Reauth Period
This scenario shows how to configure the reauthentication period in a device with 802.1x/MAB authentication.
Test Reauth Period In 802.1X Mode
Description
This scenario shows how to configure the reauthentication period in a device with 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19RbVn++Bzd9/2L1WmqhUa6cfT1ohp+byoJ8YVh128lpGnz5QnQjF1Rn2D8IJycrxRAr6axzIS7WQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.271 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.271/0.271/0.271/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX196tnvPGvDkmvX4JAYTU4pMeevB4HzDJQ0= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticatedShow output
Feb 12 20:22:11.370300 osdx hostapd[489243]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Feb 12 20:22:11.370613 osdx hostapd[489243]: connect[radius]: Network is unreachable Feb 12 20:22:11.370314 osdx hostapd[489243]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:22:11.370349 osdx hostapd[489243]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X, eap_server=0, eap_quiet_period=60, eap_max_retrans=2 Feb 12 20:22:11.370352 osdx hostapd[489243]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Feb 12 20:22:11.390143 osdx hostapd[489243]: Discovery mode enabled on eth2 Feb 12 20:22:11.390203 osdx hostapd[489243]: eth2: interface state UNINITIALIZED->ENABLED Feb 12 20:22:11.390203 osdx hostapd[489243]: eth2: AP-ENABLED Feb 12 20:22:11.390143 osdx hostapd[489243]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames Feb 12 20:22:12.731302 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:14.573877 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Feb 12 20:22:14.573890 osdx hostapd[489244]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Feb 12 20:22:14.590187 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication Feb 12 20:22:14.590216 osdx hostapd[489244]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Feb 12 20:22:14.590232 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Feb 12 20:22:14.590241 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Feb 12 20:22:14.590253 osdx hostapd[489244]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Feb 12 20:22:14.590279 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 4) Feb 12 20:22:14.590606 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=4 len=12) from STA: EAP Response-Identity (1) Feb 12 20:22:14.590619 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing' Feb 12 20:22:14.590649 osdx hostapd[489244]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:22:14.592422 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:14.592449 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:14.592706 osdx hostapd[489244]: eth2: RADIUS Received 80 bytes from RADIUS server Feb 12 20:22:14.592711 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:14.592715 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:14.592735 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=5 len=22) from RADIUS server: EAP-Request-MD5 (4) Feb 12 20:22:14.592741 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 5) Feb 12 20:22:14.592938 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=5 len=6) from STA: EAP Response-unknown (3) Feb 12 20:22:14.592977 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:14.592987 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:14.593170 osdx hostapd[489244]: eth2: RADIUS Received 64 bytes from RADIUS server Feb 12 20:22:14.593175 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:14.593178 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:14.593190 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=6 len=6) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:14.593195 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 6) Feb 12 20:22:14.593535 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=6 len=194) from STA: EAP Response-PEAP (25) Feb 12 20:22:14.593570 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:14.593580 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:14.594660 osdx hostapd[489244]: eth2: RADIUS Received 1068 bytes from RADIUS server Feb 12 20:22:14.594666 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:14.594669 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:14.594690 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=7 len=1004) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:14.594696 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 7) Feb 12 20:22:14.594868 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=7 len=6) from STA: EAP Response-PEAP (25) Feb 12 20:22:14.594919 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:14.594934 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:14.595086 osdx hostapd[489244]: eth2: RADIUS Received 229 bytes from RADIUS server Feb 12 20:22:14.595093 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:14.595096 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:14.595113 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=8 len=171) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:14.595119 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 8) Feb 12 20:22:14.596442 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=8 len=103) from STA: EAP Response-PEAP (25) Feb 12 20:22:14.596485 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:14.596495 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:14.596742 osdx hostapd[489244]: eth2: RADIUS Received 115 bytes from RADIUS server Feb 12 20:22:14.596748 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:14.596752 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:14.596769 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=9 len=57) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:14.596775 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 9) Feb 12 20:22:14.596995 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=9 len=6) from STA: EAP Response-PEAP (25) Feb 12 20:22:14.597033 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:14.597043 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:14.597159 osdx hostapd[489244]: eth2: RADIUS Received 98 bytes from RADIUS server Feb 12 20:22:14.597163 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:14.597166 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:14.597179 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=10 len=40) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:14.597184 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 10) Feb 12 20:22:14.597326 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=10 len=43) from STA: EAP Response-PEAP (25) Feb 12 20:22:14.597371 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:14.597383 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:14.597535 osdx hostapd[489244]: eth2: RADIUS Received 131 bytes from RADIUS server Feb 12 20:22:14.597540 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:14.597545 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:14.597560 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=11 len=73) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:14.597566 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 11) Feb 12 20:22:14.597794 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=11 len=97) from STA: EAP Response-PEAP (25) Feb 12 20:22:14.597831 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:14.597844 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:14.598036 osdx hostapd[489244]: eth2: RADIUS Received 140 bytes from RADIUS server Feb 12 20:22:14.598041 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:14.598044 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:14.598057 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=12 len=82) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:14.598062 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 12) Feb 12 20:22:14.598239 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=12 len=37) from STA: EAP Response-PEAP (25) Feb 12 20:22:14.598270 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:14.598281 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:14.598420 osdx hostapd[489244]: eth2: RADIUS Received 104 bytes from RADIUS server Feb 12 20:22:14.598424 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:14.598428 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:14.598443 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=13 len=46) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:14.598448 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 13) Feb 12 20:22:14.598625 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=13 len=46) from STA: EAP Response-PEAP (25) Feb 12 20:22:14.598660 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:14.598669 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:14.598868 osdx hostapd[489244]: eth2: RADIUS Received 175 bytes from RADIUS server Feb 12 20:22:14.598874 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:14.598877 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:14.598897 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' Feb 12 20:22:14.598901 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=13 len=4) from RADIUS server: EAP Success Feb 12 20:22:14.598919 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 13) Feb 12 20:22:14.598951 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Feb 12 20:22:14.598958 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 4D7931D04C3016C9 Feb 12 20:22:14.598962 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Feb 12 20:22:15.078321 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:17.213467 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:19.291100 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:21.361961 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:23.437664 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:25.506930 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:27.579199 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:29.648423 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:31.721219 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:33.795624 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:34.607460 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Feb 12 20:22:34.607471 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Starting re-authentication (port will be unauthorized until authentication succeeds) Feb 12 20:22:34.607475 osdx hostapd[489244]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Feb 12 20:22:34.607512 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 141) Feb 12 20:22:34.607870 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=141 len=12) from STA: EAP Response-Identity (1) Feb 12 20:22:34.607884 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing' Feb 12 20:22:34.607954 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:34.607990 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:34.608233 osdx hostapd[489244]: eth2: RADIUS Received 80 bytes from RADIUS server Feb 12 20:22:34.608239 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:34.608243 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:34.608270 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=142 len=22) from RADIUS server: EAP-Request-MD5 (4) Feb 12 20:22:34.608277 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 142) Feb 12 20:22:34.608425 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=142 len=6) from STA: EAP Response-unknown (3) Feb 12 20:22:34.608460 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:34.608470 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:34.608653 osdx hostapd[489244]: eth2: RADIUS Received 64 bytes from RADIUS server Feb 12 20:22:34.608658 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:34.608661 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:34.608680 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=143 len=6) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:34.608687 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 143) Feb 12 20:22:34.608910 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=143 len=194) from STA: EAP Response-PEAP (25) Feb 12 20:22:34.608953 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:34.608964 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:34.610381 osdx hostapd[489244]: eth2: RADIUS Received 1068 bytes from RADIUS server Feb 12 20:22:34.610397 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:34.610420 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:34.610482 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=144 len=1004) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:34.610502 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 144) Feb 12 20:22:34.610840 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=144 len=6) from STA: EAP Response-PEAP (25) Feb 12 20:22:34.610879 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:34.610889 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:34.610996 osdx hostapd[489244]: eth2: RADIUS Received 229 bytes from RADIUS server Feb 12 20:22:34.611001 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:34.611005 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:34.611020 