADIUS message May 19 21:18:31.282624 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:31.282668 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=166 len=22) from RADIUS server: EAP-Request-MD5 (4) May 19 21:18:31.282685 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 166) May 19 21:18:31.283146 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=166 len=6) from STA: EAP Response-unknown (3) May 19 21:18:31.283254 osdx hostapd[140831]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:31.283287 osdx hostapd[140831]: eth1: RADIUS Next RADIUS client 
retransmit in 1 seconds May 19 21:18:31.283679 osdx hostapd[140831]: eth1: RADIUS Received 64 bytes from RADIUS server May 19 21:18:31.283693 osdx hostapd[140831]: eth1: RADIUS Received RADIUS message May 19 21:18:31.283702 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:31.283743 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=167 len=6) from RADIUS server: EAP-Request-PEAP (25) May 19 21:18:31.283759 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 167) May 19 21:18:31.284416 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=167 len=194) from STA: EAP Response-PEAP (25) May 19 21:18:31.284515 osdx hostapd[140831]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:31.284537 osdx hostapd[140831]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:18:31.286994 osdx hostapd[140831]: eth1: RADIUS Received 1068 bytes from RADIUS server May 19 21:18:31.287009 osdx hostapd[140831]: eth1: RADIUS Received RADIUS message May 19 21:18:31.287018 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:31.287065 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=168 len=1004) from RADIUS server: EAP-Request-PEAP (25) May 19 21:18:31.287080 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 168) May 19 21:18:31.287447 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=168 len=6) from STA: EAP Response-PEAP (25) May 19 21:18:31.287542 osdx hostapd[140831]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:31.287570 osdx hostapd[140831]: eth1: RADIUS Next 
RADIUS client retransmit in 1 seconds May 19 21:18:31.287912 osdx hostapd[140831]: eth1: RADIUS Received 229 bytes from RADIUS server May 19 21:18:31.287927 osdx hostapd[140831]: eth1: RADIUS Received RADIUS message May 19 21:18:31.287936 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:31.287974 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=169 len=171) from RADIUS server: EAP-Request-PEAP (25) May 19 21:18:31.287989 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 169) May 19 21:18:31.291371 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=169 len=103) from STA: EAP Response-PEAP (25) May 19 21:18:31.291516 osdx hostapd[140831]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:31.291554 osdx hostapd[140831]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:18:31.292304 osdx hostapd[140831]: eth1: RADIUS Received 115 bytes from RADIUS server May 19 21:18:31.292318 osdx hostapd[140831]: eth1: RADIUS Received RADIUS message May 19 21:18:31.292327 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:31.292390 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=170 len=57) from RADIUS server: EAP-Request-PEAP (25) May 19 21:18:31.292410 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 170) May 19 21:18:31.293010 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=170 len=6) from STA: EAP Response-PEAP (25) May 19 21:18:31.293103 osdx hostapd[140831]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:31.293127 osdx hostapd[140831]: eth1: 
RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:18:31.293389 osdx hostapd[140831]: eth1: RADIUS Received 98 bytes from RADIUS server May 19 21:18:31.293404 osdx hostapd[140831]: eth1: RADIUS Received RADIUS message May 19 21:18:31.293415 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:31.293447 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=171 len=40) from RADIUS server: EAP-Request-PEAP (25) May 19 21:18:31.293464 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 171) May 19 21:18:31.293858 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=171 len=41) from STA: EAP Response-PEAP (25) May 19 21:18:31.293938 osdx hostapd[140831]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:31.293961 osdx hostapd[140831]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:18:31.294313 osdx hostapd[140831]: eth1: RADIUS Received 131 bytes from RADIUS server May 19 21:18:31.294328 osdx hostapd[140831]: eth1: RADIUS Received RADIUS message May 19 21:18:31.294337 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:31.294373 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=172 len=73) from RADIUS server: EAP-Request-PEAP (25) May 19 21:18:31.294388 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 172) May 19 21:18:31.294968 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=172 len=95) from STA: EAP Response-PEAP (25) May 19 21:18:31.295103 osdx hostapd[140831]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:31.295143 osdx 
hostapd[140831]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:18:31.295482 osdx hostapd[140831]: eth1: RADIUS Received 104 bytes from RADIUS server May 19 21:18:31.295496 osdx hostapd[140831]: eth1: RADIUS Received RADIUS message May 19 21:18:31.295504 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:31.295541 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=173 len=46) from RADIUS server: EAP-Request-PEAP (25) May 19 21:18:31.295556 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 173) May 19 21:18:31.295898 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=173 len=46) from STA: EAP Response-PEAP (25) May 19 21:18:31.295997 osdx hostapd[140831]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:31.296027 osdx hostapd[140831]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:18:32.296131 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Resending RADIUS message (id=8) May 19 21:18:32.296189 osdx hostapd[140831]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds May 19 21:18:32.296571 osdx hostapd[140831]: eth1: RADIUS Received 44 bytes from RADIUS server May 19 21:18:32.296580 osdx hostapd[140831]: eth1: RADIUS Received RADIUS message May 19 21:18:32.296589 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:32.296677 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=4 id=173 len=4) from RADIUS server: EAP Failure May 19 21:18:32.296750 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 173) May 19 21:18:32.296776 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 
802.1X: unauthorizing port May 19 21:18:32.296785 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) May 19 21:18:32.296792 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately May 19 21:18:32.296802 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Starting RADIUS query May 19 21:18:32.296869 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:11 May 19 21:18:32.296888 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:11 May 19 21:18:32.296916 osdx hostapd[140831]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:32.296941 osdx hostapd[140831]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:18:32.296976 osdx hostapd[140831]: eth1: RADIUS Received 44 bytes from RADIUS server May 19 21:18:32.296983 osdx hostapd[140831]: eth1: RADIUS Received RADIUS message May 19 21:18:32.296989 osdx hostapd[140831]: eth1: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet May 19 21:18:32.297452 osdx hostapd[140831]: eth1: RADIUS Received 20 bytes from RADIUS server May 19 21:18:32.297462 osdx hostapd[140831]: eth1: RADIUS Received RADIUS message May 19 21:18:32.297471 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:32.297479 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Processing RADIUS response May 19 21:18:32.297544 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated May 19 21:18:32.297552 osdx hostapd[140831]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled May 19 21:18:32.297571 osdx hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port May 19 21:18:32.297579 osdx 
hostapd[140831]: eth1: STA de:ad:be:ef:6c:11 RADIUS: starting accounting session 349C58C4C21F972F
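Added example (not part of the original page or the product's own tooling): in the journal above, the MAB query sends the station's MAC address as both User-Name and User-Password, so a port authorized through MAB right after an explicit 802.1X failure was admitted on its MAC address alone. The Python sketch below classifies each station's outcome from hostapd journal lines using the message tokens this page checks for. The sample journal, its MAC addresses and the function names are constructed, and the exact line carrying the "MAB: Authentication failed" token is assumed to follow the same format as the other station lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the journal format shown on this page; MACs and PIDs are made up.
SAMPLE_JOURNAL = """\
May 19 21:00:00.000001 osdx hostapd[1000]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 19 21:00:00.000002 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0a IEEE 802.1X: start authentication
May 19 21:00:00.000003 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0a IEEE 802.1X: STA identity 'testing'
May 19 21:00:00.000004 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0a IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
May 19 21:00:01.000001 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0b IEEE 802.1X: start authentication
May 19 21:00:01.000002 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0b IEEE 802.1X: STA identity 'wrong'
May 19 21:00:01.000003 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0b IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
May 19 21:00:01.000004 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0b IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
May 19 21:00:01.000005 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0b IEEE 802.1X: MAB: Starting RADIUS query
May 19 21:00:01.000006 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0b IEEE 802.1X: MAB: station successfully authenticated
May 19 21:00:01.000007 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0b RADIUS: starting accounting session 0000000000000000
May 19 21:00:02.000001 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0c IEEE 802.1X: start authentication
May 19 21:00:02.000002 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0c IEEE 802.1X: STA identity 'wrong'
May 19 21:00:02.000003 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0c IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
May 19 21:00:02.000004 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0c IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
May 19 21:00:02.000005 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0c IEEE 802.1X: MAB: Authentication failed
May 19 21:00:03.000001 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0d IEEE 802.1X: start authentication
May 19 21:00:03.000002 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0d IEEE 802.1X: MAB: Starting RADIUS query
May 19 21:00:03.000003 osdx hostapd[1000]: eth1: STA 02:00:00:00:00:0d IEEE 802.1X: MAB: station successfully authenticated
"""

# IEEE 802.1X PAE group address: hostapd logs it as a "STA", but it is not a station.
PAE_GROUP = "01:80:c2:00:00:03"

# Per-station lines: "<ifname>: STA <mac> IEEE 802.1X: <message>".
LINE_RE = re.compile(
    r"hostapd\[\d+\]: (?P<ifname>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.1X: (?P<msg>.+)$",
    re.IGNORECASE,
)
IDENTITY_RE = re.compile(r"STA identity '(?P<identity>[^']*)'")


@dataclass
class Session:
    ifname: str
    mac: str
    identity: Optional[str] = None  # EAP identity the supplicant presented, if any
    eap_failed: bool = False        # an explicit 802.1X failure was logged
    outcome: str = "pending"        # pending | 802.1X | MAB | rejected


def classify(journal: str) -> dict:
    """Return {(ifname, mac): Session} with the latest outcome per station."""
    sessions = {}
    for line in journal.splitlines():
        m = LINE_RE.search(line)
        if not m or m["mac"].lower() == PAE_GROUP:
            continue
        key = (m["ifname"], m["mac"].lower())
        s = sessions.setdefault(key, Session(*key))
        msg = m["msg"]
        ident = IDENTITY_RE.fullmatch(msg)
        if msg == "start authentication":
            # A new attempt replaces whatever the previous one concluded.
            s.identity, s.eap_failed, s.outcome = None, False, "pending"
        elif ident:
            s.identity = ident["identity"]
        elif msg.startswith("authentication failed - EAP type"):
            s.eap_failed, s.outcome = True, "rejected"
        elif msg.startswith("authenticated - EAP type"):
            s.outcome = "802.1X"
        elif msg == "MAB: station successfully authenticated":
            s.outcome = "MAB"
        elif msg == "MAB: Authentication failed":
            s.outcome = "rejected"
    return sessions


def mab_after_eap_failure(sessions: dict) -> list:
    """Stations that presented 802.1X credentials, were refused, and were
    then authorized by MAC address only."""
    return [s for s in sessions.values() if s.outcome == "MAB" and s.eap_failed]


if __name__ == "__main__":
    found = classify(SAMPLE_JOURNAL)
    for s in found.values():
        print(f"{s.ifname} {s.mac} identity={s.identity!r} outcome={s.outcome}")
    for s in mab_after_eap_failure(found):
        print(f"REVIEW: {s.mac} failed 802.1X as {s.identity!r}, then authorized via MAB")
```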
Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+A2GMbYcIuLaqUi+ZIMVgPajprv15qTB3oGo+oVfM1cSPbLbdqPvK4lkrYjvbI31XsjQqhWLF38g==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.478 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.478/0.478/0.478/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 mac '00:11:22:33:44:55'
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX195d6IFIy7533pOK2/jqdydi38X9Hmeu/U=
set interfaces ethernet eth1 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+Unauthorized

---------------------------------
Field                Value
---------------------------------
EAPoL Frames (Rx)    10
EAPoL Frames (Tx)    10
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Unauthorized
Req Frames (Rx)      8
Req ID Frames (Rx)   1
Resp Frames (Tx)     9
Start Frames (Tx)    1
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?

-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         8
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       N/A
Authentication Status     Unauthorized
Authentication Successes  0
EAPoL frames (Rx)         10
EAPoL frames (Tx)         10
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         N/A
Step 6: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed

May 19 21:18:38.994082 osdx hostapd[141393]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported. May 19 21:18:38.994091 osdx hostapd[141393]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:18:38.994320 osdx hostapd[141393]: connect[radius]: Network is unreachable May 19 21:18:38.994158 osdx hostapd[141393]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 May 19 21:18:38.994161 osdx hostapd[141393]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode May 19 21:18:39.009981 osdx hostapd[141393]: Discovery mode enabled on eth1 May 19 21:18:39.010033 osdx hostapd[141393]: eth1: interface state UNINITIALIZED->ENABLED May 19 21:18:39.010033 osdx hostapd[141393]: eth1: AP-ENABLED May 19 21:18:42.252631 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added May 19 21:18:42.252659 osdx hostapd[141394]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode May 19 21:18:42.266041 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication May 19 21:18:42.266076 osdx hostapd[141394]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames May 19 21:18:42.266082 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response May 19 21:18:42.266085 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response May 19 21:18:42.266103 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response May 19 21:18:42.266107 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA May 19 21:18:42.266126 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port May 19 
21:18:42.266139 osdx hostapd[141394]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication May 19 21:18:42.266156 osdx hostapd[141394]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE May 19 21:18:42.266172 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 225) May 19 21:18:42.266535 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=225 len=10) from STA: EAP Response-Identity (1) May 19 21:18:42.266548 osdx hostapd[141394]: IEEE 802.1X: OSDX-EAP: getDecision: -> PASSTHROUGH May 19 21:18:42.266553 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' May 19 21:18:42.266584 osdx hostapd[141394]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:18:42.269003 osdx hostapd[141394]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:42.269032 osdx hostapd[141394]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:18:42.269319 osdx hostapd[141394]: eth1: RADIUS Received 80 bytes from RADIUS server May 19 21:18:42.269325 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message May 19 21:18:42.269329 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:42.269353 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=226 len=22) from RADIUS server: EAP-Request-MD5 (4) May 19 21:18:42.269361 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 226) May 19 21:18:42.269588 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=226 len=6) from STA: EAP Response-unknown (3) May 19 21:18:42.269636 osdx hostapd[141394]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:42.269650 osdx hostapd[141394]: eth1: RADIUS Next RADIUS client 
retransmit in 1 seconds May 19 21:18:42.269802 osdx hostapd[141394]: eth1: RADIUS Received 64 bytes from RADIUS server May 19 21:18:42.269807 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message May 19 21:18:42.269810 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:42.269823 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=227 len=6) from RADIUS server: EAP-Request-PEAP (25) May 19 21:18:42.269829 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 227) May 19 21:18:42.270143 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=227 len=194) from STA: EAP Response-PEAP (25) May 19 21:18:42.270188 osdx hostapd[141394]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:42.270201 osdx hostapd[141394]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:18:42.271722 osdx hostapd[141394]: eth1: RADIUS Received 1068 bytes from RADIUS server May 19 21:18:42.271736 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message May 19 21:18:42.271745 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:18:42.271795 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=228 len=1004) from RADIUS server: EAP-Request-PEAP (25) May 19 21:18:42.271812 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 228) May 19 21:18:42.272075 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=228 len=6) from STA: EAP Response-PEAP (25) May 19 21:18:42.272112 osdx hostapd[141394]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:18:42.272123 osdx hostapd[141394]: eth1: RADIUS Next 
RADIUS client retransmit in 1 seconds
May 19 21:18:42.272215 osdx hostapd[141394]: eth1: RADIUS Received 229 bytes from RADIUS server
May 19 21:18:42.272219 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message
May 19 21:18:42.272222 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 19 21:18:42.272233 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=229 len=171) from RADIUS server: EAP-Request-PEAP (25)
May 19 21:18:42.272238 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 229)
May 19 21:18:42.273433 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=229 len=103) from STA: EAP Response-PEAP (25)
May 19 21:18:42.273474 osdx hostapd[141394]: eth1: RADIUS Sending RADIUS message to authentication server
May 19 21:18:42.273488 osdx hostapd[141394]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
May 19 21:18:42.273756 osdx hostapd[141394]: eth1: RADIUS Received 115 bytes from RADIUS server
May 19 21:18:42.273760 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message
May 19 21:18:42.273763 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 19 21:18:42.273775 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=230 len=57) from RADIUS server: EAP-Request-PEAP (25)
May 19 21:18:42.273780 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 230)
May 19 21:18:42.273934 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=230 len=6) from STA: EAP Response-PEAP (25)
May 19 21:18:42.273972 osdx hostapd[141394]: eth1: RADIUS Sending RADIUS message to authentication server
May 19 21:18:42.273982 osdx hostapd[141394]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
May 19 21:18:42.274072 osdx hostapd[141394]: eth1: RADIUS Received 98 bytes from RADIUS server
May 19 21:18:42.274076 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message
May 19 21:18:42.274079 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 19 21:18:42.274089 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=231 len=40) from RADIUS server: EAP-Request-PEAP (25)
May 19 21:18:42.274094 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 231)
May 19 21:18:42.274191 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=231 len=41) from STA: EAP Response-PEAP (25)
May 19 21:18:42.274219 osdx hostapd[141394]: eth1: RADIUS Sending RADIUS message to authentication server
May 19 21:18:42.274228 osdx hostapd[141394]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
May 19 21:18:42.274315 osdx hostapd[141394]: eth1: RADIUS Received 131 bytes from RADIUS server
May 19 21:18:42.274320 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message
May 19 21:18:42.274322 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 19 21:18:42.274334 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=232 len=73) from RADIUS server: EAP-Request-PEAP (25)
May 19 21:18:42.274339 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 232)
May 19 21:18:42.274512 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=232 len=95) from STA: EAP Response-PEAP (25)
May 19 21:18:42.274540 osdx hostapd[141394]: eth1: RADIUS Sending RADIUS message to authentication server
May 19 21:18:42.274549 osdx hostapd[141394]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
May 19 21:18:42.274647 osdx hostapd[141394]: eth1: RADIUS Received 104 bytes from RADIUS server
May 19 21:18:42.274651 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message
May 19 21:18:42.274654 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 19 21:18:42.274665 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=233 len=46) from RADIUS server: EAP-Request-PEAP (25)
May 19 21:18:42.274671 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 233)
May 19 21:18:42.274765 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=233 len=46) from STA: EAP Response-PEAP (25)
May 19 21:18:42.274792 osdx hostapd[141394]: eth1: RADIUS Sending RADIUS message to authentication server
May 19 21:18:42.274801 osdx hostapd[141394]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
May 19 21:18:43.274912 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
May 19 21:18:43.274982 osdx hostapd[141394]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds
May 19 21:18:43.275348 osdx hostapd[141394]: eth1: RADIUS Received 44 bytes from RADIUS server
May 19 21:18:43.275356 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message
May 19 21:18:43.275366 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 19 21:18:43.275475 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=233 len=4) from RADIUS server: EAP Failure
May 19 21:18:43.275535 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 233)
May 19 21:18:43.275564 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
May 19 21:18:43.275574 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
May 19 21:18:43.275581 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
May 19 21:18:43.275593 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
May 19 21:18:43.275659 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
May 19 21:18:43.275687 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
May 19 21:18:43.275726 osdx hostapd[141394]: eth1: RADIUS Sending RADIUS message to authentication server
May 19 21:18:43.275752 osdx hostapd[141394]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
May 19 21:18:43.275836 osdx hostapd[141394]: eth1: RADIUS Received 44 bytes from RADIUS server
May 19 21:18:43.275845 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message
May 19 21:18:43.275852 osdx hostapd[141394]: eth1: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
May 19 21:18:44.275853 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
May 19 21:18:44.275913 osdx hostapd[141394]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds
May 19 21:18:44.276235 osdx hostapd[141394]: eth1: RADIUS Received 20 bytes from RADIUS server
May 19 21:18:44.276254 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message
May 19 21:18:44.276264 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 19 21:18:44.276273 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
May 19 21:18:44.276367 osdx hostapd[141394]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 19 21:18:44.276373 osdx hostapd[141394]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 19 21:18:44.276381 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
May 19 21:18:44.276388 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
May 19 21:18:44.276405 osdx hostapd[141394]: eth1: RADIUS Received 20 bytes from RADIUS server
May 19 21:18:44.276412 osdx hostapd[141394]: eth1: RADIUS Received RADIUS message
May 19 21:18:44.276418 osdx hostapd[141394]: eth1: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Test Unsupported 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19J/5IZZuAIlguvH9S1BfI/t+s4VKKMZKFYF0tkZ1mD1BTNa5VPp/g93VFlpjzBcAAjnOO/zvZoWg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.218 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.218/0.218/0.218/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.344 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.344/0.344/0.344/0.000 ms
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         0
EAPoL frames (Tx)         4
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:11
Session User Name         N/A
Step 6: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.242 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.242/0.242/0.242/0.000 ms
Step 7: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
May 19 21:18:52.038829 osdx hostapd[141942]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 19 21:18:52.038875 osdx hostapd[141942]: eth1: RADIUS Authentication server 10.215.168.1:1812
May 19 21:18:52.039302 osdx hostapd[141942]: connect[radius]: Network is unreachable
May 19 21:18:52.038940 osdx hostapd[141942]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 19 21:18:52.038948 osdx hostapd[141942]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 19 21:18:52.066592 osdx hostapd[141942]: Discovery mode enabled on eth1
May 19 21:18:52.066679 osdx hostapd[141942]: eth1: interface state UNINITIALIZED->ENABLED
May 19 21:18:52.066679 osdx hostapd[141942]: eth1: AP-ENABLED
May 19 21:18:57.066907 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 DRIVER: Device discovered, triggering MAB authentication
May 19 21:18:57.066942 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: New STA de:ad:be:ef:6c:11 added
May 19 21:18:57.066950 osdx hostapd[141943]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 19 21:18:57.082678 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: start authentication
May 19 21:18:57.082735 osdx hostapd[141943]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
May 19 21:18:57.082744 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
May 19 21:18:57.082750 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
May 19 21:18:57.082772 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: unauthorizing port
May 19 21:18:57.082790 osdx hostapd[141943]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 19 21:18:57.082823 osdx hostapd[141943]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
May 19 21:18:57.082861 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 226)
May 19 21:19:00.084922 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 226)
May 19 21:19:06.089908 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 226)
May 19 21:19:18.099980 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: aborting authentication
May 19 21:19:18.100003 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
May 19 21:19:18.100016 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Starting RADIUS query
May 19 21:19:18.100081 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:11
May 19 21:19:18.104578 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:11
May 19 21:19:18.104605 osdx hostapd[141943]: eth1: RADIUS Authentication server 10.215.168.1:1812
May 19 21:19:18.104788 osdx hostapd[141943]: eth1: RADIUS Sending RADIUS message to authentication server
May 19 21:19:18.104858 osdx hostapd[141943]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
May 19 21:19:18.104908 osdx hostapd[141943]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 19 21:19:18.104941 osdx hostapd[141943]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
May 19 21:19:18.104982 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 115)
May 19 21:19:18.105438 osdx hostapd[141943]: eth1: RADIUS Received 20 bytes from RADIUS server
May 19 21:19:18.105451 osdx hostapd[141943]: eth1: RADIUS Received RADIUS message
May 19 21:19:18.105459 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 19 21:19:18.105468 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Processing RADIUS response
May 19 21:19:18.105496 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:11'
May 19 21:19:18.105521 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated
May 19 21:19:18.105531 osdx hostapd[141943]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 19 21:19:18.105556 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port
May 19 21:19:18.105565 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 RADIUS: starting accounting session 7AA6E20921697AC0
Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18n3QEzfOndqJmPaQfQJU7WKuuOvgqYG/YnD8hJ/9iZpKvAu7JILMxkiP51iqO0cpNGlH7ZT8zKtA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.441 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.441/0.441/0.441/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   2
Authentication Mode       N/A
Authentication Status     Unauthorized
Authentication Successes  0
EAPoL frames (Rx)         0
EAPoL frames (Tx)         4
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         N/A
Step 5: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
May 19 21:19:27.047951 osdx hostapd[142545]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 19 21:19:27.047989 osdx hostapd[142545]: eth1: RADIUS Authentication server 10.215.168.1:1812
May 19 21:19:27.048456 osdx hostapd[142545]: connect[radius]: Network is unreachable
May 19 21:19:27.048069 osdx hostapd[142545]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 19 21:19:27.048077 osdx hostapd[142545]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 19 21:19:27.075690 osdx hostapd[142545]: Discovery mode enabled on eth1
May 19 21:19:27.075754 osdx hostapd[142545]: eth1: interface state UNINITIALIZED->ENABLED
May 19 21:19:27.075778 osdx hostapd[142545]: eth1: AP-ENABLED
May 19 21:19:32.076120 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
May 19 21:19:32.076187 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
May 19 21:19:32.076204 osdx hostapd[142546]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 19 21:19:32.091788 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
May 19 21:19:32.091845 osdx hostapd[142546]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
May 19 21:19:32.091855 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
May 19 21:19:32.091862 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
May 19 21:19:32.091892 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
May 19 21:19:32.091909 osdx hostapd[142546]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 19 21:19:32.091944 osdx hostapd[142546]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
May 19 21:19:32.091975 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 182)
May 19 21:19:35.094108 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 182)
May 19 21:19:41.099141 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 182)
May 19 21:19:53.109075 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
May 19 21:19:53.109098 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
May 19 21:19:53.109109 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
May 19 21:19:53.109175 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
May 19 21:19:53.113711 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
May 19 21:19:53.113737 osdx hostapd[142546]: eth1: RADIUS Authentication server 10.215.168.1:1812
May 19 21:19:53.113892 osdx hostapd[142546]: eth1: RADIUS Sending RADIUS message to authentication server
May 19 21:19:53.113970 osdx hostapd[142546]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
May 19 21:19:53.114026 osdx hostapd[142546]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 19 21:19:53.114061 osdx hostapd[142546]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
May 19 21:19:53.114095 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 68)
May 19 21:19:54.114041 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
May 19 21:19:54.114100 osdx hostapd[142546]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds
May 19 21:19:54.114577 osdx hostapd[142546]: eth1: RADIUS Received 20 bytes from RADIUS server
May 19 21:19:54.114585 osdx hostapd[142546]: eth1: RADIUS Received RADIUS message
May 19 21:19:54.114595 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 19 21:19:54.114603 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
May 19 21:19:54.114694 osdx hostapd[142546]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 19 21:19:54.114702 osdx hostapd[142546]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 19 21:19:54.114710 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
May 19 21:19:54.114716 osdx hostapd[142546]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
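The journal token checks in the MAB fallback scenarios above can be turned into a per-station audit. The Python below is an added example, not part of the original page; its function names, reason labels and the sample journal (assembled from entries shown in the scenarios) are this example's own assumptions. It reports why each station fell back to MAB and whether the port ended up authorized, which is worth tracking because the MAB request carries only the MAC address as User-Name and User-Password.

```python
import re

# 802.1X PAE group address: hostapd logs it as a "STA", but it is not a client.
PAE_GROUP_MAC = "01:80:c2:00:00:03"

# Constructed sample: entries taken from the journal output of the scenarios,
# one per line, as `system journal show | grep "osdx hostapd"` prints them.
SAMPLE_JOURNAL = """\
May 19 21:18:43.275564 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
May 19 21:18:43.275581 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
May 19 21:18:44.276381 osdx hostapd[141394]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
May 19 21:18:57.082772 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: unauthorizing port
May 19 21:18:57.082790 osdx hostapd[141943]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 19 21:19:18.100003 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
May 19 21:19:18.105521 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated
May 19 21:19:18.105556 osdx hostapd[141943]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port
"""

# Matches only per-station entries: "<iface>: STA <mac> <module>: <message>".
LINE_RE = re.compile(
    r"hostapd\[\d+\]: (?P<iface>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<module>[^:]+): (?P<msg>.*)$",
    re.IGNORECASE,
)

# Why the authenticator gave up on 802.1X (labels are this example's own).
FALLBACK_REASONS = {
    "EAP max retrans reached, triggering MAB fallback immediately": "no-eapol-response",
    "802.1X authentication failed, triggering MAB fallback immediately": "eap-failure",
}


def summarize(journal_text):
    """Return {mac: {iface, fallback, mab, port}} from hostapd journal text."""
    stations = {}
    for line in journal_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["mac"].lower() == PAE_GROUP_MAC:
            continue
        st = stations.setdefault(
            m["mac"].lower(),
            {"iface": m["iface"], "fallback": None, "mab": None, "port": "unknown"},
        )
        msg = m["msg"].strip()
        if msg in FALLBACK_REASONS:
            st["fallback"] = FALLBACK_REASONS[msg]
        elif msg == "MAB: station successfully authenticated":
            st["mab"] = "accept"
        elif msg.startswith("MAB: Authentication failed"):
            st["mab"] = "reject"
        # Exact match: "unauthorizing port" contains "authorizing port".
        elif msg in ("authorizing port", "unauthorizing port"):
            st["port"] = "authorized" if msg == "authorizing port" else "unauthorized"
    return stations


def mab_authorized(stations):
    """MACs whose port was opened by MAB, i.e. on the strength of the MAC alone."""
    return sorted(
        mac for mac, st in stations.items()
        if st["mab"] == "accept" and st["port"] == "authorized"
    )


if __name__ == "__main__":
    for mac, st in summarize(SAMPLE_JOURNAL).items():
        print(mac, st)
```

The parser expects one journal entry per line and needs the authenticator's log-level set to debug, as in the scenario configuration, for the MAB messages to be present.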