Mab First
This scenario shows how to configure the MAB-first
authentication mode.
Test Successful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX185OijfPNse5q7IoakP5OypaguKCgpYuTaWhtPjCQcFytjWeJ93WRZMt/Fg9WYWl5BP79gIVn0FzQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.221 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.221/0.221/0.221/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+z+LkZ0Crg/FZEmapp8uel1DAqPMPQaTI= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 1 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.238 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.238/0.238/0.238/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Dec 11 14:11:55.233474 osdx hostapd[77379]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Dec 11 14:11:55.233487 osdx hostapd[77379]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:11:55.233772 osdx hostapd[77379]: connect[radius]: Network is unreachable Dec 11 14:11:55.233527 osdx hostapd[77379]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Dec 11 14:11:55.233531 osdx hostapd[77379]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Dec 11 14:11:55.249344 osdx hostapd[77379]: Discovery mode enabled on eth2 Dec 11 14:11:55.249405 osdx hostapd[77379]: eth2: interface state UNINITIALIZED->ENABLED Dec 11 14:11:55.249405 osdx hostapd[77379]: eth2: AP-ENABLED Dec 11 14:11:58.481684 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Dec 11 14:11:58.481699 osdx hostapd[77380]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Dec 11 14:11:58.497377 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Dec 11 14:11:58.497409 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Dec 11 14:11:58.497424 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Dec 11 14:11:58.499274 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Dec 11 14:11:58.499294 osdx hostapd[77380]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:11:58.499396 osdx hostapd[77380]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:11:58.499429 osdx hostapd[77380]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:11:58.499455 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Dec 11 14:11:58.499684 osdx hostapd[77380]: eth2: RADIUS Received 20 bytes from RADIUS server Dec 11 14:11:58.499689 osdx hostapd[77380]: eth2: RADIUS Received RADIUS message Dec 11 14:11:58.499695 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:11:58.499700 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Dec 11 14:11:58.499718 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Dec 11 14:11:58.499720 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Dec 11 14:11:58.499724 osdx hostapd[77380]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Dec 11 14:11:58.499735 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Dec 11 14:11:58.499739 osdx hostapd[77380]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session AE3CF5B1FA1BAF6E
Test Successful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18rugCc2viPY3meqpGY/iG7FxUodIcN7z0ck4va/Xm9Mht8sE9yzCPi7iJWXpB74XvqI0aECkmemw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.238 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.238/0.238/0.238/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/gmbpOPWEmZXgpvI6ixkkH+3Ijad9xtWQ= set interfaces ethernet eth2 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 1 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.268 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.268/0.268/0.268/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Dec 11 14:12:07.466819 osdx hostapd[77886]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Dec 11 14:12:07.466831 osdx hostapd[77886]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:12:07.467116 osdx hostapd[77886]: connect[radius]: Network is unreachable Dec 11 14:12:07.466863 osdx hostapd[77886]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Dec 11 14:12:07.466866 osdx hostapd[77886]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Dec 11 14:12:07.486676 osdx hostapd[77886]: Discovery mode enabled on eth2 Dec 11 14:12:07.486740 osdx hostapd[77886]: eth2: interface state UNINITIALIZED->ENABLED Dec 11 14:12:07.486740 osdx hostapd[77886]: eth2: AP-ENABLED Dec 11 14:12:10.577031 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Dec 11 14:12:10.577044 osdx hostapd[77887]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Dec 11 14:12:10.594746 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Dec 11 14:12:10.594771 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Dec 11 14:12:10.594787 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Dec 11 14:12:10.596473 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Dec 11 14:12:10.596483 osdx hostapd[77887]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:12:10.596547 osdx hostapd[77887]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:10.596596 osdx hostapd[77887]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:10.596636 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Dec 11 14:12:10.596908 osdx hostapd[77887]: eth2: RADIUS Received 20 bytes from RADIUS server Dec 11 14:12:10.596913 osdx hostapd[77887]: eth2: RADIUS Received RADIUS message Dec 11 14:12:10.596917 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:10.596920 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Dec 11 14:12:10.596943 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Dec 11 14:12:10.596945 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Dec 11 14:12:10.596948 osdx hostapd[77887]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Dec 11 14:12:10.596956 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Dec 11 14:12:10.596958 osdx hostapd[77887]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session F2A438B61A28504A
