Eap Server

This scenario shows how to enable the local EAP server to authenticate users.

[Figure: eapserver.svg, scenario topology]

Test 802.1x Local Authentication

Description

DUT0 is configured to perform authentication using a local database with usernames and passwords.

Scenario

Note

Execute the following operational commands in DUT0 to generate the required x509 files:

pki generate private-key running://ca.key rsa
pki generate certificate running://ca.crt x509 private-key running://ca.key days 365
pki generate private-key running://server.key rsa
pki generate csr running://server.csr private-key running://server.key
pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 802.1x authenticator aaa authentication list1
set interfaces ethernet eth1 802.1x authenticator eap-server username testing encrypted-password U2FsdGVkX18poCfu6Ox8/+R2n7Ps3/36wUYAaxP4/Xs=
set interfaces ethernet eth1 802.1x authenticator eap-server x509 ca-cert 'running://ca.crt'
set interfaces ethernet eth1 802.1x authenticator eap-server x509 server-cert 'running://server.crt'
set interfaces ethernet eth1 802.1x authenticator eap-server x509 server-key 'running://server.key'
set interfaces ethernet eth1 802.1x authenticator log-level debug
set interfaces ethernet eth1 802.1x authenticator reauth-period 0
set interfaces ethernet eth1 address 192.168.100.1/24
set system aaa list list1 method 1 local
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.182 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.182/0.182/0.182/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX18Fx0VnsfQpQqeCeIcnzjb9xvtKFhrGme0=
set interfaces ethernet eth1 802.1x supplicant username testing
set interfaces ethernet eth1 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)             9
EAPoL Frames (Tx)             9
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               7
Req ID Frames (Rx)            1
Resp Frames (Tx)              8
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+([^0]\d*)
Authentication Backend\s+Local Server
--------------------------------------
         Field               Value
--------------------------------------
Access Challenges                    7
Authentication Backend    Local Server
Authentication Failures              0
Authentication Successes             1
EAPoL frames (Rx)                    9
EAPoL frames (Tx)                    9
Reauthenticate                   FALSE
Reauthenticate Period                0
Session Time                         0
Session User Name              testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.282 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.282/0.282/0.282/0.000 ms

Test 802.1x Authentication Failover

Description

DUT0 is configured to perform authentication using two different methods: a remote RADIUS server and the local database. When the remote server is not reachable, it fails over to the local database.

Scenario

Note

The following configuration lines are added to drop RADIUS UDP packets sent to the authentication server.

set interfaces eth0 traffic policy out DROP_UDP
set traffic policy DROP_UDP rule 1 selector SEL_UDP
set traffic policy DROP_UDP rule 1 action drop
set traffic selector SEL_UDP rule 1 protocol udp

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic policy out DROP_UDP
set interfaces ethernet eth1 802.1x authenticator aaa authentication list1
set interfaces ethernet eth1 802.1x authenticator eap-server username testing encrypted-password U2FsdGVkX18cTey8Vy5QOIX6u7spXC4j6ErT/D1Fbag=
set interfaces ethernet eth1 802.1x authenticator eap-server x509 ca-cert 'running://ca.crt'
set interfaces ethernet eth1 802.1x authenticator eap-server x509 server-cert 'running://server.crt'
set interfaces ethernet eth1 802.1x authenticator eap-server x509 server-key 'running://server.key'
set interfaces ethernet eth1 802.1x authenticator log-level debug
set interfaces ethernet eth1 802.1x authenticator reauth-period 15
set interfaces ethernet eth1 address 192.168.100.1/24
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa list list1 method 2 local
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18LEHQWFUaEzyrG3jMj6iUU0v3mwa7O8yK5TVEUjLpX60SnNRw6ahkU37o0+633CJYasG0P2mNlnw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy DROP_UDP rule 1 action drop
set traffic policy DROP_UDP rule 1 selector SEL_UDP
set traffic selector SEL_UDP rule 1 protocol udp

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.175 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.175/0.175/0.175/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX18xddc2njlU5r4SJJwm5Otiyc8erCDBw+4=
set interfaces ethernet eth1 802.1x supplicant username testing
set interfaces ethernet eth1 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            13
EAPoL Frames (Tx)            13
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            3
Resp Frames (Tx)             12
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+([^0]\d*)
Authentication Backend\s+Local Server
--------------------------------------
         Field               Value
--------------------------------------
Access Challenges                    7
Authentication Backend    Local Server
Authentication Failures              0
Authentication Successes             1
EAPoL frames (Rx)                    9
EAPoL frames (Tx)                    9
Reauthenticate                    TRUE
Reauthenticate Period               15
Session Time                         1
Session User Name              testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.336 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.336/0.336/0.336/0.000 ms

Note

Delete this configuration line to restore connectivity to the RADIUS server and verify that the Authentication Backend changes from Local Server to RADIUS.

del interfaces eth0 traffic

Step 8: Modify the following configuration lines in DUT0:

delete interfaces ethernet eth0 traffic

Step 9: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+([^0]\d*)
Authentication Backend\s+RADIUS
---------------------------------
         Field             Value
---------------------------------
Access Challenges              16
Authentication Backend     RADIUS
Authentication Failures         0
Authentication Successes        2
EAPoL frames (Rx)              19
EAPoL frames (Tx)              20
Reauthenticate               TRUE
Reauthenticate Period          15
Session Time                    7
Session User Name         testing
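As an added example (not part of the original scenario or of the device's own tooling), the following Python checker parses the authenticator's show stats table and applies the Step 6 and Step 9 checks, plus the Local Server to RADIUS transition the Note after Step 7 asks for. The two sample tables are constructed from the page's Step 6 and Step 9 outputs.

```python
import re

# Constructed samples modelled on the page's Step 6 output (RADIUS blocked by DROP_UDP,
# local EAP server used) and Step 9 output (RADIUS reachable again) of "show stats".
STATS_LOCAL = """\
--------------------------------------
         Field               Value
--------------------------------------
Authentication Backend    Local Server
Authentication Failures              0
Authentication Successes             1
"""
STATS_RADIUS = """\
---------------------------------
         Field             Value
---------------------------------
Authentication Backend     RADIUS
Authentication Failures         0
Authentication Successes        2
"""

# A row is "Field<2+ spaces>Value"; a value may itself contain one space ("Local Server").
ROW_RE = re.compile(r"^(\S.*?)\s{2,}(\S.*)$")

def parse_stats(text):
    """Turn the two-column table into a dict, skipping rulers and the header row."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) == {"-"} or line.split() == ["Field", "Value"]:
            continue
        m = ROW_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_backend(text, expected_backend):
    # Same checks as Step 6 / Step 9. The page's count pattern is [^0]\d*, which also
    # accepts a non-digit first character; the strict [1-9]\d* is used here instead.
    fields = parse_stats(text)
    ok = (re.search(r"Authentication Successes\s+[1-9]\d*", text) is not None
          and re.search(r"Authentication Backend\s+%s$" % re.escape(expected_backend), text, re.M) is not None
          and fields.get("Authentication Failures") == "0")
    return ok, int(fields.get("Authentication Successes", "0")), fields.get("Authentication Backend")

def failover_restored(before, after):
    # Note after Step 7: once "delete interfaces ethernet eth0 traffic" is applied, the
    # backend must move from Local Server to RADIUS, and the periodic reauthentication
    # (reauth-period 15) must have added at least one more success.
    b, a = parse_stats(before), parse_stats(after)
    return (b.get("Authentication Backend") == "Local Server"
            and a.get("Authentication Backend") == "RADIUS"
            and int(a.get("Authentication Successes", "0")) > int(b.get("Authentication Successes", "0")))
```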