Mab First
This scenario shows how to configure the MAB-first
authentication mode.
Test Successful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode MAB-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18vcWiFYQxrF80UfAxn71l821mpw1lueeP+hAUwAEKE3GsX/y0pUI5knmk98qRXG5m605xZDh2sag== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.334 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.334/0.334/0.334/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX18lt+obtY7HlQX550iuy6VxXw6g4TG//O8= set interfaces ethernet eth1 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 1 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name N/A
Step 5: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.562 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.562/0.562/0.562/0.000 ms
Step 6: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
May 19 21:14:54.035937 osdx hostapd[133530]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported. May 19 21:14:54.035948 osdx hostapd[133530]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:14:54.036170 osdx hostapd[133530]: connect[radius]: Network is unreachable May 19 21:14:54.035984 osdx hostapd[133530]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 May 19 21:14:54.035988 osdx hostapd[133530]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode May 19 21:14:54.063823 osdx hostapd[133530]: Discovery mode enabled on eth1 May 19 21:14:54.063875 osdx hostapd[133530]: eth1: interface state UNINITIALIZED->ENABLED May 19 21:14:54.063875 osdx hostapd[133530]: eth1: AP-ENABLED May 19 21:14:57.243540 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: New STA de:ad:be:ef:6c:11 added May 19 21:14:57.243575 osdx hostapd[133531]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode May 19 21:14:57.255823 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB-first mode: Starting MAB authentication May 19 21:14:57.255856 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Starting RADIUS query May 19 21:14:57.255874 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:11 May 19 21:14:57.258137 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:11 May 19 21:14:57.258150 osdx hostapd[133531]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:14:57.258230 osdx hostapd[133531]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:14:57.258262 osdx hostapd[133531]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:14:57.258286 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAPOL-Start from STA May 19 21:14:57.258562 osdx hostapd[133531]: eth1: RADIUS Received 20 bytes from RADIUS server May 19 21:14:57.258570 osdx hostapd[133531]: eth1: RADIUS Received RADIUS message May 19 21:14:57.258573 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:14:57.258576 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Processing RADIUS response May 19 21:14:57.258589 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:11' May 19 21:14:57.258602 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated May 19 21:14:57.258605 osdx hostapd[133531]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled May 19 21:14:57.258613 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port May 19 21:14:57.258616 osdx hostapd[133531]: eth1: STA de:ad:be:ef:6c:11 RADIUS: starting accounting session 5D2C3E88F0CD4BCF
Test Successful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode MAB-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+7f8V47fdEc+HGKew4nittDDV3gfbY37M1opVOc+R0sniRaW7kFqDbBsZwjWSGy963U5BbpWHVOA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.236 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.236/0.236/0.236/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1+tDkRTPKBrkMMXnBv6E0bGPgaOYTCh8/o= set interfaces ethernet eth1 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 1 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name N/A
Step 5: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.483 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.483/0.483/0.483/0.000 ms
Step 6: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
May 19 21:15:05.033025 osdx hostapd[134089]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported. May 19 21:15:05.033038 osdx hostapd[134089]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:15:05.033305 osdx hostapd[134089]: connect[radius]: Network is unreachable May 19 21:15:05.033078 osdx hostapd[134089]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 May 19 21:15:05.033082 osdx hostapd[134089]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode May 19 21:15:05.056963 osdx hostapd[134089]: Discovery mode enabled on eth1 May 19 21:15:05.057048 osdx hostapd[134089]: eth1: interface state UNINITIALIZED->ENABLED May 19 21:15:05.057048 osdx hostapd[134089]: eth1: AP-ENABLED May 19 21:15:08.208564 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: New STA de:ad:be:ef:6c:11 added May 19 21:15:08.208592 osdx hostapd[134090]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode May 19 21:15:08.224983 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB-first mode: Starting MAB authentication May 19 21:15:08.225049 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Starting RADIUS query May 19 21:15:08.225088 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:11 May 19 21:15:08.229580 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:11 May 19 21:15:08.229605 osdx hostapd[134090]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:15:08.229787 osdx hostapd[134090]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:08.229843 osdx hostapd[134090]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:08.229901 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAPOL-Start from STA May 19 21:15:08.230367 osdx hostapd[134090]: eth1: RADIUS Received 20 bytes from RADIUS server May 19 21:15:08.230380 osdx hostapd[134090]: eth1: RADIUS Received RADIUS message May 19 21:15:08.230388 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:08.230396 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Processing RADIUS response May 19 21:15:08.230420 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:11' May 19 21:15:08.230449 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated May 19 21:15:08.230456 osdx hostapd[134090]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled May 19 21:15:08.230477 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port May 19 21:15:08.230485 osdx hostapd[134090]: eth1: STA de:ad:be:ef:6c:11 RADIUS: starting accounting session CA165220678B8E13
