MAB First
This scenario shows how to configure the MAB-first authentication mode.
Test Successful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18JCHzyaKngufqZnX1OtetzHY/rtiiHs46mMMlQUkAPDG9nNMzbMh2JN9DRaFfLx8Svjs921bc74A==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.229 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.229/0.229/0.229/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+NY1kdmhvx9mYLd7/L72vpjmoNeBX5NuE=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         1
EAPoL frames (Tx)         0
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.238 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.238/0.238/0.238/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticated
Jan 27 15:02:02.304253 osdx hostapd[592420]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 15:02:02.304272 osdx hostapd[592420]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:02:02.304521 osdx hostapd[592420]: connect[radius]: Network is unreachable
Jan 27 15:02:02.304327 osdx hostapd[592420]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jan 27 15:02:02.304331 osdx hostapd[592420]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 15:02:02.328113 osdx hostapd[592420]: Discovery mode enabled on eth2
Jan 27 15:02:02.328191 osdx hostapd[592420]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 15:02:02.328191 osdx hostapd[592420]: eth2: AP-ENABLED
Jan 27 15:02:05.486270 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jan 27 15:02:05.486282 osdx hostapd[592421]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 15:02:05.500106 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jan 27 15:02:05.500131 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 15:02:05.500145 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jan 27 15:02:05.502426 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jan 27 15:02:05.502440 osdx hostapd[592421]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:02:05.502530 osdx hostapd[592421]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:05.502564 osdx hostapd[592421]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:05.502595 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Jan 27 15:02:05.502834 osdx hostapd[592421]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 15:02:05.502839 osdx hostapd[592421]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:05.502844 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:05.502849 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 15:02:05.502868 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jan 27 15:02:05.502871 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jan 27 15:02:05.502876 osdx hostapd[592421]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 15:02:05.502886 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 15:02:05.502890 osdx hostapd[592421]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 7980323BE5C4A2ED
Test Successful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/+uRdhd7dOMYP3wCCwpoSIvdOfk1DcNAk7mmfq9kXxBBCjkyKVt+xsmm8P/kc/TiDANaMoydn18g==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.196 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.196/0.196/0.196/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1++4oGqXgAq9EuviJk3YmmpVKor65pITx0=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         1
EAPoL frames (Tx)         0
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.235 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.235/0.235/0.235/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticated
Jan 27 15:02:14.381223 osdx hostapd[592924]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 15:02:14.381244 osdx hostapd[592924]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:02:14.381483 osdx hostapd[592924]: connect[radius]: Network is unreachable
Jan 27 15:02:14.381295 osdx hostapd[592924]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jan 27 15:02:14.381299 osdx hostapd[592924]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 15:02:14.397072 osdx hostapd[592924]: Discovery mode enabled on eth2
Jan 27 15:02:14.397176 osdx hostapd[592924]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 15:02:14.397176 osdx hostapd[592924]: eth2: AP-ENABLED
Jan 27 15:02:17.500242 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jan 27 15:02:17.500258 osdx hostapd[592925]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 15:02:17.513091 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jan 27 15:02:17.513115 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 15:02:17.513130 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jan 27 15:02:17.514742 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jan 27 15:02:17.514751 osdx hostapd[592925]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:02:17.514816 osdx hostapd[592925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:17.514840 osdx hostapd[592925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:17.514859 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Jan 27 15:02:17.515084 osdx hostapd[592925]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 15:02:17.515089 osdx hostapd[592925]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:17.515092 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:17.515095 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 15:02:17.515110 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jan 27 15:02:17.515112 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jan 27 15:02:17.515115 osdx hostapd[592925]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 15:02:17.515122 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 15:02:17.515125 osdx hostapd[592925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 03AF2F71DCC96B92
Test Successful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX183kqXiZklwndp4AVA6lYOAnGEN9rUxGWL61+VoLvPmuO7aHFVAw0F6VyF8UzWVzFTC3LEkHUPp0Q==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.284 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.284/0.284/0.284/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.361 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.361/0.361/0.361/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         0
EAPoL frames (Tx)         0
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.216 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.216/0.216/0.216/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticated
Jan 27 15:02:25.311899 osdx hostapd[593428]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 15:02:25.311912 osdx hostapd[593428]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:02:25.312223 osdx hostapd[593428]: connect[radius]: Network is unreachable
Jan 27 15:02:25.311952 osdx hostapd[593428]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jan 27 15:02:25.311955 osdx hostapd[593428]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 15:02:25.327719 osdx hostapd[593428]: Discovery mode enabled on eth2
Jan 27 15:02:25.327775 osdx hostapd[593428]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 15:02:25.327775 osdx hostapd[593428]: eth2: AP-ENABLED
Jan 27 15:02:30.328606 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Jan 27 15:02:30.328649 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jan 27 15:02:30.328657 osdx hostapd[593429]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 15:02:30.343719 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jan 27 15:02:30.343756 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 15:02:30.343775 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jan 27 15:02:30.345778 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jan 27 15:02:30.345797 osdx hostapd[593429]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:02:30.345902 osdx hostapd[593429]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:30.345939 osdx hostapd[593429]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:30.346230 osdx hostapd[593429]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 15:02:30.346238 osdx hostapd[593429]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:30.346243 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:30.346247 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 15:02:30.346267 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jan 27 15:02:30.346271 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jan 27 15:02:30.346274 osdx hostapd[593429]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 15:02:30.346292 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 15:02:30.346295 osdx hostapd[593429]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 190A4ACFD7FFD4F2
Test Unsuccessful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+koakOD2bsEWUZNLUvn+Pnr+f83xE/W9LLZ+tttXh8Xmvp9YL16RfDKqZbRarSNz8dyrqdI2s8eA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.203 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.203/0.203/0.203/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/hF48VVIMCe3HTMdAvkI6nWTxZ8Old7Z8=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.312 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.312/0.312/0.312/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Jan 27 15:02:40.355619 osdx hostapd[593940]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 15:02:40.355638 osdx hostapd[593940]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:02:40.355839 osdx hostapd[593940]: connect[radius]: Network is unreachable
Jan 27 15:02:40.355687 osdx hostapd[593940]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jan 27 15:02:40.355691 osdx hostapd[593940]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 15:02:40.367466 osdx hostapd[593940]: Discovery mode enabled on eth2
Jan 27 15:02:40.367514 osdx hostapd[593940]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 15:02:40.367543 osdx hostapd[593940]: eth2: AP-ENABLED
Jan 27 15:02:43.543675 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jan 27 15:02:43.543690 osdx hostapd[593941]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 15:02:43.563531 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jan 27 15:02:43.563558 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 15:02:43.563575 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jan 27 15:02:43.565312 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jan 27 15:02:43.565324 osdx hostapd[593941]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 15:02:43.565409 osdx hostapd[593941]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:43.565437 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:43.565467 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Jan 27 15:02:44.565523 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jan 27 15:02:44.565562 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jan 27 15:02:44.565723 osdx hostapd[593941]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 15:02:44.565727 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:44.565732 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:44.565737 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 15:02:44.565788 osdx hostapd[593941]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 15:02:44.565795 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jan 27 15:02:44.565802 osdx hostapd[593941]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jan 27 15:02:44.565805 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Jan 27 15:02:44.565813 osdx hostapd[593941]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 15:02:44.565830 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 58)
Jan 27 15:02:44.565844 osdx hostapd[593941]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 15:02:44.565847 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:44.565851 osdx hostapd[593941]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Jan 27 15:02:44.566114 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=58 len=12) from STA: EAP Response-Identity (1)
Jan 27 15:02:44.566127 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Jan 27 15:02:44.566187 osdx hostapd[593941]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:44.566202 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:44.566393 osdx hostapd[593941]: eth2: RADIUS Received 80 bytes from RADIUS server
Jan 27 15:02:44.566400 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:44.566404 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:44.566422 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=59 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jan 27 15:02:44.566429 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 59)
Jan 27 15:02:44.566591 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=59 len=6) from STA: EAP Response-unknown (3)
Jan 27 15:02:44.566628 osdx hostapd[593941]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:44.566637 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:44.566792 osdx hostapd[593941]: eth2: RADIUS Received 64 bytes from RADIUS server
Jan 27 15:02:44.566796 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:44.566800 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:44.566815 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=60 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:02:44.566821 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 60)
Jan 27 15:02:44.567172 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=60 len=194) from STA: EAP Response-PEAP (25)
Jan 27 15:02:44.567209 osdx hostapd[593941]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:44.567219 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:44.568220 osdx hostapd[593941]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jan 27 15:02:44.568226 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:44.568230 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:44.568248 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=61 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:02:44.568255 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 61)
Jan 27 15:02:44.568425 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=61 len=6) from STA: EAP Response-PEAP (25)
Jan 27 15:02:44.568464 osdx hostapd[593941]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:44.568473 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:44.568595 osdx hostapd[593941]: eth2: RADIUS Received 229 bytes from RADIUS server
Jan 27 15:02:44.568601 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:44.568605 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:44.568635 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=62 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:02:44.568643 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 62)
Jan 27 15:02:44.570040 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=62 len=103) from STA: EAP Response-PEAP (25)
Jan 27 15:02:44.570085 osdx hostapd[593941]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:44.570101 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:44.570364 osdx hostapd[593941]: eth2: RADIUS Received 115 bytes from RADIUS server
Jan 27 15:02:44.570369 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:44.570372 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:44.570398 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=63 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:02:44.570405 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 63)
Jan 27 15:02:44.570630 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=63 len=6) from STA: EAP Response-PEAP (25)
Jan 27 15:02:44.570670 osdx hostapd[593941]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:44.570683 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:44.570778 osdx hostapd[593941]: eth2: RADIUS Received 98 bytes from RADIUS server
Jan 27 15:02:44.570784 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:44.570787 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:44.570801 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=64 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:02:44.570807 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 64)
Jan 27 15:02:44.570947 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=64 len=43) from STA: EAP Response-PEAP (25)
Jan 27 15:02:44.570985 osdx hostapd[593941]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:44.570996 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:44.571093 osdx hostapd[593941]: eth2: RADIUS Received 131 bytes from RADIUS server
Jan 27 15:02:44.571098 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:44.571101 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:44.571116 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=65 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:02:44.571122 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 65)
Jan 27 15:02:44.571301 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=65 len=97) from STA: EAP Response-PEAP (25)
Jan 27 15:02:44.571334 osdx hostapd[593941]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 15:02:44.571344 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 15:02:44.571552 osdx hostapd[593941]: eth2: RADIUS Received 140 bytes from RADIUS server
Jan 27 15:02:44.571558 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message
Jan 27 15:02:44.571561 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 15:02:44.571576 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=66 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 15:02:44.571582 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 66)
Jan 27 15:02:44.571706 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=66 len=37) from STA: EAP Response-PEAP (25)
Jan 27 15:02:44.571736 osdx hostapd[593941]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:44.571744 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:44.571863 osdx hostapd[593941]: eth2: RADIUS Received 104 bytes from RADIUS server Jan 27 15:02:44.571868 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message Jan 27 15:02:44.571872 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:44.571884 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=67 len=46) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:02:44.571890 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 67) Jan 27 15:02:44.572030 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=67 len=46) from STA: EAP Response-PEAP (25) Jan 27 15:02:44.572060 osdx hostapd[593941]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:44.572069 osdx hostapd[593941]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:44.572222 osdx hostapd[593941]: eth2: RADIUS Received 175 bytes from RADIUS server Jan 27 15:02:44.572227 osdx hostapd[593941]: eth2: RADIUS Received RADIUS message Jan 27 15:02:44.572230 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:44.572252 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' Jan 27 15:02:44.572255 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=67 len=4) from RADIUS server: EAP Success Jan 27 15:02:44.572269 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 67) Jan 27 
15:02:44.572282 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port Jan 27 15:02:44.572286 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session 45FFF9F9E1FE3E03 Jan 27 15:02:44.572295 osdx hostapd[593941]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/DJ++yCRvxawVsWnYPUKyLd8KBDXm0Q4E8nRxBrGlwk0KYXB5KC61F4Xo3t9UdqJ/VDKhTvBKOfg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.272 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.272/0.272/0.272/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/NPC6MWr95ymD0asVlZIvQEi6nAhFB0Gw=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Unauthorized
---------------------------------
Field                  Value
---------------------------------
EAPoL Frames (Rx)      9
EAPoL Frames (Tx)      10
Invalid Frames (Rx)    0
Logoff Frames (Tx)     0
Port Status            Unauthorized
Req Frames (Rx)        8
Req ID Frames (Rx)     1
Resp Frames (Tx)       9
Start Frames (Tx)      1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                      Value
-------------------------------------------
Access Challenges          8
Authentication Backend     RADIUS
Authentication Failures    1
Authentication Mode        N/A
Authentication Status      Unauthorized
Authentication Successes   0
EAPoL frames (Rx)          10
EAPoL frames (Tx)          9
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           00:11:22:33:44:55
Session User Name          N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jan 27 15:02:52.791928 osdx hostapd[594451]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Jan 27 15:02:52.792306 osdx hostapd[594451]: connect[radius]: Network is unreachable Jan 27 15:02:52.791950 osdx hostapd[594451]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jan 27 15:02:52.792000 osdx hostapd[594451]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Jan 27 15:02:52.792004 osdx hostapd[594451]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Jan 27 15:02:52.807740 osdx hostapd[594451]: Discovery mode enabled on eth2 Jan 27 15:02:52.807858 osdx hostapd[594451]: eth2: interface state UNINITIALIZED->ENABLED Jan 27 15:02:52.807886 osdx hostapd[594451]: eth2: AP-ENABLED Jan 27 15:02:55.983897 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Jan 27 15:02:55.983911 osdx hostapd[594452]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Jan 27 15:02:55.999788 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Jan 27 15:02:55.999818 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Jan 27 15:02:55.999839 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Jan 27 15:02:56.001941 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Jan 27 15:02:56.001956 osdx hostapd[594452]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jan 27 15:02:56.002035 osdx hostapd[594452]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:56.002066 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:56.002090 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Jan 27 15:02:57.002157 osdx 
hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Jan 27 15:02:57.002195 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Jan 27 15:02:57.002380 osdx hostapd[594452]: eth2: RADIUS Received 20 bytes from RADIUS server Jan 27 15:02:57.002385 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:57.002390 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:57.002395 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Jan 27 15:02:57.002453 osdx hostapd[594452]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Jan 27 15:02:57.002457 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Jan 27 15:02:57.002461 osdx hostapd[594452]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Jan 27 15:02:57.002465 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Jan 27 15:02:57.002474 osdx hostapd[594452]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Jan 27 15:02:57.002492 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 51) Jan 27 15:02:57.002507 osdx hostapd[594452]: eth2: RADIUS Received 20 bytes from RADIUS server Jan 27 15:02:57.002511 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:57.002514 osdx hostapd[594452]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet Jan 27 15:02:57.002836 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=51 len=10) from STA: EAP Response-Identity (1) Jan 27 15:02:57.002846 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' Jan 27 15:02:57.002904 osdx 
hostapd[594452]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:57.002920 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:57.003160 osdx hostapd[594452]: eth2: RADIUS Received 80 bytes from RADIUS server Jan 27 15:02:57.003166 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:57.003170 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:57.003203 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=52 len=22) from RADIUS server: EAP-Request-MD5 (4) Jan 27 15:02:57.003212 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 52) Jan 27 15:02:57.003433 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=52 len=6) from STA: EAP Response-unknown (3) Jan 27 15:02:57.003479 osdx hostapd[594452]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:57.003493 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:57.003745 osdx hostapd[594452]: eth2: RADIUS Received 64 bytes from RADIUS server Jan 27 15:02:57.003752 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:57.003757 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:57.003774 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=53 len=6) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:02:57.003781 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 53) Jan 27 15:02:57.004167 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=53 len=194) from STA: EAP Response-PEAP (25) Jan 27 15:02:57.004209 
osdx hostapd[594452]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:57.004220 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:57.005558 osdx hostapd[594452]: eth2: RADIUS Received 1068 bytes from RADIUS server Jan 27 15:02:57.005565 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:57.005570 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:57.005608 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=54 len=1004) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:02:57.005616 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 54) Jan 27 15:02:57.005861 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=54 len=6) from STA: EAP Response-PEAP (25) Jan 27 15:02:57.005911 osdx hostapd[594452]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:57.005923 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:57.006091 osdx hostapd[594452]: eth2: RADIUS Received 229 bytes from RADIUS server Jan 27 15:02:57.006096 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:57.006099 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:57.006114 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=55 len=171) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:02:57.006119 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 55) Jan 27 15:02:57.007468 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=55 len=103) from STA: EAP Response-PEAP (25) Jan 27 
15:02:57.007513 osdx hostapd[594452]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:57.007526 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:57.007936 osdx hostapd[594452]: eth2: RADIUS Received 115 bytes from RADIUS server Jan 27 15:02:57.007942 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:57.007945 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:57.007963 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=56 len=57) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:02:57.007968 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 56) Jan 27 15:02:57.008249 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=56 len=6) from STA: EAP Response-PEAP (25) Jan 27 15:02:57.008292 osdx hostapd[594452]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:57.008305 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:57.008464 osdx hostapd[594452]: eth2: RADIUS Received 98 bytes from RADIUS server Jan 27 15:02:57.008470 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:57.008473 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:57.008488 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=57 len=40) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:02:57.008494 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 57) Jan 27 15:02:57.008656 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=57 len=41) from STA: EAP Response-PEAP (25) Jan 
27 15:02:57.008688 osdx hostapd[594452]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:57.008700 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:57.008866 osdx hostapd[594452]: eth2: RADIUS Received 131 bytes from RADIUS server Jan 27 15:02:57.008871 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:57.008874 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:57.008888 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=58 len=73) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:02:57.008893 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 58) Jan 27 15:02:57.009139 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=58 len=95) from STA: EAP Response-PEAP (25) Jan 27 15:02:57.009169 osdx hostapd[594452]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:57.009177 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:57.009400 osdx hostapd[594452]: eth2: RADIUS Received 104 bytes from RADIUS server Jan 27 15:02:57.009408 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:57.009412 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:57.009435 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=59 len=46) from RADIUS server: EAP-Request-PEAP (25) Jan 27 15:02:57.009447 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 59) Jan 27 15:02:57.009645 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=59 len=46) from STA: EAP Response-PEAP (25) 
Jan 27 15:02:57.009688 osdx hostapd[594452]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:02:57.009702 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:02:58.009800 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8) Jan 27 15:02:58.009839 osdx hostapd[594452]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Jan 27 15:02:58.010023 osdx hostapd[594452]: eth2: RADIUS Received 44 bytes from RADIUS server Jan 27 15:02:58.010029 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:58.010034 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:02:58.010086 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=59 len=4) from RADIUS server: EAP Failure Jan 27 15:02:58.010118 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 59) Jan 27 15:02:58.010195 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port Jan 27 15:02:58.010200 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) Jan 27 15:02:58.010208 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds) Jan 27 15:02:58.010214 osdx hostapd[594452]: eth2: RADIUS Received 44 bytes from RADIUS server Jan 27 15:02:58.010218 osdx hostapd[594452]: eth2: RADIUS Received RADIUS message Jan 27 15:02:58.010221 osdx hostapd[594452]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/J3CZce+HqioCMuNYzkl8PhlT3DJecHqtDOSzMn3wihr6hRWA+fgTezNCTsRBWSelZ8Br0e7fd+g==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.236 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.236/0.236/0.236/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                      Value
-------------------------------------------
Access Challenges          0
Authentication Backend     RADIUS
Authentication Failures    1
Authentication Mode        N/A
Authentication Status      Unauthorized
Authentication Successes   0
EAPoL frames (Rx)          0
EAPoL frames (Tx)          2
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           00:11:22:33:44:55
Session User Name          N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: EAP authentication timeout
Jan 27 15:03:05.219368 osdx hostapd[594951]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Jan 27 15:03:05.219623 osdx hostapd[594951]: connect[radius]: Network is unreachable Jan 27 15:03:05.219384 osdx hostapd[594951]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jan 27 15:03:05.219430 osdx hostapd[594951]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Jan 27 15:03:05.219437 osdx hostapd[594951]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Jan 27 15:03:05.239202 osdx hostapd[594951]: Discovery mode enabled on eth2 Jan 27 15:03:05.239285 osdx hostapd[594951]: eth2: interface state UNINITIALIZED->ENABLED Jan 27 15:03:05.239285 osdx hostapd[594951]: eth2: AP-ENABLED Jan 27 15:03:10.239942 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication Jan 27 15:03:10.239980 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Jan 27 15:03:10.239991 osdx hostapd[594952]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Jan 27 15:03:10.259253 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Jan 27 15:03:10.259284 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Jan 27 15:03:10.259305 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Jan 27 15:03:10.261349 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Jan 27 15:03:10.261362 osdx hostapd[594952]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jan 27 15:03:10.261454 osdx hostapd[594952]: eth2: RADIUS Sending RADIUS message to authentication server Jan 27 15:03:10.261486 osdx hostapd[594952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jan 27 15:03:11.261565 
osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Jan 27 15:03:11.261594 osdx hostapd[594952]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Jan 27 15:03:11.261832 osdx hostapd[594952]: eth2: RADIUS Received 20 bytes from RADIUS server Jan 27 15:03:11.261834 osdx hostapd[594952]: eth2: RADIUS Received RADIUS message Jan 27 15:03:11.261838 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jan 27 15:03:11.261842 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Jan 27 15:03:11.261883 osdx hostapd[594952]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Jan 27 15:03:11.261885 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Jan 27 15:03:11.261889 osdx hostapd[594952]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Jan 27 15:03:11.261891 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Jan 27 15:03:11.261897 osdx hostapd[594952]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Jan 27 15:03:11.261909 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 141) Jan 27 15:03:14.263213 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 141) Jan 27 15:03:19.054237 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Jan 27 15:03:20.268188 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 141) Jan 27 15:03:27.299918 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. 
Jan 27 15:03:32.279206 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication Jan 27 15:03:32.279223 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying Jan 27 15:03:32.279235 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2) Jan 27 15:03:32.279239 osdx hostapd[594952]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)
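Added example (not part of the original page or of the OSDx project): a Python classifier for the output of system journal show | grep "osdx hostapd" that reports, per station, how the 802.1x fallback ended, keyed on the journal tokens the scenarios above check for. The sample journal is constructed in the page's line format; the MAC addresses 02:00:00:00:00:0b and 02:00:00:00:00:0c, the function names and the outcome labels are assumptions.

```python
import re

# "<Mon> <day> <time> <host> hostapd[pid]: <iface>: STA <mac> <module>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+\S+\s+hostapd\[\d+\]:\s+(?P<iface>\S+):\s+"
    r"STA\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(?P<module>[^:]+):\s+(?P<msg>.*)$"
)
IDENTITY_RE = re.compile(r"STA identity '([^']*)'")
PAE_GROUP = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a station

# Journal tokens as they appear in the scenarios; the event names are assumptions.
TOKENS = [
    ("MAB-first mode: Starting MAB authentication", "mab_started"),
    ("MAB-first mode: MAB failed, transitioning to 802.1X", "mab_failed"),
    ("authentication failed - EAP type:", "eap_rejected"),
    ("EAP authentication timeout", "eap_timeout"),
    ("authenticated - EAP type:", "eap_accepted"),
]
TERMINAL = {
    "eap_accepted": "fallback-accepted",
    "eap_rejected": "fallback-rejected",
    "eap_timeout": "fallback-timeout",
}


def outcome(events):
    """Result of the most recent fallback: the last terminal event after the last MAB failure."""
    if "mab_failed" not in events:
        return "no-fallback-seen"
    last = len(events) - 1 - events[::-1].index("mab_failed")
    tail = [e for e in events[last + 1:] if e in TERMINAL]
    return TERMINAL[tail[-1]] if tail else "fallback-pending"


def classify(lines):
    """Group hostapd journal lines by (interface, station MAC) and classify each station."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["mac"].lower() == PAE_GROUP:
            continue  # lines without a station, or addressed to the PAE group
        key = (m["iface"], m["mac"].lower())
        s = sessions.setdefault(key, {"events": [], "identity": None, "last_seen": None})
        s["last_seen"] = m["ts"]
        ident = IDENTITY_RE.search(m["msg"])
        if ident:
            s["identity"] = ident.group(1)
        for token, event in TOKENS:
            if token in m["msg"]:
                s["events"].append(event)
    return {
        key: {"outcome": outcome(s["events"]), "identity": s["identity"], "last_seen": s["last_seen"]}
        for key, s in sessions.items()
    }


def denied(report):
    """Stations left unauthorized after both MAB and the 802.1x fallback."""
    bad = {"fallback-rejected", "fallback-timeout"}
    return sorted(key for key, info in report.items() if info["outcome"] in bad)


# Constructed sample: abridged lines in the format of the journal output shown above.
SAMPLE = """\
Jan 27 15:02:55.999788 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jan 27 15:02:57.002453 osdx hostapd[594452]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 15:02:57.002457 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jan 27 15:02:57.002474 osdx hostapd[594452]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 15:02:57.002846 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Jan 27 15:02:58.010200 osdx hostapd[594452]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jan 27 15:03:11.261885 osdx hostapd[594952]: eth2: STA 02:00:00:00:00:0b IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jan 27 15:03:32.279223 osdx hostapd[594952]: eth2: STA 02:00:00:00:00:0b IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying
Jan 27 15:04:01.000100 osdx hostapd[595001]: eth2: STA 02:00:00:00:00:0c IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jan 27 15:04:01.000400 osdx hostapd[595001]: eth2: STA 02:00:00:00:00:0c IEEE 802.1X: STA identity 'testing'
Jan 27 15:04:01.009000 osdx hostapd[595001]: eth2: STA 02:00:00:00:00:0c IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
"""

if __name__ == "__main__":
    for (iface, mac), info in classify(SAMPLE.splitlines()).items():
        print(iface, mac, info["outcome"], info["identity"])
```

A fallback-timeout result corresponds to the third scenario (a device with no 802.1x supplicant), while fallback-rejected corresponds to the second (a supplicant presenting credentials the RADIUS server refuses).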