MAB First

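This scenario shows how to configure the MAB-first authentication mode, in which the authenticator tries MAC Authentication Bypass (MAB) first and falls back to 802.1x only if MAB fails.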

[Figure: topology of DUT0 and DUT1]

Test Successful MAB Authentication With Successful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/yHnqeRaxJm8Ps9pDCrT/mOM/FnMxFZgNLzRcf8g+6jxAfgdMXNt+difsUvWoCY+ep5ihMyx79bA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.233 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.233/0.233/0.233/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+/kbbmYdxYDGCXdFojYkmXIP+lv4R0lYE=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         1
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.204 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.204/0.204/0.204/0.000 ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Feb 19 07:43:04.506758 osdx hostapd[39401]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:43:04.506770 osdx hostapd[39401]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:43:04.506986 osdx hostapd[39401]: connect[radius]: Network is unreachable
Feb 19 07:43:04.506803 osdx hostapd[39401]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:43:04.506806 osdx hostapd[39401]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:43:04.522623 osdx hostapd[39401]: Discovery mode enabled on eth2
Feb 19 07:43:04.522681 osdx hostapd[39401]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:43:04.522681 osdx hostapd[39401]: eth2: AP-ENABLED
Feb 19 07:43:07.613913 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Feb 19 07:43:07.613927 osdx hostapd[39402]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:43:07.626667 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Feb 19 07:43:07.626693 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Feb 19 07:43:07.626706 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Feb 19 07:43:07.628573 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Feb 19 07:43:07.628592 osdx hostapd[39402]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:43:07.628673 osdx hostapd[39402]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:07.628706 osdx hostapd[39402]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:07.628735 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Feb 19 07:43:07.628992 osdx hostapd[39402]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:43:07.628998 osdx hostapd[39402]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:07.629003 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:07.629007 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Feb 19 07:43:07.629030 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Feb 19 07:43:07.629033 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Feb 19 07:43:07.629037 osdx hostapd[39402]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:43:07.629047 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 19 07:43:07.629051 osdx hostapd[39402]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session F269AA193D28A88B

Test Successful MAB Authentication With Unsuccessful 802.1x Fallback

Description

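This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials. Because MAB succeeds first, the port is authorized on the MAC address alone and the wrong 802.1x credentials do not cause an authentication failure.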

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18gSUivvMOdd3tFhqg/xjOZH4OOOT5gdp7VdRaJY/2tZmZ+w9qseDwS55G1YgwbT9cdyzRUTKuXsw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.224 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.224/0.224/0.224/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+uYi7ta2nE4NyOI6RXUDPVoK6o+HxcrzQ=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         1
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.219 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.219/0.219/0.219/0.000 ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Feb 19 07:43:16.422340 osdx hostapd[39920]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:43:16.422356 osdx hostapd[39920]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:43:16.422697 osdx hostapd[39920]: connect[radius]: Network is unreachable
Feb 19 07:43:16.422401 osdx hostapd[39920]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:43:16.422405 osdx hostapd[39920]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:43:16.442153 osdx hostapd[39920]: Discovery mode enabled on eth2
Feb 19 07:43:16.442232 osdx hostapd[39920]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:43:16.442232 osdx hostapd[39920]: eth2: AP-ENABLED
Feb 19 07:43:19.713470 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Feb 19 07:43:19.713483 osdx hostapd[39921]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:43:19.726197 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Feb 19 07:43:19.726226 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Feb 19 07:43:19.726244 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Feb 19 07:43:19.728575 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Feb 19 07:43:19.728592 osdx hostapd[39921]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:43:19.728675 osdx hostapd[39921]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:19.728708 osdx hostapd[39921]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:19.728737 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Feb 19 07:43:19.728945 osdx hostapd[39921]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:43:19.728951 osdx hostapd[39921]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:19.728955 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:19.728960 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Feb 19 07:43:19.728978 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Feb 19 07:43:19.728981 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Feb 19 07:43:19.728985 osdx hostapd[39921]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:43:19.728995 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 19 07:43:19.728999 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 8046A93A8FD92298
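
The journal check in Step 6 can be automated to show which method actually opened the port. The following Python is an added example, not part of the original page or of OSDx: it folds "osdx hostapd" lines into one record per station and flags a station that sent EAPOL-Start but was authorized by MAB alone, as in this scenario. The function names, the labels and the sample lines (constructed in the page's log format; the "authenticated - EAP type" line uses the token from the 802.1x-fallback scenario) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Per-station hostapd journal line, e.g.
# "... osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port"
STA_LINE = re.compile(
    r"hostapd\[\d+\]: (?P<ifname>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:IEEE 802\.1X|RADIUS|DRIVER): (?P<msg>.*)$"
)
PAE_GROUP_MAC = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a station


@dataclass
class Station:
    mac: str
    ifname: str
    eapol_start: bool = False          # station runs an 802.1X supplicant
    mab_result: str = "none"           # "none", "success" or "failed"
    dot1x_authenticated: bool = False
    eap_identity: Optional[str] = None
    authorized: bool = False


def parse_journal(text: str) -> Dict[str, Station]:
    """Fold hostapd journal lines into one Station record per MAC address."""
    stations: Dict[str, Station] = {}
    for line in text.splitlines():
        m = STA_LINE.search(line.strip())
        if not m or m["mac"] == PAE_GROUP_MAC:
            continue
        sta = stations.setdefault(m["mac"], Station(m["mac"], m["ifname"]))
        msg = m["msg"]
        if msg.startswith("received EAPOL-Start"):
            sta.eapol_start = True
        elif msg == "MAB: station successfully authenticated":
            sta.mab_result = "success"
        elif msg.startswith("MAB-first mode: MAB failed"):
            sta.mab_result = "failed"
        elif msg.startswith("STA identity '"):
            sta.eap_identity = msg.split("'")[1]
        elif msg.startswith("authenticated - EAP type:"):
            sta.dot1x_authenticated = True
        elif msg == "authorizing port":
            sta.authorized = True
    return stations


def classify(sta: Station) -> str:
    """Label how the port was opened (the labels are this example's own)."""
    if sta.mab_result == "success" and sta.authorized:
        # The MAC address alone opened the port. If the station also sent
        # EAPOL-Start, its 802.1X credentials were never evaluated.
        return "mab-supplicant-unverified" if sta.eapol_start else "mab-only"
    if sta.mab_result == "failed":
        return "802.1x-fallback" if sta.dot1x_authenticated else "mab-failed"
    return "unknown"


def report(text: str) -> Dict[str, str]:
    """Map each station MAC seen in the journal text to its label."""
    return {mac: classify(sta) for mac, sta in parse_journal(text).items()}


# Constructed sample input in the page's log format: station with a supplicant.
MAB_WITH_SUPPLICANT = """
Feb 19 07:43:19.726197 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Feb 19 07:43:19.728737 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Feb 19 07:43:19.728981 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Feb 19 07:43:19.728995 osdx hostapd[39921]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
"""

# Constructed sample: station without a supplicant (no EAPOL-Start is logged).
MAB_NO_SUPPLICANT = """
Feb 19 07:43:32.220793 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Feb 19 07:43:32.238759 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Feb 19 07:43:32.238777 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
"""

# Constructed sample: MAB rejected, then 802.1X succeeds. The last line is
# built from the expected token; its timestamp is made up.
FALLBACK_TO_DOT1X = """
Feb 19 07:43:45.696474 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Feb 19 07:43:46.696836 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Feb 19 07:43:46.696852 osdx hostapd[40964]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:43:46.697210 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Feb 19 07:43:46.703000 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
"""

if __name__ == "__main__":
    for name, sample in [("supplicant", MAB_WITH_SUPPLICANT),
                         ("no supplicant", MAB_NO_SUPPLICANT),
                         ("fallback", FALLBACK_TO_DOT1X)]:
        print(name, report(sample))
```

A station labelled mab-supplicant-unverified is one whose MAC entry on the RADIUS server admits it before its 802.1x credentials are ever evaluated.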

Test Successful MAB Authentication With Unsupported 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+VIpYWSXNZPfWstkME67HtKEwe9h9GRteppc4XJJwCUAfeLdKtZeYWLiysQmtc7HBNxL6S8GHkQg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.468 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.468/0.468/0.468/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.612 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.612/0.612/0.612/0.000 ms

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.322 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.322/0.322/0.322/0.000 ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Feb 19 07:43:27.204072 osdx hostapd[40437]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:43:27.204372 osdx hostapd[40437]: connect[radius]: Network is unreachable
Feb 19 07:43:27.204085 osdx hostapd[40437]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:43:27.204121 osdx hostapd[40437]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:43:27.204125 osdx hostapd[40437]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:43:27.219896 osdx hostapd[40437]: Discovery mode enabled on eth2
Feb 19 07:43:27.219957 osdx hostapd[40437]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:43:27.219957 osdx hostapd[40437]: eth2: AP-ENABLED
Feb 19 07:43:32.220793 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Feb 19 07:43:32.220829 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Feb 19 07:43:32.220837 osdx hostapd[40438]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:43:32.235940 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Feb 19 07:43:32.235968 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Feb 19 07:43:32.235988 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Feb 19 07:43:32.238307 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Feb 19 07:43:32.238323 osdx hostapd[40438]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:43:32.238407 osdx hostapd[40438]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:32.238441 osdx hostapd[40438]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:32.238722 osdx hostapd[40438]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:43:32.238728 osdx hostapd[40438]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:32.238732 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:32.238737 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Feb 19 07:43:32.238756 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Feb 19 07:43:32.238759 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Feb 19 07:43:32.238763 osdx hostapd[40438]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:43:32.238777 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Feb 19 07:43:32.238781 osdx hostapd[40438]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session F72756BE2203E9B9

Test Unsuccessful MAB Authentication With Successful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19+NWipKeYfK1c41enzRVYTUTcNEDB5jcB1OZjIoXV7t3EjObunLb+UITSC8uVA6bCERuk0yyE2AQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.255 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.255/0.255/0.255/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+N8g0HrwTrofZD0QduCKv/8Ey4qbGBK1o=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Output:
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Output:
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X
Output:
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     1
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            00:11:22:33:44:55
Session User Name                     testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.355 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.355/0.355/0.355/0.000 ms

Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Output:
Feb 19 07:43:42.362602 osdx hostapd[40963]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:43:42.362614 osdx hostapd[40963]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:43:42.362881 osdx hostapd[40963]: connect[radius]: Network is unreachable
Feb 19 07:43:42.362650 osdx hostapd[40963]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:43:42.362653 osdx hostapd[40963]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:43:42.378471 osdx hostapd[40963]: Discovery mode enabled on eth2
Feb 19 07:43:42.378536 osdx hostapd[40963]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:43:42.378536 osdx hostapd[40963]: eth2: AP-ENABLED
Feb 19 07:43:45.672773 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Feb 19 07:43:45.672787 osdx hostapd[40964]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:43:45.694511 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Feb 19 07:43:45.694545 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Feb 19 07:43:45.694562 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Feb 19 07:43:45.696323 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Feb 19 07:43:45.696333 osdx hostapd[40964]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:43:45.696414 osdx hostapd[40964]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:45.696447 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:45.696474 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Feb 19 07:43:46.696529 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Feb 19 07:43:46.696561 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 19 07:43:46.696755 osdx hostapd[40964]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:43:46.696760 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.696773 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:46.696778 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Feb 19 07:43:46.696832 osdx hostapd[40964]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:43:46.696836 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Feb 19 07:43:46.696840 osdx hostapd[40964]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 19 07:43:46.696844 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Feb 19 07:43:46.696852 osdx hostapd[40964]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:43:46.696879 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 113)
Feb 19 07:43:46.696894 osdx hostapd[40964]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:43:46.696897 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.696901 osdx hostapd[40964]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Feb 19 07:43:46.697200 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=113 len=12) from STA: EAP Response-Identity (1)
Feb 19 07:43:46.697210 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Feb 19 07:43:46.697282 osdx hostapd[40964]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:46.697297 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:46.697538 osdx hostapd[40964]: eth2: RADIUS Received 80 bytes from RADIUS server
Feb 19 07:43:46.697545 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.697550 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:46.697581 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=114 len=22) from RADIUS server: EAP-Request-MD5 (4)
Feb 19 07:43:46.697592 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 114)
Feb 19 07:43:46.697780 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=114 len=6) from STA: EAP Response-unknown (3)
Feb 19 07:43:46.697825 osdx hostapd[40964]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:46.697837 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:46.698019 osdx hostapd[40964]: eth2: RADIUS Received 64 bytes from RADIUS server
Feb 19 07:43:46.698024 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.698028 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:46.698045 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=115 len=6) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:46.698051 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 115)
Feb 19 07:43:46.698393 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=115 len=194) from STA: EAP Response-PEAP (25)
Feb 19 07:43:46.698456 osdx hostapd[40964]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:46.698472 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:46.699539 osdx hostapd[40964]: eth2: RADIUS Received 1068 bytes from RADIUS server
Feb 19 07:43:46.699547 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.699550 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:46.699573 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=116 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:46.699580 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 116)
Feb 19 07:43:46.699782 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=116 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:43:46.699830 osdx hostapd[40964]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:46.699842 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:46.699962 osdx hostapd[40964]: eth2: RADIUS Received 229 bytes from RADIUS server
Feb 19 07:43:46.699971 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.699974 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:46.699988 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=117 len=171) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:46.699993 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 117)
Feb 19 07:43:46.701286 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=117 len=103) from STA: EAP Response-PEAP (25)
Feb 19 07:43:46.701333 osdx hostapd[40964]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:46.701346 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:46.701670 osdx hostapd[40964]: eth2: RADIUS Received 115 bytes from RADIUS server
Feb 19 07:43:46.701675 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.701679 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:46.701699 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=118 len=57) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:46.701705 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 118)
Feb 19 07:43:46.701948 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=118 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:43:46.701986 osdx hostapd[40964]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:46.702000 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:46.702155 osdx hostapd[40964]: eth2: RADIUS Received 98 bytes from RADIUS server
Feb 19 07:43:46.702160 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.702163 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:46.702175 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=119 len=40) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:46.702180 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 119)
Feb 19 07:43:46.702340 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=119 len=43) from STA: EAP Response-PEAP (25)
Feb 19 07:43:46.702368 osdx hostapd[40964]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:46.702378 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:46.702540 osdx hostapd[40964]: eth2: RADIUS Received 131 bytes from RADIUS server
Feb 19 07:43:46.702545 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.702548 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:46.702559 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=120 len=73) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:46.702566 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 120)
Feb 19 07:43:46.702788 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=120 len=97) from STA: EAP Response-PEAP (25)
Feb 19 07:43:46.702823 osdx hostapd[40964]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:46.702833 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:46.702990 osdx hostapd[40964]: eth2: RADIUS Received 140 bytes from RADIUS server
Feb 19 07:43:46.702994 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.702997 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:46.703011 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=121 len=82) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:46.703016 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 121)
Feb 19 07:43:46.703166 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=121 len=37) from STA: EAP Response-PEAP (25)
Feb 19 07:43:46.703195 osdx hostapd[40964]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:46.703207 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:46.703335 osdx hostapd[40964]: eth2: RADIUS Received 104 bytes from RADIUS server
Feb 19 07:43:46.703340 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.703343 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:46.703354 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=122 len=46) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:46.703359 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 122)
Feb 19 07:43:46.703541 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=122 len=46) from STA: EAP Response-PEAP (25)
Feb 19 07:43:46.703572 osdx hostapd[40964]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:46.703584 osdx hostapd[40964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:46.703733 osdx hostapd[40964]: eth2: RADIUS Received 175 bytes from RADIUS server
Feb 19 07:43:46.703737 osdx hostapd[40964]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:46.703740 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:46.703758 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Feb 19 07:43:46.703761 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=122 len=4) from RADIUS server: EAP Success
Feb 19 07:43:46.703773 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 122)
Feb 19 07:43:46.703788 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Feb 19 07:43:46.703791 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session FCE2ABC5C0FBB114
Feb 19 07:43:46.703800 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+V9kPT8LojXk2BG7oJN0urUbXYO2JvAshBMYqaWF0gPPRdukUuwZDzWcHntEbvc2iFOQS15EEbBA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.194 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.194/0.194/0.194/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19tP15BK5XRVesKpa0+q6jOx7PJj16g/+g=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Unauthorized
---------------------------------
       Field            Value
---------------------------------
EAPoL Frames (Rx)               9
EAPoL Frames (Tx)              10
Invalid Frames (Rx)             0
Logoff Frames (Tx)              0
Port Status          Unauthorized
Req Frames (Rx)                 8
Req ID Frames (Rx)              1
Resp Frames (Tx)                9
Start Frames (Tx)               1

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                         9
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 6: Expect a failure in the following command: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Feb 19 07:43:54.198719 osdx hostapd[41485]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:43:54.198732 osdx hostapd[41485]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:43:54.198926 osdx hostapd[41485]: connect[radius]: Network is unreachable
Feb 19 07:43:54.198772 osdx hostapd[41485]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:43:54.198776 osdx hostapd[41485]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:43:54.226555 osdx hostapd[41485]: Discovery mode enabled on eth2
Feb 19 07:43:54.226607 osdx hostapd[41485]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:43:54.226607 osdx hostapd[41485]: eth2: AP-ENABLED
Feb 19 07:43:57.357842 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Feb 19 07:43:57.357854 osdx hostapd[41486]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:43:57.370576 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Feb 19 07:43:57.370604 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Feb 19 07:43:57.370618 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Feb 19 07:43:57.372318 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Feb 19 07:43:57.372331 osdx hostapd[41486]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:43:57.372400 osdx hostapd[41486]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:57.372426 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:57.372450 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Feb 19 07:43:58.372521 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Feb 19 07:43:58.372554 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 19 07:43:58.372741 osdx hostapd[41486]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:43:58.372744 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:58.372748 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:58.372751 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Feb 19 07:43:58.372797 osdx hostapd[41486]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:43:58.372800 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Feb 19 07:43:58.372802 osdx hostapd[41486]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 19 07:43:58.372805 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Feb 19 07:43:58.372811 osdx hostapd[41486]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:43:58.372824 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 64)
Feb 19 07:43:58.372835 osdx hostapd[41486]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:43:58.372837 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:58.372840 osdx hostapd[41486]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Feb 19 07:43:58.373132 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=64 len=10) from STA: EAP Response-Identity (1)
Feb 19 07:43:58.373142 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Feb 19 07:43:58.373189 osdx hostapd[41486]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:58.373202 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:58.373408 osdx hostapd[41486]: eth2: RADIUS Received 80 bytes from RADIUS server
Feb 19 07:43:58.373413 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:58.373417 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:58.373437 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=65 len=22) from RADIUS server: EAP-Request-MD5 (4)
Feb 19 07:43:58.373442 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 65)
Feb 19 07:43:58.373638 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=65 len=6) from STA: EAP Response-unknown (3)
Feb 19 07:43:58.373683 osdx hostapd[41486]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:58.373695 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:58.373873 osdx hostapd[41486]: eth2: RADIUS Received 64 bytes from RADIUS server
Feb 19 07:43:58.373878 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:58.373882 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:58.373897 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=66 len=6) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:58.373904 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 66)
Feb 19 07:43:58.374294 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=66 len=194) from STA: EAP Response-PEAP (25)
Feb 19 07:43:58.374351 osdx hostapd[41486]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:58.374369 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:58.375615 osdx hostapd[41486]: eth2: RADIUS Received 1068 bytes from RADIUS server
Feb 19 07:43:58.375624 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:58.375628 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:58.375657 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=67 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:58.375666 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 67)
Feb 19 07:43:58.379647 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=67 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:43:58.379721 osdx hostapd[41486]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:58.379743 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:58.379946 osdx hostapd[41486]: eth2: RADIUS Received 229 bytes from RADIUS server
Feb 19 07:43:58.379951 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:58.379954 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:58.379973 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=68 len=171) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:58.379981 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 68)
Feb 19 07:43:58.381765 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=68 len=103) from STA: EAP Response-PEAP (25)
Feb 19 07:43:58.381824 osdx hostapd[41486]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:58.381839 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:58.382183 osdx hostapd[41486]: eth2: RADIUS Received 115 bytes from RADIUS server
Feb 19 07:43:58.382188 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:58.382192 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:58.382208 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=69 len=57) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:58.382213 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 69)
Feb 19 07:43:58.382445 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=69 len=6) from STA: EAP Response-PEAP (25)
Feb 19 07:43:58.382478 osdx hostapd[41486]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:58.382492 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:58.382638 osdx hostapd[41486]: eth2: RADIUS Received 98 bytes from RADIUS server
Feb 19 07:43:58.382644 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:58.382648 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:58.382664 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=70 len=40) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:58.382670 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 70)
Feb 19 07:43:58.382831 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=70 len=41) from STA: EAP Response-PEAP (25)
Feb 19 07:43:58.382867 osdx hostapd[41486]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:58.382878 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:58.383012 osdx hostapd[41486]: eth2: RADIUS Received 131 bytes from RADIUS server
Feb 19 07:43:58.383018 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:58.383021 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:58.383038 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=71 len=73) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:58.383047 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 71)
Feb 19 07:43:58.383313 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=71 len=95) from STA: EAP Response-PEAP (25)
Feb 19 07:43:58.383344 osdx hostapd[41486]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:58.383358 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:58.383561 osdx hostapd[41486]: eth2: RADIUS Received 104 bytes from RADIUS server
Feb 19 07:43:58.383567 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:58.383570 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:58.383590 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=72 len=46) from RADIUS server: EAP-Request-PEAP (25)
Feb 19 07:43:58.383601 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 72)
Feb 19 07:43:58.383757 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=72 len=46) from STA: EAP Response-PEAP (25)
Feb 19 07:43:58.383792 osdx hostapd[41486]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:43:58.383803 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:43:59.383904 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Feb 19 07:43:59.383945 osdx hostapd[41486]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 19 07:43:59.384114 osdx hostapd[41486]: eth2: RADIUS Received 44 bytes from RADIUS server
Feb 19 07:43:59.384119 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:59.384124 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:43:59.384186 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=72 len=4) from RADIUS server: EAP Failure
Feb 19 07:43:59.384215 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 72)
Feb 19 07:43:59.384230 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Feb 19 07:43:59.384235 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Feb 19 07:43:59.384239 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds)
Feb 19 07:43:59.384244 osdx hostapd[41486]: eth2: RADIUS Received 44 bytes from RADIUS server
Feb 19 07:43:59.384247 osdx hostapd[41486]: eth2: RADIUS Received RADIUS message
Feb 19 07:43:59.384250 osdx hostapd[41486]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
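
The outcomes these scenarios check for in the DUT0 journal (802.1X success, 802.1X failure after a failed MAB attempt, and the EAP timeout exercised by the next scenario) can be told apart per station from the hostapd lines alone. The Python below is an added example, not part of the OSDx documentation or tooling: the function names and result fields are hypothetical, the sample lines are abridged from the journal output on this page, and the year used for timestamp arithmetic is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: lines abridged from the three journal excerpts on this page.
SAMPLE_JOURNAL = """\
Feb 19 07:43:46.703758 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Feb 19 07:43:46.703788 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Feb 19 07:43:46.703800 osdx hostapd[40964]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Feb 19 07:43:57.370576 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Feb 19 07:43:58.372800 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Feb 19 07:43:58.372802 osdx hostapd[41486]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 19 07:43:58.372824 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 64)
Feb 19 07:43:58.373132 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=64 len=10) from STA: EAP Response-Identity (1)
Feb 19 07:43:58.373142 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Feb 19 07:43:59.384235 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Feb 19 07:43:59.384239 osdx hostapd[41486]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds)
Feb 19 07:44:11.525267 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Feb 19 07:44:12.532340 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Feb 19 07:44:12.532374 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 16)
Feb 19 07:44:15.529178 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 16)
Feb 19 07:44:21.534170 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 16)
Feb 19 07:44:33.545194 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying
"""

# 802.1X PAE group address; hostapd logs it as a pseudo-STA, so it is not a client.
PAE_GROUP_ADDR = "01:80:c2:00:00:03"

# Only per-station lines are matched; interface-level RADIUS lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+) \S+ hostapd\[(?P<pid>\d+)\]: "
    r"(?P<iface>\S+): STA (?P<sta>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<msg>.*)$"
)
IDENTITY_RE = re.compile(r"(?:STA identity|User-Name from Access-Accept) '([^']*)'")
QUIET_RE = re.compile(r"enforcing (?:quiet period \((\d+) seconds\)|(\d+) second quiet period)")
# Terminal tokens, exactly as they appear in the journal output on this page.
OUTCOMES = (
    ("IEEE 802.1X: authenticated - EAP type:", "dot1x-success"),
    ("IEEE 802.1X: authentication failed - EAP type:", "dot1x-failed"),
    ("IEEE 802.1X: EAP authentication timeout", "dot1x-timeout"),
)


def _parse_ts(ts):
    # Journal lines carry no year; a fixed leap year (assumption) keeps Feb 29 parseable.
    return datetime.strptime("2024 " + ts, "%Y %b %d %H:%M:%S.%f")


def classify_sessions(journal_text):
    """Return one summary dict per (hostapd pid, interface, station MAC), in log order."""
    sessions = {}
    for raw in journal_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["sta"].lower() == PAE_GROUP_ADDR:
            continue
        ts, msg = _parse_ts(m["ts"]), m["msg"]
        key = (int(m["pid"]), m["iface"], m["sta"].lower())
        s = sessions.setdefault(key, {
            "pid": key[0], "iface": key[1], "sta": key[2], "first_seen": ts,
            "mab_failed": False, "identity": None, "eap_tx": 0, "eap_rx": 0,
            "outcome": "undetermined", "elapsed_s": None, "quiet_period_s": None,
        })
        if "MAB-first mode: MAB failed, transitioning to 802.1X" in msg:
            s["mab_failed"] = True
        elif "IEEE 802.1X: Sending EAP Packet" in msg:
            s["eap_tx"] += 1
        elif "IEEE 802.1X: received EAP packet" in msg:
            s["eap_rx"] += 1
        ident = IDENTITY_RE.search(msg)
        if ident:
            s["identity"] = ident.group(1)
        for token, outcome in OUTCOMES:
            if token in msg:
                s["outcome"] = outcome
                s["elapsed_s"] = round((ts - s["first_seen"]).total_seconds(), 3)
        quiet = QUIET_RE.search(msg)
        if quiet:
            s["quiet_period_s"] = int(quiet.group(1) or quiet.group(2))
    return list(sessions.values())


def rejected_stations(sessions):
    """Sessions where MAB failed and the 802.1X fallback also ended without access."""
    return [s for s in sessions
            if s["mab_failed"] and s["outcome"] in ("dot1x-failed", "dot1x-timeout")]


if __name__ == "__main__":
    for s in classify_sessions(SAMPLE_JOURNAL):
        print(s["pid"], s["sta"], s["outcome"], "identity=%s" % s["identity"],
              "eap_tx=%d eap_rx=%d" % (s["eap_tx"], s["eap_rx"]),
              "quiet=%s" % s["quiet_period_s"])
```

A timeout session with `eap_rx` at 0 indicates a client that never answered EAP at all, which is how the unsupported-supplicant case differs from a credential failure in the same journal.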

Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1990C1DHkOkLj9jhe5ehW4QkPUIibyWoTPgACQ6XBhnoUx0SBEOk53aAcHE23Haooho0KtN43/drw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.202 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.202/0.202/0.202/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         2
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 5: Expect a failure in the following command: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: EAP authentication timeout
Feb 19 07:44:06.489239 osdx hostapd[42002]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Feb 19 07:44:06.489251 osdx hostapd[42002]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:44:06.489461 osdx hostapd[42002]: connect[radius]: Network is unreachable
Feb 19 07:44:06.489286 osdx hostapd[42002]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Feb 19 07:44:06.489289 osdx hostapd[42002]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Feb 19 07:44:06.509143 osdx hostapd[42002]: Discovery mode enabled on eth2
Feb 19 07:44:06.509202 osdx hostapd[42002]: eth2: interface state UNINITIALIZED->ENABLED
Feb 19 07:44:06.509202 osdx hostapd[42002]: eth2: AP-ENABLED
Feb 19 07:44:11.509981 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Feb 19 07:44:11.510042 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Feb 19 07:44:11.510061 osdx hostapd[42003]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Feb 19 07:44:11.525267 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Feb 19 07:44:11.525342 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Feb 19 07:44:11.525392 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Feb 19 07:44:11.531344 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Feb 19 07:44:11.531377 osdx hostapd[42003]: eth2: RADIUS Authentication server 10.215.168.1:1812
Feb 19 07:44:11.531582 osdx hostapd[42003]: eth2: RADIUS Sending RADIUS message to authentication server
Feb 19 07:44:11.531648 osdx hostapd[42003]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Feb 19 07:44:12.531722 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Feb 19 07:44:12.531759 osdx hostapd[42003]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Feb 19 07:44:12.532260 osdx hostapd[42003]: eth2: RADIUS Received 20 bytes from RADIUS server
Feb 19 07:44:12.532269 osdx hostapd[42003]: eth2: RADIUS Received RADIUS message
Feb 19 07:44:12.532275 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Feb 19 07:44:12.532280 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Feb 19 07:44:12.532336 osdx hostapd[42003]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Feb 19 07:44:12.532340 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Feb 19 07:44:12.532344 osdx hostapd[42003]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Feb 19 07:44:12.532348 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Feb 19 07:44:12.532356 osdx hostapd[42003]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Feb 19 07:44:12.532374 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 16)
Feb 19 07:44:15.529178 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 16)
Feb 19 07:44:20.233149 osdx OSDxCLI[6022]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Feb 19 07:44:21.534170 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 16)
Feb 19 07:44:28.420307 osdx OSDxCLI[6022]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Feb 19 07:44:33.545179 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Feb 19 07:44:33.545194 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying
Feb 19 07:44:33.545217 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2)
Feb 19 07:44:33.545220 osdx hostapd[42003]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)