Mab First
This scenario shows how to configure the MAB-first
authentication mode.
Test Successful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19Ft3LNpmfefCQ5ZlJ8UJwQgWPDAS0fqwwW6U8Ld+WK73jgSXax+ylG5Cgfq2q1Jl3q+i2oKhGgvQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.205 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+CHLodp4vSiw8h/HRcmAAiFI6pd5oRZZA= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 1 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.239 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.239/0.239/0.239/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Feb 12 20:12:37.419080 osdx hostapd[474176]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Feb 12 20:12:37.419093 osdx hostapd[474176]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:12:37.419420 osdx hostapd[474176]: connect[radius]: Network is unreachable Feb 12 20:12:37.419135 osdx hostapd[474176]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Feb 12 20:12:37.419138 osdx hostapd[474176]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Feb 12 20:12:37.442961 osdx hostapd[474176]: Discovery mode enabled on eth2 Feb 12 20:12:37.443054 osdx hostapd[474176]: eth2: interface state UNINITIALIZED->ENABLED Feb 12 20:12:37.443054 osdx hostapd[474176]: eth2: AP-ENABLED Feb 12 20:12:40.487666 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Feb 12 20:12:40.487681 osdx hostapd[474177]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Feb 12 20:12:40.503009 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Feb 12 20:12:40.503049 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Feb 12 20:12:40.503068 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Feb 12 20:12:40.505437 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Feb 12 20:12:40.505452 osdx hostapd[474177]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:12:40.505544 osdx hostapd[474177]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:12:40.505577 osdx hostapd[474177]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:12:40.505608 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Feb 12 20:12:40.505908 osdx hostapd[474177]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:12:40.505917 osdx hostapd[474177]: eth2: RADIUS Received RADIUS message Feb 12 20:12:40.505922 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:12:40.505927 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Feb 12 20:12:40.505948 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Feb 12 20:12:40.505951 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Feb 12 20:12:40.505955 osdx hostapd[474177]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Feb 12 20:12:40.505967 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Feb 12 20:12:40.505970 osdx hostapd[474177]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 2AF7612079C3429F
Test Successful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18aPvLN8zkRtUPpuQ3wEq1P6x7M2qZo4vx/E9irfbypoLWoRRZQvXkKH+odROFghUzK3U+whzB81Q== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.255 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.255/0.255/0.255/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19Wnha7KTQBz+ONGRaUFGDPLLT2U8NHIJA= set interfaces ethernet eth2 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 1 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.238 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.238/0.238/0.238/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Feb 12 20:12:49.129444 osdx hostapd[474699]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Feb 12 20:12:49.129465 osdx hostapd[474699]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:12:49.129701 osdx hostapd[474699]: connect[radius]: Network is unreachable Feb 12 20:12:49.129508 osdx hostapd[474699]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Feb 12 20:12:49.129511 osdx hostapd[474699]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Feb 12 20:12:49.149307 osdx hostapd[474699]: Discovery mode enabled on eth2 Feb 12 20:12:49.149358 osdx hostapd[474699]: eth2: interface state UNINITIALIZED->ENABLED Feb 12 20:12:49.149358 osdx hostapd[474699]: eth2: AP-ENABLED Feb 12 20:12:52.257051 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Feb 12 20:12:52.257064 osdx hostapd[474700]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Feb 12 20:12:52.277459 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Feb 12 20:12:52.277526 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Feb 12 20:12:52.277575 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Feb 12 20:12:52.281909 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Feb 12 20:12:52.281935 osdx hostapd[474700]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:12:52.282111 osdx hostapd[474700]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:12:52.282167 osdx hostapd[474700]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:12:52.282218 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Feb 12 20:12:52.282773 osdx hostapd[474700]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:12:52.282786 osdx hostapd[474700]: eth2: RADIUS Received RADIUS message Feb 12 20:12:52.282794 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:12:52.282802 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Feb 12 20:12:52.282846 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Feb 12 20:12:52.282854 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Feb 12 20:12:52.282862 osdx hostapd[474700]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Feb 12 20:12:52.282884 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Feb 12 20:12:52.282892 osdx hostapd[474700]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session E31B5E8BE791CC65
