Coa

This scenario shows how to enable CoA (Change of Authorization) in a device with 802.1x authentication.

../../../../../../_images/coa.svg

Test CoA Disconnect

Description

In this scenario, three parties are actively involved: an authenticator (DUT0), a supplicant (DUT1), and an authentication server (DUT2). Once the authentication is successfully performed, DUT2 sends a CoA/Disconnect message to terminate the active session.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 802.1x authenticator aaa authentication list1
set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1
set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX1/ywiB0VOs2i92c1tCQwBuhS2pkBEgXEe0=
set interfaces ethernet eth1 802.1x authenticator reauth-period 0
set interfaces ethernet eth1 address 192.168.100.1/24
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/rhexz4pDrX/WXuP64jfA9a/UhqQyFksJJj6H1APTs85zgo0oWhi3WJwYAhGA924gmJF4bas5yPw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.256 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.256/0.256/0.256/0.000 ms

Step 3: Set the following configuration in DUT1 :

set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX1/esG2eUWwZdXnZ/RjV9ovxg+twQ9lU/7c=
set interfaces ethernet eth1 802.1x supplicant username testing
set interfaces ethernet eth1 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Show output
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Show output
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Show output
---------------------------------
         Field             Value
---------------------------------
Access Challenges               9
Authentication Backend     RADIUS
Authentication Failures         0
Authentication Successes        1
EAPoL frames (Rx)              11
EAPoL frames (Tx)              11
Reauthenticate              FALSE
Reauthenticate Period           0
Session Time                    0
Session User Name         testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.329 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.329/0.329/0.329/0.000 ms

Note

Send a CoA/Disconnect request from the RADIUS server On Linux, the FreeRADIUS package includes the utility radtest that can be used to send these messages:

Show output
$ cat /osdx-tests/utils/dot1x/auth.req
User-Name = "testing"
$ radclient -s -t 1 -r 1 10.215.168.64:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/auth.req
Sent Disconnect-Request Id 47 from 0.0.0.0:53358 to 10.215.168.64:3799 length 29
Received Disconnect-ACK Id 47 from 10.215.168.64:3799 to 10.215.168.1:53358 length 44
Packet summary:
      Accepted      : 1
      Rejected      : 0
      Lost          : 0
      Passed filter : 1
      Failed filter : 0

Warning

Since CoA/Disconnect was successful, DUT1 is no longer able to reach DUT0.

Step 8: Expect a failure in the following command: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Test CoA Disconnect Unauthorized Client

Description

In this scenario, the DUT2 IP is not allowed in a DUT0 CoA configuration. The request is, therefore, rejected.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 802.1x authenticator aaa authentication list1
set interfaces ethernet eth1 802.1x authenticator coa client 1.1.1.1
set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX18iZMmfng2clXUgfIfks6uYt0td2ER4fkk=
set interfaces ethernet eth1 802.1x authenticator reauth-period 0
set interfaces ethernet eth1 address 192.168.100.1/24
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18Ho+W3ymHguKN6nhS24z5MPXOTc6J37RzIIXji7Mb3BgWuLFTDSO3gxEIj+jLdj8v+6Nz1Ood1fw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.219 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.219/0.219/0.219/0.000 ms

Step 3: Set the following configuration in DUT1 :

set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX18WRhwStR3CiymRPNbMdV4DSLeviigvtIo=
set interfaces ethernet eth1 802.1x supplicant username testing
set interfaces ethernet eth1 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Show output
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Show output
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Show output
---------------------------------
         Field             Value
---------------------------------
Access Challenges               9
Authentication Backend     RADIUS
Authentication Failures         0
Authentication Successes        1
EAPoL frames (Rx)              11
EAPoL frames (Tx)              11
Reauthenticate              FALSE
Reauthenticate Period           0
Session Time                    0
Session User Name         testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.324 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.324/0.324/0.324/0.000 ms

Note

Send a CoA/Disconnect request from the RADIUS server On Linux, the FreeRADIUS package includes the utility radtest that can be used to send these messages:

Show output
$ cat /osdx-tests/utils/dot1x/auth.req
User-Name = "testing"
$ radclient -s -t 1 -r 1 10.215.168.64:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/auth.req
Sent Disconnect-Request Id 185 from 0.0.0.0:37000 to 10.215.168.64:3799 length 29
Packet summary:
      Accepted      : 0
      Rejected      : 0
      Lost          : 1
      Passed filter : 0
      Failed filter : 0

Warning

Since CoA/Disconnect was unsuccessful, DUT1 is still able to reach DUT0.

