Reauth Period
This scenario shows how to configure the reauthentication period in a device with 802.1x/MAB authentication.
Test Reauth Period In 802.1X Mode
Description
This scenario shows how to configure the reauthentication period in a device with 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/Gp2bxXKQd2mnYHzBb4EE4xA6If3BuT0XQ1Bf67qfUDOe/6fk8Lfr82BHXXudzSV9Wdit+4OlMgQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.182 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.182/0.182/0.182/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+UFFjprT5dc8HrE9YQx6fTCzrSlxFPOs8=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated
Dec 11 13:55:36.698466 osdx hostapd[56778]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Dec 11 13:55:36.698478 osdx hostapd[56778]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 13:55:36.698712 osdx hostapd[56778]: connect[radius]: Network is unreachable
Dec 11 13:55:36.698512 osdx hostapd[56778]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X, eap_server=0, eap_quiet_period=60, eap_max_retrans=2
Dec 11 13:55:36.698515 osdx hostapd[56778]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Dec 11 13:55:36.714325 osdx hostapd[56778]: Discovery mode enabled on eth2
Dec 11 13:55:36.714377 osdx hostapd[56778]: eth2: interface state UNINITIALIZED->ENABLED
Dec 11 13:55:36.714377 osdx hostapd[56778]: eth2: AP-ENABLED
Dec 11 13:55:36.714323 osdx hostapd[56778]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames
Dec 11 13:55:38.088773 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:55:39.886692 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Dec 11 13:55:39.886703 osdx hostapd[56779]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Dec 11 13:55:39.902437 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Dec 11 13:55:39.902475 osdx hostapd[56779]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Dec 11 13:55:39.902494 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Dec 11 13:55:39.902508 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Dec 11 13:55:39.902516 osdx hostapd[56779]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 13:55:39.902545 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 251)
Dec 11 13:55:39.902976 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=251 len=12) from STA: EAP Response-Identity (1)
Dec 11 13:55:39.902989 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Dec 11 13:55:39.903018 osdx hostapd[56779]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 13:55:39.904882 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:39.904914 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:39.905246 osdx hostapd[56779]: eth2: RADIUS Received 80 bytes from RADIUS server
Dec 11 13:55:39.905252 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:39.905256 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:39.905282 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=252 len=22) from RADIUS server: EAP-Request-MD5 (4)
Dec 11 13:55:39.905296 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 252)
Dec 11 13:55:39.905585 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=252 len=6) from STA: EAP Response-unknown (3)
Dec 11 13:55:39.905653 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:39.905671 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:39.905970 osdx hostapd[56779]: eth2: RADIUS Received 64 bytes from RADIUS server
Dec 11 13:55:39.905976 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:39.905981 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:39.906000 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=253 len=6) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:39.906007 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 253)
Dec 11 13:55:39.906438 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=253 len=194) from STA: EAP Response-PEAP (25)
Dec 11 13:55:39.906490 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:39.906503 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:39.907668 osdx hostapd[56779]: eth2: RADIUS Received 1068 bytes from RADIUS server
Dec 11 13:55:39.907675 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:39.907679 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:39.907706 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=254 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:39.907713 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 254)
Dec 11 13:55:39.907952 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=254 len=6) from STA: EAP Response-PEAP (25)
Dec 11 13:55:39.908000 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:39.908015 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:39.908180 osdx hostapd[56779]: eth2: RADIUS Received 229 bytes from RADIUS server
Dec 11 13:55:39.908185 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:39.908188 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:39.908204 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=255 len=171) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:39.908212 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 255)
Dec 11 13:55:39.910206 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=255 len=103) from STA: EAP Response-PEAP (25)
Dec 11 13:55:39.910269 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:39.910290 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:39.910733 osdx hostapd[56779]: eth2: RADIUS Received 115 bytes from RADIUS server
Dec 11 13:55:39.910737 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:39.910741 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:39.910757 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=0 len=57) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:39.910764 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 0)
Dec 11 13:55:39.911056 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=0 len=6) from STA: EAP Response-PEAP (25)
Dec 11 13:55:39.911120 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:39.911191 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:39.911282 osdx hostapd[56779]: eth2: RADIUS Received 98 bytes from RADIUS server
Dec 11 13:55:39.911288 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:39.911291 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:39.911316 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=1 len=40) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:39.911322 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 1)
Dec 11 13:55:39.911525 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=1 len=43) from STA: EAP Response-PEAP (25)
Dec 11 13:55:39.911568 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:39.911580 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:39.911794 osdx hostapd[56779]: eth2: RADIUS Received 131 bytes from RADIUS server
Dec 11 13:55:39.911802 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:39.911807 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:39.911832 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=2 len=73) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:39.911841 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 2)
Dec 11 13:55:39.912147 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=2 len=97) from STA: EAP Response-PEAP (25)
Dec 11 13:55:39.912194 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:39.912207 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:39.912432 osdx hostapd[56779]: eth2: RADIUS Received 140 bytes from RADIUS server
Dec 11 13:55:39.912438 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:39.912443 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:39.912460 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=3 len=82) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:39.912467 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 3)
Dec 11 13:55:39.912715 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=3 len=37) from STA: EAP Response-PEAP (25)
Dec 11 13:55:39.912757 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:39.912770 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:39.912941 osdx hostapd[56779]: eth2: RADIUS Received 104 bytes from RADIUS server
Dec 11 13:55:39.912947 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:39.912952 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:39.912969 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=4 len=46) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:39.912976 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 4)
Dec 11 13:55:39.913212 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=4 len=46) from STA: EAP Response-PEAP (25)
Dec 11 13:55:39.913255 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:39.913269 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:39.913483 osdx hostapd[56779]: eth2: RADIUS Received 175 bytes from RADIUS server
Dec 11 13:55:39.913490 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:39.913494 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:39.913518 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Dec 11 13:55:39.913521 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=4 len=4) from RADIUS server: EAP Success
Dec 11 13:55:39.913699 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 4)
Dec 11 13:55:39.913717 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 13:55:39.913719 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session F77955F74E020D25
Dec 11 13:55:39.913723 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expired
Dec 11 13:55:40.590374 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:55:42.706872 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:55:44.797611 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:55:46.864523 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:55:48.943630 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:55:51.011703 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:55:53.090442 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:55:55.158475 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:55:57.235312 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:55:59.310439 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:55:59.920125 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Dec 11 13:55:59.920136 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Starting re-authentication (port will be unauthorized until authentication succeeds)
Dec 11 13:55:59.920141 osdx hostapd[56779]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 13:55:59.920181 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 35)
Dec 11 13:55:59.920551 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=35 len=12) from STA: EAP Response-Identity (1)
Dec 11 13:55:59.920559 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Dec 11 13:55:59.920628 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:59.920661 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:59.920888 osdx hostapd[56779]: eth2: RADIUS Received 80 bytes from RADIUS server
Dec 11 13:55:59.920893 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:59.920896 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:59.920915 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=36 len=22) from RADIUS server: EAP-Request-MD5 (4)
Dec 11 13:55:59.920921 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 36)
Dec 11 13:55:59.921128 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=36 len=6) from STA: EAP Response-unknown (3)
Dec 11 13:55:59.921161 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:59.921172 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:59.921351 osdx hostapd[56779]: eth2: RADIUS Received 64 bytes from RADIUS server
Dec 11 13:55:59.921356 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:59.921358 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:59.921370 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=37 len=6) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:59.921375 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 37)
Dec 11 13:55:59.921661 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=37 len=194) from STA: EAP Response-PEAP (25)
Dec 11 13:55:59.921701 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:59.921713 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:59.923722 osdx hostapd[56779]: eth2: RADIUS Received 1068 bytes from RADIUS server
Dec 11 13:55:59.923737 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:59.923746 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:59.923790 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=38 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:59.923801 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 38)
Dec 11 13:55:59.924140 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=38 len=6) from STA: EAP Response-PEAP (25)
Dec 11 13:55:59.924211 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:59.924235 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:59.924502 osdx hostapd[56779]: eth2: RADIUS Received 229 bytes from RADIUS server
Dec 11 13:55:59.924512 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:59.924518 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:59.924544 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=39 len=171) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:59.924555 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 39)
Dec 11 13:55:59.926955 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=39 len=103) from STA: EAP Response-PEAP (25)
Dec 11 13:55:59.927058 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:59.927094 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:59.927815 osdx hostapd[56779]: eth2: RADIUS Received 115 bytes from RADIUS server
Dec 11 13:55:59.927829 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:59.927839 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:59.927887 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=40 len=57) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:59.927905 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 40)
Dec 11 13:55:59.928513 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=40 len=6) from STA: EAP Response-PEAP (25)
Dec 11 13:55:59.928606 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:59.928637 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:59.928961 osdx hostapd[56779]: eth2: RADIUS Received 98 bytes from RADIUS server
Dec 11 13:55:59.928978 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:59.928986 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:59.929017 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=41 len=40) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:59.929029 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 41)
Dec 11 13:55:59.929553 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=41 len=43) from STA: EAP Response-PEAP (25)
Dec 11 13:55:59.929639 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:59.929667 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:59.930029 osdx hostapd[56779]: eth2: RADIUS Received 131 bytes from RADIUS server
Dec 11 13:55:59.930042 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:59.930051 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:59.930106 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=42 len=73) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:59.930136 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 42)
Dec 11 13:55:59.930737 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=42 len=97) from STA: EAP Response-PEAP (25)
Dec 11 13:55:59.930832 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:59.930869 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:59.931279 osdx hostapd[56779]: eth2: RADIUS Received 140 bytes from RADIUS server
Dec 11 13:55:59.931293 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:59.931303 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:59.931346 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=43 len=82) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:59.931363 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 43)
Dec 11 13:55:59.931912 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=43 len=37) from STA: EAP Response-PEAP (25)
Dec 11 13:55:59.932105 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:59.932156 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:59.932704 osdx hostapd[56779]: eth2: RADIUS Received 104 bytes from RADIUS server
Dec 11 13:55:59.932722 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:59.932733 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:59.932793 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=44 len=46) from RADIUS server: EAP-Request-PEAP (25)
Dec 11 13:55:59.932827 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 44)
Dec 11 13:55:59.933428 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=44 len=46) from STA: EAP Response-PEAP (25)
Dec 11 13:55:59.933578 osdx hostapd[56779]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:55:59.933623 osdx hostapd[56779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:55:59.934136 osdx hostapd[56779]: eth2: RADIUS Received 175 bytes from RADIUS server
Dec 11 13:55:59.934160 osdx hostapd[56779]: eth2: RADIUS Received RADIUS message
Dec 11 13:55:59.934170 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:55:59.934243 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Dec 11 13:55:59.934255 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=44 len=4) from RADIUS server: EAP Success
Dec 11 13:55:59.934327 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 44)
Dec 11 13:55:59.934352 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 13:55:59.934359 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session F77955F74E020D25
Dec 11 13:55:59.934367 osdx hostapd[56779]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Reauth Period In MAB Mode
Description
This scenario shows how to configure the reauthentication period in a device with MAB authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19IBnfxK0I9qds8mSxnj/fZgd9OeanHEaBzaUeveyBOeLuZKNcE9AVat4HId+TSRShBFe2eeQ97rw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.204 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.204/0.204/0.204/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticated
Dec 11 13:56:07.267656 osdx hostapd[57361]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Dec 11 13:56:07.267670 osdx hostapd[57361]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 13:56:07.267862 osdx hostapd[57361]: connect[radius]: Network is unreachable
Dec 11 13:56:07.267703 osdx hostapd[57361]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-only, eap_server=0, eap_quiet_period=60, eap_max_retrans=5
Dec 11 13:56:07.267706 osdx hostapd[57361]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Dec 11 13:56:07.291542 osdx hostapd[57361]: Discovery mode enabled on eth2
Dec 11 13:56:07.291614 osdx hostapd[57361]: eth2: interface state UNINITIALIZED->ENABLED
Dec 11 13:56:07.291614 osdx hostapd[57361]: eth2: AP-ENABLED
Dec 11 13:56:10.445910 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:56:12.293408 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Dec 11 13:56:12.293459 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Dec 11 13:56:12.293470 osdx hostapd[57362]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Dec 11 13:56:12.307588 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-only mode: Starting MAB authentication
Dec 11 13:56:12.307623 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Dec 11 13:56:12.307647 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Dec 11 13:56:12.310005 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Dec 11 13:56:12.310019 osdx hostapd[57362]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 13:56:12.310105 osdx hostapd[57362]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:56:12.310140 osdx hostapd[57362]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:56:12.310416 osdx hostapd[57362]: eth2: RADIUS Received 20 bytes from RADIUS server
Dec 11 13:56:12.310423 osdx hostapd[57362]: eth2: RADIUS Received RADIUS message
Dec 11 13:56:12.310427 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:56:12.310432 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Dec 11 13:56:12.310449 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Dec 11 13:56:12.310453 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Dec 11 13:56:12.310456 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Dec 11 13:56:12.310460 osdx hostapd[57362]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Dec 11 13:56:12.310470 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 13:56:12.310474 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 473BEB1879EF0E03
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expired
Dec 11 13:56:14.921411 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:56:18.103142 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:56:21.313241 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:56:24.498330 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:56:27.680769 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:56:30.846830 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:56:32.325351 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Dec 11 13:56:32.325371 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Dec 11 13:56:32.325428 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Dec 11 13:56:32.325470 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Dec 11 13:56:32.325502 osdx hostapd[57362]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:56:32.325542 osdx hostapd[57362]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:56:32.325913 osdx hostapd[57362]: eth2: RADIUS Received 20 bytes from RADIUS server
Dec 11 13:56:32.325920 osdx hostapd[57362]: eth2: RADIUS Received RADIUS message
Dec 11 13:56:32.325926 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:56:32.325931 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Dec 11 13:56:32.325952 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Dec 11 13:56:32.325957 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Dec 11 13:56:32.325961 osdx hostapd[57362]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Dec 11 13:56:32.325965 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 13:56:32.325969 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 473BEB1879EF0E03
Test Reauth Period In MAB-Fallback Mode
Description
This scenario shows how to configure the reauthentication period in a device with 802.1x-MAB authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19DybzY+WY7bJS6P1Jh/qC7+mrJDlNGlwA5hVddoT8Q/STfkrgTndJc0XhLN5d8ZS+pI1ryTuWk9Q==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.212 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.212/0.212/0.212/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticated
Dec 11 13:56:45.696792 osdx hostapd[57926]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Dec 11 13:56:45.696803 osdx hostapd[57926]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 13:56:45.697085 osdx hostapd[57926]: connect[radius]: Network is unreachable
Dec 11 13:56:45.696840 osdx hostapd[57926]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Dec 11 13:56:45.696845 osdx hostapd[57926]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Dec 11 13:56:45.712646 osdx hostapd[57926]: Discovery mode enabled on eth2
Dec 11 13:56:45.712643 osdx hostapd[57926]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames
Dec 11 13:56:45.712722 osdx hostapd[57926]: eth2: interface state UNINITIALIZED->ENABLED
Dec 11 13:56:45.712722 osdx hostapd[57926]: eth2: AP-ENABLED
Dec 11 13:56:50.714495 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Dec 11 13:56:50.714540 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Dec 11 13:56:50.714553 osdx hostapd[57927]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Dec 11 13:56:50.736753 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Dec 11 13:56:50.736794 osdx hostapd[57927]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Dec 11 13:56:50.736799 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Dec 11 13:56:50.736803 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Dec 11 13:56:50.736822 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Dec 11 13:56:50.736831 osdx hostapd[57927]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 13:56:50.736863 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 217)
Dec 11 13:56:52.556438 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:56:53.739480 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 217)
Dec 11 13:56:56.751491 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:56:59.744507 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 217)
Dec 11 13:57:00.942948 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:57:05.114658 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:57:09.299666 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:57:11.755492 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Dec 11 13:57:11.755502 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Dec 11 13:57:11.755508 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Dec 11 13:57:11.755548 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Dec 11 13:57:11.757612 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Dec 11 13:57:11.757627 osdx hostapd[57927]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 13:57:11.757709 osdx hostapd[57927]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:57:11.757745 osdx hostapd[57927]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:57:11.757769 osdx hostapd[57927]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 13:57:11.757789 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 191)
Dec 11 13:57:11.758017 osdx hostapd[57927]: eth2: RADIUS Received 20 bytes from RADIUS server
Dec 11 13:57:11.758023 osdx hostapd[57927]: eth2: RADIUS Received RADIUS message
Dec 11 13:57:11.758028 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:57:11.758032 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Dec 11 13:57:11.758056 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Dec 11 13:57:11.758059 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Dec 11 13:57:11.758063 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Dec 11 13:57:11.758066 osdx hostapd[57927]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Dec 11 13:57:11.758075 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 13:57:11.758079 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session DC4ED68F909B63D9
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expired
Dec 11 13:57:14.761279 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:57:17.934780 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:57:21.123044 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:57:24.304658 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:57:27.463827 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:57:30.713520 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:57:31.775498 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Dec 11 13:57:31.775524 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback: Scheduling MAB trigger in 30 seconds if no 802.1X response
Dec 11 13:57:31.775530 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Dec 11 13:57:31.775578 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Dec 11 13:57:31.775587 osdx hostapd[57927]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Dec 11 13:57:31.775616 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 41)
Dec 11 13:57:34.778475 osdx hostapd[57927]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 41)
Test Reauth Period In MAB-First Mode
Description
This scenario shows how to configure the reauthentication period in a device with MAB-802.1X authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18JZYLKwL/YRYTOlxeKdl7n9atNRh8FCWXZXKY+hgB9Fmadz/9L3zHO8WlMWe9B7Ptr9Cl6vtUiQQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.216 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.216/0.216/0.216/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticated
Dec 11 13:57:48.428825 osdx hostapd[58515]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Dec 11 13:57:48.428839 osdx hostapd[58515]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 13:57:48.429151 osdx hostapd[58515]: connect[radius]: Network is unreachable
Dec 11 13:57:48.428882 osdx hostapd[58515]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Dec 11 13:57:48.428885 osdx hostapd[58515]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Dec 11 13:57:48.460640 osdx hostapd[58515]: Discovery mode enabled on eth2
Dec 11 13:57:48.460728 osdx hostapd[58515]: eth2: interface state UNINITIALIZED->ENABLED
Dec 11 13:57:48.460728 osdx hostapd[58515]: eth2: AP-ENABLED
Dec 11 13:57:48.460641 osdx hostapd[58515]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames
Dec 11 13:57:52.090890 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:57:53.464457 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Dec 11 13:57:53.464507 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Dec 11 13:57:53.464517 osdx hostapd[58516]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Dec 11 13:57:53.476645 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Dec 11 13:57:53.476672 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Dec 11 13:57:53.476691 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Dec 11 13:57:53.478312 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Dec 11 13:57:53.478322 osdx hostapd[58516]: eth2: RADIUS Authentication server 10.215.168.1:1812
Dec 11 13:57:53.478392 osdx hostapd[58516]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:57:53.478420 osdx hostapd[58516]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:57:53.478460 osdx hostapd[58516]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame
Dec 11 13:57:53.478469 osdx hostapd[58516]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds
Dec 11 13:57:53.478691 osdx hostapd[58516]: eth2: RADIUS Received 20 bytes from RADIUS server
Dec 11 13:57:53.478696 osdx hostapd[58516]: eth2: RADIUS Received RADIUS message
Dec 11 13:57:53.478699 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:57:53.478702 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Dec 11 13:57:53.478721 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Dec 11 13:57:53.478725 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Dec 11 13:57:53.478728 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Dec 11 13:57:53.478731 osdx hostapd[58516]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Dec 11 13:57:53.478743 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 13:57:53.478746 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session C317CE09509CA2E2
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expired
Dec 11 13:57:56.573629 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:57:59.755439 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:58:02.972444 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:58:06.188927 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:58:09.367193 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:58:12.532260 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:58:13.479453 osdx hostapd[58516]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame
Dec 11 13:58:13.479476 osdx hostapd[58516]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds
Dec 11 13:58:13.492487 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Dec 11 13:58:13.492501 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Dec 11 13:58:13.492539 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Dec 11 13:58:13.492565 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Dec 11 13:58:13.492602 osdx hostapd[58516]: eth2: RADIUS Sending RADIUS message to authentication server
Dec 11 13:58:13.492637 osdx hostapd[58516]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Dec 11 13:58:13.492929 osdx hostapd[58516]: eth2: RADIUS Received 20 bytes from RADIUS server
Dec 11 13:58:13.492933 osdx hostapd[58516]: eth2: RADIUS Received RADIUS message
Dec 11 13:58:13.492936 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Dec 11 13:58:13.492940 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Dec 11 13:58:13.492955 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Dec 11 13:58:13.492958 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Dec 11 13:58:13.492960 osdx hostapd[58516]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Dec 11 13:58:13.492963 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Dec 11 13:58:13.492966 osdx hostapd[58516]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session C317CE09509CA2E2
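The Step 4 and Step 5 token checks in the scenarios above only confirm that the two messages appear. The following added example (not part of the OSDx documentation or its test suite) also measures, per station, the time between "Re-authentication enabled" and "Re-authentication period expired" and compares it with the configured reauth-period. The function name audit_reauth, the one-second tolerance, the assumed year and the two 02:00:00:00:00:0x stations are assumptions made for the example.

```python
import re
from datetime import datetime

# Per-station hostapd lines only. Anchoring on the process name skips the
# OSDxCLI audit lines that `grep "osdx hostapd"` also returns.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) \S+ hostapd\[\d+\]: (?P<iface>\S+): "
    r"STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$")
TS_RE = re.compile(r"^(\w{3} +\d+ [\d:.]+) ")
ARMED_RE = re.compile(r"Re-authentication enabled \(next reauth in (\d+) seconds\)")
EXPIRED_RE = re.compile(r"Re-authentication period expired \(\d+ seconds\)")

# de:ad:be:ef:6c:12 lines are copied from the MAB-only output on this page.
# The 02:00:00:00:00:0x stations and the final line are constructed.
SAMPLE = """\
Dec 11 13:56:12.310453 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Dec 11 13:56:12.310456 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Dec 11 13:56:13.000000 osdx hostapd[57362]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Dec 11 13:56:13.500000 osdx hostapd[57362]: eth2: STA 02:00:00:00:00:02 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 3600 seconds)
Dec 11 13:56:14.921411 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Dec 11 13:56:32.325351 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Dec 11 13:56:32.325957 osdx hostapd[57362]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Dec 11 13:56:40.000000 osdx OSDxCLI[48660]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
"""


def _ts(stamp, year):
    # Journal timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")


def audit_reauth(journal, configured, tolerance=1.0, year=2000):
    """Return (cycles, findings) for every station seen in the journal text."""
    armed, cycles, findings, end = {}, [], [], None
    for line in journal.splitlines():
        if t := TS_RE.match(line):
            end = _ts(t[1], year)  # last timestamp in the capture
        m = LINE_RE.match(line)
        if not m:
            continue
        key, now = (m["iface"], m["sta"]), _ts(m["ts"], year)
        if a := ARMED_RE.search(m["msg"]):
            armed[key] = (now, int(a[1]))
            if int(a[1]) != configured:
                findings.append((m["sta"], "period-mismatch"))
        elif EXPIRED_RE.search(m["msg"]) and key in armed:
            start, period = armed.pop(key)
            elapsed = (now - start).total_seconds()
            cycles.append((m["sta"], period, elapsed))
            if abs(elapsed - period) > tolerance:
                findings.append((m["sta"], "expiry-drift"))
    # Timers armed but never fired although the capture runs past their deadline.
    for (_, sta), (start, period) in armed.items():
        if (end - start).total_seconds() > period + tolerance:
            findings.append((sta, "no-reauth"))
    return cycles, findings


if __name__ == "__main__":
    for item in audit_reauth(SAMPLE, configured=20):
        print(item)
```

Run against the sample, the station from this page completes one cycle about 20.015 seconds after the timer was armed, while the constructed stations are reported as "no-reauth" and "period-mismatch".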