Test Successful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode MAB-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+yHgPQAR28q3JL39tw7AvV0qZzfvFekRGnm6QAePALN3A1YfiGGDC1V8oZu/qXO6O183IrHBoWMA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.161 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.161/0.161/0.161/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.619 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.619/0.619/0.619/0.000 ms
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name N/A
Step 6: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.256 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.256/0.256/0.256/0.000 ms
Step 7: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
May 19 21:15:16.035469 osdx hostapd[134648]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported. May 19 21:15:16.035492 osdx hostapd[134648]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:15:16.035824 osdx hostapd[134648]: connect[radius]: Network is unreachable May 19 21:15:16.035538 osdx hostapd[134648]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 May 19 21:15:16.035544 osdx hostapd[134648]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode May 19 21:15:16.051187 osdx hostapd[134648]: Discovery mode enabled on eth1 May 19 21:15:16.051312 osdx hostapd[134648]: eth1: interface state UNINITIALIZED->ENABLED May 19 21:15:16.051312 osdx hostapd[134648]: eth1: AP-ENABLED May 19 21:15:21.051489 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 DRIVER: Device discovered, triggering MAB authentication May 19 21:15:21.051520 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: New STA de:ad:be:ef:6c:11 added May 19 21:15:21.051527 osdx hostapd[134649]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode May 19 21:15:21.067242 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB-first mode: Starting MAB authentication May 19 21:15:21.067300 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Starting RADIUS query May 19 21:15:21.067339 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:11 May 19 21:15:21.071554 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:11 May 19 21:15:21.071575 osdx hostapd[134649]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:15:21.071701 osdx hostapd[134649]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:21.071747 osdx hostapd[134649]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:21.072226 osdx hostapd[134649]: eth1: RADIUS Received 20 bytes from RADIUS server May 19 21:15:21.072236 osdx hostapd[134649]: eth1: RADIUS Received RADIUS message May 19 21:15:21.072243 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:21.072250 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Processing RADIUS response May 19 21:15:21.072266 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:11' May 19 21:15:21.072287 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated May 19 21:15:21.072294 osdx hostapd[134649]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled May 19 21:15:21.072310 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port May 19 21:15:21.072316 osdx hostapd[134649]: eth1: STA de:ad:be:ef:6c:11 RADIUS: starting accounting session 51043162EB7C1902
Test Unsuccessful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode MAB-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/JDUiJCtW+kCFpRZ4sRxLcDlqjKGp7t/tiZMArkOdTHNmGmXD35HwHbyMbbEhOV2Nsoz3Tv+T56g== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.234 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.234/0.234/0.234/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 mac '00:11:22:33:44:55' set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX19FiNvpPja5sWNclE7kbyiSxXY+gLvSvs8= set interfaces ethernet eth1 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name testing
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.364 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.364/0.364/0.364/0.000 ms
Step 8: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: authenticated - EAP type: 25 (PEAP)Show output
May 19 21:15:31.001742 osdx hostapd[135215]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported. May 19 21:15:31.001753 osdx hostapd[135215]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:15:31.001944 osdx hostapd[135215]: connect[radius]: Network is unreachable May 19 21:15:31.001790 osdx hostapd[135215]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 May 19 21:15:31.001793 osdx hostapd[135215]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode May 19 21:15:31.021681 osdx hostapd[135215]: Discovery mode enabled on eth1 May 19 21:15:31.021814 osdx hostapd[135215]: eth1: interface state UNINITIALIZED->ENABLED May 19 21:15:31.021814 osdx hostapd[135215]: eth1: AP-ENABLED May 19 21:15:34.333094 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added May 19 21:15:34.333107 osdx hostapd[135216]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode May 19 21:15:34.345663 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication May 19 21:15:34.345689 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query May 19 21:15:34.345706 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 May 19 21:15:34.347354 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 May 19 21:15:34.347364 osdx hostapd[135216]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:15:34.347441 osdx hostapd[135216]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:34.347467 