EAP Server
This scenario shows how to enable the local 802.1X EAP server to authenticate users.
Test Successful Local 802.1x Authentication
Description
DUT0 is configured to perform 802.1x authentication using a local database with usernames and passwords. DUT1 uses the correct username and password.
Scenario
Note
Execute the following operational commands in DUT0 to generate the required x509 files:
pki generate private-key running://ca.key rsa
pki generate certificate running://ca.crt x509 private-key running://ca.key days 365
pki generate private-key running://server.key rsa
pki generate csr running://server.csr private-key running://server.key
pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x eap-server username testing encrypted-password U2FsdGVkX19EDzh1tltxklqi9KkB/K58XqhiWPb+Bwc=
set interfaces ethernet eth2 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt'
set interfaces ethernet eth2 authenticator 802.1x eap-server x509 server-cert 'running://server.crt'
set interfaces ethernet eth2 authenticator 802.1x eap-server x509 server-key 'running://server.key'
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa list list1 method 1 local
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.194 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.194/0.194/0.194/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+8xwDRGZIf63LBQRcONERQKOvjrgto9Oo=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                     Value
---------------------------------------------------
EAP State                 SUCCESS
EAP TLS Cipher            ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version           TLSv1.2
PAE State                 AUTHENTICATED
Supplicant Port Status    Authorized
WPA State                 COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                 Value
-------------------------------
EAPoL Frames (Rx)     9
EAPoL Frames (Tx)     9
Invalid Frames (Rx)   0
Logoff Frames (Tx)    0
Port Status           Authorized
Req Frames (Rx)       7
Req ID Frames (Rx)    1
Resp Frames (Tx)      8
Start Frames (Tx)     1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+([^0]\d*)
Authentication Backend\s+Local Server
Authentication Mode\s+802\.1X
---------------------------------------------
Field                        Value
---------------------------------------------
Access Challenges            7
Authentication Backend       Local Server
Authentication Failures      0
Authentication Mode          802.1X
Authentication Status        Authorized (802.1X)
Authentication Successes     1
EAPoL frames (Rx)            9
EAPoL frames (Tx)            9
Quiet Period                 60
Reauthenticate               FALSE
Reauthenticate Period        0
Session Time                 0
Session User MAC             de:ad:be:ef:6c:12
Session User Name            testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.370 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.370/0.370/0.370/0.000 ms
Test Unsuccessful Local 802.1x Authentication
Description
DUT0 is configured to perform authentication using a local database with usernames and passwords. DUT1 uses an incorrect username.
Scenario
Note
Execute the following operational commands in DUT0 to generate the required x509 files:
pki generate private-key running://ca.key rsa
pki generate certificate running://ca.crt x509 private-key running://ca.key days 365
pki generate private-key running://server.key rsa
pki generate csr running://server.csr private-key running://server.key
pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x eap-server username testing encrypted-password U2FsdGVkX1+ZsW8vcZHR0nUPflf9PGARLD+r7FSISLY=
set interfaces ethernet eth2 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt'
set interfaces ethernet eth2 authenticator 802.1x eap-server x509 server-cert 'running://server.crt'
set interfaces ethernet eth2 authenticator 802.1x eap-server x509 server-key 'running://server.key'
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa list list1 method 1 local
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.230 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.230/0.230/0.230/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/naODq4VJpFinEcdr6m5dRDzF1YbKMgLU=
set interfaces ethernet eth2 supplicant username bad_username
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Unauthorized
---------------------------------
Field                   Value
---------------------------------
EAPoL Frames (Rx)       0
EAPoL Frames (Tx)       0
Invalid Frames (Rx)     0
Logoff Frames (Tx)      0
Port Status             Unauthorized
Req Frames (Rx)         0
Req ID Frames (Rx)      0
Resp Frames (Tx)        0
Start Frames (Tx)       0
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Unauthorized
---------------------------------
Field                   Value
---------------------------------
EAPoL Frames (Rx)       7
EAPoL Frames (Tx)       7
Invalid Frames (Rx)     0
Logoff Frames (Tx)      0
Port Status             Unauthorized
Req Frames (Rx)         5
Req ID Frames (Rx)      1
Resp Frames (Tx)        6
Start Frames (Tx)       1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                        Value
-------------------------------------------
Access Challenges            5
Authentication Backend       Local Server
Authentication Failures      1
Authentication Mode          N/A
Authentication Status        Unauthorized
Authentication Successes     0
EAPoL frames (Rx)            7
EAPoL frames (Tx)            7
Quiet Period                 60
Reauthenticate               FALSE
Reauthenticate Period        0
Session Time                 0
Session User MAC             de:ad:be:ef:6c:12
Session User Name            N/A
Step 7: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Test 802.1x Authentication Failover
Description
DUT0 is configured to perform authentication using two different methods: a remote RADIUS server and a local database. When the remote server is not reachable, it fails over to the local database.
Scenario
Note
Execute the following operational commands in DUT0 to generate the required x509 files:
pki generate private-key running://ca.key rsa
pki generate certificate running://ca.crt x509 private-key running://ca.key days 365
pki generate private-key running://server.key rsa
pki generate csr running://server.csr private-key running://server.key
pki sign running://server.crt csr running://server.csr certificate running://ca.crt private-key running://ca.key days 365
Note
The following configuration lines are added to drop RADIUS UDP packets sent to the authentication server:
set interfaces eth0 traffic policy out DROP_UDP
set traffic policy DROP_UDP rule 1 selector SEL_UDP
set traffic policy DROP_UDP rule 1 action drop
set traffic selector SEL_UDP rule 1 protocol udp
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic policy out DROP_UDP
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x eap-server username testing encrypted-password U2FsdGVkX1//sYr9Bl8YtWCtZaseLjQe8VpJUd3vnjA=
set interfaces ethernet eth2 authenticator 802.1x eap-server x509 ca-cert 'running://ca.crt'
set interfaces ethernet eth2 authenticator 802.1x eap-server x509 server-cert 'running://server.crt'
set interfaces ethernet eth2 authenticator 802.1x eap-server x509 server-key 'running://server.key'
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 15
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa list list1 method 2 local
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19IGaw03cabmy7x4/c4NwlG0vdyG4OHZRuibBlkopGPn0YwByqakTOKT2EjTq5NwLptJqpXqeu+UQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy DROP_UDP rule 1 action drop
set traffic policy DROP_UDP rule 1 selector SEL_UDP
set traffic selector SEL_UDP rule 1 protocol udp
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.170 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.170/0.170/0.170/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/ceGm5oVtPD3zW6tuHWgwpJRDO4uDfIic=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                     Value
---------------------------------------------------
EAP State                 SUCCESS
EAP TLS Cipher            ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version           TLSv1.2
PAE State                 AUTHENTICATED
Supplicant Port Status    Authorized
WPA State                 COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                 Value
-------------------------------
EAPoL Frames (Rx)     10
EAPoL Frames (Tx)     10
Invalid Frames (Rx)   0
Logoff Frames (Tx)    0
Port Status           Authorized
Req Frames (Rx)       8
Req ID Frames (Rx)    1
Resp Frames (Tx)      9
Start Frames (Tx)     1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+([^0]\d*)
Authentication Backend\s+Local Server
Authentication Mode\s+802\.1X
---------------------------------------------
Field                        Value
---------------------------------------------
Access Challenges            7
Authentication Backend       Local Server
Authentication Failures      0
Authentication Mode          802.1X
Authentication Status        Authorized (802.1X)
Authentication Successes     1
EAPoL frames (Rx)            10
EAPoL frames (Tx)            10
Quiet Period                 60
Reauthenticate               TRUE
Reauthenticate Period        15
Session Time                 0
Session User MAC             de:ad:be:ef:6c:12
Session User Name            testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.432 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.432/0.432/0.432/0.000 ms
Note
Delete this configuration line to restore connectivity to the RADIUS server and check that the Authentication Backend changes from Local Server to RADIUS:
del interfaces eth0 traffic
Step 8: Modify the following configuration lines in DUT0 :
delete interfaces ethernet eth0 traffic
Step 9: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+([^0]\d*)
Authentication Backend\s+RADIUS
---------------------------------------------
Field                        Value
---------------------------------------------
Access Challenges            16
Authentication Backend       RADIUS
Authentication Failures      0
Authentication Mode          802.1X
Authentication Status        Authorized (802.1X)
Authentication Successes     2
EAPoL frames (Rx)            20
EAPoL frames (Tx)            21
Quiet Period                 60
Reauthenticate               TRUE
Reauthenticate Period        15
Session Time                 0
Session User MAC             de:ad:be:ef:6c:12
Session User Name            testing
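As an added example (not part of this test page or the product's own tooling), a small Python parser and checker for the Field/Value tables that the authenticator and supplicant show stats steps above match with regular expressions; the sample output is constructed from the failover scenario, and the last function shows why a check on the parsed number is stricter than the page's `[^0]` pattern.

```python
import re

# Constructed sample of DUT0's "authenticator show stats" output after the
# RADIUS server became unreachable and the local database took over
# (a subset of the rows shown in the failover scenario above).
SAMPLE_FAILOVER_STATS = """\
---------------------------------------------
Field                        Value
---------------------------------------------
Authentication Backend       Local Server
Authentication Failures      0
Authentication Mode          802.1X
Authentication Status        Authorized (802.1X)
Authentication Successes     1
Session User Name            testing
"""

# The expectations the test steps express as regular expressions.
EXPECT_LOCAL_SUCCESS = [
    r"Authentication Successes\s+([^0]\d*)",
    r"Authentication Backend\s+Local Server",
    r"Authentication Mode\s+802\.1X",
]

def parse_field_table(text):
    """Turn the 'Field  Value' table into a dict. Field and value are split
    on two or more spaces so multi-word fields like 'Session User Name' survive."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("---"):
            continue  # skip blank lines and the dashed rules
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0] != "Field":  # drop the header row
            fields[parts[0]] = parts[1]
    return fields

def unmet_expectations(text, patterns):
    """Return the patterns that did NOT match; an empty list means pass."""
    return [p for p in patterns if not re.search(p, text, re.MULTILINE)]

def local_failover_ok(text):
    """Stricter check on parsed values: the page's `[^0]` can backtrack onto a
    space and so accepts 'Successes     0'; comparing the number does not."""
    f = parse_field_table(text)
    return (f.get("Authentication Backend") == "Local Server"
            and f.get("Authentication Mode") == "802.1X"
            and int(f.get("Authentication Successes", "0")) > 0)
```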