Reauth Period

This scenario shows how to configure the reauthentication period in a device with 802.1x/MAB authentication.


Test Reauth Period In 802.1X Mode

Description

This scenario shows how to configure the reauthentication period in a device with 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19wCQC5XVWXSYq0vShEQTdV4p5y5iSKON4ZJGjcbcmDUXN4ybcaCJuRjBFE9pKHij7AJVUWroKuSg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.207 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.207/0.207/0.207/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18b1tw6jeD5ORn4FDd+ZFJsNObkBN25ssE=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: authenticated
Output:
Jan 27 14:51:32.349599 osdx hostapd[577924]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 14:51:32.349621 osdx hostapd[577924]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 14:51:32.349857 osdx hostapd[577924]: connect[radius]: Network is unreachable
Jan 27 14:51:32.349668 osdx hostapd[577924]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X, eap_server=0, eap_quiet_period=60, eap_max_retrans=2
Jan 27 14:51:32.349672 osdx hostapd[577924]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 14:51:32.365476 osdx hostapd[577924]: Discovery mode enabled on eth2
Jan 27 14:51:32.365563 osdx hostapd[577924]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 14:51:32.365563 osdx hostapd[577924]: eth2: AP-ENABLED
Jan 27 14:51:32.365476 osdx hostapd[577924]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames
Jan 27 14:51:33.660754 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:51:35.588712 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jan 27 14:51:35.588728 osdx hostapd[577925]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 14:51:35.601592 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Jan 27 14:51:35.601626 osdx hostapd[577925]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jan 27 14:51:35.601646 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Jan 27 14:51:35.601657 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jan 27 14:51:35.601667 osdx hostapd[577925]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 14:51:35.601693 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 214)
Jan 27 14:51:35.602535 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=214 len=12) from STA: EAP Response-Identity (1)
Jan 27 14:51:35.602550 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Jan 27 14:51:35.602582 osdx hostapd[577925]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 14:51:35.605153 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:35.605487 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:35.799951 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:51:35.804327 osdx hostapd[577925]: eth2: RADIUS Received 80 bytes from RADIUS server
Jan 27 14:51:35.804335 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:35.804338 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.19 sec
Jan 27 14:51:35.804390 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=215 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jan 27 14:51:35.804405 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 215)
Jan 27 14:51:35.804777 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=215 len=6) from STA: EAP Response-unknown (3)
Jan 27 14:51:35.804835 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:35.804853 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:35.829136 osdx hostapd[577925]: eth2: RADIUS Received 64 bytes from RADIUS server
Jan 27 14:51:35.829146 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:35.829150 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.02 sec
Jan 27 14:51:35.829202 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=216 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:35.829214 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 216)
Jan 27 14:51:35.832155 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=216 len=194) from STA: EAP Response-PEAP (25)
Jan 27 14:51:35.832243 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:35.832269 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:35.940544 osdx hostapd[577925]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jan 27 14:51:35.940556 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:35.940559 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.10 sec
Jan 27 14:51:35.940613 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=217 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:35.940623 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 217)
Jan 27 14:51:35.940926 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=217 len=6) from STA: EAP Response-PEAP (25)
Jan 27 14:51:35.940999 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:35.941019 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:35.947250 osdx hostapd[577925]: eth2: RADIUS Received 229 bytes from RADIUS server
Jan 27 14:51:35.947261 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:35.947265 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:35.947314 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=218 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:35.947325 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 218)
Jan 27 14:51:35.966538 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=218 len=103) from STA: EAP Response-PEAP (25)
Jan 27 14:51:35.966645 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:35.966672 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:35.983563 osdx hostapd[577925]: eth2: RADIUS Received 115 bytes from RADIUS server
Jan 27 14:51:35.983573 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:35.983580 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.01 sec
Jan 27 14:51:35.983623 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=219 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:35.983632 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 219)
Jan 27 14:51:35.984074 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=219 len=6) from STA: EAP Response-PEAP (25)
Jan 27 14:51:35.984127 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:35.984142 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:35.984345 osdx hostapd[577925]: eth2: RADIUS Received 98 bytes from RADIUS server
Jan 27 14:51:35.984350 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:35.984353 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:35.984369 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=220 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:35.984374 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 220)
Jan 27 14:51:35.984565 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=220 len=43) from STA: EAP Response-PEAP (25)
Jan 27 14:51:35.984601 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:35.984613 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:36.007941 osdx hostapd[577925]: eth2: RADIUS Received 131 bytes from RADIUS server
Jan 27 14:51:36.007951 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:36.007957 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.02 sec
Jan 27 14:51:36.007995 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=221 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:36.008004 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 221)
Jan 27 14:51:36.010454 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=221 len=97) from STA: EAP Response-PEAP (25)
Jan 27 14:51:36.010514 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:36.010534 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:36.027075 osdx hostapd[577925]: eth2: RADIUS Received 140 bytes from RADIUS server
Jan 27 14:51:36.027085 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:36.027089 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.01 sec
Jan 27 14:51:36.027125 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=222 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:36.027134 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 222)
Jan 27 14:51:36.027460 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=222 len=37) from STA: EAP Response-PEAP (25)
Jan 27 14:51:36.027520 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:36.027541 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:36.027749 osdx hostapd[577925]: eth2: RADIUS Received 104 bytes from RADIUS server
Jan 27 14:51:36.027754 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:36.027757 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:36.027775 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=223 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:36.027782 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 223)
Jan 27 14:51:36.027994 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=223 len=46) from STA: EAP Response-PEAP (25)
Jan 27 14:51:36.028038 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:36.028050 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:36.045719 osdx hostapd[577925]: eth2: RADIUS Received 175 bytes from RADIUS server
Jan 27 14:51:36.045729 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:36.045732 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.01 sec
Jan 27 14:51:36.045774 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jan 27 14:51:36.045777 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=223 len=4) from RADIUS server: EAP Success
Jan 27 14:51:36.045800 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 223)
Jan 27 14:51:36.045819 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 14:51:36.045823 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session B2F1CAD127C6E131
Jan 27 14:51:36.045827 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: Re-authentication period expired
Output:
Jan 27 14:51:38.229312 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:51:40.295928 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:51:42.367006 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:51:44.495976 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:51:46.577937 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:51:48.694259 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:51:50.778562 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:51:52.862880 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:51:54.936556 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:51:55.618455 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jan 27 14:51:55.618466 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Starting re-authentication (port will be unauthorized until authentication succeeds)
Jan 27 14:51:55.618470 osdx hostapd[577925]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 14:51:55.618510 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 189)
Jan 27 14:51:55.618896 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=189 len=12) from STA: EAP Response-Identity (1)
Jan 27 14:51:55.618909 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Jan 27 14:51:55.618988 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:55.619024 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:55.619302 osdx hostapd[577925]: eth2: RADIUS Received 80 bytes from RADIUS server
Jan 27 14:51:55.619308 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:55.619315 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:55.619341 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=190 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jan 27 14:51:55.619351 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 190)
Jan 27 14:51:55.619592 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=190 len=6) from STA: EAP Response-unknown (3)
Jan 27 14:51:55.619647 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:55.619663 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:55.619893 osdx hostapd[577925]: eth2: RADIUS Received 64 bytes from RADIUS server
Jan 27 14:51:55.619899 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:55.619904 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:55.619920 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=191 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:55.619926 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 191)
Jan 27 14:51:55.620246 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=191 len=194) from STA: EAP Response-PEAP (25)
Jan 27 14:51:55.620303 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:55.620367 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:55.621335 osdx hostapd[577925]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jan 27 14:51:55.621341 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:55.621345 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:55.621370 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=192 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:55.621377 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 192)
Jan 27 14:51:55.621583 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=192 len=6) from STA: EAP Response-PEAP (25)
Jan 27 14:51:55.621631 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:55.621645 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:55.621823 osdx hostapd[577925]: eth2: RADIUS Received 229 bytes from RADIUS server
Jan 27 14:51:55.621832 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:55.621837 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:55.621862 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=193 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:55.621871 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 193)
Jan 27 14:51:55.622870 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=193 len=103) from STA: EAP Response-PEAP (25)
Jan 27 14:51:55.622923 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:55.622937 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:55.623318 osdx hostapd[577925]: eth2: RADIUS Received 115 bytes from RADIUS server
Jan 27 14:51:55.623324 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:55.623328 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:55.623343 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=194 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:55.623349 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 194)
Jan 27 14:51:55.623591 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=194 len=6) from STA: EAP Response-PEAP (25)
Jan 27 14:51:55.623631 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:55.623645 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:55.623802 osdx hostapd[577925]: eth2: RADIUS Received 98 bytes from RADIUS server
Jan 27 14:51:55.623808 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:55.623811 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:55.623826 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=195 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:55.623832 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 195)
Jan 27 14:51:55.623971 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=195 len=43) from STA: EAP Response-PEAP (25)
Jan 27 14:51:55.624003 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:55.624012 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:55.624177 osdx hostapd[577925]: eth2: RADIUS Received 131 bytes from RADIUS server
Jan 27 14:51:55.624186 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:55.624189 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:55.624203 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=196 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:55.624211 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 196)
Jan 27 14:51:55.624468 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=196 len=97) from STA: EAP Response-PEAP (25)
Jan 27 14:51:55.624509 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:55.624524 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:55.624734 osdx hostapd[577925]: eth2: RADIUS Received 140 bytes from RADIUS server
Jan 27 14:51:55.624739 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:55.624742 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:55.624755 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=197 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:55.624760 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 197)
Jan 27 14:51:55.624923 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=197 len=37) from STA: EAP Response-PEAP (25)
Jan 27 14:51:55.624956 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:55.624970 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:55.625163 osdx hostapd[577925]: eth2: RADIUS Received 104 bytes from RADIUS server
Jan 27 14:51:55.625168 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:55.625171 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:55.625186 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=198 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jan 27 14:51:55.625192 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 198)
Jan 27 14:51:55.625388 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=198 len=46) from STA: EAP Response-PEAP (25)
Jan 27 14:51:55.625438 osdx hostapd[577925]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:51:55.625468 osdx hostapd[577925]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:51:55.625655 osdx hostapd[577925]: eth2: RADIUS Received 175 bytes from RADIUS server
Jan 27 14:51:55.625660 osdx hostapd[577925]: eth2: RADIUS Received RADIUS message
Jan 27 14:51:55.625664 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:51:55.625685 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jan 27 14:51:55.625689 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=198 len=4) from RADIUS server: EAP Success
Jan 27 14:51:55.625703 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 198)
Jan 27 14:51:55.625712 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 14:51:55.625716 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session B2F1CAD127C6E131
Jan 27 14:51:55.625720 osdx hostapd[577925]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Test Reauth Period In MAB Mode

Description

This scenario shows how to configure the reauthentication period in a device with MAB authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18UWD9Bwv08IRjHB7QXS5cpmLa7X3SzpN2SbWHB7kWE94nQDbIxIfehpkq5MAkrJBTmXUvn+kIy5Q==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.255 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.255/0.255/0.255/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

MAB: station successfully authenticated
Output:
Jan 27 14:52:04.415996 osdx hostapd[578507]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 14:52:04.416007 osdx hostapd[578507]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 14:52:04.416291 osdx hostapd[578507]: connect[radius]: Network is unreachable
Jan 27 14:52:04.416050 osdx hostapd[578507]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-only, eap_server=0, eap_quiet_period=60, eap_max_retrans=5
Jan 27 14:52:04.416053 osdx hostapd[578507]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 14:52:04.439898 osdx hostapd[578507]: Discovery mode enabled on eth2
Jan 27 14:52:04.439982 osdx hostapd[578507]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 14:52:04.440009 osdx hostapd[578507]: eth2: AP-ENABLED
Jan 27 14:52:07.690694 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:52:09.441869 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Jan 27 14:52:09.441913 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jan 27 14:52:09.441923 osdx hostapd[578508]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 14:52:09.455912 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-only mode: Starting MAB authentication
Jan 27 14:52:09.455948 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 14:52:09.455964 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jan 27 14:52:09.457716 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jan 27 14:52:09.457729 osdx hostapd[578508]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 14:52:09.457812 osdx hostapd[578508]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:52:09.457840 osdx hostapd[578508]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:52:09.458144 osdx hostapd[578508]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 14:52:09.458149 osdx hostapd[578508]: eth2: RADIUS Received RADIUS message
Jan 27 14:52:09.458153 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:52:09.458156 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 14:52:09.458173 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jan 27 14:52:09.458175 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jan 27 14:52:09.458178 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jan 27 14:52:09.458180 osdx hostapd[578508]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 14:52:09.458196 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 14:52:09.458199 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 0F30284836CBE090

Step 5: Run the command system journal show | grep "osdx hostapd" on DUT0 and check that the output contains the following tokens:

IEEE 802.1X: Re-authentication period expired
Jan 27 14:52:12.237195 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:52:15.401769 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:52:18.597058 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:52:21.770977 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:52:24.969929 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:52:28.186916 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:52:29.473806 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jan 27 14:52:29.473822 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 14:52:29.473869 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jan 27 14:52:29.473895 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jan 27 14:52:29.473914 osdx hostapd[578508]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:52:29.473949 osdx hostapd[578508]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:52:29.474222 osdx hostapd[578508]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 14:52:29.474226 osdx hostapd[578508]: eth2: RADIUS Received RADIUS message
Jan 27 14:52:29.474229 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:52:29.474233 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 14:52:29.474253 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jan 27 14:52:29.474257 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jan 27 14:52:29.474260 osdx hostapd[578508]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 14:52:29.474264 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 14:52:29.474267 osdx hostapd[578508]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 0F30284836CBE090

Test Reauth Period In MAB-Fallback Mode

Description

This scenario shows how to configure the reauthentication period on a device whose authenticator runs in 802.1x-MAB mode, where 802.1X is attempted first and MAB is the fallback.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/VvmgxLqMLxBraq9XEmWgLMMsXUWf90/nu+OYTzV4n70ASGvlT10pZZPFlLdY4vWDBpLeOsGIWKg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.189 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.189/0.189/0.189/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run the command system journal show | grep "osdx hostapd" on DUT0 and check that the output contains the following tokens:

MAB: station successfully authenticated
Jan 27 14:52:38.478401 osdx hostapd[579067]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 14:52:38.478417 osdx hostapd[579067]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 14:52:38.478723 osdx hostapd[579067]: connect[radius]: Network is unreachable
Jan 27 14:52:38.478471 osdx hostapd[579067]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jan 27 14:52:38.478480 osdx hostapd[579067]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 14:52:38.494249 osdx hostapd[579067]: Discovery mode enabled on eth2
Jan 27 14:52:38.494249 osdx hostapd[579067]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames
Jan 27 14:52:38.494367 osdx hostapd[579067]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 14:52:38.494367 osdx hostapd[579067]: eth2: AP-ENABLED
Jan 27 14:52:41.692065 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:52:43.497231 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Jan 27 14:52:43.497276 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jan 27 14:52:43.497288 osdx hostapd[579068]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 14:52:43.510288 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Jan 27 14:52:43.510327 osdx hostapd[579068]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jan 27 14:52:43.510332 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jan 27 14:52:43.510335 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jan 27 14:52:43.510352 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jan 27 14:52:43.510361 osdx hostapd[579068]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 14:52:43.510396 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 184)
Jan 27 14:52:45.901833 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:52:46.513212 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 184)
Jan 27 14:52:50.097686 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:52:52.518254 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 184)
Jan 27 14:52:54.296326 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:52:58.486705 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:02.703745 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:04.529234 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Jan 27 14:53:04.529243 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jan 27 14:53:04.529249 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 14:53:04.529292 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jan 27 14:53:04.531649 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jan 27 14:53:04.531663 osdx hostapd[579068]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 14:53:04.531745 osdx hostapd[579068]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:53:04.531778 osdx hostapd[579068]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:53:04.531799 osdx hostapd[579068]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 14:53:04.531818 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 73)
Jan 27 14:53:04.532074 osdx hostapd[579068]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 14:53:04.532080 osdx hostapd[579068]: eth2: RADIUS Received RADIUS message
Jan 27 14:53:04.532085 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:53:04.532090 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 14:53:04.532109 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jan 27 14:53:04.532112 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jan 27 14:53:04.532116 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jan 27 14:53:04.532120 osdx hostapd[579068]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 14:53:04.532130 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 14:53:04.532139 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 2BFEE93C0D73A1C4

Step 5: Run the command system journal show | grep "osdx hostapd" on DUT0 and check that the output contains the following tokens:

IEEE 802.1X: Re-authentication period expired
Jan 27 14:53:07.167997 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:10.321173 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:13.493505 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:16.665810 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:19.861269 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:23.049129 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:24.549203 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jan 27 14:53:24.549223 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jan 27 14:53:24.549227 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jan 27 14:53:24.549256 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jan 27 14:53:24.549262 osdx hostapd[579068]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jan 27 14:53:24.549279 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 98)

Test Reauth Period In MAB-First Mode

Description

This scenario shows how to configure the reauthentication period on a device whose authenticator runs in MAB-802.1x mode, where MAB is attempted first.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18L+X46IMOYIN5ySPOsLMDxkuwgASmsMO/ICNo8tHEMYoW9ZWtr9yINPfkLjyr42gTKbCpdZuRBOg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.234 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.234/0.234/0.234/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run the command system journal show | grep "osdx hostapd" on DUT0 and check that the output contains the following tokens:

MAB: station successfully authenticated
Jan 27 14:53:34.224853 osdx hostapd[579662]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jan 27 14:53:34.224867 osdx hostapd[579662]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 14:53:34.225102 osdx hostapd[579662]: connect[radius]: Network is unreachable
Jan 27 14:53:34.224909 osdx hostapd[579662]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jan 27 14:53:34.224914 osdx hostapd[579662]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jan 27 14:53:34.252688 osdx hostapd[579662]: Discovery mode enabled on eth2
Jan 27 14:53:34.252778 osdx hostapd[579662]: eth2: interface state UNINITIALIZED->ENABLED
Jan 27 14:53:34.252778 osdx hostapd[579662]: eth2: AP-ENABLED
Jan 27 14:53:34.252685 osdx hostapd[579662]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames
Jan 27 14:53:37.460393 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:39.255716 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Jan 27 14:53:39.255757 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jan 27 14:53:39.255766 osdx hostapd[579663]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jan 27 14:53:39.268777 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jan 27 14:53:39.268819 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 14:53:39.268836 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jan 27 14:53:39.271059 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jan 27 14:53:39.271076 osdx hostapd[579663]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jan 27 14:53:39.271173 osdx hostapd[579663]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:53:39.271205 osdx hostapd[579663]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:53:39.271265 osdx hostapd[579663]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame
Jan 27 14:53:39.271281 osdx hostapd[579663]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds
Jan 27 14:53:39.271540 osdx hostapd[579663]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 14:53:39.271547 osdx hostapd[579663]: eth2: RADIUS Received RADIUS message
Jan 27 14:53:39.271552 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:53:39.271557 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 14:53:39.271585 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jan 27 14:53:39.271588 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jan 27 14:53:39.271592 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jan 27 14:53:39.271595 osdx hostapd[579663]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 14:53:39.271620 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 14:53:39.271624 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session E5414035CB035A5C

Step 5: Run the command system journal show | grep "osdx hostapd" on DUT0 and check that the output contains the following tokens:

IEEE 802.1X: Re-authentication period expired
Jan 27 14:53:41.980760 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:45.176894 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:48.462128 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:51.698151 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:55.087591 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:58.252110 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:59.271693 osdx hostapd[579663]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame
Jan 27 14:53:59.271716 osdx hostapd[579663]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds
Jan 27 14:53:59.285726 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jan 27 14:53:59.285743 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jan 27 14:53:59.285777 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jan 27 14:53:59.285810 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jan 27 14:53:59.285835 osdx hostapd[579663]: eth2: RADIUS Sending RADIUS message to authentication server
Jan 27 14:53:59.285959 osdx hostapd[579663]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jan 27 14:53:59.286179 osdx hostapd[579663]: eth2: RADIUS Received 20 bytes from RADIUS server
Jan 27 14:53:59.286186 osdx hostapd[579663]: eth2: RADIUS Received RADIUS message
Jan 27 14:53:59.286191 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jan 27 14:53:59.286196 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jan 27 14:53:59.286219 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jan 27 14:53:59.286223 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jan 27 14:53:59.286227 osdx hostapd[579663]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jan 27 14:53:59.286231 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jan 27 14:53:59.286235 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session E5414035CB035A5C
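
The token checks in the scenarios above only confirm that a re-authentication happened. The following added example (not part of the OSDx documentation or its test suite) measures, per station, the time between the "Re-authentication enabled" and "Re-authentication period expired" journal lines, compares it with the configured reauth-period, and records the first decisive event after expiry, which differs between the modes in the output above. The function names, the record fields and the 1-second tolerance are assumptions of this example.

```python
import re
from datetime import datetime

# Per-station hostapd journal lines, in the format shown on this page.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) \S+ hostapd\[\d+\]: "
    r"\S+: STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$")
ARMED_RE = re.compile(r"Re-authentication enabled \(next reauth in (\d+) seconds\)")
EXPIRED_RE = re.compile(r"Re-authentication period expired \((\d+) seconds\)")


def parse_ts(ts):
    # The journal prints no year; a fixed one is enough to compute deltas.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")


def reauth_cycles(lines, expected_period, tolerance=1.0):
    """Return one record per expired re-authentication timer."""
    armed = {}    # mac -> (time the timer was armed, announced period)
    waiting = {}  # mac -> record whose post-expiry outcome is still unknown
    cycles = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # CLI audit lines and lines without a station address
        mac, msg, ts = m["mac"], m["msg"], parse_ts(m["ts"])
        if a := ARMED_RE.search(msg):
            armed[mac] = (ts, int(a.group(1)))
        elif EXPIRED_RE.search(msg) and mac in armed:
            start, announced = armed.pop(mac)
            measured = (ts - start).total_seconds()
            on_time = (announced == expected_period
                       and abs(measured - expected_period) <= tolerance)
            rec = {"mac": mac, "announced": announced,
                   "measured": round(measured, 3),
                   "on_time": on_time, "outcome": "pending"}
            cycles.append(rec)
            waiting[mac] = rec
        elif mac in waiting:
            # First decisive event after expiry: the port is unauthorized while
            # the station re-authenticates, or MAB succeeds with no such event.
            if "unauthorizing port" in msg:
                waiting.pop(mac)["outcome"] = "port-unauthorized"
            elif "station successfully authenticated" in msg:
                waiting.pop(mac)["outcome"] = "reauthenticated"
    return cycles


# Excerpts copied from the journal output on this page (802.1x-MAB scenario).
SAMPLE_FALLBACK = """\
Jan 27 14:53:04.532112 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jan 27 14:53:04.532116 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jan 27 14:53:07.167997 osdx OSDxCLI[421648]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jan 27 14:53:24.549203 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jan 27 14:53:24.549256 osdx hostapd[579068]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
""".splitlines()

# Excerpts copied from the journal output on this page (MAB-802.1x scenario).
SAMPLE_MAB_FIRST = """\
Jan 27 14:53:39.271592 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jan 27 14:53:59.285726 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jan 27 14:53:59.286219 osdx hostapd[579663]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("802.1x-MAB", SAMPLE_FALLBACK),
                         ("MAB-802.1x", SAMPLE_MAB_FIRST)):
        for cycle in reauth_cycles(sample, expected_period=20):
            print(name, cycle)
```

A cycle whose on_time field is false, or an authenticated station that never produces a cycle, indicates that the configured reauth-period is not the one in effect on that port.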