Test Successful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/FCwhJUoIf6oa29TzmRH2IcqJ8AFH0EeH2p1LLLjsaoin7JWpfiA5ns7uraOzMlL0benYMlLGRfA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.241 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.241/0.241/0.241/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.393 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.393/0.393/0.393/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.269 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.269/0.269/0.269/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Feb 12 20:13:00.325315 osdx hostapd[475222]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Feb 12 20:13:00.325328 osdx hostapd[475222]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:13:00.325565 osdx hostapd[475222]: connect[radius]: Network is unreachable Feb 12 20:13:00.325366 osdx hostapd[475222]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Feb 12 20:13:00.325369 osdx hostapd[475222]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Feb 12 20:13:00.353172 osdx hostapd[475222]: Discovery mode enabled on eth2 Feb 12 20:13:00.353250 osdx hostapd[475222]: eth2: interface state UNINITIALIZED->ENABLED Feb 12 20:13:00.353250 osdx hostapd[475222]: eth2: AP-ENABLED Feb 12 20:13:05.353527 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Feb 12 20:13:05.353565 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Feb 12 20:13:05.353573 osdx hostapd[475223]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Feb 12 20:13:05.369215 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Feb 12 20:13:05.369246 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Feb 12 20:13:05.369264 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Feb 12 20:13:05.371638 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Feb 12 20:13:05.371652 osdx hostapd[475223]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:13:05.371734 osdx hostapd[475223]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:05.371770 osdx hostapd[475223]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:05.372051 osdx hostapd[475223]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:13:05.372061 osdx hostapd[475223]: eth2: RADIUS Received RADIUS message Feb 12 20:13:05.372068 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:05.372072 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Feb 12 20:13:05.372103 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Feb 12 20:13:05.372106 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Feb 12 20:13:05.372112 osdx hostapd[475223]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Feb 12 20:13:05.372128 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Feb 12 20:13:05.372132 osdx hostapd[475223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 12ED556BB1562E3F
Test Unsuccessful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+xZ1Z29ArC/UCAPIiGhFsRrSjyE+5MOitRp2nAbUOI9D/Ewn+ykTG0z2JYV5u6WNFQwp8hid3VfA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.194 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.194/0.194/0.194/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18lQRJaacrl85r3de6Tj0NGRSFmwXRNRPA= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.347 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.347/0.347/0.347/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: authenticated - EAP type: 25 (PEAP)Show output
Feb 12 20:13:15.666321 osdx hostapd[475757]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Feb 12 20:13:15.666335 osdx hostapd[475757]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:13:15.666615 osdx hostapd[475757]: connect[radius]: Network is unreachable Feb 12 20:13:15.666374 osdx hostapd[475757]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Feb 12 20:13:15.666379 osdx hostapd[475757]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Feb 12 20:13:15.682187 osdx hostapd[475757]: Discovery mode enabled on eth2 Feb 12 20:13:15.682242 osdx hostapd[475757]: eth2: interface state UNINITIALIZED->ENABLED Feb 12 20:13:15.682263 osdx hostapd[475757]: eth2: AP-ENABLED Feb 12 20:13:19.029937 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Feb 12 20:13:19.029960 osdx hostapd[475758]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Feb 12 20:13:19.050270 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Feb 12 20:13:19.050311 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Feb 12 20:13:19.050331 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Feb 12 20:13:19.052813 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Feb 12 20:13:19.052827 osdx hostapd[475758]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:13:19.052914 osdx hostapd[475758]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:19.053277 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:19.058245 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Feb 12 20:13:20.053358 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Feb 12 20:13:20.053386 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Feb 12 20:13:20.053397 osdx hostapd[475758]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:13:20.053401 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.053405 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:20.053409 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Feb 12 20:13:20.053467 osdx hostapd[475758]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Feb 12 20:13:20.053469 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Feb 12 20:13:20.053472 osdx hostapd[475758]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Feb 12 20:13:20.053474 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Feb 12 20:13:20.053480 osdx hostapd[475758]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Feb 12 20:13:20.053494 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 175) Feb 12 20:13:20.053507 osdx hostapd[475758]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:13:20.053510 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.053514 osdx hostapd[475758]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet Feb 12 20:13:20.053841 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=175 len=12) from STA: EAP Response-Identity (1) Feb 12 20:13:20.053854 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing' Feb 12 20:13:20.053918 osdx hostapd[475758]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:20.053934 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:20.054167 osdx hostapd[475758]: eth2: RADIUS Received 80 bytes from RADIUS server Feb 12 20:13:20.054174 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.054178 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:20.054198 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=176 len=22) from RADIUS server: EAP-Request-MD5 (4) Feb 12 20:13:20.054205 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 176) Feb 12 20:13:20.054374 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=176 len=6) from STA: EAP Response-unknown (3) Feb 12 20:13:20.054414 osdx hostapd[475758]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:20.054424 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:20.054584 osdx hostapd[475758]: eth2: RADIUS Received 64 bytes from RADIUS server Feb 12 20:13:20.054590 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.054593 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:20.054608 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=177 len=6) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:20.054614 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 177) Feb 12 20:13:20.054925 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=177 len=194) from STA: EAP Response-PEAP (25) Feb 12 