MAB Fallback
This scenario shows how to configure the MAB-fallback authentication mode.
Test Successful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+WvLuI3WVzY10ssA/oh4CXdB3Njj92HhkDk24C1zJCN27Nk3pkFcmVfgxBPbygtBqV+PeOEH5wQg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.185 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.185/0.185/0.185/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19+l8yN5wNzTQNp9IwddcMuFDXVUjURQQY=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized

---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized

-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X

---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.298 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.298/0.298/0.298/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Mar 20 09:21:45.597049 osdx hostapd[101040]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:21:45.597067 osdx hostapd[101040]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:21:45.597325 osdx hostapd[101040]: connect[radius]: Network is unreachable
Mar 20 09:21:45.597118 osdx hostapd[101040]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:21:45.597122 osdx hostapd[101040]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:21:45.628910 osdx hostapd[101040]: Discovery mode enabled on eth2
Mar 20 09:21:45.628980 osdx hostapd[101040]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:21:45.628980 osdx hostapd[101040]: eth2: AP-ENABLED
Mar 20 09:21:48.765677 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Mar 20 09:21:48.765690 osdx hostapd[101041]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:21:48.797007 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Mar 20 09:21:48.797045 osdx hostapd[101041]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 20 09:21:48.797050 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 20 09:21:48.797054 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 20 09:21:48.797076 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Mar 20 09:21:48.797079 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Mar 20 09:21:48.797091 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Mar 20 09:21:48.797100 osdx hostapd[101041]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:21:48.797126 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 28)
Mar 20 09:21:48.798021 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=28 len=12) from STA: EAP Response-Identity (1)
Mar 20 09:21:48.798033 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Mar 20 09:21:48.798066 osdx hostapd[101041]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:21:48.800566 osdx hostapd[101041]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:21:48.800602 osdx hostapd[101041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:48.800924 osdx hostapd[101041]: eth2: RADIUS Received 80 bytes from RADIUS server
Mar 20 09:21:48.800932 osdx hostapd[101041]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:48.800937 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:48.800961 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=29 len=22) from RADIUS server: EAP-Request-MD5 (4)
Mar 20 09:21:48.800970 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 29)
Mar 20 09:21:48.801393 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=29 len=6) from STA: EAP Response-unknown (3)
Mar 20 09:21:48.801446 osdx hostapd[101041]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:21:48.801693 osdx hostapd[101041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:48.801933 osdx hostapd[101041]: eth2: RADIUS Received 64 bytes from RADIUS server
Mar 20 09:21:48.801940 osdx hostapd[101041]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:48.801945 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:48.801966 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=30 len=6) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:21:48.801974 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 30)
Mar 20 09:21:48.802531 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=30 len=194) from STA: EAP Response-PEAP (25)
Mar 20 09:21:48.802596 osdx hostapd[101041]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:21:48.802668 osdx hostapd[101041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:48.803932 osdx hostapd[101041]: eth2: RADIUS Received 1068 bytes from RADIUS server
Mar 20 09:21:48.803939 osdx hostapd[101041]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:48.803944 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:48.803969 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=31 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:21:48.803989 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 31)
Mar 20 09:21:48.804231 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=31 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:21:48.804289 osdx hostapd[101041]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:21:48.804307 osdx hostapd[101041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:48.804507 osdx hostapd[101041]: eth2: RADIUS Received 229 bytes from RADIUS server
Mar 20 09:21:48.804514 osdx hostapd[101041]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:48.804519 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:48.804537 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=32 len=171) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:21:48.804544 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 32)
Mar 20 09:21:48.806815 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=32 len=103) from STA: EAP Response-PEAP (25)
Mar 20 09:21:48.806883 osdx hostapd[101041]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:21:48.806901 osdx hostapd[101041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:48.807463 osdx hostapd[101041]: eth2: RADIUS Received 115 bytes from RADIUS server
Mar 20 09:21:48.807467 osdx hostapd[101041]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:48.807472 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:48.807493 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=33 len=57) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:21:48.807501 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 33)
Mar 20 09:21:48.807939 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=33 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:21:48.808006 osdx hostapd[101041]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:21:48.808167 osdx hostapd[101041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:48.808246 osdx hostapd[101041]: eth2: RADIUS Received 98 bytes from RADIUS server
Mar 20 09:21:48.808254 osdx hostapd[101041]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:48.808258 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:48.808280 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=34 len=40) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:21:48.808288 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 34)
Mar 20 09:21:48.808567 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=34 len=43) from STA: EAP Response-PEAP (25)
Mar 20 09:21:48.808613 osdx hostapd[101041]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:21:48.808697 osdx hostapd[101041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:48.808895 osdx hostapd[101041]: eth2: RADIUS Received 131 bytes from RADIUS server
Mar 20 09:21:48.808901 osdx hostapd[101041]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:48.808906 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:48.808925 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=35 len=73) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:21:48.808933 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 35)
Mar 20 09:21:48.809302 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=35 len=97) from STA: EAP Response-PEAP (25)
Mar 20 09:21:48.809400 osdx hostapd[101041]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:21:48.809447 osdx hostapd[101041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:48.809649 osdx hostapd[101041]: eth2: RADIUS Received 140 bytes from RADIUS server
Mar 20 09:21:48.809655 osdx hostapd[101041]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:48.809679 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:48.809699 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=36 len=82) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:21:48.809730 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 36)
Mar 20 09:21:48.809991 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=36 len=37) from STA: EAP Response-PEAP (25)
Mar 20 09:21:48.810055 osdx hostapd[101041]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:21:48.810119 osdx hostapd[101041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:48.810271 osdx hostapd[101041]: eth2: RADIUS Received 104 bytes from RADIUS server
Mar 20 09:21:48.810275 osdx hostapd[101041]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:48.810279 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:48.810470 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=37 len=46) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:21:48.810482 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 37)
Mar 20 09:21:48.810771 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=37 len=46) from STA: EAP Response-PEAP (25)
Mar 20 09:21:48.810826 osdx hostapd[101041]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:21:48.810856 osdx hostapd[101041]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:48.811099 osdx hostapd[101041]: eth2: RADIUS Received 175 bytes from RADIUS server
Mar 20 09:21:48.811107 osdx hostapd[101041]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:48.811112 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:48.811139 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Mar 20 09:21:48.811143 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=37 len=4) from RADIUS server: EAP Success
Mar 20 09:21:48.811163 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 37)
Mar 20 09:21:48.811180 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Mar 20 09:21:48.811184 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 86E0043CF01BA064
Mar 20 09:21:48.811189 osdx hostapd[101041]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Successful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19NkHvML9joYiKBRuJfspLOVRvy+LDcLWutKdRvCZV1WN+QxVh/7HIaTa2fso32ecIFKay+g5vdvA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.179 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.179/0.179/0.179/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+9YQMshHBbhDgla5EvuHuS7IHIvANpdtg=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized

