MAB Fallback
This scenario shows how to configure the MAB-fallback authentication mode.
Test Successful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/yPDTiE+fnUqvSs2CzL39cDhWK1p2pCKofyjIIQ/RTKlWylYLhwXWtCj52oJ7DjKyooxAQWFROww==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.214 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.214/0.214/0.214/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18uq4zcTodFyJXmKOhQfgyCutKlvPrgkEE=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized

---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized

-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X

---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1

PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.215 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.215/0.215/0.215/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Jan 27 14:59:59.461696 osdx hostapd[589315]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 14:59:59.461958 osdx hostapd[589315]: connect[radius]: Network is unreachable
Jan 27 14:59:59.461709 osdx hostapd[589315]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 14:59:59.461743 osdx hostapd[589315]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jan 27 14:59:59.461746 osdx hostapd[589315]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 14:59:59.489537 osdx hostapd[589315]: Discovery mode enabled on eth2
Jan 27 14:59:59.489612 osdx hostapd[589315]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 14:59:59.489612 osdx hostapd[589315]: eth2: AP-ENABLED
Jan 27 15:00:02.616715 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jan 27 15:00:02.616731 osdx hostapd[589316]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 15:00:02.629573 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Jan 27 15:00:02.629605 osdx hostapd[589316]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jan 27 15:00:02.629610 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jan 27 15:00:02.629613 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jan 27 15:00:02.629628 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Jan 27 15:00:02.629631 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Jan 27 15:00:02.629641 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jan 27 15:00:02.629650 osdx hostapd[589316]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 15:00:02.629679 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 183)
Jan 27 15:00:02.629955 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=183 len=12) from STA: EAP Response-Identity (1)
Jan 27 15:00:02.629967 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Jan 27 15:00:02.629993 osdx hostapd[589316]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:00:02.632411 osdx hostapd[589316]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:02.632443 osdx hostapd[589316]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:02.632717 osdx hostapd[589316]: eth2: RADIUS Received 80 bytes from RADIUS server
Jan 27 15:00:02.632724 osdx hostapd[589316]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:02.632729 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:02.632752 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=184 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jan 27 15:00:02.632760 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 184)
Jan 27 15:00:02.632938 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=184 len=6) from STA: EAP Response-unknown (3)
Jan 27 15:00:02.632984 osdx hostapd[589316]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:02.632996 osdx hostapd[589316]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:02.633164 osdx hostapd[589316]: eth2: RADIUS Received 64 bytes from RADIUS server
Jan 27 15:00:02.633170 osdx hostapd[589316]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:02.633174 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:02.633190 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=185 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:02.633197 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 185)
Jan 27 15:00:02.633566 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=185 len=194) from STA: EAP Response-PEAP (25)
Jan 27 15:00:02.633609 osdx hostapd[589316]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:02.633622 osdx hostapd[589316]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:02.634655 osdx hostapd[589316]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jan 27 15:00:02.634661 osdx hostapd[589316]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:02.634666 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:02.634685 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=186 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:02.634692 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 186)
Jan 27 15:00:02.634843 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=186 len=6) from STA: EAP Response-PEAP (25)
Jan 27 15:00:02.634879 osdx hostapd[589316]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:02.634890 osdx hostapd[589316]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:02.635027 osdx hostapd[589316]: eth2: RADIUS Received 229 bytes from RADIUS server
Jan 27 15:00:02.635033 osdx hostapd[589316]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:02.635038 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:02.635053 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=187 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:02.635061 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 187)
Jan 27 15:00:02.636337 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=187 len=103) from STA: EAP Response-PEAP (25)
Jan 27 15:00:02.636374 osdx hostapd[589316]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:02.636384 osdx hostapd[589316]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:02.636742 osdx hostapd[589316]: eth2: RADIUS Received 115 bytes from RADIUS server
Jan 27 15:00:02.636748 osdx hostapd[589316]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:02.636753 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:02.636767 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=188 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:02.636774 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 188)
Jan 27 15:00:02.636996 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=188 len=6) from STA: EAP Response-PEAP (25)
Jan 27 15:00:02.637055 osdx hostapd[589316]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:02.637071 osdx hostapd[589316]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:02.637224 osdx hostapd[589316]: eth2: RADIUS Received 98 bytes from RADIUS server
Jan 27 15:00:02.637230 osdx hostapd[589316]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:02.637235 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:02.637251 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=189 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:02.637257 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 189)
Jan 27 15:00:02.637434 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=189 len=43) from STA: EAP Response-PEAP (25)
Jan 27 15:00:02.637494 osdx hostapd[589316]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:02.637510 osdx hostapd[589316]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:02.637671 osdx hostapd[589316]: eth2: RADIUS Received 131 bytes from RADIUS server
Jan 27 15:00:02.637676 osdx hostapd[589316]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:02.637680 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:02.637699 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=190 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:02.637706 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 190)
Jan 27 15:00:02.637944 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=190 len=97) from STA: EAP Response-PEAP (25)
Jan 27 15:00:02.637979 osdx hostapd[589316]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:02.637989 osdx hostapd[589316]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:02.638199 osdx hostapd[589316]: eth2: RADIUS Received 140 bytes from RADIUS server
Jan 27 15:00:02.638204 osdx hostapd[589316]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:02.638208 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:02.638222 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=191 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:02.638228 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 191)
Jan 27 15:00:02.638378 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=191 len=37) from STA: EAP Response-PEAP (25)
Jan 27 15:00:02.638410 osdx hostapd[589316]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:02.638420 osdx hostapd[589316]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:02.638603 osdx hostapd[589316]: eth2: RADIUS Received 104 bytes from RADIUS server
Jan 27 15:00:02.638609 osdx hostapd[589316]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:02.638612 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:02.638626 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=192 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:02.638636 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 192)
Jan 27 15:00:02.638793 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=192 len=46) from STA: EAP Response-PEAP (25)
Jan 27 15:00:02.638826 osdx hostapd[589316]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:02.638835 osdx hostapd[589316]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:02.639012 osdx hostapd[589316]: eth2: RADIUS Received 175 bytes from RADIUS server
Jan 27 15:00:02.639017 osdx hostapd[589316]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:02.639021 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:02.639042 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jan 27 15:00:02.639046 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=192 len=4) from RADIUS server: EAP Success
Jan 27 15:00:02.639140 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 192)
Jan 27 15:00:02.639158 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 15:00:02.639176 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 6CD416E317C94CC8
Jan 27 15:00:02.639181 osdx hostapd[589316]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Successful 802.1x Authentication With Unsuccessful MAB Fallback
Description
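This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address. Authentication still succeeds: DUT1 answers the 802.1X exchange, so the authenticator cancels the MAB trigger and the MAB check is never run.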
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18y1jlI/NVrsz/GVFLniNwIy1dsP8hzyW4edOprao9oDorwfFRAMp6HZQhkNl5DpxsPRwfaZohkPA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.307 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.307/0.307/0.307/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/y6IZlhifevtrCtVqeJxaIIJBF7m/3NsA=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized

---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized

-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X

---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1

PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.324 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.324/0.324/0.324/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Jan 27 15:00:11.114840 osdx hostapd[589826]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 15:00:11.114853 osdx hostapd[589826]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:00:11.115108 osdx hostapd[589826]: connect[radius]: Network is unreachable
Jan 27 15:00:11.114892 osdx hostapd[589826]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jan 27 15:00:11.114896 osdx hostapd[589826]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 15:00:11.142707 osdx hostapd[589826]: Discovery mode enabled on eth2
Jan 27 15:00:11.142782 osdx hostapd[589826]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 15:00:11.142782 osdx hostapd[589826]: eth2: AP-ENABLED
Jan 27 15:00:14.342162 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jan 27 15:00:14.342191 osdx hostapd[589827]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 15:00:14.366881 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Jan 27 15:00:14.366972 osdx hostapd[589827]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jan 27 15:00:14.366983 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jan 27 15:00:14.366992 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jan 27 15:00:14.367027 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Jan 27 15:00:14.367045 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Jan 27 15:00:14.367077 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jan 27 15:00:14.367106 osdx hostapd[589827]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 15:00:14.367192 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 200)
Jan 27 15:00:14.368161 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=200 len=12) from STA: EAP Response-Identity (1)
Jan 27 15:00:14.368199 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Jan 27 15:00:14.368275 osdx hostapd[589827]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:00:14.373453 osdx hostapd[589827]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:14.373777 osdx hostapd[589827]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:14.374064 osdx hostapd[589827]: eth2: RADIUS Received 80 bytes from RADIUS server
Jan 27 15:00:14.374079 osdx hostapd[589827]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:14.374089 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:14.374147 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=201 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jan 27 15:00:14.374164 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 201)
Jan 27 15:00:14.374873 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=201 len=6) from STA: EAP Response-unknown (3)
Jan 27 15:00:14.375015 osdx hostapd[589827]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:14.375049 osdx hostapd[589827]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:14.375542 osdx hostapd[589827]: eth2: RADIUS Received 64 bytes from RADIUS server
Jan 27 15:00:14.375554 osdx hostapd[589827]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:14.375561 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:14.375612 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=202 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:14.375642 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 202)
Jan 27 15:00:14.376436 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=202 len=194) from STA: EAP Response-PEAP (25)
Jan 27 15:00:14.376549 osdx hostapd[589827]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:14.376580 osdx hostapd[589827]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:14.378768 osdx hostapd[589827]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jan 27 15:00:14.378782 osdx hostapd[589827]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:14.378791 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:14.378849 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=203 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:14.378865 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 203)
Jan 27 15:00:14.379532 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=203 len=6) from STA: EAP Response-PEAP (25)
Jan 27 15:00:14.379649 osdx hostapd[589827]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:14.379840 osdx hostapd[589827]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:14.380015 osdx hostapd[589827]: eth2: RADIUS Received 229 bytes from RADIUS server
Jan 27 15:00:14.380025 osdx hostapd[589827]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:14.380030 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:14.380068 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=204 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:14.380082 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 204)
Jan 27 15:00:14.383386 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=204 len=103) from STA: EAP Response-PEAP (25)
Jan 27 15:00:14.383477 osdx hostapd[589827]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:14.383713 osdx hostapd[589827]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:14.384101 osdx hostapd[589827]: eth2: RADIUS Received 115 bytes from RADIUS server
Jan 27 15:00:14.384128 osdx hostapd[589827]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:14.384137 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:14.384174 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=205 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:14.384185 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 205)
Jan 27 15:00:14.384678 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=205 len=6) from STA: EAP Response-PEAP (25)
Jan 27 15:00:14.384758 osdx hostapd[589827]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:14.385058 osdx hostapd[589827]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:14.385080 osdx hostapd[589827]: eth2: RADIUS Received 98 bytes from RADIUS server
Jan 27 15:00:14.385086 osdx hostapd[589827]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:14.385096 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:14.385136 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=206 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:14.385148 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 206)
Jan 27 15:00:14.385537 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=206 len=43) from STA: EAP Response-PEAP (25)
Jan 27 15:00:14.385607 osdx hostapd[589827]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:14.385637 osdx hostapd[589827]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:14.385914 osdx hostapd[589827]: eth2: RADIUS Received 131 bytes from RADIUS server
Jan 27 15:00:14.385926 osdx hostapd[589827]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:14.385933 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:14.385971 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=207 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:14.385984 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 207)
Jan 27 15:00:14.386466 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=207 len=97) from STA: EAP Response-PEAP (25)
Jan 27 15:00:14.386537 osdx hostapd[589827]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:14.386668 osdx hostapd[589827]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:14.386888 osdx hostapd[589827]: eth2: RADIUS Received 140 bytes from RADIUS server
Jan 27 15:00:14.386897 osdx hostapd[589827]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:14.386903 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:14.386931 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=208 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:14.386942 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 208)
Jan 27 15:00:14.387366 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=208 len=37) from STA: EAP Response-PEAP (25)
Jan 27 15:00:14.387441 osdx hostapd[589827]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:14.387462 osdx hostapd[589827]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:14.387741 osdx hostapd[589827]: eth2: RADIUS Received 104 bytes from RADIUS server
Jan 27 15:00:14.387750 osdx hostapd[589827]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:14.387756 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:14.387783 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=209 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:14.387792 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 209)
Jan 27 15:00:14.388161 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=209 len=46) from STA: EAP Response-PEAP (25)
Jan 27 15:00:14.388229 osdx hostapd[589827]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:14.388247 osdx hostapd[589827]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:14.388559 osdx hostapd[589827]: eth2: RADIUS Received 175 bytes from RADIUS server
Jan 27 15:00:14.388571 osdx hostapd[589827]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:14.388577 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:14.388628 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jan 27 15:00:14.388633 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=209 len=4) from RADIUS server: EAP Success
Jan 27 15:00:14.388656 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 209)
Jan 27 15:00:14.388677 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Jan 27 15:00:14.388682 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session 236A6CC653AF90CB
Jan 27 15:00:14.388688 osdx hostapd[589827]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX191f2FzCRHNQc+ClXZh6OJWnLGbU5tC7w/RkaNPLc3mpt1LVwuTrYQOKc86T33jfs66ztAAlatviQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.198 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.198/0.198/0.198/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/Z7ZxJTl2MXAvsfptzwT//8nif6sAkrPA=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         8
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         10
EAPoL frames (Tx)         10
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         wrong
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.378 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.378/0.378/0.378/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Jan 27 15:00:23.587560 osdx hostapd[590330]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Jan 27 15:00:23.587584 osdx hostapd[590330]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jan 27 15:00:23.587839 osdx hostapd[590330]: connect[radius]: Network is unreachable Jan 27 15:00:23.587636 osdx hostapd[590330]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Jan 27 15:00:23.587640 osdx hostapd[590330]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Jan 27 15:00:23.603420 osdx hostapd[590330]: Discovery mode enabled on eth2 Jan 27 15:00:23.603505 osdx hostapd[590330]: eth2: interface state UNINITIALIZED->ENABLED Jan 27 15:00:23.603505 osdx hostapd[590330]: eth2: AP-ENABLED Jan 27 15:00:26.667546 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Jan 27 15:00:26.667562 osdx hostapd[590331]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Jan 27 15:00:26.683420 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication Jan 27 15:00:26.683453 osdx hostapd[590331]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Jan 27 15:00:26.683458 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response Jan 27 15:00:26.683461 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Jan 27 15:00:26.683479 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response Jan 27 15:00:26.683482 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Jan 27 15:00:26.683492 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Jan 27 
15:00:26.683502 osdx hostapd[590331]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Jan 27 15:00:26.683531 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 224) Jan 27 15:00:26.683865 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=224 len=10) from STA: EAP Response-Identity (1) Jan 27 15:00:26.683878 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong' Jan 27 15:00:26.683904 osdx hostapd[590331]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jan 27 15:00:26.686343 osdx hostapd[590331]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:26.686378 osdx hostapd[590331]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:26.686628 osdx hostapd[590331]: eth2: RADIUS Received 80 bytes from RADIUS server Jan 27 15:00:26.686635 osdx hostapd[590331]: eth2: RADIUS Received RADIUS message Jan 27 15:00:26.686640 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:26.686663 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=225 len=22) from RADIUS server: EAP-Request-MD5 (4) Jan 27 15:00:26.686672 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 225) Jan 27 15:00:26.686881 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=225 len=6) from STA: EAP Response-unknown (3) Jan 27 15:00:26.686936 osdx hostapd[590331]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:26.686951 osdx hostapd[590331]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:26.687116 osdx hostapd[590331]: eth2: RADIUS Received 64 bytes from RADIUS server Jan 27 15:00:26.687122 osdx hostapd[590331]: eth2: RADIUS Received RADIUS message Jan 27 
15:00:26.687126 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:26.687144 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=226 len=6) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:00:26.687151 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 226) Jan 27 15:00:26.687479 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=226 len=194) from STA: EAP Response-PEAP (25) Jan 27 15:00:26.687521 osdx hostapd[590331]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:26.687534 osdx hostapd[590331]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:26.688507 osdx hostapd[590331]: eth2: RADIUS Received 1068 bytes from RADIUS server Jan 27 15:00:26.688513 osdx hostapd[590331]: eth2: RADIUS Received RADIUS message Jan 27 15:00:26.688517 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:26.688534 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=227 len=1004) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:00:26.688541 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 227) Jan 27 15:00:26.688680 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=227 len=6) from STA: EAP Response-PEAP (25) Jan 27 15:00:26.688717 osdx hostapd[590331]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:26.688728 osdx hostapd[590331]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:26.688892 osdx hostapd[590331]: eth2: RADIUS Received 229 bytes from RADIUS server Jan 27 15:00:26.688898 osdx hostapd[590331]: eth2: RADIUS Received RADIUS 
message Jan 27 15:00:26.688902 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:26.688930 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=228 len=171) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:00:26.688937 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 228) Jan 27 15:00:26.690292 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=228 len=103) from STA: EAP Response-PEAP (25) Jan 27 15:00:26.690333 osdx hostapd[590331]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:26.690343 osdx hostapd[590331]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:26.690636 osdx hostapd[590331]: eth2: RADIUS Received 115 bytes from RADIUS server Jan 27 15:00:26.690642 osdx hostapd[590331]: eth2: RADIUS Received RADIUS message Jan 27 15:00:26.690646 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:26.690663 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=229 len=57) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:00:26.690670 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 229) Jan 27 15:00:26.690942 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=229 len=6) from STA: EAP Response-PEAP (25) Jan 27 15:00:26.690990 osdx hostapd[590331]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:26.691002 osdx hostapd[590331]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:26.691150 osdx hostapd[590331]: eth2: RADIUS Received 98 bytes from RADIUS server Jan 27 15:00:26.691155 osdx hostapd[590331]: eth2: RADIUS 
Received RADIUS message Jan 27 15:00:26.691160 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:26.691175 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=230 len=40) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:00:26.691181 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 230) Jan 27 15:00:26.691349 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=230 len=41) from STA: EAP Response-PEAP (25) Jan 27 15:00:26.691392 osdx hostapd[590331]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:26.691403 osdx hostapd[590331]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:26.691559 osdx hostapd[590331]: eth2: RADIUS Received 131 bytes from RADIUS server Jan 27 15:00:26.691564 osdx hostapd[590331]: eth2: RADIUS Received RADIUS message Jan 27 15:00:26.691568 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:26.691583 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=231 len=73) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:00:26.691589 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 231) Jan 27 15:00:26.691828 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=231 len=95) from STA: EAP Response-PEAP (25) Jan 27 15:00:26.691861 osdx hostapd[590331]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:26.691871 osdx hostapd[590331]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:26.692036 osdx hostapd[590331]: eth2: RADIUS Received 104 bytes from RADIUS server Jan 27 15:00:26.692041 osdx hostapd[590331]: 
eth2: RADIUS Received RADIUS message Jan 27 15:00:26.692045 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:26.692058 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=232 len=46) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:00:26.692065 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 232) Jan 27 15:00:26.692221 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=232 len=46) from STA: EAP Response-PEAP (25) Jan 27 15:00:26.692254 osdx hostapd[590331]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:26.692265 osdx hostapd[590331]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:27.692333 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=8) Jan 27 15:00:27.692364 osdx hostapd[590331]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Jan 27 15:00:27.692521 osdx hostapd[590331]: eth2: RADIUS Received 44 bytes from RADIUS server Jan 27 15:00:27.692524 osdx hostapd[590331]: eth2: RADIUS Received RADIUS message Jan 27 15:00:27.692528 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:27.692569 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=4 id=232 len=4) from RADIUS server: EAP Failure Jan 27 15:00:27.692594 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 232) Jan 27 15:00:27.692605 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Jan 27 15:00:27.692608 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) Jan 27 15:00:27.692611 osdx hostapd[590331]: eth2: STA 
de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately Jan 27 15:00:27.692615 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Jan 27 15:00:27.692640 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Jan 27 15:00:27.692646 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Jan 27 15:00:27.692657 osdx hostapd[590331]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:27.692664 osdx hostapd[590331]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:27.692675 osdx hostapd[590331]: eth2: RADIUS Received 44 bytes from RADIUS server Jan 27 15:00:27.692678 osdx hostapd[590331]: eth2: RADIUS Received RADIUS message Jan 27 15:00:27.692681 osdx hostapd[590331]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet Jan 27 15:00:27.692900 osdx hostapd[590331]: eth2: RADIUS Received 20 bytes from RADIUS server Jan 27 15:00:27.692903 osdx hostapd[590331]: eth2: RADIUS Received RADIUS message Jan 27 15:00:27.692907 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:27.692910 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Jan 27 15:00:27.692934 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Jan 27 15:00:27.692937 osdx hostapd[590331]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Jan 27 15:00:27.692945 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Jan 27 15:00:27.692948 osdx hostapd[590331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 87D3F1E3898D7FD8
Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+IBXAt05M0B4jyUgAY/sQJf5NqRxmuoz7OSNpkr2XuWfLtZR1avX4XMsGdyvt0w6OgTob+FLItkw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.204 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.204/0.204/0.204/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/PKlNkYdEWi1PMSfoaxbM+E5owUGEOoW8=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Unauthorized
---------------------------------
Field                Value
---------------------------------
EAPoL Frames (Rx)    10
EAPoL Frames (Tx)    10
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Unauthorized
Req Frames (Rx)      8
Req ID Frames (Rx)   1
Resp Frames (Tx)     9
Start Frames (Tx)    1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         8
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       N/A
Authentication Status     Unauthorized
Authentication Successes  0
EAPoL frames (Rx)         10
EAPoL frames (Tx)         10
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Jan 27 15:00:35.631896 osdx hostapd[590835]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Jan 27 15:00:35.631909 osdx hostapd[590835]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jan 27 15:00:35.632219 osdx hostapd[590835]: connect[radius]: Network is unreachable Jan 27 15:00:35.631944 osdx hostapd[590835]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Jan 27 15:00:35.631948 osdx hostapd[590835]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Jan 27 15:00:35.659741 osdx hostapd[590835]: Discovery mode enabled on eth2 Jan 27 15:00:35.659823 osdx hostapd[590835]: eth2: interface state UNINITIALIZED->ENABLED Jan 27 15:00:35.659823 osdx hostapd[590835]: eth2: AP-ENABLED Jan 27 15:00:38.978873 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Jan 27 15:00:38.978885 osdx hostapd[590836]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Jan 27 15:00:38.991765 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication Jan 27 15:00:38.991788 osdx hostapd[590836]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Jan 27 15:00:38.991793 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response Jan 27 15:00:38.991796 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Jan 27 15:00:38.991808 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response Jan 27 15:00:38.991810 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Jan 27 15:00:38.991818 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port Jan 27 
15:00:38.991828 osdx hostapd[590836]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Jan 27 15:00:38.991842 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 14) Jan 27 15:00:38.992073 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=14 len=10) from STA: EAP Response-Identity (1) Jan 27 15:00:38.992091 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' Jan 27 15:00:38.992112 osdx hostapd[590836]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jan 27 15:00:38.993922 osdx hostapd[590836]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:38.993947 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:38.994222 osdx hostapd[590836]: eth2: RADIUS Received 80 bytes from RADIUS server Jan 27 15:00:38.994227 osdx hostapd[590836]: eth2: RADIUS Received RADIUS message Jan 27 15:00:38.994230 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:38.994249 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=15 len=22) from RADIUS server: EAP-Request-MD5 (4) Jan 27 15:00:38.994256 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 15) Jan 27 15:00:38.994455 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=15 len=6) from STA: EAP Response-unknown (3) Jan 27 15:00:38.994500 osdx hostapd[590836]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:38.994513 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:38.994666 osdx hostapd[590836]: eth2: RADIUS Received 64 bytes from RADIUS server Jan 27 15:00:38.994671 osdx hostapd[590836]: eth2: RADIUS Received RADIUS message Jan 27 
15:00:38.994674 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:38.994688 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=16 len=6) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:00:38.994693 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 16) Jan 27 15:00:38.995018 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=16 len=194) from STA: EAP Response-PEAP (25) Jan 27 15:00:38.995069 osdx hostapd[590836]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:38.995084 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:38.996055 osdx hostapd[590836]: eth2: RADIUS Received 1068 bytes from RADIUS server Jan 27 15:00:38.996060 osdx hostapd[590836]: eth2: RADIUS Received RADIUS message Jan 27 15:00:38.996063 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:38.996089 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=17 len=1004) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:00:38.996095 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 17) Jan 27 15:00:38.996241 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=17 len=6) from STA: EAP Response-PEAP (25) Jan 27 15:00:38.996278 osdx hostapd[590836]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:38.996289 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:38.996452 osdx hostapd[590836]: eth2: RADIUS Received 229 bytes from RADIUS server Jan 27 15:00:38.996457 osdx hostapd[590836]: eth2: RADIUS Received RADIUS message 
Jan 27 15:00:38.996460 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:38.996472 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=18 len=171) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:00:38.996478 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 18) Jan 27 15:00:38.997805 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=18 len=103) from STA: EAP Response-PEAP (25) Jan 27 15:00:38.997842 osdx hostapd[590836]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:38.997855 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:38.998112 osdx hostapd[590836]: eth2: RADIUS Received 115 bytes from RADIUS server Jan 27 15:00:38.998117 osdx hostapd[590836]: eth2: RADIUS Received RADIUS message Jan 27 15:00:38.998120 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:00:38.998132 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=19 len=57) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:00:38.998137 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 19) Jan 27 15:00:38.998345 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=19 len=6) from STA: EAP Response-PEAP (25) Jan 27 15:00:38.998380 osdx hostapd[590836]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:00:38.998390 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:00:38.998492 osdx hostapd[590836]: eth2: RADIUS Received 98 bytes from RADIUS server Jan 27 15:00:38.998497 osdx hostapd[590836]: eth2: RADIUS Received RADIUS 
message
Jan 27 15:00:38.998500 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:38.998511 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=20 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:38.998516 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 20)
Jan 27 15:00:38.998665 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=20 len=41) from STA: EAP Response-PEAP (25)
Jan 27 15:00:38.998709 osdx hostapd[590836]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:38.998721 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:38.998871 osdx hostapd[590836]: eth2: RADIUS Received 131 bytes from RADIUS server
Jan 27 15:00:38.998876 osdx hostapd[590836]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:38.998879 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:38.998892 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=21 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:38.998897 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 21)
Jan 27 15:00:38.999113 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=21 len=95) from STA: EAP Response-PEAP (25)
Jan 27 15:00:38.999143 osdx hostapd[590836]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:38.999152 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:38.999319 osdx hostapd[590836]: eth2: RADIUS Received 104 bytes from RADIUS server
Jan 27 15:00:38.999324 osdx hostapd[590836]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:38.999327 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:38.999340 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=22 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:00:38.999346 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 22)
Jan 27 15:00:38.999485 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=22 len=46) from STA: EAP Response-PEAP (25)
Jan 27 15:00:38.999522 osdx hostapd[590836]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:38.999533 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:39.999614 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Jan 27 15:00:39.999649 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jan 27 15:00:39.999832 osdx hostapd[590836]: eth2: RADIUS Received 44 bytes from RADIUS server
Jan 27 15:00:39.999837 osdx hostapd[590836]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:39.999842 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:39.999894 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=22 len=4) from RADIUS server: EAP Failure
Jan 27 15:00:39.999922 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 22)
Jan 27 15:00:39.999937 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jan 27 15:00:39.999942 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jan 27 15:00:39.999946 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Jan 27 15:00:39.999951 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 15:00:39.999983 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jan 27 15:00:39.999992 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jan 27 15:00:40.000007 osdx hostapd[590836]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:00:40.000017 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:00:40.000030 osdx hostapd[590836]: eth2: RADIUS Received 44 bytes from RADIUS server
Jan 27 15:00:40.000034 osdx hostapd[590836]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:40.000038 osdx hostapd[590836]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Jan 27 15:00:41.000116 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jan 27 15:00:41.000160 osdx hostapd[590836]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jan 27 15:00:41.000319 osdx hostapd[590836]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 15:00:41.000324 osdx hostapd[590836]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:41.000329 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:00:41.000334 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 15:00:41.000395 osdx hostapd[590836]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 15:00:41.000398 osdx hostapd[590836]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 15:00:41.000402 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Jan 27 15:00:41.000406 osdx hostapd[590836]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Jan 27 15:00:41.000413 osdx hostapd[590836]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 15:00:41.000417 osdx hostapd[590836]: eth2: RADIUS Received RADIUS message
Jan 27 15:00:41.000420 osdx hostapd[590836]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Test Unsupported 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18Kofb4hawof3nfjIF9STpVnmVTohcW7Wt2+tQHannPo3Ccz9J5kkOtQctwBrsqG7fWrTa8QlhHGA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.180 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.180/0.180/0.180/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.363 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.363/0.363/0.363/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         0
EAPoL frames (Tx)         4
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.256 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.256/0.256/0.256/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Jan 27 15:00:48.371576 osdx hostapd[591330]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 15:00:48.371593 osdx hostapd[591330]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:00:48.371901 osdx hostapd[591330]: connect[radius]: Network is unreachable
Jan 27 15:00:48.371638 osdx hostapd[591330]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jan 27 15:00:48.371641 osdx hostapd[591330]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 15:00:48.399398 osdx hostapd[591330]: Discovery mode enabled on eth2
Jan 27 15:00:48.399509 osdx hostapd[591330]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 15:00:48.399509 osdx hostapd[591330]: eth2: AP-ENABLED
Jan 27 15:00:53.400310 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Jan 27 15:00:53.400356 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jan 27 15:00:53.400365 osdx hostapd[591331]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 15:00:53.415485 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Jan 27 15:00:53.415518 osdx hostapd[591331]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jan 27 15:00:53.415523 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jan 27 15:00:53.415527 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jan 27 15:00:53.415547 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jan 27 15:00:53.415557 osdx hostapd[591331]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 15:00:53.415589 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 171)
Jan 27 15:00:56.418425 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 171)
Jan 27 15:01:02.423430 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 171)
Jan 27 15:01:14.433386 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Jan 27 15:01:14.433393 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jan 27 15:01:14.433398 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 15:01:14.433429 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jan 27 15:01:14.435085 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jan 27 15:01:14.435096 osdx hostapd[591331]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:01:14.435160 osdx hostapd[591331]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:01:14.435187 osdx hostapd[591331]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:01:14.435203 osdx hostapd[591331]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 15:01:14.435215 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 225)
Jan 27 15:01:14.435492 osdx hostapd[591331]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 15:01:14.435500 osdx hostapd[591331]: eth2: RADIUS Received RADIUS message
Jan 27 15:01:14.435503 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:01:14.435507 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 15:01:14.435534 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jan 27 15:01:14.435536 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jan 27 15:01:14.435539 osdx hostapd[591331]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 15:01:14.435547 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 15:01:14.435549 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session D4D6DDFBEBD04B56
Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/CEx5C14gUZJVLjdPEQUH3OGL7h8v4q8ecml9v0a0WvI/BrF1mJ753Gr+VO7AJVp84Fap55HcPZQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.235 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.235/0.235/0.235/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   2
Authentication Mode       N/A
Authentication Status     Unauthorized
Authentication Successes  0
EAPoL frames (Rx)         0
EAPoL frames (Tx)         4
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Jan 27 15:01:24.360257 osdx hostapd[591881]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 15:01:24.360269 osdx hostapd[591881]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:01:24.360496 osdx hostapd[591881]: connect[radius]: Network is unreachable
Jan 27 15:01:24.360303 osdx hostapd[591881]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jan 27 15:01:24.360306 osdx hostapd[591881]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 15:01:24.380150 osdx hostapd[591881]: Discovery mode enabled on eth2
Jan 27 15:01:24.380222 osdx hostapd[591881]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 15:01:24.380222 osdx hostapd[591881]: eth2: AP-ENABLED
Jan 27 15:01:29.381003 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Jan 27 15:01:29.381051 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jan 27 15:01:29.381070 osdx hostapd[591882]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 15:01:29.396199 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Jan 27 15:01:29.396230 osdx hostapd[591882]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jan 27 15:01:29.396234 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jan 27 15:01:29.396236 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jan 27 15:01:29.396259 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jan 27 15:01:29.396267 osdx hostapd[591882]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 15:01:29.396291 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 44)
Jan 27 15:01:32.399137 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 44)
Jan 27 15:01:38.404139 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 44)
Jan 27 15:01:50.414147 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Jan 27 15:01:50.414155 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jan 27 15:01:50.414159 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 15:01:50.414188 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jan 27 15:01:50.415895 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jan 27 15:01:50.415906 osdx hostapd[591882]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:01:50.415979 osdx hostapd[591882]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:01:50.416005 osdx hostapd[591882]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:01:50.416025 osdx hostapd[591882]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 15:01:50.416040 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 141)
Jan 27 15:01:51.416138 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jan 27 15:01:51.416179 osdx hostapd[591882]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jan 27 15:01:51.416359 osdx hostapd[591882]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 15:01:51.416362 osdx hostapd[591882]: eth2: RADIUS Received RADIUS message
Jan 27 15:01:51.416367 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:01:51.416372 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 15:01:51.416425 osdx hostapd[591882]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 15:01:51.416428 osdx hostapd[591882]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 15:01:51.416432 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Jan 27 15:01:51.416435 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Jan 27 15:01:51.416443 osdx hostapd[591882]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 15:01:51.416446 osdx hostapd[591882]: eth2: RADIUS Received RADIUS message
Jan 27 15:01:51.416449 osdx hostapd[591882]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
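The journal token checks in the scenarios above can be turned into a per-station classifier that reports why 802.1X was abandoned and how MAB ended. This is an added example, not OSDx code: the sample lines are copied from the journal output on this page, while the function names and result labels are assumptions of the example.

```python
import re

# Journal lines copied from the two "unsupported 802.1x" runs on this page.
SAMPLE_JOURNAL = """\
Jan 27 15:01:14.433393 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jan 27 15:01:14.435085 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jan 27 15:01:14.435536 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jan 27 15:01:14.435547 osdx hostapd[591331]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 15:01:50.414155 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jan 27 15:01:50.415895 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jan 27 15:01:51.416432 osdx hostapd[591882]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Jan 27 15:01:51.416449 osdx hostapd[591882]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
"""

# Per-station IEEE 802.1X messages only; RADIUS and DRIVER lines are skipped.
STA_LINE = re.compile(
    r"hostapd\[\d+\]: (?P<ifc>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.1X: (?P<msg>.*)$"
)

# Why the authenticator gave up on 802.1X (labels are this example's own).
FALLBACK_TRIGGERS = {
    "EAP max retrans reached, triggering MAB fallback": "no_eap_response",
    "802.1X authentication failed, triggering MAB fallback": "eap_failure",
}


def summarize(journal_text):
    """Return {(interface, mac): state} describing each station's MAB fallback."""
    stations = {}
    for line in journal_text.splitlines():
        m = STA_LINE.search(line)
        if m is None:
            continue
        state = stations.setdefault((m["ifc"], m["mac"]), {
            "trigger": None, "outcome": "pending",
            "quiet_period": None, "password_logged": False,
        })
        msg = m["msg"]
        for token, label in FALLBACK_TRIGGERS.items():
            if msg.startswith(token):
                state["trigger"] = label
        if msg.startswith("MAB: User-Password ="):
            # With log-level debug the MAB credential (the MAC) lands in the journal.
            state["password_logged"] = True
        elif msg == "MAB: station successfully authenticated":
            state["outcome"] = "mab_authorized"
        elif msg.startswith("MAB: Authentication failed"):
            state["outcome"] = "mab_rejected"
            quiet = re.search(r"quiet period (\d+) sec", msg)
            state["quiet_period"] = int(quiet.group(1)) if quiet else None
    return stations


def mab_authorized(stations):
    """MACs whose port was opened on MAC address alone, for inventory review."""
    return sorted(mac for (_, mac), s in stations.items()
                  if s["outcome"] == "mab_authorized")


if __name__ == "__main__":
    for (ifc, mac), state in summarize(SAMPLE_JOURNAL).items():
        print(ifc, mac, state)
```

The `password_logged` flag marks stations whose MAB `User-Password` was written to the journal, which happens in every run on this page because the authenticator is set to `log-level debug`.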