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=145 len=171) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:34.611025 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 145) Feb 12 20:22:34.612557 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=145 len=103) from STA: EAP Response-PEAP (25) Feb 12 20:22:34.612646 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:34.612674 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:34.612983 osdx hostapd[489244]: eth2: RADIUS Received 115 bytes from RADIUS server Feb 12 20:22:34.612988 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:34.612991 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:34.613004 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=146 len=57) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:34.613009 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 146) Feb 12 20:22:34.613174 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=146 len=6) from STA: EAP Response-PEAP (25) Feb 12 20:22:34.613200 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:34.613209 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:34.613323 osdx hostapd[489244]: eth2: RADIUS Received 98 bytes from RADIUS server Feb 12 20:22:34.613328 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:34.613330 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:34.613342 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=147 len=40) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:34.613346 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 147) Feb 12 20:22:34.613475 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=147 len=43) from STA: EAP Response-PEAP (25) Feb 12 20:22:34.613500 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:34.613508 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:34.613640 osdx hostapd[489244]: eth2: RADIUS Received 131 bytes from RADIUS server Feb 12 20:22:34.613644 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:34.613647 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:34.613658 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=148 len=73) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:34.613662 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 148) Feb 12 20:22:34.613904 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=148 len=97) from STA: EAP Response-PEAP (25) Feb 12 20:22:34.613930 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:34.613937 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:34.614074 osdx hostapd[489244]: eth2: RADIUS Received 140 bytes from RADIUS server Feb 12 20:22:34.614078 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:34.614080 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:34.614091 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=149 len=82) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:34.614102 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 149) Feb 12 20:22:34.614233 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=149 len=37) from STA: EAP Response-PEAP (25) Feb 12 20:22:34.614259 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:34.614268 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:34.614363 osdx hostapd[489244]: eth2: RADIUS Received 104 bytes from RADIUS server Feb 12 20:22:34.614367 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:34.614370 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:34.614382 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=150 len=46) from RADIUS server: EAP-Request-PEAP (25) Feb 12 20:22:34.614387 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 150) Feb 12 20:22:34.614495 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=150 len=46) from STA: EAP Response-PEAP (25) Feb 12 20:22:34.614562 osdx hostapd[489244]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:34.614584 osdx hostapd[489244]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:34.615000 osdx hostapd[489244]: eth2: RADIUS Received 175 bytes from RADIUS server Feb 12 20:22:34.615014 osdx hostapd[489244]: eth2: RADIUS Received RADIUS message Feb 12 20:22:34.615023 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:34.615081 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' Feb 12 20:22:34.615091 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=150 len=4) from RADIUS server: EAP Success Feb 12 20:22:34.615124 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 150) Feb 12 20:22:34.615143 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Feb 12 20:22:34.615150 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 4D7931D04C3016C9 Feb 12 20:22:34.615158 osdx hostapd[489244]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Reauth Period In MAB Mode
Description
This scenario shows how to configure the reauthentication period in a device with MAB authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+FIlsVlBV5GLVoBmgrXTLgs0HYw5j4HXZicg1beQgERZv8nRZWl2nXtkdJqmH75Rh8q4WT6KKG1g== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.208 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.208/0.208/0.208/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticatedShow output
Feb 12 20:22:43.405163 osdx hostapd[489843]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Feb 12 20:22:43.405185 osdx hostapd[489843]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:22:43.405587 osdx hostapd[489843]: connect[radius]: Network is unreachable Feb 12 20:22:43.405257 osdx hostapd[489843]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-only, eap_server=0, eap_quiet_period=60, eap_max_retrans=5 Feb 12 20:22:43.405264 osdx hostapd[489843]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Feb 12 20:22:43.432871 osdx hostapd[489843]: Discovery mode enabled on eth2 Feb 12 20:22:43.432932 osdx hostapd[489843]: eth2: interface state UNINITIALIZED->ENABLED Feb 12 20:22:43.432948 osdx hostapd[489843]: eth2: AP-ENABLED Feb 12 20:22:46.676442 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:48.435223 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Feb 12 20:22:48.435267 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Feb 12 20:22:48.435278 osdx hostapd[489844]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Feb 12 20:22:48.448895 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-only mode: Starting MAB authentication Feb 12 20:22:48.448922 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Feb 12 20:22:48.448936 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Feb 12 20:22:48.450614 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Feb 12 20:22:48.450624 osdx hostapd[489844]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:22:48.450696 