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:34.347494 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA May 19 21:15:35.347576 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) May 19 21:15:35.347646 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds May 19 21:15:35.348009 osdx hostapd[135216]: eth1: RADIUS Received 20 bytes from RADIUS server May 19 21:15:35.348020 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.348032 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:35.348040 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response May 19 21:15:35.348140 osdx hostapd[135216]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled May 19 21:15:35.348147 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X May 19 21:15:35.348154 osdx hostapd[135216]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames May 19 21:15:35.348160 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started May 19 21:15:35.348175 osdx hostapd[135216]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication May 19 21:15:35.348193 osdx hostapd[135216]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE May 19 21:15:35.348216 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 68) May 19 21:15:35.348245 osdx hostapd[135216]: eth1: RADIUS Received 20 bytes from RADIUS server May 19 21:15:35.348251 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.348257 osdx hostapd[135216]: eth1: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet May 19 21:15:35.348964 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=68 len=12) from STA: EAP Response-Identity (1) May 19 21:15:35.348981 osdx hostapd[135216]: IEEE 802.1X: OSDX-EAP: getDecision: -> PASSTHROUGH May 19 21:15:35.348991 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing' May 19 21:15:35.349129 osdx hostapd[135216]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:35.349162 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:35.349610 osdx hostapd[135216]: eth1: RADIUS Received 80 bytes from RADIUS server May 19 21:15:35.349617 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.349645 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:35.349695 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=69 len=22) from RADIUS server: EAP-Request-MD5 (4) May 19 21:15:35.349710 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 69) May 19 21:15:35.350232 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=69 len=6) from STA: EAP Response-unknown (3) May 19 21:15:35.350403 osdx hostapd[135216]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:35.350445 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:35.350873 osdx hostapd[135216]: eth1: RADIUS Received 64 bytes from RADIUS server May 19 21:15:35.350889 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.350900 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:35.350969 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=70 len=6) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:35.350987 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 70) May 19 21:15:35.351937 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=70 len=194) from STA: EAP Response-PEAP (25) May 19 21:15:35.352065 osdx hostapd[135216]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:35.352102 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:35.354601 osdx hostapd[135216]: eth1: RADIUS Received 1068 bytes from RADIUS server May 19 21:15:35.354619 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.354632 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:35.354699 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=71 len=1004) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:35.354722 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 71) May 19 21:15:35.355187 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=71 len=6) from STA: EAP Response-PEAP (25) May 19 21:15:35.355312 osdx hostapd[135216]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:35.355355 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:35.355689 osdx hostapd[135216]: eth1: RADIUS Received 229 bytes from RADIUS server May 19 21:15:35.355707 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.355719 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:35.355768 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=72 len=171) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:35.355789 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 72) May 19 21:15:35.359418 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=72 len=103) from STA: EAP Response-PEAP (25) May 19 21:15:35.359553 osdx hostapd[135216]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:35.359596 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:35.360268 osdx hostapd[135216]: eth1: RADIUS Received 115 bytes from RADIUS server May 19 21:15:35.360282 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.360290 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:35.360335 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=73 len=57) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:35.360355 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 73) May 19 21:15:35.360839 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=73 len=6) from STA: EAP Response-PEAP (25) May 19 21:15:35.360942 osdx hostapd[135216]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:35.360975 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:35.361173 osdx hostapd[135216]: eth1: RADIUS Received 98 bytes from RADIUS server May 19 21:15:35.361186 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.361192 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:35.361224 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=74 len=40) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:35.361239 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 74) May 19 21:15:35.361536 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=74 len=43) from STA: EAP Response-PEAP (25) May 19 21:15:35.361611 osdx