Acl Ip
This scenario shows how to install custom ACLs from received RADIUS messages (using “NAS-Filter-Rule” attributes and according to RFC3588).
Test 802.1x NAS-Filter-Rule ACLs
Description
DUT0 is configured with an 802.1x-authenticated interface and DUT1 is configured as a supplicant. Some ACLs are configured in the authentication server to filter incoming/outgoing traffic.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set service ssh set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18h73qcaosPVvO1jGQPQpqL42s2RLuO1KwmBrzhbhHhjSo1EbKNIstP+nPI9TXyLLxMEV0F3tQR4w== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.664 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.664/0.664/0.664/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1/x73us09qf1SbKwoFcxp6UTe0mLPgtupk= set interfaces ethernet eth1 supplicant username user_acl_ip set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name user_acl_ip
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.798 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.798/0.798/0.798/0.000 ms
Note
IP Filter Rule ACLs:
Allow incoming/outgoing ICMP traffic to/from 192.168.100.0/24.
Allow management SSH traffic (tcp 22).
Allow incoming UDP flows from 192.168.100.2:1234 towards 192.168.100.1:1234.
Drop remaining traffic.
Step 8: Run the command interfaces ethernet eth1 authenticator show acl rules on DUT0 and expect the following output:
Show output
Received ACL type: Filter-Rule. Rules for incoming traffic: 1: permit in 1 from any to 192.168.100.0/24 2: permit in 6 from any to 192.168.100.1 22 3: permit in 17 from 192.168.100.2 1234 to 192.168.100.1 1234 4: deny in ip from any to any Rules for outgoing traffic: 1: permit out 1 from 192.168.100.1 to any 2: permit out 6 from 192.168.100.1 22 to any 3: permit out 17 from 192.168.100.1 1234 to 192.168.100.2 1234 4: deny out ip from any to any
Step 9: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.728 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.728/0.728/0.728/0.000 ms
Step 10: Initiate an SSH connection from DUT1 to IP address 192.168.100.1 using user admin:
admin@DUT1$ ssh admin@192.168.100.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '192.168.100.1' (ECDSA) to the list of known hosts. admin@192.168.100.1's password: Welcome to Teldat OSDx v4.2.10.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Wed Jun 3 08:26:57 2026 admin@osdx$
Step 11: Initiate a udp connection from DUT1 to DUT0 and exchange messages between both endpoints
admin@DUT0$ monitor test connection server 1234 udp admin@DUT1$ monitor test connection client 192.168.100.1 1234 udp source-port 1234
Step 12: Expect a failure in the following command:
Initiate a udp connection from DUT0 to DUT1 and exchange messages between both endpoints
admin@DUT1$ monitor test connection server 4321 udp admin@DUT0$ monitor test connection client 192.168.100.2 4321 udp
Step 13: Run the command interfaces ethernet eth1 authenticator show acl stats on DUT0 and expect the following output:
Show output
ACL for ifc eth1 -- hook in ----------------------------------------------------- rule pkts match pkts eval bytes match bytes eval ----------------------------------------------------- 1 2 32 168 5517 2 25 30 5109 5349 3 5 5 240 240 4 0 0 0 0 ----------------------------------------------------- Total 32 32 5517 5517 ACL for ifc eth1 -- hook out ----------------------------------------------------- rule pkts match pkts eval bytes match bytes eval ----------------------------------------------------- 1 2 29 168 5413 2 20 27 4821 5245 3 5 7 240 424 4 2 2 184 184 ----------------------------------------------------- Total 29 29 5413 5413
Test 802.1x NAS-Filter-Rule ACLs And CoA
Description
In this scenario, DUT1 is properly authenticate and some ACLs are configured. A CoA message is later received from the authentication server that changes the configured ACLs to drop non-ICMP traffic.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator coa client 10.215.168.1 set interfaces ethernet eth1 authenticator coa encrypted-secret U2FsdGVkX18Yl/ARhM8qojuoVWTSmne+wBWlH/Ote/8= set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-802.1x set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set service ssh set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+S8HBHzmcjeLhfp9Lsb6iwDTrGZtXXan1Zu6msXuIh9cXLPXiHtY6miKYQhHTitMXkUWKTEV+V2Q== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.376 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.376/0.376/0.376/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1+LUKSaP3E970/7WpjTFNdF4KQ/UI8a8ZE= set interfaces ethernet eth1 supplicant username user_acl_ip set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:11 Session User Name user_acl_ip
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.645 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.645/0.645/0.645/0.000 ms
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the
radtest utility, which can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/acl_ip.req User-Name = "user_acl_ip" NAS-Filter-Rule = "permit in 1 from any to any" NAS-Filter-Rule += "deny in ip from any to any" $ radclient -s -t 1 -r 1 10.215.168.64:3799 coa coa_secret -f /osdx-tests/utils/dot1x/acl_ip.req Sent CoA-Request Id 22 from 0.0.0.0:51570 to 10.215.168.64:3799 length 89 Received CoA-ACK Id 22 from 10.215.168.64:3799 to 10.215.168.1:51570 length 44 Packet summary: Accepted : 1 Rejected : 0 Lost : 0 Passed filter : 1 Failed filter : 0
Note
IP Filter Rule ACLs:
Allow incoming ICMP traffic.
