Dhcp
This scenario shows how to configure a device to perform 802.1X/MAB authentication. The supplicant uses DHCP and no additional traffic is sent to start the authentication process.
Test Denied Authentication With DHCP Client
Description
This scenario shows how to configure 802.1X/MAB authentication in a device with a DHCP-Server. A DHCP-Client is connected, but authentication fails. This test-case ensures it does not get a DHCP lease.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address dhcp set interfaces ethernet eth2 mac '00:11:22:33:44:55' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode 802.1x-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/NiZnJVoDiFJGy6IA3gSsMJw1S9naoLBeIJr/zHORc/cbP7HVUPrhrAmHCNP7Ej8tpKudCj3Ndeg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.208 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.208/0.208/0.208/0.000 ms
Step 4: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Step 5: Run command interfaces ethernet show at DUT1 and check if output does not contain the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 fe80::dcad:beff:feef:6c12/64 up up eth3 down down
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
ping: connect: Network is unreachable
Test 802.1X Authentication With DHCP Client
Description
This scenario shows how to configure 802.1X authentication in a device with a DHCP-Server. A DHCP-Client is connected and successfully authenticated using 802.1X.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address dhcp set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19zLcOJox/W/JjYwFrVbTwT/NQiBUsSnYo= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/fabWsI3++i4UZXgjMR7koJzxUzk22c2mfVgBPVqsV+Wcs6k1aRAwHELkLYigpP8qtnIv5PUW1ow== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.245 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.245/0.245/0.245/0.000 ms
Step 4: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: AuthorizedShow output
Current status: Authorized (802.1X)
Step 5: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 192.168.100.2/24 up up fe80::dcad:beff:feef:6c12/64 eth3 down down
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.267 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.267/0.267/0.267/0.000 ms
Test MAB Authentication With DHCP Client
Description
This scenario shows how to configure MAB authentication in a device with a DHCP-Server. A DHCP-Client is connected and successfully authenticated using MAB.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address dhcp set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18Fuq0lm1JrPIcc9gAyjkQMXUDxdyCrFiEHZorlqB0BY+c5gjE1LEx1ktFcfBJBl93SFQSLoPQjjg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.207 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.207/0.207/0.207/0.000 ms
Step 4: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: AuthorizedShow output
Current status: Authorized (MAB)
Step 5: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 192.168.100.2/24 up up fe80::dcad:beff:feef:6c12/64 eth3 down down
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.222 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.222/0.222/0.222/0.000 ms
Test 802.1X Authentication With Bridge And Multiple DHCP Clients
Description
This scenario shows how to configure 802.1X authentication in a device with a DHCP-Server. Two DHCP-Clients are connected: DUT1 and DUT2. DUT1 is successfully authenticated, but DUT2 fails to authenticate and it does not receive a DHCP lease.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address dhcp set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+cW6e2r43A3G8V0qzEhxtjBAdvcxhExJQ= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2 :
set interfaces ethernet eth3 address dhcp set interfaces ethernet eth3 supplicant encrypted-password U2FsdGVkX1/df7qVXv3/dWdTEz3bnFxhwC/NHqyKC6w= set interfaces ethernet eth3 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces bridge br0 address 192.168.100.1/24 set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level info set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 bridge-group bridge br0 set interfaces ethernet eth3 authenticator aaa authentication list1 set interfaces ethernet eth3 authenticator log-level info set interfaces ethernet eth3 authenticator mode only-802.1x set interfaces ethernet eth3 bridge-group bridge br0 set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18gVfr4rPORARK83qfWSdRR0b3Yl+BPS2ZOneAlRg5E7kYY+wC3Xl4Kw9LFinrdrvRBO5wX1Jf/Dw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.155 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.155/0.155/0.155/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: AuthorizedShow output
Current status: Authorized (802.1X)
Step 6: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 192.168.100.2/24 up up fe80::dcad:beff:feef:6c12/64 eth3 down down
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.293 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.293/0.293/0.293/0.000 ms
Step 8: Run command interfaces ethernet eth3 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Step 9: Run command interfaces ethernet show at DUT2 and check if output does not contain the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 down down eth3 fe80::dcad:beff:feef:6c23/64 up up
Step 10: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT2:
admin@DUT2$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
ping: connect: Network is unreachable
Test MAB Authentication With Bridge And Multiple DHCP Clients
Description
This scenario shows how to configure MAB authentication in a device with a DHCP-Server. Two DHCP-Clients are connected: DUT1 and DUT2. DUT1 is successfully authenticated, but DUT2 fails to authenticate and it does not receive a DHCP lease.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address dhcp set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2 :
set interfaces ethernet eth3 address dhcp set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces bridge br0 address 192.168.100.1/24 set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level info set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 bridge-group bridge br0 set interfaces ethernet eth3 authenticator aaa authentication list1 set interfaces ethernet eth3 authenticator log-level info set interfaces ethernet eth3 authenticator mode only-MAB set interfaces ethernet eth3 bridge-group bridge br0 set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18xuDuAX2R3lN2Y4w5d6FS7H2ga9NNow06IDnYmMBnm4lLcj7Qghn2qcR43aD8ZSDyzwM4YN+RKhw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.123 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.123/0.123/0.123/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: AuthorizedShow output
Current status: Authorized (MAB)
Step 6: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 192.168.100.2/24 up up fe80::dcad:beff:feef:6c12/64 eth3 down down
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.415 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.415/0.415/0.415/0.000 ms
Step 8: Run command interfaces ethernet eth3 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Step 9: Run command interfaces ethernet show at DUT2 and check if output does not contain the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 down down eth3 fe80::dcad:beff:feef:6c23/64 up up
Step 10: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT2:
admin@DUT2$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
ping: connect: Network is unreachable