hostapd[135216]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:35.361658 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:35.361877 osdx hostapd[135216]: eth1: RADIUS Received 131 bytes from RADIUS server May 19 21:15:35.361889 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.361896 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:35.361946 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=75 len=73) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:35.361963 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 75) May 19 21:15:35.362444 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=75 len=97) from STA: EAP Response-PEAP (25) May 19 21:15:35.362515 osdx hostapd[135216]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:35.362543 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:35.362798 osdx hostapd[135216]: eth1: RADIUS Received 140 bytes from RADIUS server May 19 21:15:35.362811 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.362818 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:35.362847 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=76 len=82) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:35.362859 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 76) May 19 21:15:35.363194 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=76 len=37) from STA: EAP Response-PEAP (25) May 19 21:15:35.363266 osdx hostapd[135216]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:35.363292 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:35.363657 osdx hostapd[135216]: eth1: RADIUS Received 104 bytes from RADIUS server May 19 21:15:35.363670 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.363676 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:35.363705 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=77 len=46) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:35.363717 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 77) May 19 21:15:35.364103 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=77 len=46) from STA: EAP Response-PEAP (25) May 19 21:15:35.364178 osdx hostapd[135216]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:35.364200 osdx hostapd[135216]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:35.364511 osdx hostapd[135216]: eth1: RADIUS Received 175 bytes from RADIUS server May 19 21:15:35.364524 osdx hostapd[135216]: eth1: RADIUS Received RADIUS message May 19 21:15:35.364530 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:35.364576 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' May 19 21:15:35.364589 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=77 len=4) from RADIUS server: EAP Success May 19 21:15:35.364629 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 77) May 19 21:15:35.364668 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port May 19 21:15:35.364678 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 RADIUS: starting accounting session FAFDC1D5A8490113 May 19 21:15:35.364703 osdx hostapd[135216]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode MAB-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+7txtUs8QWAc75gcPed2+IhbFTLyBArwVzz4o0FqRLHLoWTtIemxTfJhpYZmq4TRlr+mkPjGoGXA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.234 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.234/0.234/0.234/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 mac '00:11:22:33:44:55' set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX19G3pSBtGzFzJDZ3ROhiLzQ09fbjpf3rvM= set interfaces ethernet eth1 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 9 EAPoL Frames (Tx) 10 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 8 Req ID Frames (Rx) 1 Resp Frames (Tx) 9 Start Frames (Tx) 1
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 8 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 10 EAPoL frames (Tx) 9 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 6: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)Show output
May 19 21:15:43.025668 osdx hostapd[135779]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported. May 19 21:15:43.025679 osdx hostapd[135779]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:15:43.025908 osdx hostapd[135779]: connect[radius]: Network is unreachable May 19 21:15:43.025712 osdx hostapd[135779]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 May 19 21:15:43.025716 osdx hostapd[135779]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode May 19 21:15:43.053589 osdx hostapd[135779]: Discovery mode enabled on eth1 May 19 21:15:43.053706 osdx hostapd[135779]: eth1: interface state UNINITIALIZED->ENABLED May 19 21:15:43.053706 osdx hostapd[135779]: eth1: AP-ENABLED May 19 21:15:46.346986 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added May 19 21:15:46.347001 osdx hostapd[135780]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode May 19 21:15:46.369651 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication May 19 21:15:46.369717 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query May 19 21:15:46.369772 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 May 19 21:15:46.374337 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 May 19 21:15:46.374363 osdx hostapd[135780]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:15:46.374562 osdx hostapd[135780]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:46.374631 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:46.374692 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA May 19 21:15:47.374730 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) May 19 21:15:47.374790 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds May 19 21:15:47.375201 osdx hostapd[135780]: eth1: RADIUS Received 20 bytes from RADIUS server May 19 21:15:47.375210 osdx hostapd[135780]: eth1: RADIUS Received RADIUS message May 19 21:15:47.375220 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:47.375229 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response May 19 21:15:47.375337 osdx