MAB Fallback
This scenario shows how to configure the MAB-fallback authentication mode.
Test Successful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+twFiQZKvTHtkDoEDaPWgRS9oh0JAUVaSlKEoKjvLg0UDoeiNJhc2dvR9U+uXvWs9GSQEOfW/ixw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.419 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.419/0.419/0.419/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18JJMNVxRzNfs5ywB0AzVMXAl9zafxM1zE=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                    Value
---------------------------------------------------
EAP State                SUCCESS
EAP TLS Cipher           ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version          TLSv1.2
PAE State                AUTHENTICATED
Supplicant Port Status   Authorized
WPA State                COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.244 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.244/0.244/0.244/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Feb 12 20:10:31.465989 osdx hostapd[470961]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 12 20:10:31.466003 osdx hostapd[470961]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:10:31.466232 osdx hostapd[470961]: connect[radius]: Network is unreachable
Feb 12 20:10:31.466041 osdx hostapd[470961]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 12 20:10:31.466044 osdx hostapd[470961]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 12 20:10:31.481888 osdx hostapd[470961]: Discovery mode enabled on eth2
Feb 12 20:10:31.481950 osdx hostapd[470961]: eth2: interface state UNINITIALIZED->ENABLED
Feb 12 20:10:31.481970 osdx hostapd[470961]: eth2: AP-ENABLED
Feb 12 20:10:34.589606 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Feb 12 20:10:34.589618 osdx hostapd[470962]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 12 20:10:34.601910 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Feb 12 20:10:34.601933 osdx hostapd[470962]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 12 20:10:34.601937 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 12 20:10:34.601939 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 12 20:10:34.601952 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Feb 12 20:10:34.601954 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Feb 12 20:10:34.601961 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Feb 12 20:10:34.601968 osdx hostapd[470962]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 12 20:10:34.601985 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 194)
Feb 12 20:10:34.602328 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=194 len=12) from STA: EAP Response-Identity (1)
Feb 12 20:10:34.602340 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Feb 12 20:10:34.602364 osdx hostapd[470962]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:10:34.604110 osdx hostapd[470962]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:34.604141 osdx hostapd[470962]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:34.604372 osdx hostapd[470962]: eth2: RADIUS Received 80 bytes from RADIUS server
Feb 12 20:10:34.604377 osdx hostapd[470962]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:34.604380 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:34.604398 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=195 len=22) from RADIUS server: EAP-Request-MD5 (4)
Feb 12 20:10:34.604404 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 195)
Feb 12 20:10:34.604590 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=195 len=6) from STA: EAP Response-unknown (3)
Feb 12 20:10:34.604632 osdx hostapd[470962]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:34.604645 osdx hostapd[470962]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:34.604850 osdx hostapd[470962]: eth2: RADIUS Received 64 bytes from RADIUS server
Feb 12 20:10:34.604855 osdx hostapd[470962]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:34.604858 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:34.604872 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=196 len=6) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:34.604877 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 196)
Feb 12 20:10:34.605236 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=196 len=194) from STA: EAP Response-PEAP (25)
Feb 12 20:10:34.605273 osdx hostapd[470962]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:34.605285 osdx hostapd[470962]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:34.606161 osdx hostapd[470962]: eth2: RADIUS Received 1068 bytes from RADIUS server
Feb 12 20:10:34.606168 osdx hostapd[470962]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:34.606171 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:34.606190 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=197 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:34.606196 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 197)
Feb 12 20:10:34.606355 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=197 len=6) from STA: EAP Response-PEAP (25)
Feb 12 20:10:34.606392 osdx hostapd[470962]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:34.606404 osdx hostapd[470962]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:34.606519 osdx hostapd[470962]: eth2: RADIUS Received 229 bytes from RADIUS server
Feb 12 20:10:34.606523 osdx hostapd[470962]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:34.606526 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:34.606538 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=198 len=171) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:34.606544 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 198)
Feb 12 20:10:34.608351 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=198 len=103) from STA: EAP Response-PEAP (25)
Feb 12 20:10:34.608399 osdx hostapd[470962]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:34.608412 osdx hostapd[470962]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:34.608695 osdx hostapd[470962]: eth2: RADIUS Received 115 bytes from RADIUS server
Feb 12 20:10:34.608700 osdx hostapd[470962]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:34.608703 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:34.608724 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=199 len=57) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:34.608729 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 199)
Feb 12 20:10:34.609010 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=199 len=6) from STA: EAP Response-PEAP (25)
Feb 12 20:10:34.609049 osdx hostapd[470962]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:34.609062 osdx hostapd[470962]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:34.609193 osdx hostapd[470962]: eth2: RADIUS Received 98 bytes from RADIUS server
Feb 12 20:10:34.609200 osdx hostapd[470962]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:34.609203 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:34.609230 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=200 len=40) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:34.609236 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 200)
Feb 12 20:10:34.609419 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=200 len=43) from STA: EAP Response-PEAP (25)
Feb 12 20:10:34.609460 osdx hostapd[470962]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:34.609472 osdx hostapd[470962]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:34.609624 osdx hostapd[470962]: eth2: RADIUS Received 131 bytes from RADIUS server
Feb 12 20:10:34.609630 osdx hostapd[470962]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:34.609634 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:34.609649 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=201 len=73) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:34.609655 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 201)
Feb 12 20:10:34.609908 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=201 len=97) from STA: EAP Response-PEAP (25)
Feb 12 20:10:34.609947 osdx hostapd[470962]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:34.609957 osdx hostapd[470962]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:34.610154 osdx hostapd[470962]: eth2: RADIUS Received 140 bytes from RADIUS server
Feb 12 20:10:34.610159 osdx hostapd[470962]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:34.610163 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:34.610177 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=202 len=82) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:34.610183 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 202)
Feb 12 20:10:34.610374 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=202 len=37) from STA: EAP Response-PEAP (25)
Feb 12 20:10:34.610408 osdx hostapd[470962]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:34.610417 osdx hostapd[470962]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:34.610546 osdx hostapd[470962]: eth2: RADIUS Received 104 bytes from RADIUS server
Feb 12 20:10:34.610550 osdx hostapd[470962]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:34.610554 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:34.610576 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=203 len=46) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:34.610582 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 203)
Feb 12 20:10:34.610735 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=203 len=46) from STA: EAP Response-PEAP (25)
Feb 12 20:10:34.610768 osdx hostapd[470962]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:34.610777 osdx hostapd[470962]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:34.610943 osdx hostapd[470962]: eth2: RADIUS Received 175 bytes from RADIUS server
Feb 12 20:10:34.610948 osdx hostapd[470962]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:34.610952 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:34.610973 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Feb 12 20:10:34.610978 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=203 len=4) from RADIUS server: EAP Success
Feb 12 20:10:34.611053 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 203)
Feb 12 20:10:34.611069 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 12 20:10:34.611073 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 1CB665372F6CAEEB
Feb 12 20:10:34.611077 osdx hostapd[470962]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Successful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address. Because the 802.1x exchange succeeds, the port is authorized without falling back to MAB.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/y/N8bqPfLbYsr2U7EXmOL23Y5lnIZ2K2zkmnb8E72C1HfRaYkqzTRoZfKMojkA1jTms24WLnlTQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.218 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.218/0.218/0.218/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19ZFMTOdenXOPxMCpzITP63Mfa/3Wo4BdQ=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                    Value
---------------------------------------------------
EAP State                SUCCESS
EAP TLS Cipher           ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version          TLSv1.2
PAE State                AUTHENTICATED
Supplicant Port Status   Authorized
WPA State                COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.286 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.286/0.286/0.286/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Feb 12 20:10:43.652324 osdx hostapd[471486]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 12 20:10:43.652341 osdx hostapd[471486]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:10:43.652636 osdx hostapd[471486]: connect[radius]: Network is unreachable
Feb 12 20:10:43.652403 osdx hostapd[471486]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 12 20:10:43.652407 osdx hostapd[471486]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 12 20:10:43.676142 osdx hostapd[471486]: Discovery mode enabled on eth2
Feb 12 20:10:43.676236 osdx hostapd[471486]: eth2: interface state UNINITIALIZED->ENABLED
Feb 12 20:10:43.676236 osdx hostapd[471486]: eth2: AP-ENABLED
Feb 12 20:10:46.800909 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Feb 12 20:10:46.800924 osdx hostapd[471487]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 12 20:10:46.816178 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Feb 12 20:10:46.816204 osdx hostapd[471487]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 12 20:10:46.816207 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 12 20:10:46.816210 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 12 20:10:46.816224 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Feb 12 20:10:46.816226 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Feb 12 20:10:46.816233 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Feb 12 20:10:46.816240 osdx hostapd[471487]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 12 20:10:46.816256 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 203)
Feb 12 20:10:46.816611 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=203 len=12) from STA: EAP Response-Identity (1)
Feb 12 20:10:46.816628 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Feb 12 20:10:46.816658 osdx hostapd[471487]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:10:46.818448 osdx hostapd[471487]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:46.818475 osdx hostapd[471487]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:46.818724 osdx hostapd[471487]: eth2: RADIUS Received 80 bytes from RADIUS server
Feb 12 20:10:46.818729 osdx hostapd[471487]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:46.818732 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:46.818751 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=204 len=22) from RADIUS server: EAP-Request-MD5 (4)
Feb 12 20:10:46.818757 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 204)
Feb 12 20:10:46.818970 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=204 len=6) from STA: EAP Response-unknown (3)
Feb 12 20:10:46.819030 osdx hostapd[471487]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:46.819045 osdx hostapd[471487]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:46.819204 osdx hostapd[471487]: eth2: RADIUS Received 64 bytes from RADIUS server
Feb 12 20:10:46.819210 osdx hostapd[471487]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:46.819214 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:46.819230 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=205 len=6) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:46.819237 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 205)
Feb 12 20:10:46.819574 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=205 len=194) from STA: EAP Response-PEAP (25)
Feb 12 20:10:46.819612 osdx hostapd[471487]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:46.819623 osdx hostapd[471487]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:46.820477 osdx hostapd[471487]: eth2: RADIUS Received 1068 bytes from RADIUS server
Feb 12 20:10:46.820484 osdx hostapd[471487]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:46.820487 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:46.820506 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=206 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:46.820512 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 206)
Feb 12 20:10:46.820704 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=206 len=6) from STA: EAP Response-PEAP (25)
Feb 12 20:10:46.820754 osdx hostapd[471487]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:46.820769 osdx hostapd[471487]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:46.820889 osdx hostapd[471487]: eth2: RADIUS Received 229 bytes from RADIUS server
Feb 12 20:10:46.820894 osdx hostapd[471487]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:46.820898 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:46.820915 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=207 len=171) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:46.820922 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 207)
Feb 12 20:10:46.822222 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=207 len=103) from STA: EAP Response-PEAP (25)
Feb 12 20:10:46.822264 osdx hostapd[471487]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:46.822275 osdx hostapd[471487]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:46.822501 osdx hostapd[471487]: eth2: RADIUS Received 115 bytes from RADIUS server
Feb 12 20:10:46.822506 osdx hostapd[471487]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:46.822510 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:46.822527 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=208 len=57) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:46.822533 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 208)
Feb 12 20:10:46.822746 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=208 len=6) from STA: EAP Response-PEAP (25)
Feb 12 20:10:46.822776 osdx hostapd[471487]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:46.822783 osdx hostapd[471487]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:46.822900 osdx hostapd[471487]: eth2: RADIUS Received 98 bytes from RADIUS server
Feb 12 20:10:46.822905 osdx hostapd[471487]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:46.822908 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:46.822921 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=209 len=40) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:46.822925 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 209)
Feb 12 20:10:46.823064 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=209 len=43) from STA: EAP Response-PEAP (25)
Feb 12 20:10:46.823093 osdx hostapd[471487]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:46.823101 osdx hostapd[471487]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:46.823244 osdx hostapd[471487]: eth2: RADIUS Received 131 bytes from RADIUS server
Feb 12 20:10:46.823248 osdx hostapd[471487]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:46.823251 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:46.823261 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=210 len=73) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:46.823266 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 210)
Feb 12 20:10:46.823470 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=210 len=97) from STA: EAP Response-PEAP (25)
Feb 12 20:10:46.823498 osdx hostapd[471487]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:46.823506 osdx hostapd[471487]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:46.823661 osdx hostapd[471487]: eth2: RADIUS Received 140 bytes from RADIUS server
Feb 12 20:10:46.823666 osdx hostapd[471487]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:46.823670 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:46.823681 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=211 len=82) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:46.823686 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 211)
Feb 12 20:10:46.823809 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=211 len=37) from STA: EAP Response-PEAP (25)
Feb 12 20:10:46.823845 osdx hostapd[471487]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:46.823855 osdx hostapd[471487]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:46.823980 osdx hostapd[471487]: eth2: RADIUS Received 104 bytes from RADIUS server
Feb 12 20:10:46.823984 osdx hostapd[471487]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:46.823987 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:46.823998 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=212 len=46) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:46.824002 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 212)
Feb 12 20:10:46.824137 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=212 len=46) from STA: EAP Response-PEAP (25)
Feb 12 20:10:46.824166 osdx hostapd[471487]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:46.824175 osdx hostapd[471487]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:46.824314 osdx hostapd[471487]: eth2: RADIUS Received 175 bytes from RADIUS server
Feb 12 20:10:46.824319 osdx hostapd[471487]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:46.824323 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:46.824339 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Feb 12 20:10:46.824342 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=212 len=4) from RADIUS server: EAP Success
Feb 12 20:10:46.824415 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 212)
Feb 12 20:10:46.824429 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Feb 12 20:10:46.824432 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session DD5B62EAA184AC25
Feb 12 20:10:46.824435 osdx hostapd[471487]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/KBEP/KG7ADLpMcmCEhUvAjXBLDPAp2rSkNRf2fkIVV81N5tad2YVaT6EIVk7cO1wk4IgV+bmN0A==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.330 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.330/0.330/0.330/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/fUSoB0vyN56e/PgqPrclpyQdmQCfkEIE=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB

-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        8
Authentication Backend   RADIUS
Authentication Failures  1
Authentication Mode      MAB
Authentication Status    Authorized (MAB)
Authentication Successes 1
EAPoL frames (Rx)        10
EAPoL frames (Tx)        10
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         de:ad:be:ef:6c:12
Session User Name        wrong
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.739 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.739/0.739/0.739/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Feb 12 20:10:56.519669 osdx hostapd[472010]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 12 20:10:56.519681 osdx hostapd[472010]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:10:56.519955 osdx hostapd[472010]: connect[radius]: Network is unreachable
Feb 12 20:10:56.519728 osdx hostapd[472010]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 12 20:10:56.519731 osdx hostapd[472010]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 12 20:10:56.551489 osdx hostapd[472010]: Discovery mode enabled on eth2
Feb 12 20:10:56.551568 osdx hostapd[472010]: eth2: interface state UNINITIALIZED->ENABLED
Feb 12 20:10:56.551568 osdx hostapd[472010]: eth2: AP-ENABLED
Feb 12 20:10:59.760250 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Feb 12 20:10:59.760265 osdx hostapd[472011]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 12 20:10:59.775584 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Feb 12 20:10:59.775622 osdx hostapd[472011]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 12 20:10:59.775627 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 12 20:10:59.775631 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 12 20:10:59.775649 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Feb 12 20:10:59.775652 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Feb 12 20:10:59.775667 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Feb 12 20:10:59.775675 osdx hostapd[472011]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 12 20:10:59.775701 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 181)
Feb 12 20:10:59.776154 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=181 len=10) from STA: EAP Response-Identity (1)
Feb 12 20:10:59.776168 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong'
Feb 12 20:10:59.776205 osdx hostapd[472011]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:10:59.778660 osdx hostapd[472011]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:59.778699 osdx hostapd[472011]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:59.779009 osdx hostapd[472011]: eth2: RADIUS Received 80 bytes from RADIUS server
Feb 12 20:10:59.779017 osdx hostapd[472011]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:59.779022 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:59.779045 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=182 len=22) from RADIUS server: EAP-Request-MD5 (4)
Feb 12 20:10:59.779054 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 182)
Feb 12 20:10:59.779403 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=182 len=6) from STA: EAP Response-unknown (3)
Feb 12 20:10:59.779471 osdx hostapd[472011]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:59.779487 osdx hostapd[472011]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:59.779692 osdx hostapd[472011]: eth2: RADIUS Received 64 bytes from RADIUS server
Feb 12 20:10:59.779699 osdx hostapd[472011]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:59.779703 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:59.779732 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=183 len=6) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:59.779742 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 183)
Feb 12 20:10:59.780182 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=183 len=194) from STA: EAP Response-PEAP (25)
Feb 12 20:10:59.780235 osdx hostapd[472011]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:59.780250 osdx hostapd[472011]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:59.781373 osdx hostapd[472011]: eth2: RADIUS Received 1068 bytes from RADIUS server
Feb 12 20:10:59.781382 osdx hostapd[472011]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:59.781386 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:59.781418 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=184 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:59.781428 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 184)
Feb 12 20:10:59.781697 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=184 len=6) from STA: EAP Response-PEAP (25)
Feb 12 20:10:59.781758 osdx hostapd[472011]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:59.781774 osdx hostapd[472011]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:59.781958 osdx hostapd[472011]: eth2: RADIUS Received 229 bytes from RADIUS server
Feb 12 20:10:59.781965 osdx hostapd[472011]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:59.781970 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:59.781991 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=185 len=171) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:59.781998 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 185)
Feb 12 20:10:59.783746 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=185 len=103) from STA: EAP Response-PEAP (25)
Feb 12 20:10:59.783824 osdx hostapd[472011]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:59.783843 osdx hostapd[472011]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:59.784413 osdx hostapd[472011]: eth2: RADIUS Received 115 bytes from RADIUS server
Feb 12 20:10:59.784423 osdx hostapd[472011]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:59.784429 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:59.784458 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=186 len=57) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:59.784467 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 186)
Feb 12 20:10:59.784835 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=186 len=6) from STA: EAP Response-PEAP (25)
Feb 12 20:10:59.784894 osdx hostapd[472011]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:59.784909 osdx hostapd[472011]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:59.785093 osdx hostapd[472011]: eth2: RADIUS Received 98 bytes from RADIUS server
Feb 12 20:10:59.785099 osdx hostapd[472011]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:59.785103 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:59.785136 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=187 len=40) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:59.785143 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 187)
Feb 12 20:10:59.785416 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=187 len=41) from STA: EAP Response-PEAP (25)
Feb 12 20:10:59.785465 osdx hostapd[472011]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:59.785480 osdx hostapd[472011]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:59.785662 osdx hostapd[472011]: eth2: RADIUS Received 131 bytes from RADIUS server
Feb 12 20:10:59.785667 osdx hostapd[472011]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:59.785670 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:59.785687 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=188 len=73) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:59.785694 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 188)
Feb 12 20:10:59.786008 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=188 len=95) from STA: EAP Response-PEAP (25)
Feb 12 20:10:59.786057 osdx hostapd[472011]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:59.786073 osdx hostapd[472011]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:10:59.786269 osdx hostapd[472011]: eth2: RADIUS Received 104 bytes from RADIUS server
Feb 12 20:10:59.786275 osdx hostapd[472011]: eth2: RADIUS Received RADIUS message
Feb 12 20:10:59.786280 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:10:59.786300 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=189 len=46) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:10:59.786307 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 189)
Feb 12 20:10:59.786524 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=189 len=46) from STA: EAP Response-PEAP (25)
Feb 12 20:10:59.786568 osdx hostapd[472011]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:10:59.786583 osdx hostapd[472011]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:00.786677 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=8)
Feb 12 20:11:00.786716 osdx hostapd[472011]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 12 20:11:00.786898 osdx hostapd[472011]: eth2: RADIUS Received 44 bytes from RADIUS server
Feb 12 20:11:00.786902 osdx hostapd[472011]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:00.786908 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:00.786958 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=4 id=189 len=4) from RADIUS server: EAP Failure
Feb 12 20:11:00.786986 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 189)
Feb 12 20:11:00.787001 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Feb 12 20:11:00.787006 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Feb 12 20:11:00.787009 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Feb 12 20:11:00.787015 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Feb 12 20:11:00.787046 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Feb 12 20:11:00.787054 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Feb 12 20:11:00.787068 osdx hostapd[472011]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:00.787080 osdx hostapd[472011]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:00.787092 osdx hostapd[472011]: eth2: RADIUS Received 44 bytes from RADIUS server
Feb 12 20:11:00.787096 osdx hostapd[472011]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:00.787117 osdx hostapd[472011]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Feb 12 20:11:00.787575 osdx hostapd[472011]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 12 20:11:00.787581 osdx hostapd[472011]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:00.787585 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:00.787590 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Feb 12 20:11:00.787617 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Feb 12 20:11:00.787621 osdx hostapd[472011]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 12 20:11:00.787630 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 12 20:11:00.787634 osdx hostapd[472011]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 4859FDA156766FB5
Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18ckT0xJ6BcCNy7uE44xjRjbxTfrO4eiVMp/X46rHcpCfbuDoUUkzx6aNpznnEo4vcA9keSXIwdxA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.274 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.274/0.274/0.274/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19r1if0QWpHtr1s/Nw0raFmC4ZMpDddU7M=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Unauthorized

---------------------------------
Field                Value
---------------------------------
EAPoL Frames (Rx)    10
EAPoL Frames (Tx)    10
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Unauthorized
Req Frames (Rx)      8
Req ID Frames (Rx)   1
Resp Frames (Tx)     9
Start Frames (Tx)    1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?

-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        8
Authentication Backend   RADIUS
Authentication Failures  1
Authentication Mode      N/A
Authentication Status    Unauthorized
Authentication Successes 0
EAPoL frames (Rx)        10
EAPoL frames (Tx)        10
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         00:11:22:33:44:55
Session User Name        N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Feb 12 20:11:08.567532 osdx hostapd[472538]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 12 20:11:08.567549 osdx hostapd[472538]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:11:08.567848 osdx hostapd[472538]: connect[radius]: Network is unreachable
Feb 12 20:11:08.567596 osdx hostapd[472538]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 12 20:11:08.567599 osdx hostapd[472538]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 12 20:11:08.584789 osdx hostapd[472538]: Discovery mode enabled on eth2
Feb 12 20:11:08.584884 osdx hostapd[472538]: eth2: interface state UNINITIALIZED->ENABLED
Feb 12 20:11:08.584884 osdx hostapd[472538]: eth2: AP-ENABLED
Feb 12 20:11:11.966514 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Feb 12 20:11:11.966531 osdx hostapd[472539]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 12 20:11:11.980855 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Feb 12 20:11:11.980891 osdx hostapd[472539]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 12 20:11:11.980897 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 12 20:11:11.980900 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 12 20:11:11.980918 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Feb 12 20:11:11.980922 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Feb 12 20:11:11.980940 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Feb 12 20:11:11.980949 osdx hostapd[472539]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 12 20:11:11.980979 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 148)
Feb 12 20:11:11.981387 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=148 len=10) from STA: EAP Response-Identity (1)
Feb 12 20:11:11.981399 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Feb 12 20:11:11.981425 osdx hostapd[472539]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:11:11.983862 osdx hostapd[472539]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:11.983896 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:11.984160 osdx hostapd[472539]: eth2: RADIUS Received 80 bytes from RADIUS server
Feb 12 20:11:11.984168 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:11.984173 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:11.984195 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=149 len=22) from RADIUS server: EAP-Request-MD5 (4)
Feb 12 20:11:11.984204 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 149)
Feb 12 20:11:11.984517 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=149 len=6) from STA: EAP Response-unknown (3)
Feb 12 20:11:11.984565 osdx hostapd[472539]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:11.984580 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:11.984783 osdx hostapd[472539]: eth2: RADIUS Received 64 bytes from RADIUS server
Feb 12 20:11:11.984788 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:11.984792 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:11.984806 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=150 len=6) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:11:11.984813 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 150)
Feb 12 20:11:11.985220 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=150 len=194) from STA: EAP Response-PEAP (25)
Feb 12 20:11:11.985262 osdx hostapd[472539]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:11.985275 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:11.986175 osdx hostapd[472539]: eth2: RADIUS Received 1068 bytes from RADIUS server
Feb 12 20:11:11.986182 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:11.986186 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:11.986208 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=151 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:11:11.986216 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 151)
Feb 12 20:11:11.986412 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=151 len=6) from STA: EAP Response-PEAP (25)
Feb 12 20:11:11.986462 osdx hostapd[472539]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:11.986475 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:11.986599 osdx hostapd[472539]: eth2: RADIUS Received 229 bytes from RADIUS server
Feb 12 20:11:11.986606 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:11.986610 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:11.986626 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=152 len=171) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:11:11.986633 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 152)
Feb 12 20:11:11.988497 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=152 len=103) from STA: EAP Response-PEAP (25)
Feb 12 20:11:11.988559 osdx hostapd[472539]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:11.988576 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:11.988834 osdx hostapd[472539]: eth2: RADIUS Received 115 bytes from RADIUS server
Feb 12 20:11:11.988839 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:11.988842 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:11.988856 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=153 len=57) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:11:11.988861 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 153)
Feb 12 20:11:11.989145 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=153 len=6) from STA: EAP Response-PEAP (25)
Feb 12 20:11:11.989181 osdx hostapd[472539]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:11.989192 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:11.989327 osdx hostapd[472539]: eth2: RADIUS Received 98 bytes from RADIUS server
Feb 12 20:11:11.989331 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:11.989334 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:11.989347 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=154 len=40) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:11:11.989353 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 154)
Feb 12 20:11:11.989534 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=154 len=41) from STA: EAP Response-PEAP (25)
Feb 12 20:11:11.989568 osdx hostapd[472539]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:11.989576 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:11.989750 osdx hostapd[472539]: eth2: RADIUS Received 131 bytes from RADIUS server
Feb 12 20:11:11.989757 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:11.989761 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:11.989784 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=155 len=73) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:11:11.989792 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 155)
Feb 12 20:11:11.990060 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=155 len=95) from STA: EAP Response-PEAP (25)
Feb 12 20:11:11.990103 osdx hostapd[472539]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:11.990115 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:11.990291 osdx hostapd[472539]: eth2: RADIUS Received 104 bytes from RADIUS server
Feb 12 20:11:11.990297 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:11.990301 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:11.990316 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=156 len=46) from RADIUS server: EAP-Request-PEAP (25)
Feb 12 20:11:11.990322 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 156)
Feb 12 20:11:11.990535 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=156 len=46) from STA: EAP Response-PEAP (25)
Feb 12 20:11:11.990584 osdx hostapd[472539]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:11.990596 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:12.990710 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Feb 12 20:11:12.990744 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 12 20:11:12.990968 osdx hostapd[472539]: eth2: RADIUS Received 44 bytes from RADIUS server
Feb 12 20:11:12.990974 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:12.990983 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:12.991043 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=156 len=4) from RADIUS server: EAP Failure
Feb 12 20:11:12.991072 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 156)
Feb 12 20:11:12.991093 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Feb 12 20:11:12.991097 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Feb 12 20:11:12.991101 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Feb 12 20:11:12.991106 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Feb 12 20:11:12.991138 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Feb 12 20:11:12.991147 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Feb 12 20:11:12.991161 osdx hostapd[472539]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:12.991176 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:12.991190 osdx hostapd[472539]: eth2: RADIUS Received 44 bytes from RADIUS server
Feb 12 20:11:12.991197 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:12.991201 osdx hostapd[472539]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Feb 12 20:11:13.991275 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Feb 12 20:11:13.991314 osdx hostapd[472539]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 12 20:11:13.991468 osdx hostapd[472539]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 12 20:11:13.991472 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:13.991477 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:13.991482 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Feb 12 20:11:13.991539 osdx hostapd[472539]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 12 20:11:13.991543 osdx hostapd[472539]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 12 20:11:13.991546 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Feb 12 20:11:13.991550 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Feb 12 20:11:13.991558 osdx hostapd[472539]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 12 20:11:13.991561 osdx hostapd[472539]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:13.991565 osdx hostapd[472539]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Test Unsupported 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+hiDCsi9O5SUr2Xh+y/tmcE7QXVy50OebMF7xncEv+J3tJZai2G8Oij2vmhnJ2tSTRudvn0oB6PQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.197 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.197/0.197/0.197/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.387 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.387/0.387/0.387/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                      Value
-------------------------------------------
Access Challenges          0
Authentication Backend     RADIUS
Authentication Failures    0
Authentication Mode        MAB
Authentication Status      Authorized (MAB)
Authentication Successes   1
EAPoL frames (Rx)          0
EAPoL frames (Tx)          4
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           de:ad:be:ef:6c:12
Session User Name          N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.249 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.249/0.249/0.249/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Feb 12 20:11:22.560601 osdx hostapd[473052]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 12 20:11:22.560613 osdx hostapd[473052]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:11:22.560826 osdx hostapd[473052]: connect[radius]: Network is unreachable
Feb 12 20:11:22.560649 osdx hostapd[473052]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 12 20:11:22.560652 osdx hostapd[473052]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 12 20:11:22.580485 osdx hostapd[473052]: Discovery mode enabled on eth2
Feb 12 20:11:22.580538 osdx hostapd[473052]: eth2: interface state UNINITIALIZED->ENABLED
Feb 12 20:11:22.580538 osdx hostapd[473052]: eth2: AP-ENABLED
Feb 12 20:11:27.580864 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Feb 12 20:11:27.580913 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Feb 12 20:11:27.580924 osdx hostapd[473053]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 12 20:11:27.596586 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Feb 12 20:11:27.596623 osdx hostapd[473053]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 12 20:11:27.596628 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 12 20:11:27.596632 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 12 20:11:27.596654 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Feb 12 20:11:27.596663 osdx hostapd[473053]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 12 20:11:27.596699 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 61)
Feb 12 20:11:30.598847 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 61)
Feb 12 20:11:36.603830 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 61)
Feb 12 20:11:48.613794 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Feb 12 20:11:48.613802 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Feb 12 20:11:48.613806 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Feb 12 20:11:48.613841 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Feb 12 20:11:48.615503 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Feb 12 20:11:48.615515 osdx hostapd[473053]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:11:48.615580 osdx hostapd[473053]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:11:48.615605 osdx hostapd[473053]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:11:48.615623 osdx hostapd[473053]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 12 20:11:48.615639 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 213)
Feb 12 20:11:48.615910 osdx hostapd[473053]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 12 20:11:48.615917 osdx hostapd[473053]: eth2: RADIUS Received RADIUS message
Feb 12 20:11:48.615921 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:11:48.615926 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Feb 12 20:11:48.615960 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Feb 12 20:11:48.615963 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Feb 12 20:11:48.615967 osdx hostapd[473053]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 12 20:11:48.615976 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 12 20:11:48.615980 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 9621B9B0A87CD758
Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18vaWm8/w6yPg7yjXyw08cgiaWknTCz4R4eA4Omne/CQRdB/DHTSeI8AwKH4mIED+cHXMbEJk/neQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.205 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                      Value
-------------------------------------------
Access Challenges          0
Authentication Backend     RADIUS
Authentication Failures    2
Authentication Mode        N/A
Authentication Status      Unauthorized
Authentication Successes   0
EAPoL frames (Rx)          0
EAPoL frames (Tx)          4
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           00:11:22:33:44:55
Session User Name          N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Feb 12 20:11:59.295176 osdx hostapd[473618]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 12 20:11:59.295199 osdx hostapd[473618]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:11:59.295460 osdx hostapd[473618]: connect[radius]: Network is unreachable
Feb 12 20:11:59.295254 osdx hostapd[473618]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 12 20:11:59.295258 osdx hostapd[473618]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 12 20:11:59.311007 osdx hostapd[473618]: Discovery mode enabled on eth2
Feb 12 20:11:59.311068 osdx hostapd[473618]: eth2: interface state UNINITIALIZED->ENABLED
Feb 12 20:11:59.311068 osdx hostapd[473618]: eth2: AP-ENABLED
Feb 12 20:12:04.311373 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Feb 12 20:12:04.311413 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Feb 12 20:12:04.311428 osdx hostapd[473619]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 12 20:12:04.327034 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Feb 12 20:12:04.327056 osdx hostapd[473619]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 12 20:12:04.327059 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 12 20:12:04.327062 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 12 20:12:04.327075 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Feb 12 20:12:04.327082 osdx hostapd[473619]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 12 20:12:04.327103 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 237)
Feb 12 20:12:07.329353 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 237)
Feb 12 20:12:13.334342 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 237)
Feb 12 20:12:25.343362 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Feb 12 20:12:25.343371 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Feb 12 20:12:25.343376 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Feb 12 20:12:25.343408 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Feb 12 20:12:25.345096 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Feb 12 20:12:25.345107 osdx hostapd[473619]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 12 20:12:25.345174 osdx hostapd[473619]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 12 20:12:25.345204 osdx hostapd[473619]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 12 20:12:25.345221 osdx hostapd[473619]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 12 20:12:25.345237 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 26)
Feb 12 20:12:26.345328 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Feb 12 20:12:26.345373 osdx hostapd[473619]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 12 20:12:26.345551 osdx hostapd[473619]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 12 20:12:26.345555 osdx hostapd[473619]: eth2: RADIUS Received RADIUS message
Feb 12 20:12:26.345558 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 12 20:12:26.345562 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Feb 12 20:12:26.345602 osdx hostapd[473619]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 12 20:12:26.345604 osdx hostapd[473619]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 12 20:12:26.345607 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Feb 12 20:12:26.345609 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Feb 12 20:12:26.345615 osdx hostapd[473619]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 12 20:12:26.345617 osdx hostapd[473619]: eth2: RADIUS Received RADIUS message
Feb 12 20:12:26.345620 osdx hostapd[473619]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
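The journal token checks in the MAB fallback scenarios above, extended into a per-station summary (an added example, not part of the OSDx documentation): it parses hostapd entries in the format shown on this page and reports why MAB fallback was triggered, the MAB result, and the time from "start authentication" to the decision. The function and field names are hypothetical, the year used to parse timestamps is an assumption, and password_logged marks attempts whose MAB User-Password line reached the journal at log-level debug.

```python
import re
from datetime import datetime

# Constructed sample: entries copied from the journal output on this page.
SAMPLE = """\
Feb 12 20:11:12.991101 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Feb 12 20:11:12.991147 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Feb 12 20:11:13.991546 osdx hostapd[472539]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Feb 12 20:11:27.596586 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Feb 12 20:11:27.596663 osdx hostapd[473053]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 12 20:11:48.613802 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Feb 12 20:11:48.615503 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Feb 12 20:11:48.615963 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Feb 12 20:11:48.615976 osdx hostapd[473053]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 12 20:12:04.327034 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Feb 12 20:12:25.343371 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Feb 12 20:12:26.345607 osdx hostapd[473619]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
"""

ENTRY = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) \S+ hostapd\[\d+\]: (?P<iface>\S+): "
    r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) [^:]+: (?P<msg>.*)$")
PAE_GROUP = "01:80:c2:00:00:03"  # 802.1X group address, not a real station
TRIGGERS = {"802.1X authentication failed, triggering MAB": "802.1x-failed",
            "EAP max retrans reached, triggering MAB": "no-802.1x-response"}
RESULTS = {"MAB: station successfully authenticated": "authorized-by-mab",
           "MAB: Authentication failed": "mab-rejected"}

def _ts(text, year=2000):  # year is an assumption: journal timestamps omit it
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S.%f")

def _new(key, start=None):
    return {"iface": key[0], "mac": key[1], "start": start, "trigger": None,
            "result": "pending", "password_logged": False}

def _close(rec, when=None):
    start = rec.pop("start")
    rec["seconds"] = round((when - start).total_seconds(), 3) if start and when else None
    return rec

def _label(table, msg, default=None):
    return next((v for k, v in table.items() if msg.startswith(k)), default)

def summarize(log_text):
    """One record per authentication attempt that reached MAB fallback."""
    live, done = {}, []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m["mac"] == PAE_GROUP:
            continue
        key, msg, when = (m["iface"], m["mac"]), m["msg"], _ts(m["ts"])
        if msg == "start authentication":
            if key in live and live[key]["trigger"]:
                done.append(_close(live.pop(key)))  # superseded, never decided
            live[key] = _new(key, when)
            continue
        # A log that starts mid-attempt has no start line; track it anyway.
        rec = live.setdefault(key, _new(key))
        rec["password_logged"] |= msg.startswith("MAB: User-Password =")
        rec["trigger"] = _label(TRIGGERS, msg, rec["trigger"])
        result = _label(RESULTS, msg)
        if result:
            rec["result"] = result
            done.append(_close(live.pop(key), when))
    return done + [_close(r) for r in live.values() if r["trigger"]]

def authorized_by_mab(records):
    """MACs admitted on the MAC address alone: the sessions to review."""
    return [r["mac"] for r in records if r["result"] == "authorized-by-mab"]
```

Stations reported as authorized-by-mab were admitted on the MAC address alone (the journal shows it sent as both User-Name and User-Password), so those are the entries to compare against the expected device inventory.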