Test Successful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX192ynRnCw8T0CqS8JsobL75oUozgYF83q67+Dfbbzl5F2Y3qQoX+LUONiY+7OUM48I3HubMoKfESA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.311 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.311/0.311/0.311/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.565 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.565/0.565/0.565/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.268 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.268/0.268/0.268/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Dec 11 14:12:18.554357 osdx hostapd[78390]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Dec 11 14:12:18.554373 osdx hostapd[78390]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:12:18.554695 osdx hostapd[78390]: connect[radius]: Network is unreachable Dec 11 14:12:18.554423 osdx hostapd[78390]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Dec 11 14:12:18.554427 osdx hostapd[78390]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Dec 11 14:12:18.578716 osdx hostapd[78390]: Discovery mode enabled on eth2 Dec 11 14:12:18.578716 osdx hostapd[78390]: eth2: interface state UNINITIALIZED->ENABLED Dec 11 14:12:18.578716 osdx hostapd[78390]: eth2: AP-ENABLED Dec 11 14:12:23.578962 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Dec 11 14:12:23.578999 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Dec 11 14:12:23.579008 osdx hostapd[78391]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Dec 11 14:12:23.602206 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Dec 11 14:12:23.602247 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Dec 11 14:12:23.602265 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Dec 11 14:12:23.604639 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Dec 11 14:12:23.604653 osdx hostapd[78391]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:12:23.604742 osdx hostapd[78391]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:23.604778 osdx hostapd[78391]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:23.605068 osdx hostapd[78391]: eth2: RADIUS Received 20 bytes from RADIUS server Dec 11 14:12:23.605079 osdx hostapd[78391]: eth2: RADIUS Received RADIUS message Dec 11 14:12:23.605084 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:23.605089 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Dec 11 14:12:23.605115 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Dec 11 14:12:23.605119 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Dec 11 14:12:23.605123 osdx hostapd[78391]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Dec 11 14:12:23.605142 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Dec 11 14:12:23.605146 osdx hostapd[78391]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 1A56913D00B62830
Test Unsuccessful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18G46tNVKxgN6DgzLCwnvQaxUEQf38qeXP7YGPVOjJt3xyU+gzmSFhnirU3U6Jr7jkVUiMiCTyw4A== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.831 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.831/0.831/0.831/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+In5r3+YBioBb1iRbw46IzGegsDaSoTmU= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.329 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.329/0.329/0.329/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: authenticated - EAP type: 25 (PEAP)Show output
Dec 11 14:12:35.662032 osdx hostapd[78904]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Dec 11 14:12:35.662050 osdx hostapd[78904]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:12:35.662334 osdx hostapd[78904]: connect[radius]: Network is unreachable Dec 11 14:12:35.662111 osdx hostapd[78904]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Dec 11 14:12:35.662116 osdx hostapd[78904]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Dec 11 14:12:35.677884 osdx hostapd[78904]: Discovery mode enabled on eth2 Dec 11 14:12:35.677968 osdx hostapd[78904]: eth2: interface state UNINITIALIZED->ENABLED Dec 11 14:12:35.677968 osdx hostapd[78904]: eth2: AP-ENABLED Dec 11 14:12:39.095193 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Dec 11 14:12:39.095209 osdx hostapd[78905]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Dec 11 14:12:39.105920 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Dec 11 14:12:39.105952 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Dec 11 14:12:39.105970 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Dec 11 14:12:39.108325 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Dec 11 14:12:39.108339 osdx hostapd[78905]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:12:39.108425 osdx hostapd[78905]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:39.108609 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:39.108642 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Dec 11 14:12:40.108686 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Dec 11 14:12:40.108717 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Dec 11 14:12:40.108893 osdx hostapd[78905]: eth2: RADIUS Received 20 bytes from RADIUS server Dec 11 14:12:40.108896 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.108899 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:40.108903 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Dec 11 14:12:40.109010 osdx hostapd[78905]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Dec 