hostapd[135780]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled May 19 21:15:47.375346 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X May 19 21:15:47.375355 osdx hostapd[135780]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames May 19 21:15:47.375363 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started May 19 21:15:47.375382 osdx hostapd[135780]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication May 19 21:15:47.375407 osdx hostapd[135780]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE May 19 21:15:47.375433 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 251) May 19 21:15:47.376151 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=251 len=10) from STA: EAP Response-Identity (1) May 19 21:15:47.376179 osdx hostapd[135780]: IEEE 802.1X: OSDX-EAP: getDecision: -> PASSTHROUGH May 19 21:15:47.376189 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' May 19 21:15:47.376318 osdx hostapd[135780]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:47.376353 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:47.376817 osdx hostapd[135780]: eth1: RADIUS Received 80 bytes from RADIUS server May 19 21:15:47.376840 osdx hostapd[135780]: eth1: RADIUS Received RADIUS message May 19 21:15:47.376849 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:47.376891 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=252 len=22) from RADIUS server: EAP-Request-MD5 (4) May 19 21:15:47.376907 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 252) May 19 21:15:47.377431 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=252 len=6) from STA: EAP Response-unknown (3) May 19 21:15:47.377565 osdx hostapd[135780]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:47.377593 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:47.378077 osdx hostapd[135780]: eth1: RADIUS Received 64 bytes from RADIUS server May 19 21:15:47.378090 osdx hostapd[135780]: eth1: RADIUS Received RADIUS message May 19 21:15:47.378097 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:47.378131 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=253 len=6) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:47.378145 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 253) May 19 21:15:47.378890 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=253 len=194) from STA: EAP Response-PEAP (25) May 19 21:15:47.378990 osdx hostapd[135780]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:47.379023 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:47.381614 osdx hostapd[135780]: eth1: RADIUS Received 1068 bytes from RADIUS server May 19 21:15:47.381633 osdx hostapd[135780]: eth1: RADIUS Received RADIUS message May 19 21:15:47.381644 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:47.381719 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=254 len=1004) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:47.381741 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 254) May 19 21:15:47.382156 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=254 len=6) from STA: EAP Response-PEAP (25) May 19 21:15:47.382259 osdx hostapd[135780]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:47.382292 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:47.382582 osdx hostapd[135780]: eth1: RADIUS Received 229 bytes from RADIUS server May 19 21:15:47.382597 osdx hostapd[135780]: eth1: RADIUS Received RADIUS message May 19 21:15:47.382609 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:47.382651 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=255 len=171) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:47.382668 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 255) May 19 21:15:47.385707 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=255 len=103) from STA: EAP Response-PEAP (25) May 19 21:15:47.385809 osdx hostapd[135780]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:47.385850 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:47.386649 osdx hostapd[135780]: eth1: RADIUS Received 115 bytes from RADIUS server May 19 21:15:47.386664 osdx hostapd[135780]: eth1: RADIUS Received RADIUS message May 19 21:15:47.386671 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:47.386723 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=0 len=57) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:47.386741 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 0) May 19 21:15:47.387216 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=0 len=6) from STA: EAP Response-PEAP (25) May 19 21:15:47.387308 osdx hostapd[135780]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:47.387339 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:47.387626 osdx hostapd[135780]: eth1: RADIUS Received 98 bytes from RADIUS server May 19 21:15:47.387637 osdx hostapd[135780]: eth1: RADIUS Received RADIUS message May 19 21:15:47.387644 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:47.387667 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=1 len=40) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:47.387676 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 1) May 19 21:15:47.387877 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=1 len=41) from STA: EAP Response-PEAP (25) May 19 21:15:47.387922 osdx hostapd[135780]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:47.387937 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:47.388115 osdx hostapd[135780]: eth1: RADIUS Received 131 bytes from RADIUS server May 19 21:15:47.388122 osdx hostapd[135780]: eth1: RADIUS Received RADIUS message May 19 21:15:47.388126 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:47.388143 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=2 len=73) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:47.388152 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 2) May 19 21:15:47.388397 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=2 len=95) from STA: EAP Response-PEAP (25) May 19 21:15:47.388440 osdx