MAB Fallback

This scenario shows how to configure the MAB-fallback authentication mode.

Test Successful 802.1x Authentication With Successful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, so it authenticates through 802.1X and the MAB fallback is not triggered.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19J5GUcQVQfD9IgdIbkVgdYabcszFZc4Pr6A18ofQ+vQZem8loBjJDr3GT6JoOSUUM5CUn8NtxH+w==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping the IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.261 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.261/0.261/0.261/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1934HMx5ucQg8+wdnuR1qs2ekYXgpTlGSo=
set interfaces ethernet eth1 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:

Authorized
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:

Port Status\s+Authorized
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     0
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            de:ad:be:ef:6c:11
Session User Name                     testing

Step 7: Ping the IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.363 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.363/0.363/0.363/0.000 ms

Step 8: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:

IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Jun 03 08:49:31.677581 osdx hostapd[46284]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:49:31.677595 osdx hostapd[46284]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:49:31.677924 osdx hostapd[46284]: connect[radius]: Network is unreachable
Jun 03 08:49:31.677627 osdx hostapd[46284]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:49:31.677630 osdx hostapd[46284]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:49:31.693268 osdx hostapd[46284]: Discovery mode enabled on eth1
Jun 03 08:49:31.693352 osdx hostapd[46284]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:49:31.693352 osdx hostapd[46284]: eth1: AP-ENABLED
Jun 03 08:49:35.172066 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: New STA de:ad:be:ef:6c:11 added
Jun 03 08:49:35.172081 osdx hostapd[46285]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:49:35.185374 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: start authentication
Jun 03 08:49:35.185416 osdx hostapd[46285]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 03 08:49:35.185421 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 03 08:49:35.185425 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 03 08:49:35.185446 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Jun 03 08:49:35.185449 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAPOL-Start from STA
Jun 03 08:49:35.185470 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: unauthorizing port
Jun 03 08:49:35.185485 osdx hostapd[46285]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 08:49:35.185502 osdx hostapd[46285]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
Jun 03 08:49:35.185514 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 34)
Jun 03 08:49:35.186036 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=34 len=12) from STA: EAP Response-Identity (1)
Jun 03 08:49:35.186053 osdx hostapd[46285]: IEEE 802.1X: OSDX-EAP: getDecision: -> PASSTHROUGH
Jun 03 08:49:35.186059 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: STA identity 'testing'
Jun 03 08:49:35.186093 osdx hostapd[46285]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:49:35.188549 osdx hostapd[46285]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:35.188582 osdx hostapd[46285]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:35.188883 osdx hostapd[46285]: eth1: RADIUS Received 80 bytes from RADIUS server
Jun 03 08:49:35.188889 osdx hostapd[46285]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:35.188894 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:35.188918 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=35 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 03 08:49:35.188927 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 35)
Jun 03 08:49:35.189156 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=35 len=6) from STA: EAP Response-unknown (3)
Jun 03 08:49:35.189208 osdx hostapd[46285]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:35.189232 osdx hostapd[46285]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:35.189464 osdx hostapd[46285]: eth1: RADIUS Received 64 bytes from RADIUS server
Jun 03 08:49:35.189470 osdx hostapd[46285]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:35.189475 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:35.189490 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=36 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:35.189496 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 36)
Jun 03 08:49:35.189886 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=36 len=194) from STA: EAP Response-PEAP (25)
Jun 03 08:49:35.189925 osdx hostapd[46285]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:35.189935 osdx hostapd[46285]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:35.191207 osdx hostapd[46285]: eth1: RADIUS Received 1068 bytes from RADIUS server
Jun 03 08:49:35.191215 osdx hostapd[46285]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:35.191219 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:35.191240 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=37 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:35.191248 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 37)
Jun 03 08:49:35.191438 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=37 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:49:35.191488 osdx hostapd[46285]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:35.191502 osdx hostapd[46285]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:35.191663 osdx hostapd[46285]: eth1: RADIUS Received 229 bytes from RADIUS server
Jun 03 08:49:35.191669 osdx hostapd[46285]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:35.191673 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:35.191687 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=38 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:35.191693 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 38)
Jun 03 08:49:35.193255 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=38 len=103) from STA: EAP Response-PEAP (25)
Jun 03 08:49:35.193303 osdx hostapd[46285]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:35.193317 osdx hostapd[46285]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:35.193667 osdx hostapd[46285]: eth1: RADIUS Received 115 bytes from RADIUS server
Jun 03 08:49:35.193674 osdx hostapd[46285]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:35.193678 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:35.193694 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=39 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:35.193701 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 39)
Jun 03 08:49:35.194004 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=39 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:49:35.194048 osdx hostapd[46285]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:35.194060 osdx hostapd[46285]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:35.194220 osdx hostapd[46285]: eth1: RADIUS Received 98 bytes from RADIUS server
Jun 03 08:49:35.194226 osdx hostapd[46285]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:35.194230 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:35.194245 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=40 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:35.194253 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 40)
Jun 03 08:49:35.194482 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=40 len=43) from STA: EAP Response-PEAP (25)
Jun 03 08:49:35.194519 osdx hostapd[46285]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:35.194531 osdx hostapd[46285]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:35.194736 osdx hostapd[46285]: eth1: RADIUS Received 131 bytes from RADIUS server
Jun 03 08:49:35.194740 osdx hostapd[46285]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:35.194744 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:35.194761 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=41 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:35.194767 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 41)
Jun 03 08:49:35.195044 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=41 len=97) from STA: EAP Response-PEAP (25)
Jun 03 08:49:35.195083 osdx hostapd[46285]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:35.195093 osdx hostapd[46285]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:35.195296 osdx hostapd[46285]: eth1: RADIUS Received 140 bytes from RADIUS server
Jun 03 08:49:35.195302 osdx hostapd[46285]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:35.195307 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:35.195322 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=42 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:35.195328 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 42)
Jun 03 08:49:35.195563 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=42 len=37) from STA: EAP Response-PEAP (25)
Jun 03 08:49:35.195600 osdx hostapd[46285]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:35.195648 osdx hostapd[46285]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:35.195768 osdx hostapd[46285]: eth1: RADIUS Received 104 bytes from RADIUS server
Jun 03 08:49:35.195773 osdx hostapd[46285]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:35.195778 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:35.195793 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=43 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:35.195801 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 43)
Jun 03 08:49:35.196036 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=43 len=46) from STA: EAP Response-PEAP (25)
Jun 03 08:49:35.196073 osdx hostapd[46285]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:35.196085 osdx hostapd[46285]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:35.196280 osdx hostapd[46285]: eth1: RADIUS Received 175 bytes from RADIUS server
Jun 03 08:49:35.196286 osdx hostapd[46285]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:35.196290 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:35.196315 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jun 03 08:49:35.196319 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=3 id=43 len=4) from RADIUS server: EAP Success
Jun 03 08:49:35.196413 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 43)
Jun 03 08:49:35.196432 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port
Jun 03 08:49:35.196436 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 RADIUS: starting accounting session C440D5CFDAF11B20
Jun 03 08:49:35.196440 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
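
Added example (not part of the original page or of the OSDx project): a Python summary of the Step 8 journal output that reports, per station, whether the MAB trigger was cancelled, which EAP methods the RADIUS server proposed, and which method authorized the port. The sample lines are copied from the output above; the Session class, the function names and the path labels are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: lines copied from the Step 8 journal output on this page; the
# selection (repeated PEAP round trips left out) is constructed for this example.
SAMPLE_JOURNAL = """\
Jun 03 08:49:35.185416 osdx hostapd[46285]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 03 08:49:35.185421 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 03 08:49:35.185446 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Jun 03 08:49:35.185470 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: unauthorizing port
Jun 03 08:49:35.186059 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: STA identity 'testing'
Jun 03 08:49:35.188918 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=35 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 03 08:49:35.189156 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=35 len=6) from STA: EAP Response-unknown (3)
Jun 03 08:49:35.189490 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=36 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:35.196432 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port
Jun 03 08:49:35.196440 osdx hostapd[46285]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
"""

PAE_GROUP_MAC = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a station
EAP_NAK = 3  # RFC 3748 Nak; the output above prints it as "Response-unknown (3)"

LINE_RE = re.compile(
    r"hostapd\[\d+\]: \S+: STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:IEEE 802\.1X|RADIUS): (?P<msg>.*)$")
SCHED_RE = re.compile(r"MAB fallback mode: Scheduling MAB trigger in (\d+) seconds")
IDENT_RE = re.compile(r"STA identity '(.*)'")
REQ_RE = re.compile(r"decapsulated EAP packet \(code=1 [^)]*\) from RADIUS server: "
                    r"EAP-Request-(\S+) \(\d+\)")
RESP_RE = re.compile(r"received EAP packet \(code=2 [^)]*\) from STA: "
                     r"EAP Response-\S+ \((\d+)\)")
AUTH_RE = re.compile(r"authenticated - EAP type: \d+ \((\w+)\)")


@dataclass
class Session:  # hypothetical container, one per station MAC
    mac: str
    identity: Optional[str] = None
    mab_timeout: Optional[int] = None   # seconds until MAB would trigger
    mab_cancelled: bool = False         # station answered 802.1X in time
    offered: List[str] = field(default_factory=list)  # methods proposed by RADIUS
    nak_count: int = 0                  # station refused a proposed method
    authorized: bool = False
    eap_method: Optional[str] = None    # method named in the "authenticated" line


def parse_sessions(journal: str) -> Dict[str, Session]:
    """Fold hostapd journal lines into one Session per station MAC."""
    sessions: Dict[str, Session] = {}
    for line in journal.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("mac") == PAE_GROUP_MAC:
            continue
        s = sessions.setdefault(m.group("mac"), Session(m.group("mac")))
        msg = m.group("msg").strip()
        sched, ident = SCHED_RE.match(msg), IDENT_RE.match(msg)
        req, resp, auth = REQ_RE.match(msg), RESP_RE.match(msg), AUTH_RE.match(msg)
        if sched:
            s.mab_timeout = int(sched.group(1))
        elif msg.startswith("MAB: Cancelled MAB trigger"):
            s.mab_cancelled = True
        elif ident:
            s.identity = ident.group(1)
        elif req:
            # Record each proposed method once, in the order it was offered.
            if not s.offered or s.offered[-1] != req.group(1):
                s.offered.append(req.group(1))
        elif resp:
            if int(resp.group(1)) == EAP_NAK:
                s.nak_count += 1
        elif msg == "unauthorizing port":
            s.authorized = False
        elif msg == "authorizing port":
            s.authorized = True
        elif auth:
            s.eap_method = auth.group(1)
    return sessions


def auth_path(s: Session) -> str:
    """Label how the port ended up (the labels are this example's own)."""
    if s.authorized and s.eap_method:
        return "802.1X/" + s.eap_method
    if s.authorized:
        # No EAP "authenticated" line: the page shows no log for this case,
        # so it is only flagged for review here.
        return "authorized-without-eap"
    if s.mab_timeout is not None and not s.mab_cancelled:
        return "mab-timer-pending"
    return "unauthorized"


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_JOURNAL).values():
        print(s.mac, s.identity, auth_path(s),
              "offered=" + ">".join(s.offered), "naks=%d" % s.nak_count,
              "mab_cancelled=%s" % s.mab_cancelled)
```

For the journal above, the summary shows the RADIUS server proposing MD5 first, the supplicant answering with a Nak, and the session completing with PEAP after the MAB trigger was cancelled, which agrees with the Authentication Mode 802.1X check in Step 6.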

Test Successful 802.1x Authentication With Unsuccessful MAB Fallback

Description

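This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address. Because DUT1 responds to 802.1X, the MAB trigger is cancelled and the port is still authorized through 802.1X.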

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX183F75iHkSYcBUZSEqR8oIqdbynP2l5CC5adAekMO1O0TVv7Yvd0fikYognUgGh8Nb1nS+ijjEw8w==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping the IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.260 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.260/0.260/0.260/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 mac '00:11:22:33:44:55'
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1/I2Bd66hXnOT8P235hF1eTDVnDBGOaY8c=
set interfaces ethernet eth1 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:

Authorized
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:

Port Status\s+Authorized
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     0
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            00:11:22:33:44:55
Session User Name                     testing

Step 7: Ping the IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.599 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.599/0.599/0.599/0.000 ms

Step 8: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:

IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Jun 03 08:49:45.717797 osdx hostapd[46843]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:49:45.717811 osdx hostapd[46843]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:49:45.718066 osdx hostapd[46843]: connect[radius]: Network is unreachable
Jun 03 08:49:45.717869 osdx hostapd[46843]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:49:45.717873 osdx hostapd[46843]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:49:45.737531 osdx hostapd[46843]: Discovery mode enabled on eth1
Jun 03 08:49:45.737615 osdx hostapd[46843]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:49:45.737615 osdx hostapd[46843]: eth1: AP-ENABLED
Jun 03 08:49:49.417299 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jun 03 08:49:49.417314 osdx hostapd[46844]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:49:49.429588 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Jun 03 08:49:49.429618 osdx hostapd[46844]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 03 08:49:49.429622 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 03 08:49:49.429626 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 03 08:49:49.429641 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Jun 03 08:49:49.429644 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Jun 03 08:49:49.429657 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jun 03 08:49:49.429674 osdx hostapd[46844]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 08:49:49.429686 osdx hostapd[46844]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
Jun 03 08:49:49.429701 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 44)
Jun 03 08:49:49.434720 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=44 len=12) from STA: EAP Response-Identity (1)
Jun 03 08:49:49.434734 osdx hostapd[46844]: IEEE 802.1X: OSDX-EAP: getDecision: -> PASSTHROUGH
Jun 03 08:49:49.434739 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Jun 03 08:49:49.434774 osdx hostapd[46844]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:49:49.437189 osdx hostapd[46844]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:49.437225 osdx hostapd[46844]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:49.437527 osdx hostapd[46844]: eth1: RADIUS Received 80 bytes from RADIUS server
Jun 03 08:49:49.437533 osdx hostapd[46844]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:49.437538 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:49.437565 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=45 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 03 08:49:49.437573 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 45)
Jun 03 08:49:49.437912 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=45 len=6) from STA: EAP Response-unknown (3)
Jun 03 08:49:49.437981 osdx hostapd[46844]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:49.437999 osdx hostapd[46844]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:49.438213 osdx hostapd[46844]: eth1: RADIUS Received 64 bytes from RADIUS server
Jun 03 08:49:49.438218 osdx hostapd[46844]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:49.438225 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:49.438246 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=46 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:49.438253 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 46)
Jun 03 08:49:49.438737 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=46 len=194) from STA: EAP Response-PEAP (25)
Jun 03 08:49:49.438795 osdx hostapd[46844]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:49.438812 osdx hostapd[46844]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:49.440155 osdx hostapd[46844]: eth1: RADIUS Received 1068 bytes from RADIUS server
Jun 03 08:49:49.440163 osdx hostapd[46844]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:49.440166 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:49.440193 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=47 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:49.440201 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 47)
Jun 03 08:49:49.441040 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=47 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:49:49.441097 osdx hostapd[46844]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:49.441145 osdx hostapd[46844]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:49.441304 osdx hostapd[46844]: eth1: RADIUS Received 229 bytes from RADIUS server
Jun 03 08:49:49.441311 osdx hostapd[46844]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:49.441315 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:49.441333 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=48 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:49.441340 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 48)
Jun 03 08:49:49.443138 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=48 len=103) from STA: EAP Response-PEAP (25)
Jun 03 08:49:49.443196 osdx hostapd[46844]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:49.443211 osdx hostapd[46844]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:49.443604 osdx hostapd[46844]: eth1: RADIUS Received 115 bytes from RADIUS server
Jun 03 08:49:49.443610 osdx hostapd[46844]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:49.443614 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:49.443632 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=49 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:49.443638 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 49)
Jun 03 08:49:49.443905 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=49 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:49:49.443945 osdx hostapd[46844]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:49.443956 osdx hostapd[46844]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:49.444126 osdx hostapd[46844]: eth1: RADIUS Received 98 bytes from RADIUS server
Jun 03 08:49:49.444134 osdx hostapd[46844]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:49.444145 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:49.444168 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=50 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:49.444176 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 50)
Jun 03 08:49:49.444414 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=50 len=43) from STA: EAP Response-PEAP (25)
Jun 03 08:49:49.444459 osdx hostapd[46844]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:49.444473 osdx hostapd[46844]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:49.444666 osdx hostapd[46844]: eth1: RADIUS Received 131 bytes from RADIUS server
Jun 03 08:49:49.444670 osdx hostapd[46844]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:49.444674 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:49.444689 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=51 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:49.444696 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 51)
Jun 03 08:49:49.445345 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=51 len=97) from STA: EAP Response-PEAP (25)
Jun 03 08:49:49.445421 osdx hostapd[46844]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:49.445444 osdx hostapd[46844]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:49.445690 osdx hostapd[46844]: eth1: RADIUS Received 140 bytes from RADIUS server
Jun 03 08:49:49.445696 osdx hostapd[46844]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:49.445701 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:49.445729 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=52 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:49.445736 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 52)
Jun 03 08:49:49.446000 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=52 len=37) from STA: EAP Response-PEAP (25)
Jun 03 08:49:49.446053 osdx hostapd[46844]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:49.446243 osdx hostapd[46844]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:49.446306 osdx hostapd[46844]: eth1: RADIUS Received 104 bytes from RADIUS server
Jun 03 08:49:49.446311 osdx hostapd[46844]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:49.446315 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:49.446338 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=53 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:49:49.446346 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 53)
Jun 03 08:49:49.447110 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=53 len=46) from STA: EAP Response-PEAP (25)
Jun 03 08:49:49.447162 osdx hostapd[46844]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:49:49.447177 osdx hostapd[46844]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:49:49.447459 osdx hostapd[46844]: eth1: RADIUS Received 175 bytes from RADIUS server
Jun 03 08:49:49.447467 osdx hostapd[46844]: eth1: RADIUS Received RADIUS message
Jun 03 08:49:49.447471 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:49:49.447501 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jun 03 08:49:49.447505 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=53 len=4) from RADIUS server: EAP Success
Jun 03 08:49:49.447528 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 53)
Jun 03 08:49:49.447548 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Jun 03 08:49:49.447552 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 RADIUS: starting accounting session 5049E1E6D1BE58A6
Jun 03 08:49:49.447555 osdx hostapd[46844]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Test Unsuccessful 802.1x Authentication With Successful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18mtWp5rBDrUhoRvRX7pel8L308arEYT0cx+DLx+muo7p75bDGUXylbGIQu0nV2C1ypMK5iJqFbkQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping the IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.282 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.282/0.282/0.282/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX19Bc6YDqp6cjTvyYd/oIA2+VhSYu0CJqTU=
set interfaces ethernet eth1 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                        10
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:11
Session User Name                     wrong

Step 5: Ping the IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.624 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.624/0.624/0.624/0.000 ms

Step 6: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:

IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Show output
Jun 03 08:49:59.459204 osdx hostapd[47403]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:49:59.459221 osdx hostapd[47403]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:49:59.459580 osdx hostapd[47403]: connect[radius]: Network is unreachable
Jun 03 08:49:59.459256 osdx hostapd[47403]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:49:59.459259 osdx hostapd[47403]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:49:59.482985 osdx hostapd[47403]: Discovery mode enabled on eth1
Jun 03 08:49:59.483078 osdx hostapd[47403]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:49:59.483078 osdx hostapd[47403]: eth1: AP-ENABLED
Jun 03 08:50:02.792690 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: New STA de:ad:be:ef:6c:11 added
Jun 03 08:50:02.792702 osdx hostapd[47404]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:50:02.811034 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: start authentication
Jun 03 08:50:02.811062 osdx hostapd[47404]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 03 08:50:02.811066 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 03 08:50:02.811068 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 03 08:50:02.811084 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Jun 03 08:50:02.811087 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAPOL-Start from STA
Jun 03 08:50:02.811096 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: unauthorizing port
Jun 03 08:50:02.811106 osdx hostapd[47404]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 08:50:02.811119 osdx hostapd[47404]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
Jun 03 08:50:02.811132 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 115)
Jun 03 08:50:02.811527 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=115 len=10) from STA: EAP Response-Identity (1)
Jun 03 08:50:02.811541 osdx hostapd[47404]: IEEE 802.1X: OSDX-EAP: getDecision: -> PASSTHROUGH
Jun 03 08:50:02.811546 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: STA identity 'wrong'
Jun 03 08:50:02.811579 osdx hostapd[47404]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:50:02.815053 osdx hostapd[47404]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:02.815095 osdx hostapd[47404]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:02.815519 osdx hostapd[47404]: eth1: RADIUS Received 80 bytes from RADIUS server
Jun 03 08:50:02.815531 osdx hostapd[47404]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:02.815538 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:02.815572 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=116 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 03 08:50:02.815584 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 116)
Jun 03 08:50:02.816011 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=116 len=6) from STA: EAP Response-unknown (3)
Jun 03 08:50:02.816110 osdx hostapd[47404]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:02.816133 osdx hostapd[47404]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:02.816489 osdx hostapd[47404]: eth1: RADIUS Received 64 bytes from RADIUS server
Jun 03 08:50:02.816500 osdx hostapd[47404]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:02.816505 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:02.816533 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=117 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:02.816544 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 117)
Jun 03 08:50:02.817202 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=117 len=194) from STA: EAP Response-PEAP (25)
Jun 03 08:50:02.817285 osdx hostapd[47404]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:02.817313 osdx hostapd[47404]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:02.819234 osdx hostapd[47404]: eth1: RADIUS Received 1068 bytes from RADIUS server
Jun 03 08:50:02.819244 osdx hostapd[47404]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:02.819249 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:02.819285 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=118 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:02.819296 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 118)
Jun 03 08:50:02.819660 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=118 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:50:02.819728 osdx hostapd[47404]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:02.819746 osdx hostapd[47404]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:02.819961 osdx hostapd[47404]: eth1: RADIUS Received 229 bytes from RADIUS server
Jun 03 08:50:02.819970 osdx hostapd[47404]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:02.819976 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:02.819999 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=119 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:02.820008 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 119)
Jun 03 08:50:02.822691 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=119 len=103) from STA: EAP Response-PEAP (25)
Jun 03 08:50:02.822762 osdx hostapd[47404]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:02.822780 osdx hostapd[47404]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:02.823275 osdx hostapd[47404]: eth1: RADIUS Received 115 bytes from RADIUS server
Jun 03 08:50:02.823283 osdx hostapd[47404]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:02.823287 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:02.823308 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=120 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:02.823316 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 120)
Jun 03 08:50:02.823677 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=120 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:50:02.823727 osdx hostapd[47404]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:02.823742 osdx hostapd[47404]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:02.823937 osdx hostapd[47404]: eth1: RADIUS Received 98 bytes from RADIUS server
Jun 03 08:50:02.823944 osdx hostapd[47404]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:02.823948 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:02.823968 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=121 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:02.823975 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 121)
Jun 03 08:50:02.824231 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=121 len=41) from STA: EAP Response-PEAP (25)
Jun 03 08:50:02.824279 osdx hostapd[47404]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:02.824295 osdx hostapd[47404]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:02.824567 osdx hostapd[47404]: eth1: RADIUS Received 131 bytes from RADIUS server
Jun 03 08:50:02.824579 osdx hostapd[47404]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:02.824585 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:02.824626 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=122 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:02.824637 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 122)
Jun 03 08:50:02.825028 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=122 len=95) from STA: EAP Response-PEAP (25)
Jun 03 08:50:02.825082 osdx hostapd[47404]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:02.825102 osdx hostapd[47404]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:02.825351 osdx hostapd[47404]: eth1: RADIUS Received 104 bytes from RADIUS server
Jun 03 08:50:02.825367 osdx hostapd[47404]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:02.825373 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:02.825402 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=1 id=123 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:02.825413 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 123)
Jun 03 08:50:02.825735 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAP packet (code=2 id=123 len=46) from STA: EAP Response-PEAP (25)
Jun 03 08:50:02.825797 osdx hostapd[47404]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:02.825817 osdx hostapd[47404]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:03.825906 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Resending RADIUS message (id=8)
Jun 03 08:50:03.825943 osdx hostapd[47404]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 03 08:50:03.826107 osdx hostapd[47404]: eth1: RADIUS Received 44 bytes from RADIUS server
Jun 03 08:50:03.826112 osdx hostapd[47404]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:03.826116 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:03.826159 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: decapsulated EAP packet (code=4 id=123 len=4) from RADIUS server: EAP Failure
Jun 03 08:50:03.826185 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 123)
Jun 03 08:50:03.826201 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: unauthorizing port
Jun 03 08:50:03.826204 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jun 03 08:50:03.826207 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Jun 03 08:50:03.826211 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Starting RADIUS query
Jun 03 08:50:03.826236 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:11
Jun 03 08:50:03.826273 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:11
Jun 03 08:50:03.826286 osdx hostapd[47404]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:03.826298 osdx hostapd[47404]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:03.826316 osdx hostapd[47404]: eth1: RADIUS Received 44 bytes from RADIUS server
Jun 03 08:50:03.826320 osdx hostapd[47404]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:03.826323 osdx hostapd[47404]: eth1: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Jun 03 08:50:03.826523 osdx hostapd[47404]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:50:03.826529 osdx hostapd[47404]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:03.826536 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:03.826540 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Processing RADIUS response
Jun 03 08:50:03.826568 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated
Jun 03 08:50:03.826572 osdx hostapd[47404]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:50:03.826582 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port
Jun 03 08:50:03.826585 osdx hostapd[47404]: eth1: STA de:ad:be:ef:6c:11 RADIUS: starting accounting session 478E39085AE36A68
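
The journal tokens checked in Step 6 can also be turned into a per-station verdict. The following is an added example, not part of the OSDX documentation: it parses hostapd lines in the format shown above and reports whether each port was opened by 802.1X, by MAB fallback after a failed 802.1X exchange, or not at all (the "MAB: Authentication failed" token from the unsuccessful-fallback scenario). The sample journal, its MAC addresses and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the hostapd journal format shown on this page.
# MAC addresses, PIDs and timestamps are made up; the message texts are the
# ones the scenarios grep for.
SAMPLE_JOURNAL = """\
Jun 03 09:00:00.000001 osdx hostapd[100]: eth1: STA 02:00:00:00:00:01 IEEE 802.1X: start authentication
Jun 03 09:00:00.000002 osdx hostapd[100]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 09:00:00.000003 osdx hostapd[100]: eth1: STA 02:00:00:00:00:01 IEEE 802.1X: STA identity 'testing'
Jun 03 09:00:00.000004 osdx hostapd[100]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 09:00:00.000005 osdx hostapd[100]: eth1: STA 02:00:00:00:00:01 IEEE 802.1X: authorizing port
Jun 03 09:00:00.000006 osdx hostapd[100]: eth1: STA 02:00:00:00:00:01 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Jun 03 09:01:00.000001 osdx hostapd[100]: eth1: STA 02:00:00:00:00:02 IEEE 802.1X: start authentication
Jun 03 09:01:00.000002 osdx hostapd[100]: eth1: STA 02:00:00:00:00:02 IEEE 802.1X: unauthorizing port
Jun 03 09:01:00.000003 osdx hostapd[100]: eth1: STA 02:00:00:00:00:02 IEEE 802.1X: STA identity 'wrong'
Jun 03 09:01:01.000001 osdx hostapd[100]: eth1: STA 02:00:00:00:00:02 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jun 03 09:01:01.000002 osdx hostapd[100]: eth1: STA 02:00:00:00:00:02 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Jun 03 09:01:01.000003 osdx hostapd[100]: eth1: STA 02:00:00:00:00:02 IEEE 802.1X: MAB: station successfully authenticated
Jun 03 09:01:01.000004 osdx hostapd[100]: eth1: STA 02:00:00:00:00:02 IEEE 802.1X: authorizing port
Jun 03 09:02:00.000001 osdx hostapd[100]: eth1: STA 02:00:00:00:00:03 IEEE 802.1X: start authentication
Jun 03 09:02:00.000002 osdx hostapd[100]: eth1: STA 02:00:00:00:00:03 IEEE 802.1X: unauthorizing port
Jun 03 09:02:00.000003 osdx hostapd[100]: eth1: STA 02:00:00:00:00:03 IEEE 802.1X: STA identity 'wrong'
Jun 03 09:02:01.000001 osdx hostapd[100]: eth1: STA 02:00:00:00:00:03 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jun 03 09:02:01.000002 osdx hostapd[100]: eth1: STA 02:00:00:00:00:03 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Jun 03 09:02:01.000003 osdx hostapd[100]: eth1: STA 02:00:00:00:00:03 IEEE 802.1X: MAB: Authentication failed
"""

# Only per-station lines ("<if>: STA <mac> IEEE 802.1X|RADIUS: <message>") matter.
LINE_RE = re.compile(
    r"hostapd\[\d+\]: (?P<ifname>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:IEEE 802\.1X|RADIUS): (?P<msg>.*)$",
    re.IGNORECASE,
)
IDENTITY_RE = re.compile(r"STA identity '(?P<identity>[^']*)'")
PAE_GROUP = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a real station


@dataclass
class Station:
    mac: str
    ifname: str
    identity: Optional[str] = None
    dot1x: str = "pending"      # pending | ok | failed
    mab: str = "not-tried"      # not-tried | triggered | ok | failed
    port_authorized: bool = False

    @property
    def outcome(self) -> str:
        if self.dot1x == "ok":
            return "802.1X"
        if self.mab == "ok":
            return "MAB-fallback"
        if self.mab == "failed":
            return "rejected"
        return "pending"


def classify(journal: str) -> Dict[str, Station]:
    """Replay the journal and keep the latest authentication state per MAC."""
    stations: Dict[str, Station] = {}
    for line in journal.splitlines():
        m = LINE_RE.search(line)
        if not m or m["mac"].lower() == PAE_GROUP:
            continue
        mac = m["mac"].lower()
        st = stations.setdefault(mac, Station(mac=mac, ifname=m["ifname"]))
        msg = m["msg"].strip()
        ident = IDENTITY_RE.match(msg)
        if msg == "start authentication":          # new attempt: reset verdicts
            st.dot1x, st.mab = "pending", "not-tried"
        elif ident:
            st.identity = ident["identity"]
        elif msg.startswith("authenticated - EAP type"):
            st.dot1x = "ok"
        elif msg.startswith("authentication failed - EAP type"):
            st.dot1x = "failed"
        elif msg.startswith("802.1X authentication failed, triggering MAB fallback"):
            st.mab = "triggered"
        elif msg.startswith("MAB: station successfully authenticated"):
            st.mab = "ok"
        elif msg.startswith("MAB: Authentication failed"):
            st.mab = "failed"
        elif msg == "authorizing port":            # exact match: "unauthorizing
            st.port_authorized = True              # port" contains this text too
        elif msg == "unauthorizing port":
            st.port_authorized = False
    return stations


def review_candidates(stations: Dict[str, Station]) -> List[Tuple[str, Optional[str]]]:
    """Stations whose 802.1X credentials were rejected but whose port is open via MAB."""
    return sorted(
        (st.mac, st.identity)
        for st in stations.values()
        if st.dot1x == "failed" and st.mab == "ok" and st.port_authorized
    )
```

Stations returned by review_candidates presented 802.1X credentials that RADIUS rejected and were then admitted on their MAC address alone, the same case as the "Authorized (MAB)" status with user name "wrong" in Step 4.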

Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19dbon7C6oD5ICgw8rbdERw+jYGHSq5Cf8B8kpiXv46avilamA69zC3m1x5ywXob5BUaWZjuNoqPQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping the IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.280 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.280/0.280/0.280/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 mac '00:11:22:33:44:55'
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1+QDea4Hn+R3QRVPrB1yQpQ3sD/jj7vd3Y=
set interfaces ethernet eth1 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:

Port Status\s+Unauthorized
Show output
---------------------------------
       Field            Value
---------------------------------
EAPoL Frames (Rx)              10
EAPoL Frames (Tx)              10
Invalid Frames (Rx)             0
Logoff Frames (Tx)              0
Port Status          Unauthorized
Req Frames (Rx)                 8
Req ID Frames (Rx)              1
Resp Frames (Tx)                9
Start Frames (Tx)               1

Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                        10
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 6: Ping the IP address 192.168.100.1 from DUT1. The ping is expected to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 7: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:

IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Show output
Jun 03 08:50:11.527438 osdx hostapd[47966]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:50:11.527458 osdx hostapd[47966]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:50:11.527712 osdx hostapd[47966]: connect[radius]: Network is unreachable
Jun 03 08:50:11.527506 osdx hostapd[47966]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:50:11.527511 osdx hostapd[47966]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:50:11.555246 osdx hostapd[47966]: Discovery mode enabled on eth1
Jun 03 08:50:11.555348 osdx hostapd[47966]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:50:11.555348 osdx hostapd[47966]: eth1: AP-ENABLED
Jun 03 08:50:15.104940 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jun 03 08:50:15.104952 osdx hostapd[47967]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:50:15.123263 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Jun 03 08:50:15.123296 osdx hostapd[47967]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 03 08:50:15.123300 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 03 08:50:15.123303 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 03 08:50:15.123318 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Jun 03 08:50:15.123321 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Jun 03 08:50:15.123330 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jun 03 08:50:15.123339 osdx hostapd[47967]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 08:50:15.123358 osdx hostapd[47967]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
Jun 03 08:50:15.123376 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 58)
Jun 03 08:50:15.123776 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=58 len=10) from STA: EAP Response-Identity (1)
Jun 03 08:50:15.123791 osdx hostapd[47967]: IEEE 802.1X: OSDX-EAP: getDecision: -> PASSTHROUGH
Jun 03 08:50:15.123797 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Jun 03 08:50:15.123829 osdx hostapd[47967]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:50:15.126236 osdx hostapd[47967]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:15.126269 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:15.126583 osdx hostapd[47967]: eth1: RADIUS Received 80 bytes from RADIUS server
Jun 03 08:50:15.126590 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:15.126594 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:15.126616 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=59 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 03 08:50:15.126624 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 59)
Jun 03 08:50:15.126887 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=59 len=6) from STA: EAP Response-unknown (3)
Jun 03 08:50:15.126955 osdx hostapd[47967]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:15.126970 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:15.127166 osdx hostapd[47967]: eth1: RADIUS Received 64 bytes from RADIUS server
Jun 03 08:50:15.127187 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:15.127191 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:15.127208 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=60 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:15.127215 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 60)
Jun 03 08:50:15.127613 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=60 len=194) from STA: EAP Response-PEAP (25)
Jun 03 08:50:15.127677 osdx hostapd[47967]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:15.127693 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:15.128765 osdx hostapd[47967]: eth1: RADIUS Received 1068 bytes from RADIUS server
Jun 03 08:50:15.128774 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:15.128779 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:15.128807 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=61 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:15.128816 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 61)
Jun 03 08:50:15.129050 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=61 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:50:15.129112 osdx hostapd[47967]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:15.129129 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:15.129293 osdx hostapd[47967]: eth1: RADIUS Received 229 bytes from RADIUS server
Jun 03 08:50:15.129299 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:15.129303 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:15.129319 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=62 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:15.129326 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 62)
Jun 03 08:50:15.131380 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=62 len=103) from STA: EAP Response-PEAP (25)
Jun 03 08:50:15.131453 osdx hostapd[47967]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:15.131503 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:15.131875 osdx hostapd[47967]: eth1: RADIUS Received 115 bytes from RADIUS server
Jun 03 08:50:15.131885 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:15.131889 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:15.131912 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=63 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:15.131925 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 63)
Jun 03 08:50:15.132253 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=63 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:50:15.132303 osdx hostapd[47967]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:15.132317 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:15.132497 osdx hostapd[47967]: eth1: RADIUS Received 98 bytes from RADIUS server
Jun 03 08:50:15.132503 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:15.132506 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:15.132523 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=64 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:15.132532 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 64)
Jun 03 08:50:15.132795 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=64 len=41) from STA: EAP Response-PEAP (25)
Jun 03 08:50:15.132836 osdx hostapd[47967]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:15.132850 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:15.133055 osdx hostapd[47967]: eth1: RADIUS Received 131 bytes from RADIUS server
Jun 03 08:50:15.133064 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:15.133069 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:15.133102 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=65 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:15.133111 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 65)
Jun 03 08:50:15.133494 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=65 len=95) from STA: EAP Response-PEAP (25)
Jun 03 08:50:15.133546 osdx hostapd[47967]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:15.133559 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:15.133766 osdx hostapd[47967]: eth1: RADIUS Received 104 bytes from RADIUS server
Jun 03 08:50:15.133774 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:15.133781 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:15.133800 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=66 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:50:15.133807 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 66)
Jun 03 08:50:15.134160 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=66 len=46) from STA: EAP Response-PEAP (25)
Jun 03 08:50:15.134205 osdx hostapd[47967]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:15.134218 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:16.134315 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Jun 03 08:50:16.134358 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 03 08:50:16.134585 osdx hostapd[47967]: eth1: RADIUS Received 44 bytes from RADIUS server
Jun 03 08:50:16.134590 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:16.134594 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:16.134651 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=66 len=4) from RADIUS server: EAP Failure
Jun 03 08:50:16.134681 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 66)
Jun 03 08:50:16.134801 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jun 03 08:50:16.134807 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jun 03 08:50:16.134811 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Jun 03 08:50:16.134817 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jun 03 08:50:16.134845 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 03 08:50:16.134855 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jun 03 08:50:16.134871 osdx hostapd[47967]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:16.134950 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:16.134967 osdx hostapd[47967]: eth1: RADIUS Received 44 bytes from RADIUS server
Jun 03 08:50:16.134970 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:16.134973 osdx hostapd[47967]: eth1: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Jun 03 08:50:17.135041 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jun 03 08:50:17.135079 osdx hostapd[47967]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 03 08:50:17.135243 osdx hostapd[47967]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:50:17.135248 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:17.135252 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:17.135256 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jun 03 08:50:17.135309 osdx hostapd[47967]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:50:17.135312 osdx hostapd[47967]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:50:17.135315 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Jun 03 08:50:17.135318 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Jun 03 08:50:17.135326 osdx hostapd[47967]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:50:17.135329 osdx hostapd[47967]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:17.135332 osdx hostapd[47967]: eth1: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet

Test Unsupported 802.1x Authentication With Successful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+eM/FBf/74DhFLcgDCRMiKZdEPaod348pvyew8AFybk9iTO7PkDm5IAOAVp/Od7iPZk/Py2Vj2uA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping the IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.283 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.283/0.283/0.283/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth1 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping the IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.446 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.446/0.446/0.446/0.000 ms

Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         4
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:11
Session User Name                       N/A

Step 6: Ping the IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.295 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.295/0.295/0.295/0.000 ms

Step 7: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:

IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Show output
Jun 03 08:50:26.588693 osdx hostapd[48515]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:50:26.588705 osdx hostapd[48515]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:50:26.588943 osdx hostapd[48515]: connect[radius]: Network is unreachable
Jun 03 08:50:26.588739 osdx hostapd[48515]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:50:26.588742 osdx hostapd[48515]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:50:26.612568 osdx hostapd[48515]: Discovery mode enabled on eth1
Jun 03 08:50:26.612640 osdx hostapd[48515]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:50:26.612640 osdx hostapd[48515]: eth1: AP-ENABLED
Jun 03 08:50:31.612838 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 DRIVER: Device discovered, triggering MAB authentication
Jun 03 08:50:31.612883 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: New STA de:ad:be:ef:6c:11 added
Jun 03 08:50:31.612894 osdx hostapd[48516]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:50:31.644669 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: start authentication
Jun 03 08:50:31.644711 osdx hostapd[48516]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 03 08:50:31.644719 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 03 08:50:31.644722 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 03 08:50:31.644746 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: unauthorizing port
Jun 03 08:50:31.644760 osdx hostapd[48516]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 08:50:31.644785 osdx hostapd[48516]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
Jun 03 08:50:31.644801 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 4)
Jun 03 08:50:34.646838 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 4)
Jun 03 08:50:40.651857 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 4)
Jun 03 08:50:52.660307 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: aborting authentication
Jun 03 08:50:52.660316 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jun 03 08:50:52.660322 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Starting RADIUS query
Jun 03 08:50:52.660368 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:11
Jun 03 08:50:52.662218 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:11
Jun 03 08:50:52.662232 osdx hostapd[48516]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:50:52.662311 osdx hostapd[48516]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:50:52.662342 osdx hostapd[48516]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:50:52.662360 osdx hostapd[48516]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 08:50:52.662374 osdx hostapd[48516]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
Jun 03 08:50:52.662385 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: Sending EAP Packet (identifier 227)
Jun 03 08:50:52.662682 osdx hostapd[48516]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:50:52.662689 osdx hostapd[48516]: eth1: RADIUS Received RADIUS message
Jun 03 08:50:52.662694 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:50:52.662699 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Processing RADIUS response
Jun 03 08:50:52.662720 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:11'
Jun 03 08:50:52.662736 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated
Jun 03 08:50:52.662740 osdx hostapd[48516]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:50:52.662757 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port
Jun 03 08:50:52.662761 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 RADIUS: starting accounting session E7BCFD28A2056287

Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode 802.1x-MAB
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/TG8TJuno/s5DEecg4Wp93d73/07M9CUzCl3XxhuHN+j3bVuMztmYiTpOZQR2tuSs+mkbbAFy8JA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping the IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.335 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.335/0.335/0.335/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   2
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         4
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 5: Ping the IP address 192.168.100.1 from DUT1 and expect the command to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 6: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:

IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Show output
Jun 03 08:51:05.580793 osdx hostapd[49120]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:51:05.581046 osdx hostapd[49120]: connect[radius]: Network is unreachable
Jun 03 08:51:05.580805 osdx hostapd[49120]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:51:05.580852 osdx hostapd[49120]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:51:05.580855 osdx hostapd[49120]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:51:05.604629 osdx hostapd[49120]: Discovery mode enabled on eth1
Jun 03 08:51:05.604705 osdx hostapd[49120]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:51:05.604705 osdx hostapd[49120]: eth1: AP-ENABLED
Jun 03 08:51:10.604927 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Jun 03 08:51:10.604969 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jun 03 08:51:10.604976 osdx hostapd[49121]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:51:10.620688 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Jun 03 08:51:10.620718 osdx hostapd[49121]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 03 08:51:10.620722 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 03 08:51:10.620724 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 03 08:51:10.620743 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jun 03 08:51:10.620750 osdx hostapd[49121]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 08:51:10.620774 osdx hostapd[49121]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
Jun 03 08:51:10.620788 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 171)
Jun 03 08:51:13.622907 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 171)
Jun 03 08:51:19.627928 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 171)
Jun 03 08:51:31.637485 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Jun 03 08:51:31.637495 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jun 03 08:51:31.637501 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jun 03 08:51:31.637541 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 03 08:51:31.639370 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jun 03 08:51:31.639384 osdx hostapd[49121]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:51:31.639466 osdx hostapd[49121]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:51:31.639544 osdx hostapd[49121]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:51:31.639570 osdx hostapd[49121]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 08:51:31.639578 osdx hostapd[49121]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
Jun 03 08:51:31.639588 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 164)
Jun 03 08:51:32.639874 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jun 03 08:51:32.639908 osdx hostapd[49121]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 03 08:51:32.640065 osdx hostapd[49121]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:51:32.640068 osdx hostapd[49121]: eth1: RADIUS Received RADIUS message
Jun 03 08:51:32.640072 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:51:32.640075 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jun 03 08:51:32.640130 osdx hostapd[49121]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:51:32.640133 osdx hostapd[49121]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:51:32.640136 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Jun 03 08:51:32.640139 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Jun 03 08:51:32.640146 osdx hostapd[49121]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:51:32.640148 osdx hostapd[49121]: eth1: RADIUS Received RADIUS message
Jun 03 08:51:32.640150 osdx hostapd[49121]: eth1: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
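
The journal checks in the scenarios above look for two tokens per run: the fallback trigger and the MAB result. As an added example (not part of the OSDx documentation), the Python below pairs those tokens per station and reports why fallback started and how MAB ended; the function and class names are this example's own, and the sample lines are copied from the outputs above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Journal lines copied from the outputs above and abridged (three fallback runs).
SAMPLE_JOURNAL = """\
Jun 03 08:50:16.134807 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jun 03 08:50:16.134811 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Jun 03 08:50:16.134845 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 03 08:50:17.135315 osdx hostapd[47967]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Jun 03 08:50:52.660316 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jun 03 08:50:52.660368 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:11
Jun 03 08:50:52.662682 osdx hostapd[48516]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:50:52.662736 osdx hostapd[48516]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated
Jun 03 08:51:31.637495 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jun 03 08:51:31.637541 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 03 08:51:32.640136 osdx hostapd[49121]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
"""

# Only per-station "IEEE 802.1X" lines carry the tokens the scenarios check.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) \S+ hostapd\[\d+\]: (?P<iface>\S+): "
    r"STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) IEEE 802\.1X: (?P<msg>.*)$"
)
# Fallback trigger messages as they appear in the journal, mapped to a short reason.
FALLBACK_REASONS = {
    "802.1X authentication failed, triggering MAB fallback immediately": "eap-failure",
    "EAP max retrans reached, triggering MAB fallback immediately": "no-eap-response",
}
HELD_RE = re.compile(
    r"^MAB: Authentication failed, entering held state \(quiet period (\d+) sec\)$"
)


@dataclass
class MabSession:
    iface: str
    sta: str
    started: str                        # timestamp of the fallback trigger
    reason: str                         # "eap-failure" or "no-eap-response"
    identity: Optional[str] = None      # MAB User-Name sent to RADIUS
    outcome: str = "pending"            # "authorized", "rejected" or "pending"
    quiet_period: Optional[int] = None  # seconds held after a rejection


def parse_mab_sessions(journal: str) -> List[MabSession]:
    """Pair each fallback trigger with the MAB result that follows it."""
    sessions: List[MabSession] = []
    open_by_sta = {}  # (iface, sta) -> session still waiting for a result
    for line in journal.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, msg = (m["iface"], m["sta"]), m["msg"]
        if msg in FALLBACK_REASONS:
            session = MabSession(m["iface"], m["sta"], m["ts"], FALLBACK_REASONS[msg])
            sessions.append(session)
            open_by_sta[key] = session
            continue
        session = open_by_sta.get(key)
        if session is None:
            continue  # 802.1X line outside any fallback run
        held = HELD_RE.match(msg)
        if msg.startswith("MAB: User-Name = "):
            session.identity = msg.split(" = ", 1)[1]
        elif msg == "MAB: station successfully authenticated":
            session.outcome = "authorized"
            del open_by_sta[key]
        elif held:
            session.outcome = "rejected"
            session.quiet_period = int(held.group(1))
            del open_by_sta[key]
    return sessions


def mac_only_admissions(sessions: List[MabSession]) -> List[MabSession]:
    # In the logs above the MAB User-Name and User-Password are both the
    # station MAC, so an authorized MAB run is an admission by MAC alone.
    return [s for s in sessions if s.outcome == "authorized"]
```
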