11 14:12:40.109012 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Dec 11 14:12:40.109015 osdx hostapd[78905]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Dec 11 14:12:40.109017 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Dec 11 14:12:40.109024 osdx hostapd[78905]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Dec 11 14:12:40.109036 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 20) Dec 11 14:12:40.109047 osdx hostapd[78905]: eth2: RADIUS Received 20 bytes from RADIUS server Dec 11 14:12:40.109049 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.109052 osdx hostapd[78905]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet Dec 11 14:12:40.109372 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=20 len=12) from STA: EAP Response-Identity (1) Dec 11 14:12:40.109386 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing' Dec 11 14:12:40.109445 osdx hostapd[78905]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:40.109463 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:40.109714 osdx hostapd[78905]: eth2: RADIUS Received 80 bytes from RADIUS server Dec 11 14:12:40.109719 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.109722 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:40.109743 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=21 len=22) from RADIUS server: EAP-Request-MD5 (4) Dec 11 14:12:40.109749 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 21) Dec 11 14:12:40.109965 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=21 len=6) from STA: EAP Response-unknown (3) Dec 11 14:12:40.110024 osdx hostapd[78905]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:40.110041 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:40.110254 osdx hostapd[78905]: eth2: RADIUS Received 64 bytes from RADIUS server Dec 11 14:12:40.110259 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.110262 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:40.110282 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=22 len=6) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:40.110290 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 22) Dec 11 14:12:40.110624 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=22 len=194) from STA: EAP Response-PEAP (25) Dec 11 14:12:40.110661 osdx hostapd[78905]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:40.110672 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:40.111942 osdx hostapd[78905]: eth2: RADIUS Received 1068 bytes from RADIUS server Dec 11 14:12:40.111950 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.111954 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:40.111980 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=23 len=1004) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:40.111987 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 23) Dec 11 14:12:40.112186 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=23 len=6) from STA: EAP Response-PEAP (25) Dec 11 14:12:40.112233 osdx hostapd[78905]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:40.112249 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:40.112373 osdx hostapd[78905]: eth2: RADIUS Received 229 bytes from RADIUS server Dec 11 14:12:40.112378 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.112382 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:40.112406 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=24 len=171) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:40.112413 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 24) Dec 11 14:12:40.113981 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=24 len=103) from STA: EAP Response-PEAP (25) Dec 11 14:12:40.114039 osdx hostapd[78905]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:40.114053 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:40.114461 osdx hostapd[78905]: eth2: RADIUS Received 115 bytes from RADIUS server Dec 11 14:12:40.114466 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.114469 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:40.114487 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=25 len=57) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:40.114493 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 25) Dec 11 14:12:40.114835 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=25 len=6) from STA: EAP Response-PEAP (25) Dec 11 14:12:40.114899 osdx hostapd[78905]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:40.114947 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:40.115076 osdx hostapd[78905]: eth2: RADIUS Received 98 bytes from RADIUS server Dec 11 14:12:40.115082 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.115086 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:40.115111 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=26 len=40) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:40.115119 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 26) Dec 11 14:12:40.115308 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=26 len=43) from STA: EAP Response-PEAP (25) Dec 11 14:12:40.115347 osdx hostapd[78905]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:40.115359 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:40.115527 osdx hostapd[78905]: eth2: RADIUS Received 131 bytes from RADIUS server Dec 11 14:12:40.115533 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.115543 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:40.115565 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=27 len=73) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:40.115571 