hostapd[135780]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:47.388454 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:47.388759 osdx hostapd[135780]: eth1: RADIUS Received 104 bytes from RADIUS server May 19 21:15:47.388770 osdx hostapd[135780]: eth1: RADIUS Received RADIUS message May 19 21:15:47.388777 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:47.388809 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=3 len=46) from RADIUS server: EAP-Request-PEAP (25) May 19 21:15:47.388837 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 3) May 19 21:15:47.389145 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=3 len=46) from STA: EAP Response-PEAP (25) May 19 21:15:47.389220 osdx hostapd[135780]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:15:47.389245 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:15:48.389355 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8) May 19 21:15:48.389415 osdx hostapd[135780]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds May 19 21:15:48.389758 osdx hostapd[135780]: eth1: RADIUS Received 44 bytes from RADIUS server May 19 21:15:48.389767 osdx hostapd[135780]: eth1: RADIUS Received RADIUS message May 19 21:15:48.389776 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:15:48.389877 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=3 len=4) from RADIUS server: EAP Failure May 19 21:15:48.389940 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 3) May 19 21:15:48.389967 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port May 19 21:15:48.389992 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) May 19 21:15:48.390000 osdx hostapd[135780]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds) May 19 21:15:48.390014 osdx hostapd[135780]: eth1: RADIUS Received 44 bytes from RADIUS server May 19 21:15:48.390022 osdx hostapd[135780]: eth1: RADIUS Received RADIUS message May 19 21:15:48.390032 osdx hostapd[135780]: eth1: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode MAB-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19jrRxlDRU7N7214eJG1wJVPDMa9RBjoVcvNN98Er7trBGtUcLYIJCyi945frzHbkPLxCCx8Faoig== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.369 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.369/0.369/0.369/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 mac '00:11:22:33:44:55' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 0 EAPoL frames (Tx) 2 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 5: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: EAP authentication timeoutShow output
May 19 21:15:55.156172 osdx hostapd[136331]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported. May 19 21:15:55.156215 osdx hostapd[136331]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:15:55.156683 osdx hostapd[136331]: connect[radius]: Network is unreachable May 19 21:15:55.156297 osdx hostapd[136331]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 May 19 21:15:55.156305 osdx hostapd[136331]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode May 19 21:15:55.191939 osdx hostapd[136331]: Discovery mode enabled on eth1 May 19 21:15:55.192010 osdx hostapd[136331]: eth1: interface state UNINITIALIZED->ENABLED May 19 21:15:55.192047 osdx hostapd[136331]: eth1: AP-ENABLED May 19 21:16:00.192343 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication May 19 21:16:00.192419 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added May 19 21:16:00.192438 osdx hostapd[136332]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode May 19 21:16:00.208015 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication May 19 21:16:00.208086 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query May 19 21:16:00.208139 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 May 19 21:16:00.212647 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 May 19 21:16:00.212673 osdx hostapd[136332]: eth1: RADIUS Authentication server 10.215.168.1:1812 May 19 21:16:00.212840 osdx hostapd[136332]: eth1: RADIUS Sending RADIUS message to authentication server May 19 21:16:00.212897 osdx hostapd[136332]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds May 19 21:16:01.212989 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) May 19 21:16:01.213046 osdx hostapd[136332]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds May 19 21:16:01.213554 osdx hostapd[136332]: eth1: RADIUS Received 20 bytes from RADIUS server May 19 21:16:01.213562 osdx hostapd[136332]: eth1: RADIUS Received RADIUS message May 19 21:16:01.213571 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec May 19 21:16:01.213580 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response May 19 21:16:01.213660 osdx hostapd[136332]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled May 19 21:16:01.213667 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X May 19 21:16:01.213674 osdx hostapd[136332]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames May 19 21:16:01.213681 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started May 19 21:16:01.213697 osdx hostapd[136332]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication May 19 21:16:01.213716 osdx hostapd[136332]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE May 19 21:16:01.213738 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 192) May 19 21:16:04.211270 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 192) May 19 21:16:09.155826 osdx OSDxCLI[103550]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. May 19 21:16:10.216303 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 192) May 19 21:16:17.335676 osdx OSDxCLI[103550]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. May 19 21:16:22.227362 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication May 19 21:16:22.227390 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying May 19 21:16:22.227418 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2) May 19 21:16:22.227425 osdx hostapd[136332]: eth1: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)