Drop remaining incoming traffic.
NOTE: outgoing traffic is allowed.
Step 8: Run the command interfaces ethernet eth1 authenticator show acl rules on DUT0 and expect the following output:
Show output
Received ACL type: Filter-Rule. Rules for incoming traffic: 1: permit in 1 from any to any 2: deny in ip from any to any
Step 9: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.408 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.408/0.408/0.408/0.000 ms
Step 10: Initiate an SSH connection from DUT1 to IP address 192.168.100.1 using user admin which is expected to fail:
admin@DUT1$ ssh admin@192.168.100.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Step 11: Expect a failure in the following command:
Initiate a udp connection from DUT1 to DUT0 and exchange messages between both endpoints
admin@DUT0$ monitor test connection server 1234 udp admin@DUT1$ monitor test connection client 192.168.100.1 1234 udp source-port 1234
Step 12: Expect a failure in the following command:
Initiate a udp connection from DUT0 to DUT1 and exchange messages between both endpoints
admin@DUT1$ monitor test connection server 4321 udp admin@DUT0$ monitor test connection client 192.168.100.2 4321 udp
Step 13: Run the command interfaces ethernet eth1 authenticator show acl stats on DUT0 and expect the following output:
Show output
ACL for ifc eth1 -- hook in ----------------------------------------------------- rule pkts match pkts eval bytes match bytes eval ----------------------------------------------------- 1 1 12 84 720 2 11 11 636 636 ----------------------------------------------------- Total 12 12 720 720
Test MAB NAS-Filter-Rule ACLs
Description
DUT0 is configured with a MAB-authenticated interface. Some ACLs are configured in the authentication server to filter incoming/outgoing traffic based on NAS-Filter-Rule attributes received after MAC authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-MAB set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set service ssh set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18o4QgTgQ03hS8i6CNrLP6Pd7F3iOFJRgm1qCp8P0ATc3M4ydc/dv34qR13A/TuFAAvvAc5frYqYg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.292 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.292/0.292/0.292/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 mac 'de:ad:be:ef:6c:1f' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.471 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.471/0.471/0.471/0.000 ms
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:1f Session User Name N/A
Step 6: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.665 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.665/0.665/0.665/0.000 ms
Note
IP Filter Rule ACLs:
Allow incoming/outgoing ICMP traffic to/from 192.168.100.0/24.
Allow management SSH traffic (tcp 22).
Allow incoming UDP flows from 192.168.100.2:1234 towards 192.168.100.1:1234.
Drop remaining traffic.
Step 7: Run the command interfaces ethernet eth1 authenticator show acl rules on DUT0 and expect the following output:
Show output
Received ACL type: Filter-Rule. Rules for incoming traffic: 1: permit in 1 from any to 192.168.100.0/24 2: permit in 6 from any to 192.168.100.1 22 3: permit in 17 from 192.168.100.2 1234 to 192.168.100.1 1234 4: deny in ip from any to any Rules for outgoing traffic: 1: permit out 1 from 192.168.100.1 to any 2: permit out 6 from 192.168.100.1 22 to any 3: permit out 17 from 192.168.100.1 1234 to 192.168.100.2 1234 4: deny out ip from any to any
Step 8: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.375 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.375/0.375/0.375/0.000 ms
Step 9: Initiate an SSH connection from DUT1 to IP address 192.168.100.1 using user admin:
admin@DUT1$ ssh admin@192.168.100.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '192.168.100.1' (ECDSA) to the list of known hosts. admin@192.168.100.1's password: Welcome to Teldat OSDx v4.2.10.1 This system includes free software. Contact Teldat for licenses information and source code. Last login: Wed Jun 3 09:01:24 2026 from 192.168.100.2 admin@osdx$
Step 10: Initiate a udp connection from DUT1 to DUT0 and exchange messages between both endpoints
admin@DUT0$ monitor test connection server 1234 udp admin@DUT1$ monitor test connection client 192.168.100.1 1234 udp source-port 1234
Step 11: Expect a failure in the following command:
Initiate a udp connection from DUT0 to DUT1 and exchange messages between both endpoints
admin@DUT1$ monitor test connection server 4321 udp admin@DUT0$ monitor test connection client 192.168.100.2 4321 udp