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 27) Dec 11 14:12:40.115839 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=27 len=97) from STA: EAP Response-PEAP (25) Dec 11 14:12:40.115890 osdx hostapd[78905]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:40.115905 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:40.116067 osdx hostapd[78905]: eth2: RADIUS Received 140 bytes from RADIUS server Dec 11 14:12:40.116072 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.116075 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:40.116091 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=28 len=82) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:40.116103 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 28) Dec 11 14:12:40.116286 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=28 len=37) from STA: EAP Response-PEAP (25) Dec 11 14:12:40.116323 osdx hostapd[78905]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:40.116333 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:40.116514 osdx hostapd[78905]: eth2: RADIUS Received 104 bytes from RADIUS server Dec 11 14:12:40.116519 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.116523 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:40.116541 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=29 len=46) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:40.116548 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 29) Dec 11 14:12:40.116751 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=29 len=46) from STA: EAP Response-PEAP (25) Dec 11 14:12:40.116786 osdx hostapd[78905]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:40.116795 osdx hostapd[78905]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:40.117002 osdx hostapd[78905]: eth2: RADIUS Received 175 bytes from RADIUS server Dec 11 14:12:40.117008 osdx hostapd[78905]: eth2: RADIUS Received RADIUS message Dec 11 14:12:40.117011 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:40.117035 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' Dec 11 14:12:40.117039 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=29 len=4) from RADIUS server: EAP Success Dec 11 14:12:40.117054 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 29) Dec 11 14:12:40.117069 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port Dec 11 14:12:40.117073 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session 9720CA7F7CFF4899 Dec 11 14:12:40.117097 osdx hostapd[78905]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19Q9tZsCD1VYuiw36TTvbZXRQI+0vjqE2Z9B4iGXx+U9AZG99AJb5YUZ0XJF5w1yH1ZN2XsRVv0rw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.314 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.314/0.314/0.314/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18o/EspMOAvLP/UUXUC+cq2rjVZQnmfXhQ= set interfaces ethernet eth2 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 9 EAPoL Frames (Tx) 10 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 8 Req ID Frames (Rx) 1 Resp Frames (Tx) 9 Start Frames (Tx) 1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 8 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 10 EAPoL frames (Tx) 9 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)Show output
Dec 11 14:12:47.667484 osdx hostapd[79413]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Dec 11 14:12:47.667502 osdx hostapd[79413]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:12:47.667809 osdx hostapd[79413]: connect[radius]: Network is unreachable Dec 11 14:12:47.667548 osdx hostapd[79413]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Dec 11 14:12:47.667553 osdx hostapd[79413]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Dec 11 14:12:47.687818 osdx hostapd[79413]: Discovery mode enabled on eth2 Dec 11 14:12:47.687818 osdx hostapd[79413]: eth2: interface state UNINITIALIZED->ENABLED Dec 11 14:12:47.687818 osdx hostapd[79413]: eth2: AP-ENABLED Dec 11 14:12:50.997615 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Dec 11 14:12:50.997631 osdx hostapd[79414]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Dec 11 14:12:51.015332 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Dec 11 14:12:51.015363 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Dec 11 14:12:51.015383 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Dec 11 14:12:51.017715 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Dec 11 14:12:51.017730 osdx hostapd[79414]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:12:51.017816 osdx hostapd[79414]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:51.017850 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:51.017878 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Dec 11 14:12:52.017929 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Dec 11 14:12:52.017959 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Dec 11 14:12:52.018147 osdx hostapd[79414]: eth2: RADIUS Received 20 bytes from RADIUS server Dec 11 14:12:52.018151 osdx hostapd[79414]: eth2: RADIUS Received RADIUS message Dec 11 14:12:52.018154 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:52.018158 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Dec 11 14:12:52.018202 osdx hostapd[79414]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Dec 11 14:12:52.018205 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Dec 11 14:12:52.018209 osdx hostapd[79414]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Dec 11 14:12:52.018212 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Dec 11 14:12:52.018223 osdx hostapd[79414]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Dec 