MAB First
This scenario shows how to configure the MAB-first authentication mode.
Test Successful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode MAB-802.1x
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18NdwvLOpw4B4wYlYR/IMxjOSH8BRVia4TVMgFNfdEleIx/ZTtZ9/byqSawkE/gPyqrJbh2Y3DTzQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.311 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.311/0.311/0.311/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1/Ib7zCIxGxfBIqxXpHDSf/1QLFPUZqyP0=
set interfaces ethernet eth1 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        0
Authentication Backend   RADIUS
Authentication Failures  0
Authentication Mode      MAB
Authentication Status    Authorized (MAB)
Authentication Successes 1
EAPoL frames (Rx)        1
EAPoL frames (Tx)        0
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         de:ad:be:ef:6c:11
Session User Name        N/A
Step 5: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.306 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.306/0.306/0.306/0.000 ms
Step 6: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
802.1X: MAB: station successfully authenticated
Jun 03 08:53:26.558542 osdx hostapd[52524]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:53:26.558555 osdx hostapd[52524]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:53:26.558822 osdx hostapd[52524]: connect[radius]: Network is unreachable
Jun 03 08:53:26.558592 osdx hostapd[52524]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:53:26.558596 osdx hostapd[52524]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:53:26.578399 osdx hostapd[52524]: Discovery mode enabled on eth1
Jun 03 08:53:26.578473 osdx hostapd[52524]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:53:26.578473 osdx hostapd[52524]: eth1: AP-ENABLED
Jun 03 08:53:29.851136 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: New STA de:ad:be:ef:6c:11 added
Jun 03 08:53:29.851149 osdx hostapd[52525]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:53:29.870444 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 03 08:53:29.870478 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Starting RADIUS query
Jun 03 08:53:29.870496 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:11
Jun 03 08:53:29.872265 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:11
Jun 03 08:53:29.872275 osdx hostapd[52525]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:53:29.872358 osdx hostapd[52525]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:53:29.872388 osdx hostapd[52525]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:53:29.872420 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAPOL-Start from STA
Jun 03 08:53:29.872656 osdx hostapd[52525]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:53:29.872661 osdx hostapd[52525]: eth1: RADIUS Received RADIUS message
Jun 03 08:53:29.872665 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:53:29.872669 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Processing RADIUS response
Jun 03 08:53:29.872679 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:11'
Jun 03 08:53:29.872693 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated
Jun 03 08:53:29.872697 osdx hostapd[52525]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:53:29.872707 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port
Jun 03 08:53:29.872710 osdx hostapd[52525]: eth1: STA de:ad:be:ef:6c:11 RADIUS: starting accounting session 36733414AFD66377
Test Successful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode MAB-802.1x
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/lipkmy2jwHORUPSDmwERbAO91VquueTSjMhP5NnYXEKxYy0oke6KbgVlsM+pIg0MjijI5lNDV7w==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.274 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.274/0.274/0.274/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1/OpeAcG63AQWP4S1SWsPpL4sPqHSM6o/A=
set interfaces ethernet eth1 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        0
Authentication Backend   RADIUS
Authentication Failures  0
Authentication Mode      MAB
Authentication Status    Authorized (MAB)
Authentication Successes 1
EAPoL frames (Rx)        1
EAPoL frames (Tx)        0
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         de:ad:be:ef:6c:11
Session User Name        N/A
Step 5: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.276 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.276/0.276/0.276/0.000 ms
Step 6: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
802.1X: MAB: station successfully authenticated
Jun 03 08:53:39.379376 osdx hostapd[53085]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:53:39.379386 osdx hostapd[53085]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:53:39.379614 osdx hostapd[53085]: connect[radius]: Network is unreachable
Jun 03 08:53:39.379419 osdx hostapd[53085]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:53:39.379422 osdx hostapd[53085]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:53:39.407171 osdx hostapd[53085]: Discovery mode enabled on eth1
Jun 03 08:53:39.407252 osdx hostapd[53085]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:53:39.407252 osdx hostapd[53085]: eth1: AP-ENABLED
Jun 03 08:53:43.020987 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: New STA de:ad:be:ef:6c:11 added
Jun 03 08:53:43.021003 osdx hostapd[53086]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:53:43.039217 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 03 08:53:43.039245 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Starting RADIUS query
Jun 03 08:53:43.039259 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:11
Jun 03 08:53:43.040976 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:11
Jun 03 08:53:43.040986 osdx hostapd[53086]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:53:43.041055 osdx hostapd[53086]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:53:43.041081 osdx hostapd[53086]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:53:43.041110 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAPOL-Start from STA
Jun 03 08:53:43.041361 osdx hostapd[53086]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:53:43.041367 osdx hostapd[53086]: eth1: RADIUS Received RADIUS message
Jun 03 08:53:43.041371 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:53:43.041375 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Processing RADIUS response
Jun 03 08:53:43.041387 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:11'
Jun 03 08:53:43.041396 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated
Jun 03 08:53:43.041399 osdx hostapd[53086]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:53:43.041407 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port
Jun 03 08:53:43.041409 osdx hostapd[53086]: eth1: STA de:ad:be:ef:6c:11 RADIUS: starting accounting session 41A99DE81D8CDD46
Test Successful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode MAB-802.1x
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+doCwIUJJo4ClyJPAakJr6248og2xLAB6w2IfzLFLKRgRMgJH97w/tBw4Ix/Fe0bvmPcztc1eqYQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.449 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.449/0.449/0.449/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.543 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.543/0.543/0.543/0.000 ms
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        0
Authentication Backend   RADIUS
Authentication Failures  0
Authentication Mode      MAB
Authentication Status    Authorized (MAB)
Authentication Successes 1
EAPoL frames (Rx)        0
EAPoL frames (Tx)        0
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         de:ad:be:ef:6c:11
Session User Name        N/A
Step 6: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.295 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.295/0.295/0.295/0.000 ms
Step 7: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
802.1X: MAB: station successfully authenticated
Jun 03 08:53:52.842619 osdx hostapd[53644]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:53:52.842630 osdx hostapd[53644]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:53:52.842901 osdx hostapd[53644]: connect[radius]: Network is unreachable
Jun 03 08:53:52.842670 osdx hostapd[53644]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:53:52.842673 osdx hostapd[53644]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:53:52.878394 osdx hostapd[53644]: Discovery mode enabled on eth1
Jun 03 08:53:52.878503 osdx hostapd[53644]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:53:52.878503 osdx hostapd[53644]: eth1: AP-ENABLED
Jun 03 08:53:57.878617 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 DRIVER: Device discovered, triggering MAB authentication
Jun 03 08:53:57.878651 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: New STA de:ad:be:ef:6c:11 added
Jun 03 08:53:57.878659 osdx hostapd[53645]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:53:57.894370 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 03 08:53:57.894405 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Starting RADIUS query
Jun 03 08:53:57.894425 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:11
Jun 03 08:53:57.896765 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:11
Jun 03 08:53:57.896778 osdx hostapd[53645]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:53:57.896871 osdx hostapd[53645]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:53:57.896905 osdx hostapd[53645]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:53:57.897173 osdx hostapd[53645]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:53:57.897179 osdx hostapd[53645]: eth1: RADIUS Received RADIUS message
Jun 03 08:53:57.897183 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:53:57.897188 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Processing RADIUS response
Jun 03 08:53:57.897198 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:11'
Jun 03 08:53:57.897214 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated
Jun 03 08:53:57.897218 osdx hostapd[53645]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:53:57.897232 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: authorizing port
Jun 03 08:53:57.897236 osdx hostapd[53645]: eth1: STA de:ad:be:ef:6c:11 RADIUS: starting accounting session 97765A385342B636
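In the three scenarios above the port is authorized on the MAC address alone, including the run where DUT1 was configured with wrong 802.1x credentials. The following added example (not part of the original page or of the OSDX software) parses journal lines of the format shown above and reports, per station, whether it was admitted by MAB or by the 802.1X fallback checked in the next scenario, and which MAB admissions came from stations that had sent EAPOL-Start. The sample lines, the interface names eth2 and eth3, the MAC 02:00:00:00:00:01 and the function names are constructed for illustration.

```python
import re

# Layout of the journal lines on this page:
#   "<timestamp> osdx hostapd[<pid>]: <iface>: STA <mac> <message>"
LINE_RE = re.compile(
    r"hostapd\[\d+\]: (?P<iface>\S+): STA "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
# Token checked in the fallback scenario: "authenticated - EAP type: 25 (PEAP)"
EAP_OK_RE = re.compile(r"authenticated - EAP type: \d+ \((\w+)\)")
# 802.1X PAE group address: hostapd logs it as a "STA" for port-wide events,
# so it must not be counted as a station.
PAE_GROUP = "01:80:c2:00:00:03"

# Constructed sample (timestamps, PIDs, eth2/eth3 and 02:00:00:00:00:01 are
# made up); the message texts are the ones that appear on this page.
SAMPLE_JOURNAL = """\
Jun 03 09:00:00.000001 osdx hostapd[1000]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 03 09:00:00.000002 osdx hostapd[1000]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: received EAPOL-Start from STA
Jun 03 09:00:00.000003 osdx hostapd[1000]: eth1: RADIUS Received RADIUS message
Jun 03 09:00:00.000004 osdx hostapd[1000]: eth1: STA de:ad:be:ef:6c:11 IEEE 802.1X: MAB: station successfully authenticated
Jun 03 09:00:01.000001 osdx hostapd[1001]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 03 09:00:01.000002 osdx hostapd[1001]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: MAB: station successfully authenticated
Jun 03 09:00:02.000001 osdx hostapd[1002]: eth3: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 03 09:00:02.000002 osdx hostapd[1002]: eth3: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Jun 03 09:00:02.000003 osdx hostapd[1002]: eth3: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jun 03 09:00:02.000004 osdx hostapd[1002]: eth3: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 09:00:02.000005 osdx hostapd[1002]: eth3: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
"""


def classify(journal_text):
    """Return {(iface, mac): record} describing how each station was handled."""
    stations = {}
    for line in journal_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["mac"] == PAE_GROUP:
            continue  # not a per-station line
        rec = stations.setdefault((m["iface"], m["mac"]), {
            "mab_tried": False, "mab_failed": False,
            "eapol_start": False, "method": None, "eap_type": None,
        })
        msg = m["msg"]
        if "MAB-first mode: Starting MAB authentication" in msg:
            rec["mab_tried"] = True
        elif "received EAPOL-Start from STA" in msg:
            rec["eapol_start"] = True  # station runs an 802.1X supplicant
        elif "MAB: station successfully authenticated" in msg:
            rec["method"] = "MAB"
        elif "MAB failed, transitioning to 802.1X" in msg:
            rec["mab_failed"] = True
        else:
            eap = EAP_OK_RE.search(msg)
            if eap:
                rec["method"] = "802.1X"
                rec["eap_type"] = eap.group(1)
    return stations


def mac_only_admissions(stations):
    """List (iface, mac, sent_eapol_start) for stations admitted by MAB.

    Entries with sent_eapol_start=True sort first: those stations run a
    supplicant, but in MAB-first mode their credentials were never evaluated
    because the MAC address already matched.
    """
    hits = [
        (iface, mac, rec["eapol_start"])
        for (iface, mac), rec in stations.items()
        if rec["method"] == "MAB"
    ]
    return sorted(hits, key=lambda h: (not h[2], h[0], h[1]))


if __name__ == "__main__":
    result = classify(SAMPLE_JOURNAL)
    for (iface, mac), rec in result.items():
        print(iface, mac, rec)
    print("MAC-only admissions:", mac_only_admissions(result))
```

To audit a real device, pass the text produced by system journal show | grep "osdx hostapd" to classify(); the authenticator must be at log-level debug, as in the configurations above, for these lines to be present.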
Test Unsuccessful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode MAB-802.1x
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+9k+or2R6jTfxbDYjD/3bIdY4qeT/S1f/TNvu7EJa+Lrrtd+hGNFX/eMxSc7zBaBacB/pZ6niOZA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.263 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.263/0.263/0.263/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 mac '00:11:22:33:44:55'
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1/chHtHjSKexQ9vefabmCjxS9Q/Sb0DDRM=
set interfaces ethernet eth1 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show status on DUT1 and check whether the output contains the following tokens:
Authorized
---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                    Value
---------------------------------------------
Access Challenges        9
Authentication Backend   RADIUS
Authentication Failures  1
Authentication Mode      802.1X
Authentication Status    Authorized (802.1X)
Authentication Successes 1
EAPoL frames (Rx)        11
EAPoL frames (Tx)        11
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         00:11:22:33:44:55
Session User Name        testing
Step 7: Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.694 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.694/0.694/0.694/0.000 ms
Step 8: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Jun 03 08:54:10.355058 osdx hostapd[54211]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:54:10.355073 osdx hostapd[54211]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:54:10.355398 osdx hostapd[54211]: connect[radius]: Network is unreachable
Jun 03 08:54:10.355108 osdx hostapd[54211]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:54:10.355111 osdx hostapd[54211]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:54:10.378955 osdx hostapd[54211]: Discovery mode enabled on eth1
Jun 03 08:54:10.379023 osdx hostapd[54211]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:54:10.379043 osdx hostapd[54211]: eth1: AP-ENABLED
Jun 03 08:54:13.703665 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jun 03 08:54:13.703676 osdx hostapd[54212]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:54:13.718982 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 03 08:54:13.719011 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jun 03 08:54:13.719029 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 03 08:54:13.720684 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jun 03 08:54:13.720693 osdx hostapd[54212]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:54:13.720755 osdx hostapd[54212]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:13.720781 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:13.720802 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Jun 03 08:54:14.720875 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jun 03 08:54:14.720916 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 03 08:54:14.721120 osdx hostapd[54212]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:54:14.721124 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.721127 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:14.721131 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jun 03 08:54:14.721193 osdx hostapd[54212]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:54:14.721195 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jun 03 08:54:14.721198 osdx hostapd[54212]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 03 08:54:14.721201 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Jun 03 08:54:14.721207 osdx hostapd[54212]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 08:54:14.721222 osdx hostapd[54212]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
Jun 03 08:54:14.721230 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 139)
Jun 03 08:54:14.721243 osdx hostapd[54212]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:54:14.721246 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.721248 osdx hostapd[54212]: eth1: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Jun 03 08:54:14.721599 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=139 len=12) from STA: EAP Response-Identity (1)
Jun 03 08:54:14.721609 osdx hostapd[54212]: IEEE 802.1X: OSDX-EAP: getDecision: -> PASSTHROUGH
Jun 03 08:54:14.721614 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Jun 03 08:54:14.721681 osdx hostapd[54212]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:14.721696 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:14.721912 osdx hostapd[54212]: eth1: RADIUS Received 80 bytes from RADIUS server
Jun 03 08:54:14.721918 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.721922 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:14.721941 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=140 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 03 08:54:14.721948 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 140)
Jun 03 08:54:14.722132 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=140 len=6) from STA: EAP Response-unknown (3)
Jun 03 08:54:14.722181 osdx hostapd[54212]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:14.722194 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:14.722402 osdx hostapd[54212]: eth1: RADIUS Received 64 bytes from RADIUS server
Jun 03 08:54:14.722409 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.722414 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:14.722441 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=141 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:14.722449 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 141)
Jun 03 08:54:14.722814 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=141 len=194) from STA: EAP Response-PEAP (25)
Jun 03 08:54:14.722857 osdx hostapd[54212]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:14.722873 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:14.723900 osdx hostapd[54212]: eth1: RADIUS Received 1068 bytes from RADIUS server
Jun 03 08:54:14.723908 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.723913 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:14.723943 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=142 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:14.723952 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 142)
Jun 03 08:54:14.724212 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=142 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:54:14.724268 osdx hostapd[54212]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:14.724288 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:14.724432 osdx hostapd[54212]: eth1: RADIUS Received 229 bytes from RADIUS server
Jun 03 08:54:14.724438 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.724442 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:14.724458 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=143 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:14.724464 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 143)
Jun 03 08:54:14.726456 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=143 len=103) from STA: EAP Response-PEAP (25)
Jun 03 08:54:14.726510 osdx hostapd[54212]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:14.726527 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:14.726926 osdx hostapd[54212]: eth1: RADIUS Received 115 bytes from RADIUS server
Jun 03 08:54:14.726933 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.726937 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:14.726957 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=144 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:14.726964 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 144)
Jun 03 08:54:14.727245 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=144 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:54:14.727279 osdx hostapd[54212]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:14.727291 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:14.727426 osdx hostapd[54212]: eth1: RADIUS Received 98 bytes from RADIUS server
Jun 03 08:54:14.727431 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.727433 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:14.727445 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=145 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:14.727449 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 145)
Jun 03 08:54:14.727626 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=145 len=43) from STA: EAP Response-PEAP (25)
Jun 03 08:54:14.727663 osdx hostapd[54212]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:14.727673 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:14.727813 osdx hostapd[54212]: eth1: RADIUS Received 131 bytes from RADIUS server
Jun 03 08:54:14.727817 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.727819 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:14.727831 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=146 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:14.727837 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 146)
Jun 03 08:54:14.728124 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=146 len=97) from STA: EAP Response-PEAP (25)
Jun 03 08:54:14.728168 osdx hostapd[54212]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:14.728179 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:14.728347 osdx hostapd[54212]: eth1: RADIUS Received 140 bytes from RADIUS server
Jun 03 08:54:14.728351 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.728354 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:14.728365 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=147 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:14.728370 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 147)
Jun 03 08:54:14.728565 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=147 len=37) from STA: EAP Response-PEAP (25)
Jun 03 08:54:14.728612 osdx hostapd[54212]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:14.728628 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:14.728815 osdx hostapd[54212]: eth1: RADIUS Received 104 bytes from RADIUS server
Jun 03 08:54:14.728822 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.728826 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:14.728844 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=148 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:14.728851 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 148)
Jun 03 08:54:14.729012 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=148 len=46) from STA: EAP Response-PEAP (25)
Jun 03 08:54:14.729051 osdx hostapd[54212]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:14.729063 osdx hostapd[54212]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:14.729252 osdx hostapd[54212]: eth1: RADIUS Received 175 bytes from RADIUS server
Jun 03 08:54:14.729261 osdx hostapd[54212]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:14.729265 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:14.729288 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jun 03 08:54:14.729292 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=148 len=4) from RADIUS server: EAP Success
Jun 
03 08:54:14.729307 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 148) Jun 03 08:54:14.729322 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port Jun 03 08:54:14.729325 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 RADIUS: starting accounting session D9372579EDCD72C5 Jun 03 08:54:14.729336 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode MAB-802.1x
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+RcqJHd/BA9wdSdEOPOJjhe3QonwBUWZ2QP7LwXA26n0DBR6l8/D17UfPE7+Q7VPHTt/7AQufHLQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.346 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.346/0.346/0.346/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 mac '00:11:22:33:44:55'
set interfaces ethernet eth1 supplicant encrypted-password U2FsdGVkX1/84890dGdArVd8m4bg2NSMTjlE9NFdcf0=
set interfaces ethernet eth1 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 supplicant show stats on DUT1 and check whether the output matches the following regular expressions:
Port Status\s+Unauthorized
---------------------------------
Field                  Value
---------------------------------
EAPoL Frames (Rx)      9
EAPoL Frames (Tx)      10
Invalid Frames (Rx)    0
Logoff Frames (Tx)     0
Port Status            Unauthorized
Req Frames (Rx)        8
Req ID Frames (Rx)     1
Resp Frames (Tx)       9
Start Frames (Tx)      1
Step 5: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                      Value
-------------------------------------------
Access Challenges          8
Authentication Backend     RADIUS
Authentication Failures    1
Authentication Mode        N/A
Authentication Status      Unauthorized
Authentication Successes   0
EAPoL frames (Rx)          10
EAPoL frames (Tx)          9
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           00:11:22:33:44:55
Session User Name          N/A
Step 6: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jun 03 08:54:23.257365 osdx hostapd[54775]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:54:23.257382 osdx hostapd[54775]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:54:23.257647 osdx hostapd[54775]: connect[radius]: Network is unreachable
Jun 03 08:54:23.257415 osdx hostapd[54775]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:54:23.257418 osdx hostapd[54775]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:54:23.277214 osdx hostapd[54775]: Discovery mode enabled on eth1
Jun 03 08:54:23.277302 osdx hostapd[54775]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:54:23.277302 osdx hostapd[54775]: eth1: AP-ENABLED
Jun 03 08:54:26.691953 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jun 03 08:54:26.691965 osdx hostapd[54776]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:54:26.705287 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 03 08:54:26.705328 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jun 03 08:54:26.705347 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 03 08:54:26.707516 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jun 03 08:54:26.707534 osdx hostapd[54776]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:54:26.707618 osdx hostapd[54776]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:26.707653 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:26.707685 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Jun 03 08:54:27.707744 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jun 03 08:54:27.707779 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 03 08:54:27.707990 osdx hostapd[54776]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:54:27.707995 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:27.708000 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:27.708004 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jun 03 08:54:27.708065 osdx hostapd[54776]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:54:27.708068 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jun 03 08:54:27.708072 osdx hostapd[54776]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 03 08:54:27.708075 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Jun 03 08:54:27.708084 osdx hostapd[54776]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 08:54:27.708092 osdx hostapd[54776]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
Jun 03 08:54:27.708103 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 193)
Jun 03 08:54:27.708118 osdx hostapd[54776]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:54:27.708121 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:27.708124 osdx hostapd[54776]: eth1: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Jun 03 08:54:27.708793 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=193 len=10) from STA: EAP Response-Identity (1)
Jun 03 08:54:27.708807 osdx hostapd[54776]: IEEE 802.1X: OSDX-EAP: getDecision: -> PASSTHROUGH
Jun 03 08:54:27.708812 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Jun 03 08:54:27.708878 osdx hostapd[54776]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:27.709089 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:27.709162 osdx hostapd[54776]: eth1: RADIUS Received 80 bytes from RADIUS server
Jun 03 08:54:27.709168 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:27.709173 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:27.709197 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=194 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 03 08:54:27.709204 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 194)
Jun 03 08:54:27.709479 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=194 len=6) from STA: EAP Response-unknown (3)
Jun 03 08:54:27.709540 osdx hostapd[54776]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:27.709554 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:27.709805 osdx hostapd[54776]: eth1: RADIUS Received 64 bytes from RADIUS server
Jun 03 08:54:27.709812 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:27.709817 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:27.709834 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=195 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:27.709841 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 195)
Jun 03 08:54:27.710246 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=195 len=194) from STA: EAP Response-PEAP (25)
Jun 03 08:54:27.710292 osdx hostapd[54776]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:27.710305 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:27.711466 osdx hostapd[54776]: eth1: RADIUS Received 1068 bytes from RADIUS server
Jun 03 08:54:27.711473 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:27.711476 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:27.711509 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=196 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:27.711517 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 196)
Jun 03 08:54:27.711836 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=196 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:54:27.711900 osdx hostapd[54776]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:27.711917 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:27.712081 osdx hostapd[54776]: eth1: RADIUS Received 229 bytes from RADIUS server
Jun 03 08:54:27.712089 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:27.712094 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:27.712114 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=197 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:27.712120 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 197)
Jun 03 08:54:27.713569 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=197 len=103) from STA: EAP Response-PEAP (25)
Jun 03 08:54:27.713625 osdx hostapd[54776]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:27.713647 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:27.714074 osdx hostapd[54776]: eth1: RADIUS Received 115 bytes from RADIUS server
Jun 03 08:54:27.714082 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:27.714087 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:27.714114 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=198 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:27.714122 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 198)
Jun 03 08:54:27.714483 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=198 len=6) from STA: EAP Response-PEAP (25)
Jun 03 08:54:27.714534 osdx hostapd[54776]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:27.714548 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:27.714717 osdx hostapd[54776]: eth1: RADIUS Received 98 bytes from RADIUS server
Jun 03 08:54:27.714724 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:27.714729 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:27.714747 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=199 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:27.714754 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 199)
Jun 03 08:54:27.714998 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=199 len=41) from STA: EAP Response-PEAP (25)
Jun 03 08:54:27.715052 osdx hostapd[54776]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:27.715125 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:27.715271 osdx hostapd[54776]: eth1: RADIUS Received 131 bytes from RADIUS server
Jun 03 08:54:27.715277 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:27.715282 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:27.715300 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=200 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:27.715307 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 200)
Jun 03 08:54:27.715609 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=200 len=95) from STA: EAP Response-PEAP (25)
Jun 03 08:54:27.715656 osdx hostapd[54776]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:27.715670 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:27.715924 osdx hostapd[54776]: eth1: RADIUS Received 104 bytes from RADIUS server
Jun 03 08:54:27.715929 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:27.715932 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:27.715948 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=201 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 03 08:54:27.715954 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 201)
Jun 03 08:54:27.716152 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=201 len=46) from STA: EAP Response-PEAP (25)
Jun 03 08:54:27.716188 osdx hostapd[54776]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:27.716200 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:28.716307 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Jun 03 08:54:28.716349 osdx hostapd[54776]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 03 08:54:28.716528 osdx hostapd[54776]: eth1: RADIUS Received 44 bytes from RADIUS server
Jun 03 08:54:28.716533 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:28.716538 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:28.716586 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=201 len=4) from RADIUS server: EAP Failure
Jun 03 08:54:28.716616 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 201)
Jun 03 08:54:28.716630 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jun 03 08:54:28.716635 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jun 03 08:54:28.716638 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds)
Jun 03 08:54:28.716644 osdx hostapd[54776]: eth1: RADIUS Received 44 bytes from RADIUS server
Jun 03 08:54:28.716646 osdx hostapd[54776]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:28.716649 osdx hostapd[54776]: eth1: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 address 192.168.100.1/24
set interfaces ethernet eth1 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth1 authenticator aaa authentication list1
set interfaces ethernet eth1 authenticator log-level debug
set interfaces ethernet eth1 authenticator mode MAB-802.1x
set interfaces ethernet eth1 authenticator quiet-period 60
set interfaces ethernet eth1 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+PCySRQW9hdm5e8AJp9DY+P+QQMwkPdvHSc6DYC5NgL6EYMZqi3zRkMYaz4ilI2TeFzNCIftXYFQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.216 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.216/0.216/0.216/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 192.168.100.2/24
set interfaces ethernet eth1 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run the command interfaces ethernet eth1 authenticator show stats on DUT0 and check whether the output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                      Value
-------------------------------------------
Access Challenges          0
Authentication Backend     RADIUS
Authentication Failures    1
Authentication Mode        N/A
Authentication Status      Unauthorized
Authentication Successes   0
EAPoL frames (Rx)          0
EAPoL frames (Tx)          2
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           00:11:22:33:44:55
Session User Name          N/A
Step 5: Expect a failure in the following command:
Ping the IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run the command system journal show | grep "osdx hostapd" on DUT0 and check whether the output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: EAP authentication timeout
Jun 03 08:54:37.545230 osdx hostapd[55330]: eth1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 03 08:54:37.545245 osdx hostapd[55330]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:54:37.545511 osdx hostapd[55330]: connect[radius]: Network is unreachable
Jun 03 08:54:37.545295 osdx hostapd[55330]: eth1: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 03 08:54:37.545299 osdx hostapd[55330]: eth1: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 03 08:54:37.565020 osdx hostapd[55330]: Discovery mode enabled on eth1
Jun 03 08:54:37.565116 osdx hostapd[55330]: eth1: interface state UNINITIALIZED->ENABLED
Jun 03 08:54:37.565154 osdx hostapd[55330]: eth1: AP-ENABLED
Jun 03 08:54:42.565262 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Jun 03 08:54:42.565298 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jun 03 08:54:42.565306 osdx hostapd[55331]: eth1: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 03 08:54:42.585069 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 03 08:54:42.585105 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jun 03 08:54:42.585125 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 03 08:54:42.587498 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jun 03 08:54:42.587512 osdx hostapd[55331]: eth1: RADIUS Authentication server 10.215.168.1:1812
Jun 03 08:54:42.587605 osdx hostapd[55331]: eth1: RADIUS Sending RADIUS message to authentication server
Jun 03 08:54:42.587643 osdx hostapd[55331]: eth1: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 03 08:54:43.587728 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jun 03 08:54:43.587759 osdx hostapd[55331]: eth1: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 03 08:54:43.587948 osdx hostapd[55331]: eth1: RADIUS Received 20 bytes from RADIUS server
Jun 03 08:54:43.587951 osdx hostapd[55331]: eth1: RADIUS Received RADIUS message
Jun 03 08:54:43.587955 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 03 08:54:43.587958 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jun 03 08:54:43.588007 osdx hostapd[55331]: eth1: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 03 08:54:43.588010 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jun 03 08:54:43.588013 osdx hostapd[55331]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 03 08:54:43.588016 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Jun 03 08:54:43.588026 osdx hostapd[55331]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 03 08:54:43.588034 osdx hostapd[55331]: IEEE 802.1X: OSDX-EAP: getDecision: no identity known yet -> CONTINUE
Jun 03 08:54:43.588046 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 5)
Jun 03 08:54:46.588276 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 5)
Jun 03 08:54:51.730891 osdx OSDxCLI[5794]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 03 08:54:52.593263 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 5)
Jun 03 08:54:59.925691 osdx OSDxCLI[5794]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 03 08:55:04.604293 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Jun 03 08:55:04.604309 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying
Jun 03 08:55:04.604322 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2)
Jun 03 08:55:04.604328 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)
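The three fallback outcomes in these journals (802.1X success, 802.1X failure, no supplicant) differ only in a handful of hostapd messages. The following is an added example, not part of the OSDx documentation or its test suite: a Python summarizer that reads `system journal show | grep "osdx hostapd"` output and reports, per station MAC, whether MAB failed, how the 802.1X fallback ended, and which quiet period was enforced. The function names `summarize` and `needs_review` are hypothetical; the sample entries are excerpted from the journals on this page.

```python
import re

# Journal entry layout used on this page:
# "<timestamp> osdx hostapd[<pid>]: <ifname>: STA <mac> <module>: <message>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) \S+ hostapd\[\d+\]: (?P<ifname>\S+): "
    r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<module>[^:]+): (?P<msg>.*)$",
    re.IGNORECASE,
)
PAE_GROUP_ADDR = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a station
QUIET_RE = re.compile(r"enforcing .*?(\d+) second")
IDENTITY_RE = re.compile(r"^STA identity '([^']*)'")


def summarize(journal):
    """Return {mac: state} built from each station's IEEE 802.1X entries."""
    stations = {}
    for line in journal.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m["module"] != "IEEE 802.1X":
            continue  # RADIUS, MLME, DRIVER and interface-level entries
        mac = m["mac"].lower()
        if mac == PAE_GROUP_ADDR:
            continue
        st = stations.setdefault(mac, {
            "mab_failed": False, "dot1x": "pending", "identity": None,
            "quiet_period": None, "port_authorized": False,
        })
        msg = m["msg"]
        if "MAB failed, transitioning to 802.1X" in msg:
            st["mab_failed"] = True
        elif msg.startswith("authenticated - EAP type"):
            st["dot1x"] = "success"
        elif msg.startswith("authentication failed - EAP type"):
            st["dot1x"] = "failed"
        elif msg.startswith("EAP authentication timeout"):
            st["dot1x"] = "timeout"  # the station never answered EAP requests
        elif msg == "authorizing port":
            st["port_authorized"] = True
        elif msg == "unauthorizing port":
            st["port_authorized"] = False
        ident = IDENTITY_RE.match(msg)
        if ident:
            st["identity"] = ident.group(1)
        quiet = QUIET_RE.search(msg)
        if quiet:
            st["quiet_period"] = int(quiet.group(1))
    return stations


def needs_review(stations):
    """MACs rejected by MAB whose 802.1X fallback failed or timed out."""
    return sorted(mac for mac, st in stations.items()
                  if st["mab_failed"] and st["dot1x"] in ("failed", "timeout"))


# Sample entries excerpted from the journals on this page.
SUCCESS_JOURNAL = """
Jun 03 08:54:14.729322 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Jun 03 08:54:14.729336 osdx hostapd[54212]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
"""
FAILED_JOURNAL = """
Jun 03 08:54:27.708068 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jun 03 08:54:27.708072 osdx hostapd[54776]: eth1: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 03 08:54:27.708812 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Jun 03 08:54:28.716630 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jun 03 08:54:28.716635 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jun 03 08:54:28.716638 osdx hostapd[54776]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds)
"""
TIMEOUT_JOURNAL = """
Jun 03 08:54:43.588010 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jun 03 08:54:46.588276 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 5)
Jun 03 08:55:04.604293 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Jun 03 08:55:04.604309 osdx hostapd[55331]: eth1: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying
"""

if __name__ == "__main__":
    for name, text in (("success", SUCCESS_JOURNAL), ("failed", FAILED_JOURNAL),
                       ("timeout", TIMEOUT_JOURNAL)):
        result = summarize(text)
        print(name, result, "review:", needs_review(result))
```

A `timeout` result with `identity` still unset corresponds to the third scenario, where the authenticator statistics show EAPoL frames (Rx) 0: the device never spoke 802.1X at all.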