Step 8: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.241 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.241/0.241/0.241/0.000 ms

Test CoA Disconnect Wrong Username

Description

In this scenario, DUT2 sends a CoA request to DUT0 using the wrong username. DUT0 rejects the request.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 802.1x authenticator aaa authentication list1
set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1
set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX19U9TxWdOj7iXgn+M6kUg5UiAcIs6gxOVc=
set interfaces ethernet eth1 802.1x authenticator reauth-period 0
set interfaces ethernet eth1 address 192.168.100.1/24
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18qZw0Kmc5jWNQBzCILIK4gTOI62JD9H8uqIh9gLzK+Z4IypHXnNqYp4uhLnPW1J/LC6Fexe2Hx+w==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.234 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.234/0.234/0.234/0.000 ms

Step 3: Set the following configuration in DUT1 :

set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX183q0JkEh+745WDrOod76NtfhcogqoWEp8=
set interfaces ethernet eth1 802.1x supplicant username testing
set interfaces ethernet eth1 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Show output
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Show output
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Show output
---------------------------------
         Field             Value
---------------------------------
Access Challenges               9
Authentication Backend     RADIUS
Authentication Failures         0
Authentication Successes        1
EAPoL frames (Rx)              11
EAPoL frames (Tx)              11
Reauthenticate              FALSE
Reauthenticate Period           0
Session Time                    0
Session User Name         testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.330 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.330/0.330/0.330/0.000 ms

Note

Send a CoA/Disconnect request from the RADIUS server On Linux, the FreeRADIUS package includes the utility radtest that can be used to send these messages:

Show output
$ cat /osdx-tests/utils/dot1x/wrong_auth.req
User-Name = "wrong"
$ radclient -s -t 1 -r 1 10.215.168.64:3799 disconnect coa_secret -f /osdx-tests/utils/dot1x/wrong_auth.req
Sent Disconnect-Request Id 81 from 0.0.0.0:38171 to 10.215.168.64:3799 length 27
Received Disconnect-NAK Id 81 from 10.215.168.64:3799 to 10.215.168.1:38171 length 50
Packet summary:
      Accepted      : 0
      Rejected      : 1
      Lost          : 0
      Passed filter : 0
      Failed filter : 1

Warning

Since CoA/Disconnect was unsuccessful, DUT1 is still able to reach DUT0.

Step 8: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.218 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.218/0.218/0.218/0.000 ms

Test CoA Disconnect Wrong Secret

Description

In this scenario, DUT2 uses a wrong secret to send a CoA request to DUT0. The request is, therefore, rejected.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth1 802.1x authenticator aaa authentication list1
set interfaces ethernet eth1 802.1x authenticator coa client 10.215.168.1
set interfaces ethernet eth1 802.1x authenticator coa encrypted-secret U2FsdGVkX19INyrwbAgI87taBbKUvGgFbvKgg0m32Z8=
set interfaces ethernet eth1 802.1x authenticator reauth-period 0
set interfaces ethernet eth1 address 192.168.100.1/24
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19tL1dGyPYCgU+7C/sVpI07bIvbfUB5b31h5EeeDaFvoEmE52mEKSQdrV2MpUfxWb+IffK+My9N8A==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.209 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.209/0.209/0.209/0.000 ms

Step 3: Set the following configuration in DUT1 :

set interfaces ethernet eth1 802.1x supplicant encrypted-password U2FsdGVkX1+zTQ9FvDiPyr44Zf4wUX+JH4tXgKzBwDY=
set interfaces ethernet eth1 802.1x supplicant username testing
set interfaces ethernet eth1 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth1 802.1x supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Show output
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth1 802.1x supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Show output
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth1 802.1x authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Show output
---------------------------------
         Field             Value
---------------------------------
Access Challenges               9
Authentication Backend     RADIUS
Authentication Failures         0
Authentication Successes        1
EAPoL frames (Rx)              11
EAPoL frames (Tx)              11
Reauthenticate              FALSE
Reauthenticate Period           0
Session Time                    0
Session User Name         testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.347 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.347/0.347/0.347/0.000 ms

Note

Send a CoA/Disconnect request from the RADIUS server On Linux, the FreeRADIUS package includes the utility radtest that can be used to send these messages:

Show output
$ cat /osdx-tests/utils/dot1x/auth.req
User-Name = "testing"
$ radclient -s -t 1 -r 1 10.215.168.64:3799 disconnect 123456 -f /osdx-tests/utils/dot1x/auth.req
Sent Disconnect-Request Id 92 from 0.0.0.0:46705 to 10.215.168.64:3799 length 29
Packet summary:
      Accepted      : 0
      Rejected      : 0
      Lost          : 1
      Passed filter : 0
      Failed filter : 0

Warning

Since CoA/Disconnect was unsuccessful, DUT1 is still able to reach DUT0.

Step 8: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.229 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.229/0.229/0.229/0.000 ms