osdx hostapd[489844]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:22:48.450727 osdx hostapd[489844]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:22:48.451004 osdx hostapd[489844]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:22:48.451009 osdx hostapd[489844]: eth2: RADIUS Received RADIUS message Feb 12 20:22:48.451014 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:22:48.451019 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Feb 12 20:22:48.451038 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Feb 12 20:22:48.451041 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Feb 12 20:22:48.451044 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Feb 12 20:22:48.451047 osdx hostapd[489844]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Feb 12 20:22:48.451057 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Feb 12 20:22:48.451061 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session B2EEF36AC411BC84
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Feb 12 20:22:51.236397 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:54.426387 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:22:57.623797 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:00.814777 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:03.984231 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:07.198912 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:08.466168 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Feb 12 20:23:08.466189 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Feb 12 20:23:08.466235 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Feb 12 20:23:08.466265 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Feb 12 20:23:08.466286 osdx hostapd[489844]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:23:08.466319 osdx hostapd[489844]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:23:08.466601 osdx hostapd[489844]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:23:08.466606 osdx hostapd[489844]: eth2: RADIUS Received RADIUS message Feb 12 20:23:08.466609 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:23:08.466613 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Feb 12 20:23:08.466629 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Feb 12 20:23:08.466632 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Feb 12 20:23:08.466634 osdx hostapd[489844]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Feb 12 20:23:08.466637 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Feb 12 20:23:08.466645 osdx hostapd[489844]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session B2EEF36AC411BC84
Test Reauth Period In MAB-Fallback Mode
Description
This scenario shows how to configure the reauthentication period in a device with 802.1x-MAB authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode 802.1x-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19Hhj2UGQhqvib68ti2+naz59kNo4VIzc8c7D/Ju2/xf3Xlt71T/YX6mZW4zyUqhsBMu7zFudGmJQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.173 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.173/0.173/0.173/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticatedShow output
Feb 12 20:23:17.646478 osdx hostapd[490427]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Feb 12 20:23:17.646496 osdx hostapd[490427]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:23:17.646825 osdx hostapd[490427]: connect[radius]: Network is unreachable Feb 12 20:23:17.646546 osdx hostapd[490427]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Feb 12 20:23:17.646550 osdx hostapd[490427]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Feb 12 20:23:17.678281 osdx hostapd[490427]: Discovery mode enabled on eth2 Feb 12 20:23:17.678382 osdx hostapd[490427]: eth2: interface state UNINITIALIZED->ENABLED Feb 12 20:23:17.678382 osdx hostapd[490427]: eth2: AP-ENABLED Feb 12 20:23:17.678277 osdx hostapd[490427]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames Feb 12 20:23:21.057747 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:22.681591 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Feb 12 20:23:22.681631 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Feb 12 20:23:22.681639 osdx hostapd[490428]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Feb 12 20:23:22.698299 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication Feb 12 20:23:22.698322 osdx hostapd[490428]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Feb 12 20:23:22.698326 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response Feb 12 20:23:22.698329 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Feb 12 20:23:22.698342 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Feb 12 20:23:22.698348 osdx hostapd[490428]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Feb 12 20:23:22.698370 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 97) Feb 12 20:23:25.263022 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:25.700576 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 97) Feb 12 20:23:29.472166 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:31.705601 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 97) Feb 12 20:23:33.677067 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:37.888606 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:42.096067 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:43.716600 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication Feb 12 20:23:43.716609 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately Feb 12 20:23:43.716614 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Feb 12 20:23:43.716645 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Feb 12 20:23:43.718728 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Feb 12 20:23:43.718741 osdx hostapd[490428]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:23:43.718822 osdx hostapd[490428]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:23:43.718968 osdx hostapd[490428]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:23:43.718996 osdx hostapd[490428]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Feb 12 20:23:43.719013 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 102) Feb 12 20:23:43.719188 osdx hostapd[490428]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:23:43.719195 osdx hostapd[490428]: eth2: RADIUS Received RADIUS message Feb 12 20:23:43.719200 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:23:43.719204 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Feb 12 20:23:43.719228 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Feb 12 20:23:43.719232 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Feb 12 20:23:43.719235 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Feb 12 20:23:43.719239 osdx hostapd[490428]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Feb 12 20:23:43.719249 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Feb 12 20:23:43.719252 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session FE1EC1C5F32EED17
