Coa
This scenario shows how to enable CoA (Change of Authorization) in a device with 802.1x authentication.
Test CoA Disconnect
Description
In this scenario, three parties are actively involved: an authenticator (DUT0), a supplicant (DUT1), and an authentication server (DUT2). Once the authentication is successfully performed, DUT2 sends a CoA/Disconnect message to terminate the active session.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1 set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX1+Mfd+VvCC3Kh9VVdEXdCkQ4r8X4RO3qP4= set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+0mVyaJ8WwNAEY4aKKTwyYQRd/3o1ckFT4CuhfFlmnCAEOUkojiu9x6B4zE//s/gmK/sYB/aLAQA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.180 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.180/0.180/0.180/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX1/4oBxe0oD5EW1sUh9HYQGLenEgsWMV0xw= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.321 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.321/0.321/0.321/0.000 ms
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the utility
radtest that can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/auth.req User-Name = "testing" $ radclient -s -t 1 -r 1 10.215.168.64:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/auth.req Sent Disconnect-Request Id 38 from 0.0.0.0:52009 to 10.215.168.64:3799 length 29 Received Disconnect-ACK Id 38 from 10.215.168.64:3799 to 10.215.168.1:52009 length 44 Packet summary: Accepted : 1 Rejected : 0 Lost : 0 Passed filter : 1 Failed filter : 0
Warning
Since CoA/Disconnect was successful, DUT1 is no longer able to reach DUT0.
Step 8: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test CoA Disconnect Wrong Username
Description
In this scenario, DUT2 sends a CoA request to DUT0 using the wrong username. DUT0 rejects the request.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1 set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX1/Egi8HAlKEzslu9ZOXbaw+Nkqh1pChWzE= set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/CiD0tzQhNUnc5veAe0iUlNCF8LaEpUiA36FyGq5MsD9pwd+IqAllecp6vixeHTkR1i0pluIhkOA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.191 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.191/0.191/0.191/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX19N/yqZ8/8cwCaSLcH3nwj0iqX7M5aYbSQ= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.333 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.333/0.333/0.333/0.000 ms
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the utility
radtest that can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/wrong_auth.req User-Name = "wrong" $ radclient -s -t 1 -r 1 10.215.168.64:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/wrong_auth.req Sent Disconnect-Request Id 170 from 0.0.0.0:35867 to 10.215.168.64:3799 length 27 Received Disconnect-NAK Id 170 from 10.215.168.64:3799 to 10.215.168.1:35867 length 50 Packet summary: Accepted : 0 Rejected : 1 Lost : 0 Passed filter : 0 Failed filter : 1
Warning
Since CoA/Disconnect was unsuccessful, DUT1 is still able to reach DUT0.
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.208 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.208/0.208/0.208/0.000 ms
Test CoA Disconnect Wrong Secret
Description
In this scenario, DUT2 uses a wrong secret to send a CoA request to DUT0. The request is, therefore, rejected.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth1 802.1x authenticator aaa authentication list1 set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1 set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX18Y3WZ9p0dJcXB/ImK/7q99S2hjFy0s8vI= set interfaces ethernet eth1 802.1x authenticator reauth-period 0 set interfaces ethernet eth1 address 192.168.100.1/24 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/X0uEqfaMvq1AGFi4wth2ChaYkWc0kLdtzt6ZFq+WZFA/pQd5n+DZZD+Wv5iAnKxznOj3alTfUAQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.186 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.186/0.186/0.186/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX18PyNW5kQUCtv4UhIpSOK2bSDkphcmdlUY= set interfaces ethernet eth1 802.1x supplicant username testing set interfaces ethernet eth1 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1Show output
--------------------------------- Field Value --------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 0 Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User Name testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.309 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.309/0.309/0.309/0.000 ms
Note
Send a CoA/Disconnect request from the RADIUS server
On Linux, the FreeRADIUS package includes the utility
radtest that can be used to send these messages:
Show output
$ cat /osdx-tests/utils/dot1x/auth.req User-Name = "testing" $ radclient -s -t 1 -r 1 10.215.168.64:3799 disconnect 123456 -f /osdx-tests/utils/dot1x/auth.req Sent Disconnect-Request Id 31 from 0.0.0.0:40575 to 10.215.168.64:3799 length 29 Packet summary: Accepted : 0 Rejected : 0 Lost : 1 Passed filter : 0 Failed filter : 0
Warning
Since CoA/Disconnect was unsuccessful, DUT1 is still able to reach DUT0.
Step 8: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.253 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.253/0.253/0.253/0.000 ms