11 14:12:52.018247 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 189) Dec 11 14:12:52.018574 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=189 len=10) from STA: EAP Response-Identity (1) Dec 11 14:12:52.018583 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' Dec 11 14:12:52.018635 osdx hostapd[79414]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:52.018647 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:52.018851 osdx hostapd[79414]: eth2: RADIUS Received 80 bytes from RADIUS server Dec 11 14:12:52.018856 osdx hostapd[79414]: eth2: RADIUS Received RADIUS message Dec 11 14:12:52.018859 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:52.018877 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=190 len=22) from RADIUS server: EAP-Request-MD5 (4) Dec 11 14:12:52.018883 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 190) Dec 11 14:12:52.019070 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=190 len=6) from STA: EAP Response-unknown (3) Dec 11 14:12:52.019108 osdx hostapd[79414]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:52.019120 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:52.019314 osdx hostapd[79414]: eth2: RADIUS Received 64 bytes from RADIUS server Dec 11 14:12:52.019319 osdx hostapd[79414]: eth2: RADIUS Received RADIUS message Dec 11 14:12:52.019322 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:52.019338 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=191 len=6) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:52.019342 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 191) Dec 11 14:12:52.019682 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=191 len=194) from STA: EAP Response-PEAP (25) Dec 11 14:12:52.019753 osdx hostapd[79414]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:52.019773 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:52.020990 osdx hostapd[79414]: eth2: RADIUS Received 1068 bytes from RADIUS server Dec 11 14:12:52.020996 osdx hostapd[79414]: eth2: RADIUS Received RADIUS message Dec 11 14:12:52.020999 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:52.021026 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=192 len=1004) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:52.021039 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 192) Dec 11 14:12:52.021212 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=192 len=6) from STA: EAP Response-PEAP (25) Dec 11 14:12:52.021261 osdx hostapd[79414]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:52.021275 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:52.021411 osdx hostapd[79414]: eth2: RADIUS Received 229 bytes from RADIUS server Dec 11 14:12:52.021415 osdx hostapd[79414]: eth2: RADIUS Received RADIUS message Dec 11 14:12:52.021419 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:52.021442 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=193 len=171) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:52.021455 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 193) Dec 11 14:12:52.022779 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=193 len=103) from STA: EAP Response-PEAP (25) Dec 11 14:12:52.022833 osdx hostapd[79414]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:52.022848 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:52.023199 osdx hostapd[79414]: eth2: RADIUS Received 115 bytes from RADIUS server Dec 11 14:12:52.023205 osdx hostapd[79414]: eth2: RADIUS Received RADIUS message Dec 11 14:12:52.023208 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:52.023238 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=194 len=57) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:52.023245 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 194) Dec 11 14:12:52.023526 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=194 len=6) from STA: EAP Response-PEAP (25) Dec 11 14:12:52.023562 osdx hostapd[79414]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:52.023578 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:52.023722 osdx hostapd[79414]: eth2: RADIUS Received 98 bytes from RADIUS server Dec 11 14:12:52.023726 osdx hostapd[79414]: eth2: RADIUS Received RADIUS message Dec 11 14:12:52.023730 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:52.023749 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=195 len=40) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:52.023756 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 195) Dec 11 14:12:52.023905 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=195 len=41) from STA: EAP Response-PEAP (25) Dec 11 14:12:52.023935 osdx hostapd[79414]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:52.023944 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:52.024082 osdx hostapd[79414]: eth2: RADIUS Received 131 bytes from RADIUS server Dec 11 14:12:52.024087 osdx hostapd[79414]: eth2: RADIUS Received RADIUS message Dec 11 14:12:52.024090 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:52.024102 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=196 len=73) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:52.024107 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 196) Dec 11 14:12:52.024379 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=196 len=95) from STA: EAP Response-PEAP (25) Dec 11 14:12:52.024411 osdx hostapd[79414]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:52.024419 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:52.024587 osdx hostapd[79414]: eth2: RADIUS Received 104 bytes from RADIUS server Dec 11 14:12:52.024593 osdx