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Feb 12 20:23:46.554843 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:49.733139 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:52.927658 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:56.112744 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:23:59.328890 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:24:02.640901 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:24:03.737846 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Feb 12 20:24:03.737868 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback: Scheduling MAB trigger in 30 seconds if no 802.1X response Feb 12 20:24:03.737873 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Feb 12 20:24:03.737905 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Feb 12 20:24:03.737911 osdx hostapd[490428]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Feb 12 20:24:03.737928 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 3) Feb 12 20:24:06.740595 osdx hostapd[490428]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 3)
Test Reauth Period In MAB-First Mode
Description
This scenario shows how to configure the reauthentication period in a device with MAB-802.1X authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/Izf2fXAtfNhnsLz4cIrGUIC6zl/nmheM+mglYJYdFjWDNAQHaW6S36sdGZMHdLmO7gsc7X36fiw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.203 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.203/0.203/0.203/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticatedShow output
Feb 12 20:24:14.647669 osdx hostapd[491040]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Feb 12 20:24:14.647685 osdx hostapd[491040]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:24:14.647916 osdx hostapd[491040]: connect[radius]: Network is unreachable Feb 12 20:24:14.647737 osdx hostapd[491040]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Feb 12 20:24:14.647741 osdx hostapd[491040]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Feb 12 20:24:14.663527 osdx hostapd[491040]: Discovery mode enabled on eth2 Feb 12 20:24:14.663572 osdx hostapd[491040]: eth2: interface state UNINITIALIZED->ENABLED Feb 12 20:24:14.663527 osdx hostapd[491040]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames Feb 12 20:24:14.663612 osdx hostapd[491040]: eth2: AP-ENABLED Feb 12 20:24:17.829538 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:24:19.665906 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Feb 12 20:24:19.665938 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Feb 12 20:24:19.665948 osdx hostapd[491041]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Feb 12 20:24:19.679599 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Feb 12 20:24:19.679627 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Feb 12 20:24:19.679641 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Feb 12 20:24:19.681598 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Feb 12 20:24:19.681614 osdx hostapd[491041]: eth2: RADIUS Authentication server 10.215.168.1:1812 Feb 12 20:24:19.681693 osdx hostapd[491041]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:24:19.681836 osdx hostapd[491041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:24:19.681953 osdx hostapd[491041]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame Feb 12 20:24:19.681967 osdx hostapd[491041]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds Feb 12 20:24:19.682128 osdx hostapd[491041]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:24:19.682133 osdx hostapd[491041]: eth2: RADIUS Received RADIUS message Feb 12 20:24:19.682138 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:24:19.682143 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Feb 12 20:24:19.682179 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Feb 12 20:24:19.682182 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Feb 12 20:24:19.682186 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Feb 12 20:24:19.682189 osdx hostapd[491041]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Feb 12 20:24:19.682206 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Feb 12 20:24:19.682210 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session B84D4C626EBBC6DF
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Feb 12 20:24:22.295913 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:24:25.486954 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:24:28.681002 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:24:31.868432 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:24:35.045519 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:24:38.215252 osdx OSDxCLI[453798]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Feb 12 20:24:39.682897 osdx hostapd[491041]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame Feb 12 20:24:39.682922 osdx hostapd[491041]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds Feb 12 20:24:39.695909 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Feb 12 20:24:39.695922 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Feb 12 20:24:39.695954 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Feb 12 20:24:39.695982 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Feb 12 20:24:39.696001 osdx hostapd[491041]: eth2: RADIUS Sending RADIUS message to authentication server Feb 12 20:24:39.696036 osdx hostapd[491041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Feb 12 20:24:39.696312 osdx hostapd[491041]: eth2: RADIUS Received 20 bytes from RADIUS server Feb 12 20:24:39.696319 osdx hostapd[491041]: eth2: RADIUS Received RADIUS message Feb 12 20:24:39.696326 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Feb 12 20:24:39.696335 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Feb 12 20:24:39.696354 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Feb 12 20:24:39.696359 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Feb 12 20:24:39.696361 osdx hostapd[491041]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Feb 12 20:24:39.696364 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Feb 12 20:24:39.696367 osdx hostapd[491041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session B84D4C626EBBC6DF