MAB Fallback

This scenario shows how to configure the MAB-fallback authentication mode.

[Figure: topology, DUT0 and DUT1]

Test Successful 802.1x Authentication With Successful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18Jwf5wlACjH51mN3+GV1ZT3s7yUsDpViStWvKjjAHGFkAl5Ug7JeOAgOo0ore3+Rshm1SSl6ZdRQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.314 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.314/0.314/0.314/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+Y6/LE6rLUWpO7a/BQ9pj/sRCwXDiGqm0=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Output:
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Output:
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X
Output:
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     0
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            de:ad:be:ef:6c:12
Session User Name                     testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.326 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.326/0.326/0.326/0.000 ms

Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Output:
Feb 19 07:41:01.349614 osdx hostapd[36222]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:41:01.349625 osdx hostapd[36222]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:41:01.349861 osdx hostapd[36222]: connect[radius]: Network is unreachable
Feb 19 07:41:01.349668 osdx hostapd[36222]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:41:01.349672 osdx hostapd[36222]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:41:01.369394 osdx hostapd[36222]: Discovery mode enabled on eth2
Feb 19 07:41:01.369464 osdx hostapd[36222]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:41:01.369464 osdx hostapd[36222]: eth2: AP-ENABLED
Feb 19 07:41:04.603702 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Feb 19 07:41:04.603715 osdx hostapd[36223]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:41:04.617464 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Feb 19 07:41:04.617496 osdx hostapd[36223]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 19 07:41:04.617501 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 19 07:41:04.617505 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 19 07:41:04.617522 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Feb 19 07:41:04.617525 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Feb 19 07:41:04.617535 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Feb 19 07:41:04.617543 osdx hostapd[36223]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:41:04.617570 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 131)
Feb 19 07:41:04.617926 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=131 len=12) from STA: EAP Response-Identity (1)
Feb 19 07:41:04.617941 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Feb 19 07:41:04.617967 osdx hostapd[36223]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:41:04.620376 osdx hostapd[36223]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:04.624668 osdx hostapd[36223]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:04.624920 osdx hostapd[36223]: eth2: RADIUS Received 80 bytes from RADIUS server
Feb 19 07:41:04.624927 osdx hostapd[36223]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:04.624931 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:04.624960 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=132 len=22) from RADIUS server: EAP-Request-MD5 (4)
Feb 19 07:41:04.624967 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 132)
Feb 19 07:41:04.625220 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=132 len=6) from STA: EAP Response-unknown (3)
Feb 19 07:41:04.625276 osdx hostapd[36223]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:04.625291 osdx hostapd[36223]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:04.625516 osdx hostapd[36223]: eth2: RADIUS Received 64 bytes from RADIUS server
Feb 19 07:41:04.625521 osdx hostapd[36223]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:04.625525 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:04.625545 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=133 len=6) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:04.625551 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 133)
Feb 19 07:41:04.625886 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=133 len=194) from STA: EAP Response-PEAP (25)
Feb 19 07:41:04.625937 osdx hostapd[36223]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:04.625952 osdx hostapd[36223]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:04.627009 osdx hostapd[36223]: eth2: RADIUS Received 1068 bytes from RADIUS server
Feb 19 07:41:04.627016 osdx hostapd[36223]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:04.627020 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:04.627047 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=134 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:04.627054 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 134)
Feb 19 07:41:04.627241 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=134 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:41:04.627285 osdx hostapd[36223]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:04.627299 osdx hostapd[36223]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:04.627450 osdx hostapd[36223]: eth2: RADIUS Received 229 bytes from RADIUS server
Feb 19 07:41:04.627455 osdx hostapd[36223]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:04.627458 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:04.627475 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=135 len=171) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:04.627480 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 135)
Feb 19 07:41:04.628901 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=135 len=103) from STA: EAP Response-PEAP (25)
Feb 19 07:41:04.628943 osdx hostapd[36223]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:04.628956 osdx hostapd[36223]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:04.629267 osdx hostapd[36223]: eth2: RADIUS Received 115 bytes from RADIUS server
Feb 19 07:41:04.629272 osdx hostapd[36223]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:04.629275 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:04.629291 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=136 len=57) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:04.629296 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 136)
Feb 19 07:41:04.629520 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=136 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:41:04.629567 osdx hostapd[36223]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:04.629586 osdx hostapd[36223]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:04.629737 osdx hostapd[36223]: eth2: RADIUS Received 98 bytes from RADIUS server
Feb 19 07:41:04.629745 osdx hostapd[36223]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:04.629750 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:04.629774 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=137 len=40) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:04.629782 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 137)
Feb 19 07:41:04.629981 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=137 len=43) from STA: EAP Response-PEAP (25)
Feb 19 07:41:04.630031 osdx hostapd[36223]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:04.630046 osdx hostapd[36223]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:04.630238 osdx hostapd[36223]: eth2: RADIUS Received 131 bytes from RADIUS server
Feb 19 07:41:04.630244 osdx hostapd[36223]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:04.630248 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:04.630264 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=138 len=73) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:04.630271 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 138)
Feb 19 07:41:04.630559 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=138 len=97) from STA: EAP Response-PEAP (25)
Feb 19 07:41:04.630596 osdx hostapd[36223]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:04.630607 osdx hostapd[36223]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:04.630792 osdx hostapd[36223]: eth2: RADIUS Received 140 bytes from RADIUS server
Feb 19 07:41:04.630798 osdx hostapd[36223]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:04.630802 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:04.630818 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=139 len=82) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:04.630824 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 139)
Feb 19 07:41:04.631022 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=139 len=37) from STA: EAP Response-PEAP (25)
Feb 19 07:41:04.631074 osdx hostapd[36223]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:04.631136 osdx hostapd[36223]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:04.631263 osdx hostapd[36223]: eth2: RADIUS Received 104 bytes from RADIUS server
Feb 19 07:41:04.631268 osdx hostapd[36223]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:04.631272 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:04.631289 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=140 len=46) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:04.631296 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 140)
Feb 19 07:41:04.631515 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=140 len=46) from STA: EAP Response-PEAP (25)
Feb 19 07:41:04.631555 osdx hostapd[36223]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:04.631696 osdx hostapd[36223]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:04.631779 osdx hostapd[36223]: eth2: RADIUS Received 175 bytes from RADIUS server
Feb 19 07:41:04.631787 osdx hostapd[36223]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:04.631791 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:04.631821 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Feb 19 07:41:04.631825 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=140 len=4) from RADIUS server: EAP Success
Feb 19 07:41:04.631845 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 140)
Feb 19 07:41:04.631862 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 19 07:41:04.631865 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 522D2779A32CA7A0
Feb 19 07:41:04.631870 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
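
The journal checked in Step 8 records, per station, whether the MAB timer was cancelled by an 802.1X response and which EAP method completed. The following is an added example (not part of the original documentation) that parses those lines to report how each port ended up authorized; the last two sample lines, the MAC 02:00:00:00:00:01, the verdict labels and the function names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Per-station line layout as it appears in the journal output on this page.
STA_LINE = re.compile(
    r"hostapd\[\d+\]: \S+: STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:IEEE 802\.1X|RADIUS): (?P<msg>.*)$"
)
INIT_LINE = re.compile(
    r"Initializing IEEE 802\.1X: mode=(?P<mode>[^,]+),.*\bmab_timeout=(?P<timeout>\d+)"
)
EAP_OK = re.compile(r"^authenticated - EAP type: \d+ \((?P<method>[^)]+)\)$")
IDENTITY = re.compile(r"^STA identity '(?P<user>.*)'$")
PAE_GROUP_MAC = "01:80:c2:00:00:03"  # 802.1X group address, not a client

# First eight lines are copied from the Step 8 output above. The last two lines
# (STA 02:00:00:00:00:01) are CONSTRUCTED to model a station that never answers
# 802.1X; that the port is then logged as "authorizing port" is an assumption.
SAMPLE_JOURNAL = """\
Feb 19 07:41:01.349668 osdx hostapd[36222]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:41:04.617496 osdx hostapd[36223]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 19 07:41:04.617501 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 19 07:41:04.617522 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Feb 19 07:41:04.617535 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Feb 19 07:41:04.617941 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Feb 19 07:41:04.631862 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 19 07:41:04.631870 osdx hostapd[36223]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Feb 19 07:42:10.000001 osdx hostapd[36223]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 19 07:42:40.000002 osdx hostapd[36223]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: authorizing port
""".splitlines()


@dataclass
class Session:
    mac: str
    identity: Optional[str] = None
    mab_scheduled: bool = False
    mab_cancelled: bool = False
    eap_method: Optional[str] = None
    port_authorized: bool = False

    def verdict(self) -> str:
        """Hypothetical labels: how did this station end up on the port?"""
        if self.port_authorized and self.eap_method:
            return "802.1X"
        if self.port_authorized:
            return "authorized-without-eap"  # candidate MAB session, review it
        return "unauthorized"


def parse_authenticator_mode(lines: Iterable[str]) -> Optional[Tuple[str, int]]:
    """Return (mode, mab_timeout) from the first initialisation line, if any."""
    for line in lines:
        m = INIT_LINE.search(line)
        if m:
            return m.group("mode"), int(m.group("timeout"))
    return None


def classify_sessions(lines: Iterable[str]) -> Dict[str, Session]:
    sessions: Dict[str, Session] = {}
    for line in lines:
        m = STA_LINE.search(line.rstrip())
        if not m or m.group("mac") == PAE_GROUP_MAC:
            continue
        s = sessions.setdefault(m.group("mac"), Session(m.group("mac")))
        msg = m.group("msg")
        eap = EAP_OK.match(msg)
        ident = IDENTITY.match(msg)
        if msg.startswith("MAB fallback mode: Scheduling MAB trigger"):
            s.mab_scheduled, s.mab_cancelled = True, False
        elif msg.startswith("MAB: Cancelled MAB trigger"):
            s.mab_cancelled = True
        elif msg == "unauthorizing port":  # exact match: a substring test for
            s.port_authorized, s.eap_method = False, None  # "authorizing port" would hit this too
        elif msg == "authorizing port":
            s.port_authorized = True
        elif eap:
            s.eap_method = eap.group("method")
        elif ident:
            s.identity = ident.group("user")
    return sessions


if __name__ == "__main__":
    print("authenticator:", parse_authenticator_mode(SAMPLE_JOURNAL))
    for mac, s in classify_sessions(SAMPLE_JOURNAL).items():
        print(mac, s.verdict(), s.eap_method, s.identity,
              "mab_cancelled=%s" % s.mab_cancelled)
```

Sessions reported as authorized without an EAP method are the ones admitted on MAC address alone, so they are the entries worth comparing against the expected device inventory.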

Test Successful 802.1x Authentication With Unsuccessful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+7/hpIpnTz/g1KGrlFL0NhH2yRZHF2sF4SBUmT1DXC2P6R/MQrHGFEkFHE8u7zqg9hQ9V8wEXJJQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.196 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.196/0.196/0.196/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+K9QP3ea0kvE9tsiBiaoYJ1nPCVKS7EnM=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Output:
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Output:
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X
Output:
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     0
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            00:11:22:33:44:55
Session User Name                     testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.282 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.282/0.282/0.282/0.000 ms

Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Output:
Feb 19 07:41:13.808912 osdx hostapd[36742]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:41:13.808925 osdx hostapd[36742]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:41:13.809152 osdx hostapd[36742]: connect[radius]: Network is unreachable
Feb 19 07:41:13.808967 osdx hostapd[36742]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:41:13.808970 osdx hostapd[36742]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:41:13.824799 osdx hostapd[36742]: Discovery mode enabled on eth2
Feb 19 07:41:13.824863 osdx hostapd[36742]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:41:13.824887 osdx hostapd[36742]: eth2: AP-ENABLED
Feb 19 07:41:17.041068 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Feb 19 07:41:17.041082 osdx hostapd[36743]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:41:17.060952 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Feb 19 07:41:17.061044 osdx hostapd[36743]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 19 07:41:17.061047 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 19 07:41:17.061050 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 19 07:41:17.061065 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Feb 19 07:41:17.061068 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Feb 19 07:41:17.061079 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Feb 19 07:41:17.061087 osdx hostapd[36743]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:41:17.061107 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 28)
Feb 19 07:41:17.061611 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=28 len=12) from STA: EAP Response-Identity (1)
Feb 19 07:41:17.061624 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Feb 19 07:41:17.061649 osdx hostapd[36743]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:41:17.063850 osdx hostapd[36743]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:17.063885 osdx hostapd[36743]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:17.064150 osdx hostapd[36743]: eth2: RADIUS Received 80 bytes from RADIUS server
Feb 19 07:41:17.064157 osdx hostapd[36743]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:17.064162 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:17.064183 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=29 len=22) from RADIUS server: EAP-Request-MD5 (4)
Feb 19 07:41:17.064191 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 29)
Feb 19 07:41:17.064459 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=29 len=6) from STA: EAP Response-unknown (3)
Feb 19 07:41:17.064504 osdx hostapd[36743]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:17.064515 osdx hostapd[36743]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:17.064811 osdx hostapd[36743]: eth2: RADIUS Received 64 bytes from RADIUS server
Feb 19 07:41:17.064817 osdx hostapd[36743]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:17.064822 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:17.064838 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=30 len=6) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:17.064845 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 30)
Feb 19 07:41:17.065197 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=30 len=194) from STA: EAP Response-PEAP (25)
Feb 19 07:41:17.065239 osdx hostapd[36743]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:17.065252 osdx hostapd[36743]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:17.066883 osdx hostapd[36743]: eth2: RADIUS Received 1068 bytes from RADIUS server
Feb 19 07:41:17.066890 osdx hostapd[36743]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:17.066899 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:17.066919 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=31 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:17.066927 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 31)
Feb 19 07:41:17.067127 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=31 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:41:17.067170 osdx hostapd[36743]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:17.067182 osdx hostapd[36743]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:17.067316 osdx hostapd[36743]: eth2: RADIUS Received 229 bytes from RADIUS server
Feb 19 07:41:17.067323 osdx hostapd[36743]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:17.067328 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:17.067343 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=32 len=171) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:17.067350 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 32)
Feb 19 07:41:17.068904 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=32 len=103) from STA: EAP Response-PEAP (25)
Feb 19 07:41:17.068969 osdx hostapd[36743]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:17.069015 osdx hostapd[36743]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:17.069458 osdx hostapd[36743]: eth2: RADIUS Received 115 bytes from RADIUS server
Feb 19 07:41:17.069463 osdx hostapd[36743]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:17.069467 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:17.069525 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=33 len=57) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:17.069534 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 33)
Feb 19 07:41:17.069888 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=33 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:41:17.069936 osdx hostapd[36743]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:17.069974 osdx hostapd[36743]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:17.070140 osdx hostapd[36743]: eth2: RADIUS Received 98 bytes from RADIUS server
Feb 19 07:41:17.070146 osdx hostapd[36743]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:17.070150 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:17.070167 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=34 len=40) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:17.070174 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 34)
Feb 19 07:41:17.070442 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=34 len=43) from STA: EAP Response-PEAP (25)
Feb 19 07:41:17.070481 osdx hostapd[36743]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:17.070493 osdx hostapd[36743]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:17.070685 osdx hostapd[36743]: eth2: RADIUS Received 131 bytes from RADIUS server
Feb 19 07:41:17.070693 osdx hostapd[36743]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:17.070698 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:17.070722 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=35 len=73) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:17.070730 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 35)
Feb 19 07:41:17.071096 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=35 len=97) from STA: EAP Response-PEAP (25)
Feb 19 07:41:17.071138 osdx hostapd[36743]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:17.071152 osdx hostapd[36743]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:17.071375 osdx hostapd[36743]: eth2: RADIUS Received 140 bytes from RADIUS server
Feb 19 07:41:17.071382 osdx hostapd[36743]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:17.071386 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:17.071409 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=36 len=82) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:17.071417 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 36)
Feb 19 07:41:17.071636 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=36 len=37) from STA: EAP Response-PEAP (25)
Feb 19 07:41:17.071680 osdx hostapd[36743]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:17.071692 osdx hostapd[36743]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:17.071857 osdx hostapd[36743]: eth2: RADIUS Received 104 bytes from RADIUS server
Feb 19 07:41:17.071864 osdx hostapd[36743]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:17.071867 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:17.071888 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=37 len=46) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:17.071900 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 37)
Feb 19 07:41:17.072099 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=37 len=46) from STA: EAP Response-PEAP (25)
Feb 19 07:41:17.072132 osdx hostapd[36743]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:17.072144 osdx hostapd[36743]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:17.072346 osdx hostapd[36743]: eth2: RADIUS Received 175 bytes from RADIUS server
Feb 19 07:41:17.072351 osdx hostapd[36743]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:17.072355 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:17.072373 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Feb 19 07:41:17.072376 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=37 len=4) from RADIUS server: EAP Success
Feb 19 07:41:17.072388 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 37)
Feb 19 07:41:17.072404 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Feb 19 07:41:17.072407 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session BE72397359BA0F44
Feb 19 07:41:17.072411 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Test Unsuccessful 802.1x Authentication With Successful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username, so 802.1x authentication fails and DUT0 falls back to MAB, which succeeds.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+NfUNpfe5MDNEQ5oKY4DGdKfm87sxW+o32ebd7N1j5vTNSCBRLFVL/1qpCnMP3L9CMmj8oE6lLzA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.194 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.194/0.194/0.194/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19UVSN37/EXH/9h6vdJIVaiEMpm63UyAbw=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                        10
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                     wrong

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.314 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.314/0.314/0.314/0.000 ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Output:
Feb 19 07:41:25.346283 osdx hostapd[37260]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:41:25.346299 osdx hostapd[37260]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:41:25.346561 osdx hostapd[37260]: connect[radius]: Network is unreachable
Feb 19 07:41:25.346346 osdx hostapd[37260]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:41:25.346349 osdx hostapd[37260]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:41:25.366128 osdx hostapd[37260]: Discovery mode enabled on eth2
Feb 19 07:41:25.366210 osdx hostapd[37260]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:41:25.366210 osdx hostapd[37260]: eth2: AP-ENABLED
Feb 19 07:41:28.404421 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Feb 19 07:41:28.404433 osdx hostapd[37261]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:41:28.418244 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Feb 19 07:41:28.418276 osdx hostapd[37261]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 19 07:41:28.418282 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 19 07:41:28.418285 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 19 07:41:28.418305 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Feb 19 07:41:28.418309 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Feb 19 07:41:28.418320 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Feb 19 07:41:28.418328 osdx hostapd[37261]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:41:28.418352 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 8)
Feb 19 07:41:28.418901 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=8 len=10) from STA: EAP Response-Identity (1)
Feb 19 07:41:28.418922 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong'
Feb 19 07:41:28.418956 osdx hostapd[37261]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:41:28.421444 osdx hostapd[37261]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:28.421475 osdx hostapd[37261]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:28.421793 osdx hostapd[37261]: eth2: RADIUS Received 80 bytes from RADIUS server
Feb 19 07:41:28.421801 osdx hostapd[37261]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:28.421805 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:28.421835 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=9 len=22) from RADIUS server: EAP-Request-MD5 (4)
Feb 19 07:41:28.421847 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 9)
Feb 19 07:41:28.422169 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=9 len=6) from STA: EAP Response-unknown (3)
Feb 19 07:41:28.422235 osdx hostapd[37261]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:28.422251 osdx hostapd[37261]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:28.422459 osdx hostapd[37261]: eth2: RADIUS Received 64 bytes from RADIUS server
Feb 19 07:41:28.422468 osdx hostapd[37261]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:28.422473 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:28.422494 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=10 len=6) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:28.422502 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 10)
Feb 19 07:41:28.422932 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=10 len=194) from STA: EAP Response-PEAP (25)
Feb 19 07:41:28.422985 osdx hostapd[37261]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:28.423002 osdx hostapd[37261]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:28.424350 osdx hostapd[37261]: eth2: RADIUS Received 1068 bytes from RADIUS server
Feb 19 07:41:28.424362 osdx hostapd[37261]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:28.424366 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:28.424396 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=11 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:28.424406 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 11)
Feb 19 07:41:28.424672 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=11 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:41:28.424726 osdx hostapd[37261]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:28.424810 osdx hostapd[37261]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:28.424926 osdx hostapd[37261]: eth2: RADIUS Received 229 bytes from RADIUS server
Feb 19 07:41:28.424937 osdx hostapd[37261]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:28.424941 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:28.424967 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=12 len=171) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:28.424975 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 12)
Feb 19 07:41:28.426501 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=12 len=103) from STA: EAP Response-PEAP (25)
Feb 19 07:41:28.426548 osdx hostapd[37261]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:28.426562 osdx hostapd[37261]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:28.426904 osdx hostapd[37261]: eth2: RADIUS Received 115 bytes from RADIUS server
Feb 19 07:41:28.426910 osdx hostapd[37261]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:28.426918 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:28.426939 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=13 len=57) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:28.426946 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 13)
Feb 19 07:41:28.427240 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=13 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:41:28.427289 osdx hostapd[37261]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:28.427302 osdx hostapd[37261]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:28.427472 osdx hostapd[37261]: eth2: RADIUS Received 98 bytes from RADIUS server
Feb 19 07:41:28.427478 osdx hostapd[37261]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:28.427481 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:28.427498 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=14 len=40) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:28.427506 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 14)
Feb 19 07:41:28.427727 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=14 len=41) from STA: EAP Response-PEAP (25)
Feb 19 07:41:28.427775 osdx hostapd[37261]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:28.427790 osdx hostapd[37261]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:28.427971 osdx hostapd[37261]: eth2: RADIUS Received 131 bytes from RADIUS server
Feb 19 07:41:28.427977 osdx hostapd[37261]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:28.427981 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:28.427998 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=15 len=73) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:28.428005 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 15)
Feb 19 07:41:28.428367 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=15 len=95) from STA: EAP Response-PEAP (25)
Feb 19 07:41:28.428403 osdx hostapd[37261]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:28.428414 osdx hostapd[37261]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:28.428577 osdx hostapd[37261]: eth2: RADIUS Received 104 bytes from RADIUS server
Feb 19 07:41:28.428583 osdx hostapd[37261]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:28.428588 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:28.428604 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=16 len=46) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:28.428610 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 16)
Feb 19 07:41:28.428845 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=16 len=46) from STA: EAP Response-PEAP (25)
Feb 19 07:41:28.428894 osdx hostapd[37261]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:28.428910 osdx hostapd[37261]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:29.428990 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=8)
Feb 19 07:41:29.429021 osdx hostapd[37261]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 19 07:41:29.429179 osdx hostapd[37261]: eth2: RADIUS Received 44 bytes from RADIUS server
Feb 19 07:41:29.429184 osdx hostapd[37261]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:29.429187 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:29.429238 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=4 id=16 len=4) from RADIUS server: EAP Failure
Feb 19 07:41:29.429263 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 16)
Feb 19 07:41:29.429276 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Feb 19 07:41:29.429279 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Feb 19 07:41:29.429282 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Feb 19 07:41:29.429286 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Feb 19 07:41:29.429333 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Feb 19 07:41:29.429340 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Feb 19 07:41:29.429351 osdx hostapd[37261]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:29.429363 osdx hostapd[37261]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:29.429374 osdx hostapd[37261]: eth2: RADIUS Received 44 bytes from RADIUS server
Feb 19 07:41:29.429376 osdx hostapd[37261]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:29.429378 osdx hostapd[37261]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Feb 19 07:41:29.429558 osdx hostapd[37261]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:41:29.429561 osdx hostapd[37261]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:29.429563 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:29.429566 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Feb 19 07:41:29.429579 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Feb 19 07:41:29.429582 osdx hostapd[37261]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:41:29.429589 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 19 07:41:29.429592 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 371382B0DD239D74
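
The token check in Step 6 can be generalized into a per-station classifier that flags the case this scenario produces: a supplicant whose identity RADIUS rejected, yet whose port opened on its MAC address alone. This is an added example, not part of the original page or the vendor's tooling; the sample journal is constructed in the page's log format, and the per-station form of the `MAB: Authentication failed` line is an assumption based on the token listed in the unsuccessful-fallback scenario.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# 802.1X PAE group address: hostapd logs it as a "STA", but it is not a client.
PAE_GROUP_MAC = "01:80:c2:00:00:03"

LINE_RE = re.compile(
    r"hostapd\[\d+\]:\s+(?P<iface>\S+):\s+STA\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?:IEEE 802\.1X|RADIUS):\s+(?P<msg>.*)$",
    re.IGNORECASE,
)
IDENTITY_RE = re.compile(r"^STA identity '(?P<identity>.*)'$")

# (message prefix, Session field, value). Prefixes are the tokens this page checks
# for; "MAB: Authentication failed" is assumed to be logged per station like the rest.
EVENTS = [
    ("authenticated - EAP type", "dot1x", "success"),
    ("authentication failed - EAP type", "dot1x", "failed"),
    ("802.1X authentication failed, triggering MAB fallback", "mab", "triggered"),
    ("MAB: station successfully authenticated", "mab", "success"),
    ("MAB: Authentication failed", "mab", "failed"),
    ("authorizing port", "port_authorized", True),
    ("unauthorizing port", "port_authorized", False),
]


@dataclass
class Session:
    iface: str
    mac: str
    identity: Optional[str] = None
    dot1x: str = "pending"    # pending | success | failed
    mab: str = "not-tried"    # not-tried | triggered | success | failed
    port_authorized: bool = False

    def outcome(self) -> str:
        if self.mab == "success" and self.port_authorized:
            return "mab-fallback" if self.dot1x == "failed" else "mab"
        if self.dot1x == "success" and self.port_authorized:
            return "802.1x"
        if self.dot1x == "failed" or self.mab == "failed":
            return "rejected"
        return "pending"


def parse_sessions(lines) -> List[Session]:
    """Group per-station hostapd lines into sessions; 'New STA' starts a new one."""
    sessions, open_sessions = [], {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["mac"].lower() == PAE_GROUP_MAC:
            continue  # interface-level line or PAE group address
        key = (m["iface"], m["mac"].lower())
        msg = m["msg"].strip()
        if msg.startswith("New STA") or key not in open_sessions:
            open_sessions[key] = Session(*key)
            sessions.append(open_sessions[key])
        session = open_sessions[key]
        ident = IDENTITY_RE.match(msg)
        if ident:
            session.identity = ident["identity"]
            continue
        for prefix, attr, value in EVENTS:
            if msg.startswith(prefix):
                setattr(session, attr, value)
                break
    return sessions


def fallback_after_rejected_identity(sessions) -> List[Session]:
    """Sessions that presented an 802.1X identity, failed, and were authorized by MAB."""
    return [s for s in sessions if s.outcome() == "mab-fallback" and s.identity]


# Constructed sample: abridged lines in this page's journal format, one run per scenario.
SAMPLE_JOURNAL = """\
Feb 19 07:41:14.100000 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Feb 19 07:41:14.100100 osdx hostapd[36743]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:41:14.100200 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Feb 19 07:41:17.072404 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Feb 19 07:41:17.072411 osdx hostapd[36743]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Feb 19 07:41:28.404421 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Feb 19 07:41:28.418320 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Feb 19 07:41:28.418922 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong'
Feb 19 07:41:29.429179 osdx hostapd[37261]: eth2: RADIUS Received 44 bytes from RADIUS server
Feb 19 07:41:29.429276 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Feb 19 07:41:29.429279 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Feb 19 07:41:29.429282 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Feb 19 07:41:29.429579 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Feb 19 07:41:29.429589 osdx hostapd[37261]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 19 07:41:39.667628 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Feb 19 07:41:39.681759 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Feb 19 07:41:40.700000 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Feb 19 07:41:40.700010 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Feb 19 07:41:40.700500 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed
"""

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_JOURNAL.splitlines()):
        print(f"{s.iface} {s.mac} identity={s.identity!r} -> {s.outcome()}")
```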

Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address, so both 802.1x authentication and the MAB fallback fail and the port stays unauthorized.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX197oXPWoRnHCBMu2t3PC3FXbb0gJyp1hmlICfYGu+izBcwiD7DZut6JHYlMss3k8T6LKKFCL/BkzQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.182 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.182/0.182/0.182/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+RccpKgi2pWOFf08/tOiUBf1xOdUxRPHI=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Unauthorized
Output:
---------------------------------
       Field            Value
---------------------------------
EAPoL Frames (Rx)              10
EAPoL Frames (Tx)              10
Invalid Frames (Rx)             0
Logoff Frames (Tx)              0
Port Status          Unauthorized
Req Frames (Rx)                 8
Req ID Frames (Rx)              1
Resp Frames (Tx)                9
Start Frames (Tx)               1

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                        10
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1 and expect the command to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Output:
Feb 19 07:41:36.337542 osdx hostapd[37778]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:41:36.337556 osdx hostapd[37778]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:41:36.337854 osdx hostapd[37778]: connect[radius]: Network is unreachable
Feb 19 07:41:36.337606 osdx hostapd[37778]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:41:36.337612 osdx hostapd[37778]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:41:36.377358 osdx hostapd[37778]: Discovery mode enabled on eth2
Feb 19 07:41:36.377455 osdx hostapd[37778]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:41:36.377474 osdx hostapd[37778]: eth2: AP-ENABLED
Feb 19 07:41:39.667628 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Feb 19 07:41:39.667641 osdx hostapd[37779]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:41:39.681364 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Feb 19 07:41:39.681387 osdx hostapd[37779]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 19 07:41:39.681391 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 19 07:41:39.681393 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 19 07:41:39.681406 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Feb 19 07:41:39.681408 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Feb 19 07:41:39.681415 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Feb 19 07:41:39.681423 osdx hostapd[37779]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:41:39.681446 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 161)
Feb 19 07:41:39.681749 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=161 len=10) from STA: EAP Response-Identity (1)
Feb 19 07:41:39.681759 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Feb 19 07:41:39.681778 osdx hostapd[37779]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:41:39.683568 osdx hostapd[37779]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:39.683598 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:39.683831 osdx hostapd[37779]: eth2: RADIUS Received 80 bytes from RADIUS server
Feb 19 07:41:39.683837 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:39.683841 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:39.683868 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=162 len=22) from RADIUS server: EAP-Request-MD5 (4)
Feb 19 07:41:39.683874 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 162)
Feb 19 07:41:39.684111 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=162 len=6) from STA: EAP Response-unknown (3)
Feb 19 07:41:39.684156 osdx hostapd[37779]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:39.684169 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:39.684372 osdx hostapd[37779]: eth2: RADIUS Received 64 bytes from RADIUS server
Feb 19 07:41:39.684378 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:39.684381 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:39.684395 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=163 len=6) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:39.684401 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 163)
Feb 19 07:41:39.684778 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=163 len=194) from STA: EAP Response-PEAP (25)
Feb 19 07:41:39.684820 osdx hostapd[37779]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:39.684830 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:39.686104 osdx hostapd[37779]: eth2: RADIUS Received 1068 bytes from RADIUS server
Feb 19 07:41:39.686111 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:39.686114 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:39.686144 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=164 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:39.686152 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 164)
Feb 19 07:41:39.686329 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=164 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:41:39.686382 osdx hostapd[37779]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:39.686396 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:39.686523 osdx hostapd[37779]: eth2: RADIUS Received 229 bytes from RADIUS server
Feb 19 07:41:39.686528 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:39.686530 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:39.686543 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=165 len=171) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:39.686548 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 165)
Feb 19 07:41:39.687852 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=165 len=103) from STA: EAP Response-PEAP (25)
Feb 19 07:41:39.687890 osdx hostapd[37779]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:39.687899 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:39.688178 osdx hostapd[37779]: eth2: RADIUS Received 115 bytes from RADIUS server
Feb 19 07:41:39.688183 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:39.688187 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:39.688203 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=166 len=57) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:39.688209 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 166)
Feb 19 07:41:39.688464 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=166 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:41:39.688502 osdx hostapd[37779]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:39.688513 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:39.688604 osdx hostapd[37779]: eth2: RADIUS Received 98 bytes from RADIUS server
Feb 19 07:41:39.688609 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:39.688613 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:39.688628 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=167 len=40) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:39.688641 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 167)
Feb 19 07:41:39.688798 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=167 len=41) from STA: EAP Response-PEAP (25)
Feb 19 07:41:39.688827 osdx hostapd[37779]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:39.688838 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:39.689013 osdx hostapd[37779]: eth2: RADIUS Received 131 bytes from RADIUS server
Feb 19 07:41:39.689021 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:39.689025 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:39.689052 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=168 len=73) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:39.689063 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 168)
Feb 19 07:41:39.689299 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=168 len=95) from STA: EAP Response-PEAP (25)
Feb 19 07:41:39.689342 osdx hostapd[37779]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:39.689356 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:39.689510 osdx hostapd[37779]: eth2: RADIUS Received 104 bytes from RADIUS server
Feb 19 07:41:39.689515 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:39.689519 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:39.689534 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=169 len=46) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:41:39.689540 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 169)
Feb 19 07:41:39.689688 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=169 len=46) from STA: EAP Response-PEAP (25)
Feb 19 07:41:39.689722 osdx hostapd[37779]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:39.689732 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:40.689814 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Feb 19 07:41:40.689852 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 19 07:41:40.690057 osdx hostapd[37779]: eth2: RADIUS Received 44 bytes from RADIUS server
Feb 19 07:41:40.690066 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:40.690070 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:40.690111 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=169 len=4) from RADIUS server: EAP Failure
Feb 19 07:41:40.690200 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 169)
Feb 19 07:41:40.690213 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Feb 19 07:41:40.690217 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Feb 19 07:41:40.690219 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Feb 19 07:41:40.690223 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Feb 19 07:41:40.690244 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Feb 19 07:41:40.690252 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Feb 19 07:41:40.690265 osdx hostapd[37779]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:41:40.690275 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:41:40.690290 osdx hostapd[37779]: eth2: RADIUS Received 44 bytes from RADIUS server
Feb 19 07:41:40.690292 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:40.690307 osdx hostapd[37779]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Feb 19 07:41:41.690334 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Feb 19 07:41:41.690539 osdx hostapd[37779]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 19 07:41:41.690550 osdx hostapd[37779]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:41:41.690554 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:41.690559 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:41:41.690564 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Feb 19 07:41:41.690622 osdx hostapd[37779]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:41:41.690626 osdx hostapd[37779]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:41:41.690629 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Feb 19 07:41:41.690633 osdx hostapd[37779]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Feb 19 07:41:41.690642 osdx hostapd[37779]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:41:41.690645 osdx hostapd[37779]: eth2: RADIUS Received RADIUS message
Feb 19 07:41:41.690648 osdx hostapd[37779]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet

Test Unsupported 802.1x Authentication With Successful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18ElIdhgJDvRijji4R3YNWgk2/7Vmp41Sled00jF+0ad65bHtVy40/JGlaaK5aabQB0AatqegLW9Q==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.304 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.304/0.304/0.304/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.480 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.480/0.480/0.480/0.000 ms

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         4
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.267 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.267/0.267/0.267/0.000 ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Show output
Feb 19 07:41:49.349874 osdx hostapd[38288]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:41:49.349890 osdx hostapd[38288]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:41:49.350149 osdx hostapd[38288]: connect[radius]: Network is unreachable
Feb 19 07:41:49.349935 osdx hostapd[38288]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:41:49.349939 osdx hostapd[38288]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:41:49.381719 osdx hostapd[38288]: Discovery mode enabled on eth2
Feb 19 07:41:49.381829 osdx hostapd[38288]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:41:49.381829 osdx hostapd[38288]: eth2: AP-ENABLED
Feb 19 07:41:54.382568 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Feb 19 07:41:54.382605 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Feb 19 07:41:54.382614 osdx hostapd[38289]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:41:54.397759 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Feb 19 07:41:54.397795 osdx hostapd[38289]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 19 07:41:54.397800 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 19 07:41:54.397803 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 19 07:41:54.397823 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Feb 19 07:41:54.397829 osdx hostapd[38289]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:41:54.397856 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 236)
Feb 19 07:41:57.400747 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 236)
Feb 19 07:42:03.405719 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 236)
Feb 19 07:42:15.415733 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Feb 19 07:42:15.415745 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Feb 19 07:42:15.415749 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Feb 19 07:42:15.415780 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Feb 19 07:42:15.417805 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Feb 19 07:42:15.417824 osdx hostapd[38289]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:42:15.417929 osdx hostapd[38289]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:42:15.417972 osdx hostapd[38289]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:42:15.418001 osdx hostapd[38289]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:42:15.418022 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 184)
Feb 19 07:42:15.418366 osdx hostapd[38289]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:42:15.418375 osdx hostapd[38289]: eth2: RADIUS Received RADIUS message
Feb 19 07:42:15.418380 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:42:15.418385 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Feb 19 07:42:15.418414 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Feb 19 07:42:15.418420 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Feb 19 07:42:15.418426 osdx hostapd[38289]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:42:15.418439 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 19 07:42:15.418444 osdx hostapd[38289]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session B467A5DDAFB16BDB

Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+cW/FFeGoMas7r5+A0TaNtl1XyyakqAUm0/cki/HISWFToK4c285XwPM/MS2hUCMKYXEd59Vx0GA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.228 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.228/0.228/0.228/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   2
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         4
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1. This command is expected to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Show output
Feb 19 07:42:26.377946 osdx hostapd[38851]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:42:26.377964 osdx hostapd[38851]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:42:26.378381 osdx hostapd[38851]: connect[radius]: Network is unreachable
Feb 19 07:42:26.378015 osdx hostapd[38851]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:42:26.378020 osdx hostapd[38851]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:42:26.405729 osdx hostapd[38851]: Discovery mode enabled on eth2
Feb 19 07:42:26.405835 osdx hostapd[38851]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:42:26.405835 osdx hostapd[38851]: eth2: AP-ENABLED
Feb 19 07:42:31.406308 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Feb 19 07:42:31.406349 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Feb 19 07:42:31.406355 osdx hostapd[38852]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:42:31.437754 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Feb 19 07:42:31.437784 osdx hostapd[38852]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 19 07:42:31.437789 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Feb 19 07:42:31.437793 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Feb 19 07:42:31.437809 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Feb 19 07:42:31.437819 osdx hostapd[38852]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:42:31.437847 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 162)
Feb 19 07:42:34.440720 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 162)
Feb 19 07:42:40.445749 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 162)
Feb 19 07:42:52.455532 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Feb 19 07:42:52.455540 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Feb 19 07:42:52.455545 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Feb 19 07:42:52.455580 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Feb 19 07:42:52.457294 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Feb 19 07:42:52.457307 osdx hostapd[38852]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:42:52.457386 osdx hostapd[38852]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:42:52.457421 osdx hostapd[38852]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:42:52.457442 osdx hostapd[38852]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:42:52.457461 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 9)
Feb 19 07:42:53.457702 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Feb 19 07:42:53.457755 osdx hostapd[38852]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 19 07:42:53.457910 osdx hostapd[38852]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:42:53.457914 osdx hostapd[38852]: eth2: RADIUS Received RADIUS message
Feb 19 07:42:53.457918 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:42:53.457922 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Feb 19 07:42:53.457974 osdx hostapd[38852]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:42:53.457977 osdx hostapd[38852]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:42:53.457980 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Feb 19 07:42:53.457983 osdx hostapd[38852]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Feb 19 07:42:53.457991 osdx hostapd[38852]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:42:53.457994 osdx hostapd[38852]: eth2: RADIUS Received RADIUS message
Feb 19 07:42:53.457996 osdx hostapd[38852]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
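
The token checks in the journal steps above can be generalised into a per-station summary. The following is an added example, not part of the OSDx documentation: it parses hostapd lines in the format shown on this page and reports why 802.1X fell back to MAB, what MAB returned, and the final port state. The sample lines (MACs, PIDs, timestamps) are constructed, and `Session`, `parse_journal` and `opened_by_mac_only` are names chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# 802.1X PAE group address: hostapd logs it as a "STA", but it is not a client.
PAE_GROUP_MAC = "01:80:c2:00:00:03"
# "<timestamp> osdx hostapd[pid]: <if>: STA <mac> <module>: <message>"
LINE_RE = re.compile(
    r"hostapd\[\d+\]: \S+: STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"[^:]+: (?P<msg>.*)$"
)
QUIET_RE = re.compile(r"quiet period (\d+) sec")
# Exact messages from the page's journal output, mapped to a fallback reason.
FALLBACK_REASONS = {
    "EAP max retrans reached, triggering MAB fallback immediately": "no-eap-response",
    "802.1X authentication failed, triggering MAB fallback immediately": "eap-failure",
}


@dataclass
class Session:
    mac: str
    fallback_reason: Optional[str] = None  # why 802.1X gave way to MAB
    mab_result: Optional[str] = None       # "accepted" or "rejected"
    port_authorized: bool = False
    quiet_period: Optional[int] = None     # seconds in held state after a reject


def parse_journal(lines: Iterable[str]) -> Dict[str, Session]:
    """Return the latest authentication state per station MAC."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["mac"] == PAE_GROUP_MAC:
            continue  # interface-level RADIUS lines and the PAE group address
        mac, msg = m["mac"], m["msg"].strip()
        if msg.startswith("New STA "):
            sessions[mac] = Session(mac)  # a fresh attempt resets earlier state
            continue
        s = sessions.setdefault(mac, Session(mac))
        if msg in FALLBACK_REASONS:
            s.fallback_reason = FALLBACK_REASONS[msg]
        elif msg == "MAB: station successfully authenticated":
            s.mab_result = "accepted"
        elif msg.startswith("MAB: Authentication failed"):
            s.mab_result = "rejected"
            quiet = QUIET_RE.search(msg)
            s.quiet_period = int(quiet.group(1)) if quiet else None
        elif msg == "authorizing port":  # exact: "unauthorizing port" ends the same way
            s.port_authorized = True
        elif msg == "unauthorizing port":
            s.port_authorized = False
    return sessions


def opened_by_mac_only(sessions: Dict[str, Session]) -> List[str]:
    """Stations whose port is open because MAB accepted the MAC address."""
    return sorted(mac for mac, s in sessions.items()
                  if s.port_authorized and s.mab_result == "accepted")


# Constructed sample in the page's log format (MACs, PIDs, timestamps invented).
SAMPLE_JOURNAL = """\
Feb 19 08:00:00.000001 osdx hostapd[100]: eth2: STA 02:00:00:00:00:0a IEEE 802.1X: New STA 02:00:00:00:00:0a added
Feb 19 08:00:00.000002 osdx hostapd[100]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 08:00:00.000003 osdx hostapd[100]: eth2: STA 02:00:00:00:00:0a IEEE 802.1X: unauthorizing port
Feb 19 08:00:21.000001 osdx hostapd[100]: eth2: STA 02:00:00:00:00:0a IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Feb 19 08:00:21.000002 osdx hostapd[100]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 08:00:21.000003 osdx hostapd[100]: eth2: STA 02:00:00:00:00:0a IEEE 802.1X: MAB: station successfully authenticated
Feb 19 08:00:21.000004 osdx hostapd[100]: eth2: STA 02:00:00:00:00:0a IEEE 802.1X: authorizing port
Feb 19 08:01:00.000001 osdx hostapd[100]: eth2: STA 02:00:00:00:00:0b IEEE 802.1X: New STA 02:00:00:00:00:0b added
Feb 19 08:01:00.000002 osdx hostapd[100]: eth2: STA 02:00:00:00:00:0b IEEE 802.1X: unauthorizing port
Feb 19 08:01:01.000001 osdx hostapd[100]: eth2: STA 02:00:00:00:00:0b IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Feb 19 08:01:02.000001 osdx hostapd[100]: eth2: STA 02:00:00:00:00:0b IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
"""

if __name__ == "__main__":
    print(parse_journal(SAMPLE_JOURNAL.splitlines()))
```

`opened_by_mac_only` lists the ports that were authorized with the MAC address as both User-Name and User-Password, as the MAB lines in the journal show, which makes it a natural review list when auditing fallback-enabled interfaces.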