20:13:20.054962 osdx hostapd[475758]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:20.054973 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:20.055960 osdx hostapd[475758]: eth2: RADIUS Received 1068 bytes from RADIUS server Feb 12 20:13:20.055969 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.055974 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:20.056002 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=178 len=1004) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:20.056011 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 178) Feb 12 20:13:20.056219 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=178 len=6) from STA: EAP Response-PEAP (25) Feb 12 20:13:20.056271 osdx hostapd[475758]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:20.056286 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:20.056419 osdx hostapd[475758]: eth2: RADIUS Received 229 bytes from RADIUS server Feb 12 20:13:20.056426 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.056436 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:20.056455 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=179 len=171) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:20.056463 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 179) Feb 12 20:13:20.057999 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=179 len=103) from STA: EAP Response-PEAP (25) Feb 12 20:13:20.058053 osdx hostapd[475758]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:20.058068 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:20.058388 osdx hostapd[475758]: eth2: RADIUS Received 115 bytes from RADIUS server Feb 12 20:13:20.058395 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.058400 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:20.058418 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=180 len=57) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:20.058426 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 180) Feb 12 20:13:20.058756 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=180 len=6) from STA: EAP Response-PEAP (25) Feb 12 20:13:20.058819 osdx hostapd[475758]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:20.058835 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:20.059015 osdx hostapd[475758]: eth2: RADIUS Received 98 bytes from RADIUS server Feb 12 20:13:20.059024 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.059029 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:20.059070 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=181 len=40) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:20.059082 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 181) Feb 12 20:13:20.059267 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=181 len=43) from STA: EAP Response-PEAP (25) Feb 12 20:13:20.059318 osdx hostapd[475758]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:20.059334 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:20.059505 osdx hostapd[475758]: eth2: RADIUS Received 131 bytes from RADIUS server Feb 12 20:13:20.059512 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.059516 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:20.059535 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=182 len=73) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:20.059542 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 182) Feb 12 20:13:20.059815 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=182 len=97) from STA: EAP Response-PEAP (25) Feb 12 20:13:20.059854 osdx hostapd[475758]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:20.059866 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:20.060075 osdx hostapd[475758]: eth2: RADIUS Received 140 bytes from RADIUS server Feb 12 20:13:20.060082 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.060087 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:20.060106 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=183 len=82) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:20.060120 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 183) Feb 12 20:13:20.060358 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=183 len=37) from STA: EAP Response-PEAP (25) Feb 12 20:13:20.060402 osdx hostapd[475758]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:20.060413 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:20.060577 osdx hostapd[475758]: eth2: RADIUS Received 104 bytes from RADIUS server Feb 12 20:13:20.060584 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.060589 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:20.060606 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=184 len=46) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:20.060614 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 184) Feb 12 20:13:20.060842 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=184 len=46) from STA: EAP Response-PEAP (25) Feb 12 20:13:20.060888 osdx hostapd[475758]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:20.060902 osdx hostapd[475758]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:20.061147 osdx hostapd[475758]: eth2: RADIUS Received 175 bytes from RADIUS server Feb 12 20:13:20.061156 osdx hostapd[475758]: eth2: RADIUS Received RADIUS message Feb 12 20:13:20.061160 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:20.061192 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' Feb 12 20:13:20.061197 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=184 len=4) from RADIUS server: EAP Success Feb 12 20:13:20.061233 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 184) Feb 12 20:13:20.061255 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port Feb 12 20:13:20.061259 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session 1C6297925EF885E0 Feb 12 20:13:20.061270 osdx hostapd[475758]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/I51aAnqNfQR+FRdBMaKkn/OgJfyCQIsoS38d4HrplNRlSaUBBqfJUNUzy1O2tJtH0LPd9POXcwQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.184 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.184/0.184/0.184/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/YdLJHa+4gLzEW26T1Moyu1nfzoqcfjkw= set interfaces ethernet eth2 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 9 EAPoL Frames (Tx) 10 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 8 Req ID Frames (Rx) 1 Resp Frames (Tx) 9 Start Frames (Tx) 1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 8 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 10 EAPoL frames (Tx) 9 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)Show output
