MAB Fallback

This scenario shows how to configure the MAB-fallback authentication mode.


Test Successful 802.1x Authentication With Successful MAB Fallback

Description

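This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 answers 802.1x with the correct username and password, so DUT0 cancels the pending MAB trigger and authorizes the port through 802.1x (PEAP).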

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19Y7cJohO6nmd1Sbz1S/y7vcStpSCV90oNNC4FZi1wI5qiapjaVT6PHWoyXD8GQ/LV/kpWqQjQ8LQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.392 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.392/0.392/0.392/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/0qgbv/VAhUHNV+6wcWDorvVKTS/aGAe8=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run the command interfaces ethernet eth2 supplicant show status on DUT1 and check that the output contains the following token:

Authorized

Output:
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run the command interfaces ethernet eth2 supplicant show stats on DUT1 and check that the output matches the following regular expression:

Port Status\s+Authorized

Output:
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run the command interfaces ethernet eth2 authenticator show stats on DUT0 and check that the output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X

Output:
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     0
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            de:ad:be:ef:6c:12
Session User Name                     testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.250 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.250/0.250/0.250/0.000 ms

Step 8: Run the command system journal show | grep "osdx hostapd" on DUT0 and check that the output contains the following token:

IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Output:
Dec 11 14:13:38.885964 osdx hostapd[80424]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Dec 11 14:13:38.885978 osdx hostapd[80424]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:13:38.886226 osdx hostapd[80424]: connect[radius]: Network is unreachable
Dec 11 14:13:38.886025 osdx hostapd[80424]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Dec 11 14:13:38.886029 osdx hostapd[80424]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Dec 11 14:13:38.901816 osdx hostapd[80424]: Discovery mode enabled on eth2
Dec 11 14:13:38.901891 osdx hostapd[80424]: eth2: interface state UNINITIALIZED->ENABLED
Dec 11 14:13:38.901891 osdx hostapd[80424]: eth2: AP-ENABLED
Dec 11 14:13:42.250256 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Dec 11 14:13:42.250280 osdx hostapd[80425]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Dec 11 14:13:42.265879 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Dec 11 14:13:42.265910 osdx hostapd[80425]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Dec 11 14:13:42.265914 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Dec 11 14:13:42.265917 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Dec 11 14:13:42.265933 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Dec 11 14:13:42.265936 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Dec 11 14:13:42.265949 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Dec 11 14:13:42.265957 osdx hostapd[80425]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 14:13:42.265979 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 111)
Dec 11 14:13:42.266327 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=111 len=12) from STA: EAP Response-Identity (1)
Dec 11 14:13:42.266338 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Dec 11 14:13:42.266364 osdx hostapd[80425]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:13:42.268105 osdx hostapd[80425]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:42.268135 osdx hostapd[80425]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:42.268360 osdx hostapd[80425]: eth2: RADIUS Received 80 bytes from RADIUS server
Dec 11 14:13:42.268365 osdx hostapd[80425]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:42.268370 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:42.268390 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=112 len=22) from RADIUS server: EAP-Request-MD5 (4)
Dec 11 14:13:42.268397 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 112)
Dec 11 14:13:42.268567 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=112 len=6) from STA: EAP Response-unknown (3)
Dec 11 14:13:42.268610 osdx hostapd[80425]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:42.268623 osdx hostapd[80425]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:42.268794 osdx hostapd[80425]: eth2: RADIUS Received 64 bytes from RADIUS server
Dec 11 14:13:42.268799 osdx hostapd[80425]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:42.268803 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:42.268818 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=113 len=6) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:42.268824 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 113)
Dec 11 14:13:42.269096 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=113 len=194) from STA: EAP Response-PEAP (25)
Dec 11 14:13:42.269130 osdx hostapd[80425]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:42.269140 osdx hostapd[80425]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:42.270598 osdx hostapd[80425]: eth2: RADIUS Received 1068 bytes from RADIUS server
Dec 11 14:13:42.270604 osdx hostapd[80425]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:42.270607 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:42.270625 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=114 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:42.270632 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 114)
Dec 11 14:13:42.270794 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=114 len=6) from STA: EAP Response-PEAP (25)
Dec 11 14:13:42.270831 osdx hostapd[80425]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:42.270842 osdx hostapd[80425]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:42.270951 osdx hostapd[80425]: eth2: RADIUS Received 229 bytes from RADIUS server
Dec 11 14:13:42.270956 osdx hostapd[80425]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:42.270960 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:42.270974 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=115 len=171) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:42.270980 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 115)
Dec 11 14:13:42.272197 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=115 len=103) from STA: EAP Response-PEAP (25)
Dec 11 14:13:42.272231 osdx hostapd[80425]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:42.272240 osdx hostapd[80425]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:42.272483 osdx hostapd[80425]: eth2: RADIUS Received 115 bytes from RADIUS server
Dec 11 14:13:42.272488 osdx hostapd[80425]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:42.272491 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:42.272504 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=116 len=57) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:42.272510 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 116)
Dec 11 14:13:42.272653 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=116 len=6) from STA: EAP Response-PEAP (25)
Dec 11 14:13:42.272683 osdx hostapd[80425]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:42.272694 osdx hostapd[80425]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:42.272822 osdx hostapd[80425]: eth2: RADIUS Received 98 bytes from RADIUS server
Dec 11 14:13:42.272828 osdx hostapd[80425]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:42.272832 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:42.272847 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=117 len=40) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:42.272853 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 117)
Dec 11 14:13:42.272969 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=117 len=43) from STA: EAP Response-PEAP (25)
Dec 11 14:13:42.273000 osdx hostapd[80425]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:42.273010 osdx hostapd[80425]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:42.273147 osdx hostapd[80425]: eth2: RADIUS Received 131 bytes from RADIUS server
Dec 11 14:13:42.273157 osdx hostapd[80425]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:42.273162 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:42.273200 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=118 len=73) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:42.273207 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 118)
Dec 11 14:13:42.273422 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=118 len=97) from STA: EAP Response-PEAP (25)
Dec 11 14:13:42.273458 osdx hostapd[80425]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:42.273471 osdx hostapd[80425]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:42.273632 osdx hostapd[80425]: eth2: RADIUS Received 140 bytes from RADIUS server
Dec 11 14:13:42.273637 osdx hostapd[80425]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:42.273641 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:42.273655 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=119 len=82) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:42.273660 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 119)
Dec 11 14:13:42.273828 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=119 len=37) from STA: EAP Response-PEAP (25)
Dec 11 14:13:42.273862 osdx hostapd[80425]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:42.273873 osdx hostapd[80425]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:42.274004 osdx hostapd[80425]: eth2: RADIUS Received 104 bytes from RADIUS server
Dec 11 14:13:42.274010 osdx hostapd[80425]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:42.274014 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:42.274027 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=120 len=46) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:42.274033 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 120)
Dec 11 14:13:42.274190 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=120 len=46) from STA: EAP Response-PEAP (25)
Dec 11 14:13:42.274221 osdx hostapd[80425]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:42.274232 osdx hostapd[80425]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:42.274384 osdx hostapd[80425]: eth2: RADIUS Received 175 bytes from RADIUS server
Dec 11 14:13:42.274389 osdx hostapd[80425]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:42.274393 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:42.274413 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Dec 11 14:13:42.274417 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=120 len=4) from RADIUS server: EAP Success
Dec 11 14:13:42.274432 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 120)
Dec 11 14:13:42.274451 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 14:13:42.274454 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session A8C10F36134AF416
Dec 11 14:13:42.274457 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
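
The Step 8 journal can be reduced to a per-station verdict on which path authorized the port. The Python below is an added example, not part of OSDx or of the original page; StationSession, parse_journal and the station 02:00:00:00:00:01 are assumptions made for illustration, and only message formats that appear in the output above are recognised.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Lines for de:ad:be:ef:6c:12 are copied from the Step 8 output. The lines for
# 02:00:00:00:00:01 are constructed in the same format (an endpoint that stays silent).
SAMPLE_JOURNAL = """\
Dec 11 14:13:38.886025 osdx hostapd[80424]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Dec 11 14:13:42.265879 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Dec 11 14:13:42.265910 osdx hostapd[80425]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Dec 11 14:13:42.265914 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Dec 11 14:13:42.265933 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Dec 11 14:13:42.265949 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Dec 11 14:13:42.266338 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Dec 11 14:13:42.268390 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=112 len=22) from RADIUS server: EAP-Request-MD5 (4)
Dec 11 14:13:42.268567 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=112 len=6) from STA: EAP Response-unknown (3)
Dec 11 14:13:42.268818 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=113 len=6) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:42.274451 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 14:13:42.274457 osdx hostapd[80425]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Dec 11 14:14:10.000000 osdx hostapd[80425]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: start authentication
Dec 11 14:14:10.000010 osdx hostapd[80425]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Dec 11 14:14:10.000020 osdx hostapd[80425]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
"""

PAE_GROUP_MAC = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a station
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+) \S+ hostapd\[\d+\]: \w+: (?P<rest>.*)$")
STA_RE = re.compile(r"^STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?:IEEE 802\.1X|RADIUS): (?P<msg>.*)$")


@dataclass
class StationSession:
    mac: str
    identity: Optional[str] = None
    mab_timeout: Optional[int] = None      # seconds until the MAB trigger fires
    mab_cancelled: bool = False            # True once an 802.1X response arrived
    offered: List[str] = field(default_factory=list)  # EAP methods the server requested
    nak: bool = False                      # supplicant refused an offered method
    eap_method: Optional[str] = None       # method that finally authenticated
    port_authorized: bool = False
    started: Optional[datetime] = None
    finished: Optional[datetime] = None

    @property
    def path(self) -> str:
        if self.port_authorized and self.eap_method:
            return "802.1X"
        if self.mab_timeout is not None and not self.mab_cancelled:
            return "awaiting-MAB"
        return "802.1X-in-progress"

    @property
    def elapsed(self) -> Optional[float]:
        if self.started and self.finished:
            return (self.finished - self.started).total_seconds()
        return None


def parse_journal(text):
    """Return (authenticator settings, {mac: StationSession}) from hostapd journal text."""
    config, sessions = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without an interface prefix carry no station state
        init = re.search(r"Initializing IEEE 802\.1X: (.+)", m["rest"])
        if init:
            config = dict(kv.split("=", 1) for kv in init[1].split(", "))
            continue
        sta = STA_RE.match(m["rest"])
        if not sta or sta["mac"] == PAE_GROUP_MAC:
            continue
        s = sessions.setdefault(sta["mac"], StationSession(sta["mac"]))
        msg = sta["msg"]
        # Journal lines carry no year; a fixed one is assumed, used only for differences.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        if msg == "start authentication":
            s.started = ts
        elif (mm := re.match(r"MAB fallback mode: Scheduling MAB trigger in (\d+) seconds", msg)):
            s.mab_timeout = int(mm[1])
        elif msg.startswith("MAB: Cancelled MAB trigger"):
            s.mab_cancelled = True
        elif (mm := re.match(r"STA identity '(.*)'$", msg)):
            s.identity = mm[1]
        elif (mm := re.search(r"from RADIUS server: EAP-Request-(\w+) \(\d+\)$", msg)):
            if mm[1] not in s.offered:
                s.offered.append(mm[1])
        elif msg.endswith("from STA: EAP Response-unknown (3)"):
            s.nak = True  # EAP type 3 is Nak; this hostapd prints it as "unknown"
        elif msg == "authorizing port":    # exact match: "unauthorizing port" also ends this way
            s.port_authorized = True
        elif msg == "unauthorizing port":
            s.port_authorized = False
        elif (mm := re.match(r"authenticated - EAP type: \d+ \((\w+)\)$", msg)):
            s.eap_method, s.finished = mm[1], ts
    return config, sessions


if __name__ == "__main__":
    cfg, stations = parse_journal(SAMPLE_JOURNAL)
    print(cfg["mode"], "mab_timeout =", cfg["mab_timeout"])
    for s in stations.values():
        print(s.mac, s.path, s.identity, s.offered, "nak" if s.nak else "", s.elapsed)
```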

Test Successful 802.1x Authentication With Unsuccessful MAB Fallback

Description

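This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address. Because DUT1 answers 802.1x, DUT0 cancels the pending MAB trigger and authorizes the port through 802.1x, so the incorrect MAC address does not prevent authorization.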

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+Dom4h16C4iBoL5S4CtF5ajk471gLfdd1+TwzFXJ+4ohVVodhf3nZkX8VXrpCogF2NeQ/e6+KeDQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.276 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.276/0.276/0.276/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19HDq/VzATQWkU1+2aLPhGq0WZS1LNzAsA=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run the command interfaces ethernet eth2 supplicant show status on DUT1 and check that the output contains the following token:

Authorized

Output:
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run the command interfaces ethernet eth2 supplicant show stats on DUT1 and check that the output matches the following regular expression:

Port Status\s+Authorized

Output:
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run the command interfaces ethernet eth2 authenticator show stats on DUT0 and check that the output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X

Output:
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     0
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            00:11:22:33:44:55
Session User Name                     testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.248 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.248/0.248/0.248/0.000 ms

Step 8: Run the command system journal show | grep "osdx hostapd" on DUT0 and check that the output contains the following token:

IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Output:
Dec 11 14:13:51.775246 osdx hostapd[80928]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Dec 11 14:13:51.775259 osdx hostapd[80928]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:13:51.775553 osdx hostapd[80928]: connect[radius]: Network is unreachable
Dec 11 14:13:51.775297 osdx hostapd[80928]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Dec 11 14:13:51.775303 osdx hostapd[80928]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Dec 11 14:13:51.791060 osdx hostapd[80928]: Discovery mode enabled on eth2
Dec 11 14:13:51.791132 osdx hostapd[80928]: eth2: interface state UNINITIALIZED->ENABLED
Dec 11 14:13:51.791132 osdx hostapd[80928]: eth2: AP-ENABLED
Dec 11 14:13:55.077365 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Dec 11 14:13:55.077384 osdx hostapd[80929]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Dec 11 14:13:55.091117 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Dec 11 14:13:55.091144 osdx hostapd[80929]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Dec 11 14:13:55.091148 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Dec 11 14:13:55.091150 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Dec 11 14:13:55.091167 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Dec 11 14:13:55.091169 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Dec 11 14:13:55.091177 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Dec 11 14:13:55.091184 osdx hostapd[80929]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 14:13:55.091202 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 111)
Dec 11 14:13:55.091505 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=111 len=12) from STA: EAP Response-Identity (1)
Dec 11 14:13:55.091519 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Dec 11 14:13:55.091547 osdx hostapd[80929]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:13:55.093287 osdx hostapd[80929]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:55.093312 osdx hostapd[80929]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:55.093567 osdx hostapd[80929]: eth2: RADIUS Received 80 bytes from RADIUS server
Dec 11 14:13:55.093572 osdx hostapd[80929]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:55.093575 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:55.093593 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=112 len=22) from RADIUS server: EAP-Request-MD5 (4)
Dec 11 14:13:55.093599 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 112)
Dec 11 14:13:55.093771 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=112 len=6) from STA: EAP Response-unknown (3)
Dec 11 14:13:55.093809 osdx hostapd[80929]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:55.093819 osdx hostapd[80929]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:55.093995 osdx hostapd[80929]: eth2: RADIUS Received 64 bytes from RADIUS server
Dec 11 14:13:55.094000 osdx hostapd[80929]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:55.094004 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:55.094021 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=113 len=6) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:55.094027 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 113)
Dec 11 14:13:55.094335 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=113 len=194) from STA: EAP Response-PEAP (25)
Dec 11 14:13:55.094373 osdx hostapd[80929]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:55.094384 osdx hostapd[80929]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:55.095349 osdx hostapd[80929]: eth2: RADIUS Received 1068 bytes from RADIUS server
Dec 11 14:13:55.095355 osdx hostapd[80929]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:55.095359 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:55.095380 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=114 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:55.095387 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 114)
Dec 11 14:13:55.095541 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=114 len=6) from STA: EAP Response-PEAP (25)
Dec 11 14:13:55.095580 osdx hostapd[80929]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:55.095591 osdx hostapd[80929]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:55.095715 osdx hostapd[80929]: eth2: RADIUS Received 229 bytes from RADIUS server
Dec 11 14:13:55.095720 osdx hostapd[80929]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:55.095723 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:55.095736 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=115 len=171) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:55.095743 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 115)
Dec 11 14:13:55.096969 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=115 len=103) from STA: EAP Response-PEAP (25)
Dec 11 14:13:55.097010 osdx hostapd[80929]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:55.097021 osdx hostapd[80929]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:55.097317 osdx hostapd[80929]: eth2: RADIUS Received 115 bytes from RADIUS server
Dec 11 14:13:55.097322 osdx hostapd[80929]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:55.097325 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:55.097337 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=116 len=57) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:55.097342 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 116)
Dec 11 14:13:55.097542 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=116 len=6) from STA: EAP Response-PEAP (25)
Dec 11 14:13:55.097574 osdx hostapd[80929]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:55.097584 osdx hostapd[80929]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:55.097691 osdx hostapd[80929]: eth2: RADIUS Received 98 bytes from RADIUS server
Dec 11 14:13:55.097695 osdx hostapd[80929]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:55.097698 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:55.097709 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=117 len=40) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:55.097714 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 117)
Dec 11 14:13:55.097832 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=117 len=43) from STA: EAP Response-PEAP (25)
Dec 11 14:13:55.097858 osdx hostapd[80929]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:55.097865 osdx hostapd[80929]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:55.097976 osdx hostapd[80929]: eth2: RADIUS Received 131 bytes from RADIUS server
Dec 11 14:13:55.097981 osdx hostapd[80929]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:55.097983 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:55.097994 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=118 len=73) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:55.097998 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 118)
Dec 11 14:13:55.098217 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=118 len=97) from STA: EAP Response-PEAP (25)
Dec 11 14:13:55.098243 osdx hostapd[80929]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:55.098250 osdx hostapd[80929]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:55.098399 osdx hostapd[80929]: eth2: RADIUS Received 140 bytes from RADIUS server
Dec 11 14:13:55.098404 osdx hostapd[80929]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:55.098406 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:55.098417 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=119 len=82) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:55.098421 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 119)
Dec 11 14:13:55.098559 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=119 len=37) from STA: EAP Response-PEAP (25)
Dec 11 14:13:55.098585 osdx hostapd[80929]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:55.098592 osdx hostapd[80929]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:55.098714 osdx hostapd[80929]: eth2: RADIUS Received 104 bytes from RADIUS server
Dec 11 14:13:55.098718 osdx hostapd[80929]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:55.098720 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:55.098731 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=120 len=46) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:13:55.098735 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 120)
Dec 11 14:13:55.098863 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=120 len=46) from STA: EAP Response-PEAP (25)
Dec 11 14:13:55.098888 osdx hostapd[80929]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:13:55.098894 osdx hostapd[80929]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:13:55.099057 osdx hostapd[80929]: eth2: RADIUS Received 175 bytes from RADIUS server
Dec 11 14:13:55.099062 osdx hostapd[80929]: eth2: RADIUS Received RADIUS message
Dec 11 14:13:55.099065 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:13:55.099082 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Dec 11 14:13:55.099085 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=120 len=4) from RADIUS server: EAP Success
Dec 11 14:13:55.099097 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 120)
Dec 11 14:13:55.099110 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Dec 11 14:13:55.099113 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session D6B71725C21147EA
Dec 11 14:13:55.099131 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Test Unsuccessful 802.1x Authentication With Successful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18XMISbMUGghtcEO5+1AAQlQpbdp3k/VgqNbo3mTt14gdE+7xJiOBg6Pdcmbp7ki5AofzG7MXnsOw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.190 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.190/0.190/0.190/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18yCnULAIZGQsY2hF8yWqP5VOu9t3NbxOY=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                        10
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                     wrong

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.304 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.304/0.304/0.304/0.000 ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Dec 11 14:14:04.258876 osdx hostapd[81437]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Dec 11 14:14:04.258889 osdx hostapd[81437]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:14:04.259233 osdx hostapd[81437]: connect[radius]: Network is unreachable
Dec 11 14:14:04.258931 osdx hostapd[81437]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Dec 11 14:14:04.258935 osdx hostapd[81437]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Dec 11 14:14:04.290698 osdx hostapd[81437]: Discovery mode enabled on eth2
Dec 11 14:14:04.290775 osdx hostapd[81437]: eth2: interface state UNINITIALIZED->ENABLED
Dec 11 14:14:04.290775 osdx hostapd[81437]: eth2: AP-ENABLED
Dec 11 14:14:07.414189 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Dec 11 14:14:07.414209 osdx hostapd[81438]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Dec 11 14:14:07.430766 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Dec 11 14:14:07.430799 osdx hostapd[81438]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Dec 11 14:14:07.430803 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Dec 11 14:14:07.430806 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Dec 11 14:14:07.430821 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Dec 11 14:14:07.430824 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Dec 11 14:14:07.430833 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Dec 11 14:14:07.430842 osdx hostapd[81438]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 14:14:07.430863 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 46)
Dec 11 14:14:07.431242 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=46 len=10) from STA: EAP Response-Identity (1)
Dec 11 14:14:07.431253 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong'
Dec 11 14:14:07.431278 osdx hostapd[81438]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:14:07.433952 osdx hostapd[81438]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:07.434002 osdx hostapd[81438]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:07.434457 osdx hostapd[81438]: eth2: RADIUS Received 80 bytes from RADIUS server
Dec 11 14:14:07.434470 osdx hostapd[81438]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:07.434478 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:07.434517 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=47 len=22) from RADIUS server: EAP-Request-MD5 (4)
Dec 11 14:14:07.434529 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 47)
Dec 11 14:14:07.434964 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=47 len=6) from STA: EAP Response-unknown (3)
Dec 11 14:14:07.435082 osdx hostapd[81438]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:07.435113 osdx hostapd[81438]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:07.435476 osdx hostapd[81438]: eth2: RADIUS Received 64 bytes from RADIUS server
Dec 11 14:14:07.435488 osdx hostapd[81438]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:07.435495 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:07.435527 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=48 len=6) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:07.435538 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 48)
Dec 11 14:14:07.436140 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=48 len=194) from STA: EAP Response-PEAP (25)
Dec 11 14:14:07.436243 osdx hostapd[81438]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:07.436273 osdx hostapd[81438]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:07.438040 osdx hostapd[81438]: eth2: RADIUS Received 1068 bytes from RADIUS server
Dec 11 14:14:07.438054 osdx hostapd[81438]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:07.438064 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:07.438116 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=49 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:07.438142 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 49)
Dec 11 14:14:07.438572 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=49 len=6) from STA: EAP Response-PEAP (25)
Dec 11 14:14:07.438700 osdx hostapd[81438]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:07.438729 osdx hostapd[81438]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:07.439016 osdx hostapd[81438]: eth2: RADIUS Received 229 bytes from RADIUS server
Dec 11 14:14:07.439024 osdx hostapd[81438]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:07.439030 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:07.439058 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=50 len=171) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:07.439071 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 50)
Dec 11 14:14:07.441844 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=50 len=103) from STA: EAP Response-PEAP (25)
Dec 11 14:14:07.441923 osdx hostapd[81438]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:07.441945 osdx hostapd[81438]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:07.442522 osdx hostapd[81438]: eth2: RADIUS Received 115 bytes from RADIUS server
Dec 11 14:14:07.442534 osdx hostapd[81438]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:07.442544 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:07.442582 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=51 len=57) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:07.442595 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 51)
Dec 11 14:14:07.443094 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=51 len=6) from STA: EAP Response-PEAP (25)
Dec 11 14:14:07.443198 osdx hostapd[81438]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:07.443224 osdx hostapd[81438]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:07.443497 osdx hostapd[81438]: eth2: RADIUS Received 98 bytes from RADIUS server
Dec 11 14:14:07.443507 osdx hostapd[81438]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:07.443515 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:07.443546 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=52 len=40) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:07.443558 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 52)
Dec 11 14:14:07.443950 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=52 len=41) from STA: EAP Response-PEAP (25)
Dec 11 14:14:07.444030 osdx hostapd[81438]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:07.444053 osdx hostapd[81438]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:07.444377 osdx hostapd[81438]: eth2: RADIUS Received 131 bytes from RADIUS server
Dec 11 14:14:07.444386 osdx hostapd[81438]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:07.444393 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:07.444430 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=53 len=73) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:07.444447 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 53)
Dec 11 14:14:07.444971 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=53 len=95) from STA: EAP Response-PEAP (25)
Dec 11 14:14:07.445057 osdx hostapd[81438]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:07.445086 osdx hostapd[81438]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:07.445406 osdx hostapd[81438]: eth2: RADIUS Received 104 bytes from RADIUS server
Dec 11 14:14:07.445415 osdx hostapd[81438]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:07.445435 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:07.445476 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=54 len=46) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:07.445487 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 54)
Dec 11 14:14:07.445852 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=54 len=46) from STA: EAP Response-PEAP (25)
Dec 11 14:14:07.445916 osdx hostapd[81438]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:07.445933 osdx hostapd[81438]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:08.446035 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=8)
Dec 11 14:14:08.446075 osdx hostapd[81438]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Dec 11 14:14:08.446217 osdx hostapd[81438]: eth2: RADIUS Received 44 bytes from RADIUS server
Dec 11 14:14:08.446221 osdx hostapd[81438]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:08.446225 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:08.446281 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=4 id=54 len=4) from RADIUS server: EAP Failure
Dec 11 14:14:08.446306 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 54)
Dec 11 14:14:08.446321 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Dec 11 14:14:08.446326 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Dec 11 14:14:08.446329 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Dec 11 14:14:08.446333 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Dec 11 14:14:08.446381 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Dec 11 14:14:08.446392 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Dec 11 14:14:08.446407 osdx hostapd[81438]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:08.446426 osdx hostapd[81438]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:08.446439 osdx hostapd[81438]: eth2: RADIUS Received 44 bytes from RADIUS server
Dec 11 14:14:08.446443 osdx hostapd[81438]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:08.446446 osdx hostapd[81438]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Dec 11 14:14:08.446657 osdx hostapd[81438]: eth2: RADIUS Received 20 bytes from RADIUS server
Dec 11 14:14:08.446661 osdx hostapd[81438]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:08.446667 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:08.446671 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Dec 11 14:14:08.446687 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Dec 11 14:14:08.446691 osdx hostapd[81438]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Dec 11 14:14:08.446700 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 14:14:08.446704 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 744510769272521D
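
The journal tokens checked in these scenarios can also be evaluated per station. The following is an added example, not part of the original page or of the product it documents: a Python parser that groups the hostapd authenticator lines into sessions and flags ports authorized by MAB directly after a failed 802.1X exchange, which is worth reviewing because the MAB request logged above sends the MAC address as both User-Name and User-Password. The function names, outcome labels and the abridged sample journal are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

PAE_GROUP_MAC = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a station

# Per-station authenticator lines: "... hostapd[PID]: IFACE: STA MAC IEEE 802.1X: MESSAGE"
LINE_RE = re.compile(
    r"hostapd\[\d+\]: (?P<ifname>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.1X: (?P<msg>.*)$",
    re.IGNORECASE,
)
IDENTITY_RE = re.compile(r"STA identity '(?P<identity>.*)'$")


@dataclass
class Session:
    ifname: str
    mac: str
    identity: Optional[str] = None
    dot1x: Optional[str] = None  # "success", "failed", or None if no EAP result was seen
    mab: Optional[str] = None    # "pending", "success", "failed", or None if not attempted
    port_authorized: bool = False

    @property
    def outcome(self) -> str:
        """Outcome label (names chosen for this example, not taken from the product)."""
        if self.dot1x == "success":
            return "802.1X"
        if self.mab == "success":
            return "MAB-after-802.1X-failure" if self.dot1x == "failed" else "MAB"
        if self.mab == "pending":
            return "incomplete"
        if self.dot1x == "failed" or self.mab == "failed":
            return "rejected"
        return "incomplete"


def parse_sessions(journal: str) -> list:
    """Group journal lines into sessions; 'start authentication' opens a new one."""
    sessions = []
    current = {}  # (ifname, mac) -> most recent Session for that station
    for line in journal.splitlines():
        m = LINE_RE.search(line.rstrip())
        if not m or m["mac"].lower() == PAE_GROUP_MAC:
            continue
        key, msg = (m["ifname"], m["mac"].lower()), m["msg"]
        # Also open a session lazily so a journal that starts mid-exchange still parses.
        if msg == "start authentication" or key not in current:
            current[key] = Session(*key)
            sessions.append(current[key])
        s = current[key]
        ident = IDENTITY_RE.match(msg)
        if ident:
            s.identity = ident["identity"]
        elif msg.startswith("authenticated - EAP type:"):
            s.dot1x = "success"
        elif msg.startswith("authentication failed - EAP type:"):
            s.dot1x = "failed"
        elif msg == "MAB: Starting RADIUS query":
            s.mab = "pending"
        elif msg == "MAB: station successfully authenticated":
            s.mab = "success"
        elif msg.startswith("MAB: Authentication failed"):
            s.mab = "failed"
        elif msg == "authorizing port":
            s.port_authorized = True
        elif msg == "unauthorizing port":  # exact match: "authorizing" is a substring of it
            s.port_authorized = False
    return sessions


def mab_after_failed_dot1x(sessions: list) -> list:
    """Sessions whose port was opened on the MAC alone after 802.1X credentials failed."""
    return [s for s in sessions
            if s.outcome == "MAB-after-802.1X-failure" and s.port_authorized]


# Constructed sample: abridged from the journal format on this page. The first two
# lines and the last three (including the MAB failure line) are built from the
# page's tokens, not copied from captured output.
SAMPLE_JOURNAL = """\
Dec 11 14:13:55.090000 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Dec 11 14:13:55.090500 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Dec 11 14:13:55.099110 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Dec 11 14:13:55.099131 osdx hostapd[80929]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Dec 11 14:14:07.430766 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Dec 11 14:14:07.430842 osdx hostapd[81438]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 14:14:07.431253 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong'
Dec 11 14:14:08.446321 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Dec 11 14:14:08.446326 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Dec 11 14:14:08.446329 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Dec 11 14:14:08.446333 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Dec 11 14:14:08.446687 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Dec 11 14:14:08.446700 osdx hostapd[81438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 14:14:20.165867 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Dec 11 14:14:20.166318 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Dec 11 14:14:21.200000 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Dec 11 14:14:21.200010 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Dec 11 14:14:21.200500 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed
"""

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_JOURNAL):
        print(s.mac, s.identity, s.outcome, "authorized" if s.port_authorized else "blocked")
```

The same MAC appears in two sessions with different outcomes, so results are keyed on each "start authentication" line rather than on the MAC alone.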

Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/ikD/BbwhDbtJvq5ueoBkQd/yE9q2rcHgXHHzZQh3uIRdRfYTAVaLoY13yPLOyEvNN0stGi59Ycw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.203 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.203/0.203/0.203/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/iRCZJ8zRW5UUWtzVzFLQWsrK2Cxutu+s=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Unauthorized
---------------------------------
       Field            Value
---------------------------------
EAPoL Frames (Rx)              10
EAPoL Frames (Tx)              10
Invalid Frames (Rx)             0
Logoff Frames (Tx)              0
Port Status          Unauthorized
Req Frames (Rx)                 8
Req ID Frames (Rx)              1
Resp Frames (Tx)                9
Start Frames (Tx)               1

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                        10
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1 and expect the command to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Dec 11 14:14:16.838194 osdx hostapd[81943]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Dec 11 14:14:16.838213 osdx hostapd[81943]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:14:16.838632 osdx hostapd[81943]: connect[radius]: Network is unreachable
Dec 11 14:14:16.838272 osdx hostapd[81943]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Dec 11 14:14:16.838277 osdx hostapd[81943]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Dec 11 14:14:16.857891 osdx hostapd[81943]: Discovery mode enabled on eth2
Dec 11 14:14:16.857987 osdx hostapd[81943]: eth2: interface state UNINITIALIZED->ENABLED
Dec 11 14:14:16.857987 osdx hostapd[81943]: eth2: AP-ENABLED
Dec 11 14:14:20.152190 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Dec 11 14:14:20.152204 osdx hostapd[81944]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Dec 11 14:14:20.165867 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Dec 11 14:14:20.165892 osdx hostapd[81944]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Dec 11 14:14:20.165896 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Dec 11 14:14:20.165898 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Dec 11 14:14:20.165912 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Dec 11 14:14:20.165915 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Dec 11 14:14:20.165924 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Dec 11 14:14:20.165935 osdx hostapd[81944]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 14:14:20.165953 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 74)
Dec 11 14:14:20.166303 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=74 len=10) from STA: EAP Response-Identity (1)
Dec 11 14:14:20.166318 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Dec 11 14:14:20.166345 osdx hostapd[81944]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:14:20.168245 osdx hostapd[81944]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:20.168274 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:20.168568 osdx hostapd[81944]: eth2: RADIUS Received 80 bytes from RADIUS server
Dec 11 14:14:20.168574 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:20.168579 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:20.168605 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=75 len=22) from RADIUS server: EAP-Request-MD5 (4)
Dec 11 14:14:20.168613 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 75)
Dec 11 14:14:20.168899 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=75 len=6) from STA: EAP Response-unknown (3)
Dec 11 14:14:20.168950 osdx hostapd[81944]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:20.168963 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:20.169161 osdx hostapd[81944]: eth2: RADIUS Received 64 bytes from RADIUS server
Dec 11 14:14:20.169166 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:20.169169 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:20.169188 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=76 len=6) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:20.169194 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 76)
Dec 11 14:14:20.169610 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=76 len=194) from STA: EAP Response-PEAP (25)
Dec 11 14:14:20.169653 osdx hostapd[81944]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:20.169664 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:20.170676 osdx hostapd[81944]: eth2: RADIUS Received 1068 bytes from RADIUS server
Dec 11 14:14:20.170685 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:20.170690 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:20.170719 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=77 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:20.170729 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 77)
Dec 11 14:14:20.170935 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=77 len=6) from STA: EAP Response-PEAP (25)
Dec 11 14:14:20.170985 osdx hostapd[81944]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:20.171001 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:20.171117 osdx hostapd[81944]: eth2: RADIUS Received 229 bytes from RADIUS server
Dec 11 14:14:20.171123 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:20.171127 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:20.171144 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=78 len=171) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:20.171151 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 78)
Dec 11 14:14:20.172549 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=78 len=103) from STA: EAP Response-PEAP (25)
Dec 11 14:14:20.172599 osdx hostapd[81944]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:20.172611 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:20.172931 osdx hostapd[81944]: eth2: RADIUS Received 115 bytes from RADIUS server
Dec 11 14:14:20.172939 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:20.172944 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:20.172971 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=79 len=57) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:20.172979 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 79)
Dec 11 14:14:20.173237 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=79 len=6) from STA: EAP Response-PEAP (25)
Dec 11 14:14:20.173277 osdx hostapd[81944]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:20.173289 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:20.173439 osdx hostapd[81944]: eth2: RADIUS Received 98 bytes from RADIUS server
Dec 11 14:14:20.173445 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:20.173450 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:20.173465 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=80 len=40) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:20.173472 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 80)
Dec 11 14:14:20.173635 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=80 len=41) from STA: EAP Response-PEAP (25)
Dec 11 14:14:20.173668 osdx hostapd[81944]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:20.173679 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:20.173853 osdx hostapd[81944]: eth2: RADIUS Received 131 bytes from RADIUS server
Dec 11 14:14:20.173861 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:20.173869 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:20.173899 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=81 len=73) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:20.173907 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 81)
Dec 11 14:14:20.174175 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=81 len=95) from STA: EAP Response-PEAP (25)
Dec 11 14:14:20.174221 osdx hostapd[81944]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:20.174234 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:20.174405 osdx hostapd[81944]: eth2: RADIUS Received 104 bytes from RADIUS server
Dec 11 14:14:20.174410 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:20.174414 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:20.174430 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=82 len=46) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 14:14:20.174436 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 82)
Dec 11 14:14:20.174584 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=82 len=46) from STA: EAP Response-PEAP (25)
Dec 11 14:14:20.174621 osdx hostapd[81944]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:20.174633 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:21.174729 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Dec 11 14:14:21.174774 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Dec 11 14:14:21.174956 osdx hostapd[81944]: eth2: RADIUS Received 44 bytes from RADIUS server
Dec 11 14:14:21.174960 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:21.174966 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:21.175020 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=82 len=4) from RADIUS server: EAP Failure
Dec 11 14:14:21.175051 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 82)
Dec 11 14:14:21.175067 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Dec 11 14:14:21.175072 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Dec 11 14:14:21.175076 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Dec 11 14:14:21.175081 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Dec 11 14:14:21.175114 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Dec 11 14:14:21.175123 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Dec 11 14:14:21.175136 osdx hostapd[81944]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:21.175146 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:21.175160 osdx hostapd[81944]: eth2: RADIUS Received 44 bytes from RADIUS server
Dec 11 14:14:21.175163 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:21.175166 osdx hostapd[81944]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Dec 11 14:14:22.175250 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Dec 11 14:14:22.175290 osdx hostapd[81944]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Dec 11 14:14:22.175489 osdx hostapd[81944]: eth2: RADIUS Received 20 bytes from RADIUS server
Dec 11 14:14:22.175495 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:22.175500 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:22.175506 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Dec 11 14:14:22.175564 osdx hostapd[81944]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Dec 11 14:14:22.175568 osdx hostapd[81944]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Dec 11 14:14:22.175572 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Dec 11 14:14:22.175575 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Dec 11 14:14:22.175586 osdx hostapd[81944]: eth2: RADIUS Received 20 bytes from RADIUS server
Dec 11 14:14:22.175589 osdx hostapd[81944]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:22.175593 osdx hostapd[81944]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet

Test Unsupported 802.1x Authentication With Successful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18Lok7Vm+4hUIeWK14MVjO0FufGl+S2R0I0tDDwIGvwBbRAcDuMGzqRbkg6NeJxjtMpmC5W5TTFnQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.198 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.198/0.198/0.198/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.440 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.440/0.440/0.440/0.000 ms

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         4
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.255 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.255/0.255/0.255/0.000 ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Show output
Dec 11 14:14:30.953536 osdx hostapd[82439]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Dec 11 14:14:30.953826 osdx hostapd[82439]: connect[radius]: Network is unreachable
Dec 11 14:14:30.953552 osdx hostapd[82439]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:14:30.953599 osdx hostapd[82439]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Dec 11 14:14:30.953603 osdx hostapd[82439]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Dec 11 14:14:30.977355 osdx hostapd[82439]: Discovery mode enabled on eth2
Dec 11 14:14:30.977466 osdx hostapd[82439]: eth2: interface state UNINITIALIZED->ENABLED
Dec 11 14:14:30.977466 osdx hostapd[82439]: eth2: AP-ENABLED
Dec 11 14:14:35.978132 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Dec 11 14:14:35.978167 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Dec 11 14:14:35.978176 osdx hostapd[82440]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Dec 11 14:14:35.997390 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Dec 11 14:14:35.997430 osdx hostapd[82440]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Dec 11 14:14:35.997436 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Dec 11 14:14:35.997439 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Dec 11 14:14:35.997463 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Dec 11 14:14:35.997474 osdx hostapd[82440]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 14:14:35.997507 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 36)
Dec 11 14:14:39.000096 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 36)
Dec 11 14:14:45.005130 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 36)
Dec 11 14:14:57.018128 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Dec 11 14:14:57.018138 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Dec 11 14:14:57.018144 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Dec 11 14:14:57.018194 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Dec 11 14:14:57.020578 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Dec 11 14:14:57.020596 osdx hostapd[82440]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:14:57.020678 osdx hostapd[82440]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:14:57.020822 osdx hostapd[82440]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:14:57.020847 osdx hostapd[82440]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 14:14:57.020863 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 248)
Dec 11 14:14:57.021044 osdx hostapd[82440]: eth2: RADIUS Received 20 bytes from RADIUS server
Dec 11 14:14:57.021050 osdx hostapd[82440]: eth2: RADIUS Received RADIUS message
Dec 11 14:14:57.021054 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:14:57.021059 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Dec 11 14:14:57.021081 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Dec 11 14:14:57.021084 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Dec 11 14:14:57.021088 osdx hostapd[82440]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Dec 11 14:14:57.021098 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 14:14:57.021102 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 223CC86D8D8D2F1E

Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/T2kgo8qQ6GKchbyI2fZRSfSvF6L4FLbpbAyRk2FxiK0AkmmK+A+sJ6EYPcpSztb0ugSSPprgPAQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.222 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.222/0.222/0.222/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   2
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         4
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1. This command is expected to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Show output
Dec 11 14:15:07.666494 osdx hostapd[82991]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Dec 11 14:15:07.666507 osdx hostapd[82991]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:15:07.666847 osdx hostapd[82991]: connect[radius]: Network is unreachable
Dec 11 14:15:07.666548 osdx hostapd[82991]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Dec 11 14:15:07.666551 osdx hostapd[82991]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Dec 11 14:15:07.694328 osdx hostapd[82991]: Discovery mode enabled on eth2
Dec 11 14:15:07.694444 osdx hostapd[82991]: eth2: interface state UNINITIALIZED->ENABLED
Dec 11 14:15:07.694444 osdx hostapd[82991]: eth2: AP-ENABLED
Dec 11 14:15:12.694929 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Dec 11 14:15:12.694968 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Dec 11 14:15:12.694978 osdx hostapd[82992]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Dec 11 14:15:12.714378 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Dec 11 14:15:12.714414 osdx hostapd[82992]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Dec 11 14:15:12.714419 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Dec 11 14:15:12.714423 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Dec 11 14:15:12.714444 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Dec 11 14:15:12.714452 osdx hostapd[82992]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 14:15:12.714482 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 234)
Dec 11 14:15:15.717119 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 234)
Dec 11 14:15:21.722138 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 234)
Dec 11 14:15:33.731914 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Dec 11 14:15:33.731923 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Dec 11 14:15:33.731929 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Dec 11 14:15:33.731969 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Dec 11 14:15:33.734343 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Dec 11 14:15:33.734356 osdx hostapd[82992]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 14:15:33.734441 osdx hostapd[82992]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 14:15:33.734473 osdx hostapd[82992]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 14:15:33.734493 osdx hostapd[82992]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 14:15:33.734515 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 20)
Dec 11 14:15:34.735095 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Dec 11 14:15:34.735130 osdx hostapd[82992]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Dec 11 14:15:34.735392 osdx hostapd[82992]: eth2: RADIUS Received 20 bytes from RADIUS server
Dec 11 14:15:34.735395 osdx hostapd[82992]: eth2: RADIUS Received RADIUS message
Dec 11 14:15:34.735399 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 14:15:34.735403 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Dec 11 14:15:34.735454 osdx hostapd[82992]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Dec 11 14:15:34.735457 osdx hostapd[82992]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Dec 11 14:15:34.735459 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Dec 11 14:15:34.735462 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Dec 11 14:15:34.735469 osdx hostapd[82992]: eth2: RADIUS Received 20 bytes from RADIUS server
Dec 11 14:15:34.735471 osdx hostapd[82992]: eth2: RADIUS Received RADIUS message
Dec 11 14:15:34.735473 osdx hostapd[82992]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
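
The journal tokens checked in these scenarios can be folded into one record per station, which shows why each port fell back to MAB, how long the authenticator waited first, and whether the MAC-only request was accepted. This is an added example, not part of the OSDx documentation; `Session`, `summarize` and `mab_authorized` are hypothetical names, and the sample lines are abridged from the journal output above.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Lines abridged from the hostapd journal output shown on this page.
SAMPLE_JOURNAL = """\
Dec 11 14:14:21.175076 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Dec 11 14:14:22.175572 osdx hostapd[81944]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Dec 11 14:14:35.997390 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Dec 11 14:14:35.997474 osdx hostapd[82440]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 14:14:57.018138 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Dec 11 14:14:57.021084 osdx hostapd[82440]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Dec 11 14:15:12.714378 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Dec 11 14:15:33.731923 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Dec 11 14:15:34.735459 osdx hostapd[82992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
"""

# timestamp, host, hostapd[pid], interface, station MAC, module, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) \S+ hostapd\[\d+\]: (?P<ifname>\S+): "
    r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) [^:]+: (?P<msg>.*)$")
# The two fallback triggers that appear in the logs on this page.
TRIGGERS = {
    "EAP max retrans reached, triggering MAB fallback": "no-eap-response",
    "802.1X authentication failed, triggering MAB fallback": "eap-failure"}
HELD_RE = re.compile(r"MAB: Authentication failed, entering held state "
                     r"\(quiet period (\d+) sec\)")


@dataclass
class Session:
    ifname: str
    mac: str
    started: Optional[datetime] = None   # time of "start authentication"
    trigger: Optional[str] = None        # why MAB fallback was started
    wait_s: Optional[float] = None       # seconds from start to fallback
    outcome: Optional[str] = None        # "authorized-mab" or "held"
    quiet_period: Optional[int] = None   # held-state duration, if rejected


def parse_ts(ts: str) -> datetime:
    # Journal lines carry no year; 2000 is an arbitrary placeholder (assumption).
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")


def summarize(journal: str) -> list:
    """Return one Session per MAB fallback attempt, in log order."""
    sessions, current = [], {}
    for line in journal.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, msg, ts = (m["ifname"], m["mac"]), m["msg"], parse_ts(m["ts"])
        if msg == "start authentication":
            current[key] = Session(*key, started=ts)
            sessions.append(current[key])
            continue
        trigger = next((n for t, n in TRIGGERS.items() if msg.startswith(t)), None)
        s = current.get(key)
        if trigger:
            # Log may begin mid-session, or a station may fall back again.
            if s is None or s.trigger is not None:
                s = current[key] = Session(*key)
                sessions.append(s)
            s.trigger = trigger
            if s.started is not None:
                s.wait_s = round((ts - s.started).total_seconds(), 1)
        elif s is not None and s.trigger and s.outcome is None:
            if msg == "MAB: station successfully authenticated":
                s.outcome = "authorized-mab"
            elif (held := HELD_RE.match(msg)):
                s.outcome, s.quiet_period = "held", int(held.group(1))
    return [s for s in sessions if s.trigger]


def mab_authorized(sessions: list) -> list:
    """Ports opened on the MAC address alone, for review against an inventory."""
    return [(s.ifname, s.mac) for s in sessions if s.outcome == "authorized-mab"]


if __name__ == "__main__":
    for session in summarize(SAMPLE_JOURNAL):
        print(session)
```

On the sample, both stations that never answer EAP reach the fallback about 21 seconds after `start authentication`, which matches the three EAP-Request transmissions and the abort visible in the output above.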