Dhcp
This scenario shows how to configure a device to perform 802.1X/MAB authentication. The supplicant uses DHCP and no additional traffic is sent to start the authentication process.
Test Denied Authentication With DHCP Client
Description
This scenario shows how to configure 802.1X/MAB authentication in a device with a DHCP-Server. A DHCP-Client is connected, but authentication fails. This test-case ensures it does not get a DHCP lease.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address dhcp set interfaces ethernet eth2 mac '00:11:22:33:44:55' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode 802.1x-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19+zYlAJu2SEBZMUNRb9bZJ7oK76+x396k881p7xqYklyL+JGe7PvTtAMUKq0gA9YeuM8YkkGhb2g== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.229 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.229/0.229/0.229/0.000 ms
Step 4: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Step 5: Run command interfaces ethernet show at DUT1 and check if output does not contain the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 fe80::dcad:beff:feef:6c12/64 up up eth3 down down
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
ping: connect: Network is unreachable
Test 802.1X Authentication With DHCP Client
Description
This scenario shows how to configure 802.1X authentication in a device with a DHCP-Server. A DHCP-Client is connected and successfully authenticated using 802.1X.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address dhcp set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/T1zKffwZ8SCR4IzGXkzTFSOzFltvT9YQ= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1973CspPxp1Cg01gcgx5GQjXYeKNtW9Z6m2MSoiptj/5gQHew1jwbzFM5omlz77uikRPQBqCgsY4A== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.258 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.258/0.258/0.258/0.000 ms
Step 4: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: AuthorizedShow output
Current status: Authorized (802.1X)
Step 5: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 192.168.100.2/24 up up fe80::dcad:beff:feef:6c12/64 eth3 down down
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.405 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.405/0.405/0.405/0.000 ms
Test MAB Authentication With DHCP Client
Description
This scenario shows how to configure MAB authentication in a device with a DHCP-Server. A DHCP-Client is connected and successfully authenticated using MAB.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address dhcp set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19OGwF9hvZmFT5BQuwAJ857Q08d4y8fMKzm+bTQ9FAo6NZLRHGsLxPWrYCFwumZTgdhmy+bBvO9lg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.180 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.180/0.180/0.180/0.000 ms
Step 4: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: AuthorizedShow output
Current status: Authorized (MAB)
Step 5: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 192.168.100.2/24 up up fe80::dcad:beff:feef:6c12/64 eth3 down down
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.274 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.274/0.274/0.274/0.000 ms
Test 802.1X Authentication With Bridge And Multiple DHCP Clients
Description
This scenario shows how to configure 802.1X authentication in a device with a DHCP-Server. Two DHCP-Clients are connected: DUT1 and DUT2. DUT1 is successfully authenticated, but DUT2 fails to authenticate and it does not receive a DHCP lease.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address dhcp set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18TxHHSt3BtPLqGQ1pcpGsNu3oH/OobT+o= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2 :
set interfaces ethernet eth3 address dhcp set interfaces ethernet eth3 supplicant encrypted-password U2FsdGVkX1+w58FxhDjcylyBouvqnLfj/9E+QfZ1ByA= set interfaces ethernet eth3 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces bridge br0 address 192.168.100.1/24 set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level info set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 bridge-group bridge br0 set interfaces ethernet eth3 authenticator aaa authentication list1 set interfaces ethernet eth3 authenticator log-level info set interfaces ethernet eth3 authenticator mode only-802.1x set interfaces ethernet eth3 bridge-group bridge br0 set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/XcvyyQlpSiiRe1+7ZNkkI3BniuE6jAOtXtbc68ZOQUX8OJO2D9TgOJxLHdSB+tzX+zQSU//lgww== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.169 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.169/0.169/0.169/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: AuthorizedShow output
Current status: Authorized (802.1X)
Step 6: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 192.168.100.2/24 up up fe80::dcad:beff:feef:6c12/64 eth3 down down
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.388 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.388/0.388/0.388/0.000 ms
Step 8: Run command interfaces ethernet eth3 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Step 9: Run command interfaces ethernet show at DUT2 and check if output does not contain the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 down down eth3 fe80::dcad:beff:feef:6c23/64 up up
Step 10: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT2:
admin@DUT2$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
ping: connect: Network is unreachable
Test MAB Authentication With Bridge And Multiple DHCP Clients
Description
This scenario shows how to configure MAB authentication in a device with a DHCP-Server. Two DHCP-Clients are connected: DUT1 and DUT2. DUT1 is successfully authenticated, but DUT2 fails to authenticate and it does not receive a DHCP lease.
Scenario
Step 1: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address dhcp set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2 :
set interfaces ethernet eth3 address dhcp set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0 :
set interfaces bridge br0 address 192.168.100.1/24 set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level info set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 bridge-group bridge br0 set interfaces ethernet eth3 authenticator aaa authentication list1 set interfaces ethernet eth3 authenticator log-level info set interfaces ethernet eth3 authenticator mode only-MAB set interfaces ethernet eth3 bridge-group bridge br0 set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/ASzJVKwnVk71jowfSKHu+nJ+5jdcw4B12OY5t5H61PBwvZYrvUfQrgpGdcCvY1fnMnMAdeUnNyQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.213 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.213/0.213/0.213/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: AuthorizedShow output
Current status: Authorized (MAB)
Step 6: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 192.168.100.2/24 up up fe80::dcad:beff:feef:6c12/64 eth3 down down
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.288 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.288/0.288/0.288/0.000 ms
Step 8: Run command interfaces ethernet eth3 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: UnauthorizedShow output
Current status: Unauthorized
Step 9: Run command interfaces ethernet show at DUT2 and check if output does not contain the following tokens:
192.168.100Show output
----------------------------------------------------------------- Name IP Address Admin Oper Vrf Description ----------------------------------------------------------------- eth0 down down eth1 down down eth2 down down eth3 fe80::dcad:beff:feef:6c23/64 up up
Step 10: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT2:
admin@DUT2$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
ping: connect: Network is unreachable