Feb 12 20:13:28.263557 osdx hostapd[476288]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Feb 12 20:13:28.263577 osdx hostapd[476288]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:13:28.263848 osdx hostapd[476288]: connect[radius]: Network is unreachable Feb 12 20:13:28.263634 osdx hostapd[476288]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Feb 12 20:13:28.263638 osdx hostapd[476288]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Feb 12 20:13:28.295358 osdx hostapd[476288]: Discovery mode enabled on eth2 Feb 12 20:13:28.295470 osdx hostapd[476288]: eth2: interface state UNINITIALIZED->ENABLED Feb 12 20:13:28.295470 osdx hostapd[476288]: eth2: AP-ENABLED Feb 12 20:13:31.431060 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Feb 12 20:13:31.431074 osdx hostapd[476289]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Feb 12 20:13:31.443364 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Feb 12 20:13:31.443387 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Feb 12 20:13:31.443400 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Feb 12 20:13:31.445043 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Feb 12 20:13:31.445054 osdx hostapd[476289]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:13:31.445120 osdx hostapd[476289]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:31.445149 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:31.445172 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Feb 12 20:13:32.445228 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Feb 12 20:13:32.445258 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Feb 12 20:13:32.445440 osdx hostapd[476289]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:13:32.445445 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:32.445449 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:32.445454 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Feb 12 20:13:32.445508 osdx hostapd[476289]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Feb 12 20:13:32.445516 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Feb 12 20:13:32.445521 osdx hostapd[476289]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Feb 12 20:13:32.445524 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Feb 12 20:13:32.445532 osdx hostapd[476289]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Feb 12 20:13:32.445548 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 98) Feb 12 20:13:32.445627 osdx hostapd[476289]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:13:32.445630 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:32.445634 osdx hostapd[476289]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet Feb 12 20:13:32.445915 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=98 len=10) from STA: EAP Response-Identity (1) Feb 12 20:13:32.445927 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' Feb 12 20:13:32.445993 osdx hostapd[476289]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:32.446010 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:32.446282 osdx hostapd[476289]: eth2: RADIUS Received 80 bytes from RADIUS server Feb 12 20:13:32.446287 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:32.446291 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:32.446315 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=99 len=22) from RADIUS server: EAP-Request-MD5 (4) Feb 12 20:13:32.446322 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 99) Feb 12 20:13:32.446565 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=99 len=6) from STA: EAP Response-unknown (3) Feb 12 20:13:32.446629 osdx hostapd[476289]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:32.446644 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:32.446905 osdx hostapd[476289]: eth2: RADIUS Received 64 bytes from RADIUS server Feb 12 20:13:32.446910 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:32.446913 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:32.446933 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=100 len=6) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:32.446939 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 100) Feb 12 20:13:32.447322 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=100 len=194) from STA: EAP Response-PEAP (25) Feb 12 20:13:32.447378 osdx hostapd[476289]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:32.447394 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:32.448517 osdx hostapd[476289]: eth2: RADIUS Received 1068 bytes from RADIUS server Feb 12 20:13:32.448524 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:32.448529 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:32.448559 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=101 len=1004) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:32.448568 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 101) Feb 12 20:13:32.448803 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=101 len=6) from STA: EAP Response-PEAP (25) Feb 12 20:13:32.448850 osdx hostapd[476289]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:32.448862 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:32.449003 osdx hostapd[476289]: eth2: RADIUS Received 229 bytes from RADIUS server Feb 12 20:13:32.449009 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:32.449019 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:32.449037 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=102 len=171) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:32.449044 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 102) Feb 12 20:13:32.450502 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=102 len=103) from STA: EAP Response-PEAP (25) Feb 12 20:13:32.450553 osdx hostapd[476289]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:32.450585 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:32.450905 osdx hostapd[476289]: eth2: RADIUS Received 115 bytes from RADIUS server Feb 12 20:13:32.450910 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:32.450913 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:32.450932 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=103 len=57) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:32.450937 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 103) Feb 12 20:13:32.451203 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=103 len=6) from STA: EAP Response-PEAP (25) Feb 12 20:13:32.451252 osdx hostapd[476289]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:32.451264 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:32.451392 osdx hostapd[476289]: eth2: RADIUS Received 98 bytes from RADIUS server Feb 12 20:13:32.451397 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:32.451399 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:32.451413 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=104 