Step 12: Run the command interfaces ethernet eth1 authenticator show acl stats on DUT0 and expect the following output:
Show output
ACL for ifc eth1 -- hook in ----------------------------------------------------- rule pkts match pkts eval bytes match bytes eval ----------------------------------------------------- 1 3 33 252 5601 2 25 30 5109 5349 3 5 5 240 240 4 0 0 0 0 ----------------------------------------------------- Total 33 33 5601 5601 ACL for ifc eth1 -- hook out ----------------------------------------------------- rule pkts match pkts eval bytes match bytes eval ----------------------------------------------------- 1 3 29 252 5417 2 19 26 4741 5165 3 5 7 240 424 4 2 2 184 184 ----------------------------------------------------- Total 29 29 5417 5417
Test MAB NAS-Filter-Rule ACLs And CoA
Description
In this scenario, DUT1 is authenticated via MAC address and some ACLs are configured. A CoA message is later received from the authentication server that changes the configured ACLs to drop non-ICMP traffic.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 authenticator aaa authentication list1 set interfaces ethernet eth1 authenticator coa client 10.215.168.1 set interfaces ethernet eth1 authenticator coa encrypted-secret U2FsdGVkX18Qq8JpIhkmCrQ6QRne3WlhGcRnpdgLCnk= set interfaces ethernet eth1 authenticator log-level debug set interfaces ethernet eth1 authenticator mode only-MAB set interfaces ethernet eth1 authenticator quiet-period 60 set interfaces ethernet eth1 authenticator reauth-period 0 set service ssh set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18sYc6vXGPKMN/u+kaYZDENZgZfQOyXeP3AGSqEMibiQJjyOGumVLjOLNhPFC9K8iTRuQu4gGJWYA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=1.54 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.539/1.539/1.539/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces ethernet eth1 mac 'de:ad:be:ef:6c:1f' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.515 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.515/0.515/0.515/0.000 ms
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:1f Session User Name N/A
Step 6: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.787 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.787/0.787/0.787/0.000 ms
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the
radtest utility, which can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/mab_acl_ip.req User-Name = "de:ad:be:ef:6c:1f" NAS-Filter-Rule = "permit in 1 from any to any" NAS-Filter-Rule += "deny in ip from any to any" $ radclient -s -t 1 -r 1 10.215.168.64:3799 coa coa_secret -f /osdx-tests/utils/dot1x/mab_acl_ip.req Sent CoA-Request Id 232 from 0.0.0.0:47559 to 10.215.168.64:3799 length 95 Received CoA-ACK Id 232 from 10.215.168.64:3799 to 10.215.168.1:47559 length 44 Packet summary: Accepted : 1 Rejected : 0 Lost : 0 Passed filter : 1 Failed filter : 0
Note
IP Filter Rule ACLs:
Allow incoming ICMP traffic.
Drop remaining incoming traffic.
NOTE: outgoing traffic is allowed.
Step 7: Run the command interfaces ethernet eth1 authenticator show acl rules on DUT0 and expect the following output:
Show output
Received ACL type: Filter-Rule. Rules for incoming traffic: 1: permit in 1 from any to any 2: deny in ip from any to any
Step 8: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.324 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.324/0.324/0.324/0.000 ms
Step 9: Initiate an SSH connection from DUT1 to IP address 192.168.100.1 using user admin which is expected to fail:
admin@DUT1$ ssh admin@192.168.100.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Step 10: Expect a failure in the following command:
Initiate a udp connection from DUT1 to DUT0 and exchange messages between both endpoints
admin@DUT0$ monitor test connection server 1234 udp admin@DUT1$ monitor test connection client 192.168.100.1 1234 udp source-port 1234
Step 11: Expect a failure in the following command:
Initiate a udp connection from DUT0 to DUT1 and exchange messages between both endpoints
admin@DUT1$ monitor test connection server 4321 udp admin@DUT0$ monitor test connection client 192.168.100.2 4321 udp
Step 12: Run the command interfaces ethernet eth1 authenticator show acl stats on DUT0 and expect the following output:
Show output
ACL for ifc eth1 -- hook in ----------------------------------------------------- rule pkts match pkts eval bytes match bytes eval ----------------------------------------------------- 1 1 12 84 720 2 11 11 636 636 ----------------------------------------------------- Total 12 12 720 720