hostapd[79414]: eth2: RADIUS Received RADIUS message Dec 11 14:12:52.024596 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:52.024611 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=197 len=46) from RADIUS server: EAP-Request-PEAP (25) Dec 11 14:12:52.024617 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 197) Dec 11 14:12:52.024810 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=197 len=46) from STA: EAP Response-PEAP (25) Dec 11 14:12:52.024855 osdx hostapd[79414]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:12:52.024869 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:12:53.024981 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8) Dec 11 14:12:53.025045 osdx hostapd[79414]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Dec 11 14:12:53.025281 osdx hostapd[79414]: eth2: RADIUS Received 44 bytes from RADIUS server Dec 11 14:12:53.025286 osdx hostapd[79414]: eth2: RADIUS Received RADIUS message Dec 11 14:12:53.025291 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:12:53.025343 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=197 len=4) from RADIUS server: EAP Failure Dec 11 14:12:53.025371 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 197) Dec 11 14:12:53.025493 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port Dec 11 14:12:53.025498 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) Dec 11 14:12:53.025501 osdx hostapd[79414]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds) Dec 11 14:12:53.025506 osdx hostapd[79414]: eth2: RADIUS Received 44 bytes from RADIUS server Dec 11 14:12:53.025509 osdx hostapd[79414]: eth2: RADIUS Received RADIUS message Dec 11 14:12:53.025512 osdx hostapd[79414]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1865oDdtm6zCsWSnJw1vx5ksxRUOrUtYGE5CXhoh7neaaScLLx9K8Uu0i1pjtBuy/cgwT1FT5H0YA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.294 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.294/0.294/0.294/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 0 EAPoL frames (Tx) 2 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: EAP authentication timeoutShow output
Dec 11 14:13:00.594920 osdx hostapd[79910]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Dec 11 14:13:00.594931 osdx hostapd[79910]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:13:00.595246 osdx hostapd[79910]: connect[radius]: Network is unreachable Dec 11 14:13:00.594965 osdx hostapd[79910]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Dec 11 14:13:00.594968 osdx hostapd[79910]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Dec 11 14:13:00.610816 osdx hostapd[79910]: Discovery mode enabled on eth2 Dec 11 14:13:00.610905 osdx hostapd[79910]: eth2: interface state UNINITIALIZED->ENABLED Dec 11 14:13:00.610905 osdx hostapd[79910]: eth2: AP-ENABLED Dec 11 14:13:05.611530 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication Dec 11 14:13:05.611577 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Dec 11 14:13:05.611587 osdx hostapd[79911]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Dec 11 14:13:05.626841 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Dec 11 14:13:05.626873 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Dec 11 14:13:05.626892 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Dec 11 14:13:05.629247 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Dec 11 14:13:05.629264 osdx hostapd[79911]: eth2: RADIUS Authentication server 10.215.168.1:1812 Dec 11 14:13:05.629348 osdx hostapd[79911]: eth2: RADIUS Sending RADIUS message to authentication server Dec 11 14:13:05.629382 osdx hostapd[79911]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Dec 11 14:13:06.629474 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Dec 11 14:13:06.629515 osdx hostapd[79911]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Dec 11 14:13:06.629709 osdx hostapd[79911]: eth2: RADIUS Received 20 bytes from RADIUS server Dec 11 14:13:06.629713 osdx hostapd[79911]: eth2: RADIUS Received RADIUS message Dec 11 14:13:06.629718 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Dec 11 14:13:06.629723 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Dec 11 14:13:06.629787 osdx hostapd[79911]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Dec 11 14:13:06.629791 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Dec 11 14:13:06.629795 osdx hostapd[79911]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Dec 11 14:13:06.629799 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Dec 11 14:13:06.629807 osdx hostapd[79911]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Dec 11 14:13:06.629824 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 167) Dec 11 14:13:06.629971 osdx hostapd[79911]: eth2: RADIUS Received 20 bytes from RADIUS server Dec 11 14:13:06.629983 osdx hostapd[79911]: eth2: RADIUS Received RADIUS message Dec 11 14:13:06.629987 osdx hostapd[79911]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet Dec 11 14:13:09.630613 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 167) Dec 11 14:13:14.491932 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Dec 11 14:13:15.635604 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 167) Dec 11 14:13:22.731714 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Dec 11 14:13:27.646626 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication Dec 11 14:13:27.646638 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying Dec 11 14:13:27.646652 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2) Dec 11 14:13:27.646658 osdx hostapd[79911]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)