len=40) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:32.451419 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 104) Feb 12 20:13:32.451612 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=104 len=41) from STA: EAP Response-PEAP (25) Feb 12 20:13:32.451645 osdx hostapd[476289]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:32.451657 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:32.451789 osdx hostapd[476289]: eth2: RADIUS Received 131 bytes from RADIUS server Feb 12 20:13:32.451793 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:32.451796 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:32.451808 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=105 len=73) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:32.451813 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 105) Feb 12 20:13:32.452080 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=105 len=95) from STA: EAP Response-PEAP (25) Feb 12 20:13:32.452116 osdx hostapd[476289]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:32.452125 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:32.452334 osdx hostapd[476289]: eth2: RADIUS Received 104 bytes from RADIUS server Feb 12 20:13:32.452340 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:32.452343 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:32.452357 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=106 len=46) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:13:32.452362 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 106) Feb 12 20:13:32.452547 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=106 len=46) from STA: EAP Response-PEAP (25) Feb 12 20:13:32.452601 osdx hostapd[476289]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:32.452610 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:33.452707 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8) Feb 12 20:13:33.452739 osdx hostapd[476289]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Feb 12 20:13:33.452942 osdx hostapd[476289]: eth2: RADIUS Received 44 bytes from RADIUS server Feb 12 20:13:33.452945 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:33.452949 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:33.452990 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=106 len=4) from RADIUS server: EAP Failure Feb 12 20:13:33.453020 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 106) Feb 12 20:13:33.453035 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port Feb 12 20:13:33.453039 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) Feb 12 20:13:33.453042 osdx hostapd[476289]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds) Feb 12 20:13:33.453047 osdx hostapd[476289]: eth2: RADIUS Received 44 bytes from RADIUS server Feb 12 20:13:33.453050 osdx hostapd[476289]: eth2: RADIUS Received RADIUS message Feb 12 20:13:33.453053 osdx hostapd[476289]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/+EapEciQMK36Begdcs2XoBcL1lxBgXK6YgWNJUV/ryyr0ez2j8tOeLk+gGw30UKFtLckPYKVMuw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.216 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.216/0.216/0.216/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 0 EAPoL frames (Tx) 2 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: EAP authentication timeoutShow output
Feb 12 20:13:40.299113 osdx hostapd[476809]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Feb 12 20:13:40.299128 osdx hostapd[476809]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:13:40.299346 osdx hostapd[476809]: connect[radius]: Network is unreachable Feb 12 20:13:40.299167 osdx hostapd[476809]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Feb 12 20:13:40.299171 osdx hostapd[476809]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Feb 12 20:13:40.326934 osdx hostapd[476809]: Discovery mode enabled on eth2 Feb 12 20:13:40.326996 osdx hostapd[476809]: eth2: interface state UNINITIALIZED->ENABLED Feb 12 20:13:40.326996 osdx hostapd[476809]: eth2: AP-ENABLED Feb 12 20:13:45.327323 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication Feb 12 20:13:45.327380 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Feb 12 20:13:45.327390 osdx hostapd[476810]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Feb 12 20:13:45.351019 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Feb 12 20:13:45.351052 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Feb 12 20:13:45.351070 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Feb 12 20:13:45.353305 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Feb 12 20:13:45.353318 osdx hostapd[476810]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:13:45.353403 osdx hostapd[476810]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:13:45.353437 osdx hostapd[476810]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:13:46.353526 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Feb 12 20:13:46.353559 osdx hostapd[476810]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Feb 12 20:13:46.353736 osdx hostapd[476810]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:13:46.353739 osdx hostapd[476810]: eth2: RADIUS Received RADIUS message Feb 12 20:13:46.353743 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:13:46.353747 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Feb 12 20:13:46.353797 osdx hostapd[476810]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Feb 12 20:13:46.353799 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Feb 12 20:13:46.353803 osdx hostapd[476810]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Feb 12 20:13:46.353807 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Feb 12 20:13:46.353814 osdx hostapd[476810]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Feb 12 20:13:46.353830 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 27) Feb 12 20:13:46.353844 osdx hostapd[476810]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:13:46.353847 osdx hostapd[476810]: eth2: RADIUS Received RADIUS message Feb 12 20:13:46.353849 osdx hostapd[476810]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet Feb 12 20:13:49.354303 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 27) Feb 12 20:13:54.200617 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:13:55.359287 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 27) Feb 12 20:14:02.419860 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:14:07.370284 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication Feb 12 20:14:07.370295 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying Feb 12 20:14:07.370306 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2) Feb 12 20:14:07.370309 osdx hostapd[476810]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)