---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized

-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X

---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.232 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.232/0.232/0.232/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Mar 20 09:21:57.331757 osdx hostapd[101561]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:21:57.331775 osdx hostapd[101561]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:21:57.332038 osdx hostapd[101561]: connect[radius]: Network is unreachable
Mar 20 09:21:57.331820 osdx hostapd[101561]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:21:57.331823 osdx hostapd[101561]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:21:57.359621 osdx hostapd[101561]: Discovery mode enabled on eth2
Mar 20 09:21:57.359734 osdx hostapd[101561]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:21:57.359734 osdx hostapd[101561]: eth2: AP-ENABLED
Mar 20 09:22:00.591333 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Mar 20 09:22:00.591347 osdx hostapd[101562]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:22:00.603637 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Mar 20 09:22:00.603675 osdx hostapd[101562]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 20 09:22:00.603680 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 20 09:22:00.603684 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 20 09:22:00.603706 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Mar 20 09:22:00.603710 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Mar 20 09:22:00.603724 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 20 09:22:00.603734 osdx hostapd[101562]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:22:00.603764 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 5)
Mar 20 09:22:00.604102 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=5 len=12) from STA: EAP Response-Identity (1)
Mar 20 09:22:00.604115 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Mar 20 09:22:00.604143 osdx hostapd[101562]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:22:00.606632 osdx hostapd[101562]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:00.606672 osdx hostapd[101562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:00.606894 osdx hostapd[101562]: eth2: RADIUS Received 80 bytes from RADIUS server
Mar 20 09:22:00.606901 osdx hostapd[101562]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:00.606905 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:00.606929 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=6 len=22) from RADIUS server: EAP-Request-MD5 (4)
Mar 20 09:22:00.606938 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 6)
Mar 20 09:22:00.607172 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=6 len=6) from STA: EAP Response-unknown (3)
Mar 20 09:22:00.607223 osdx hostapd[101562]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:00.607237 osdx hostapd[101562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:00.607401 osdx hostapd[101562]: eth2: RADIUS Received 64 bytes from RADIUS server
Mar 20 09:22:00.607406 osdx hostapd[101562]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:00.607409 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:00.607424 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=7 len=6) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:00.607430 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 7)
Mar 20 09:22:00.607766 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=7 len=194) from STA: EAP Response-PEAP (25)
Mar 20 09:22:00.607804 osdx hostapd[101562]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:00.607816 osdx hostapd[101562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:00.608839 osdx hostapd[101562]: eth2: RADIUS Received 1068 bytes from RADIUS server
Mar 20 09:22:00.608846 osdx hostapd[101562]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:00.608849 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:00.608871 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=8 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:00.608877 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 8)
Mar 20 09:22:00.609069 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=8 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:22:00.609106 osdx hostapd[101562]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:00.609119 osdx hostapd[101562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:00.609239 osdx hostapd[101562]: eth2: RADIUS Received 229 bytes from RADIUS server
Mar 20 09:22:00.609243 osdx hostapd[101562]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:00.609247 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:00.609266 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=9 len=171) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:00.609272 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 9)
Mar 20 09:22:00.610559 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=9 len=103) from STA: EAP Response-PEAP (25)
Mar 20 09:22:00.610606 osdx hostapd[101562]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:00.610622 osdx hostapd[101562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:00.610894 osdx hostapd[101562]: eth2: RADIUS Received 115 bytes from RADIUS server
Mar 20 09:22:00.610898 osdx hostapd[101562]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:00.610902 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:00.610915 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=10 len=57) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:00.610922 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 10)
Mar 20 09:22:00.611180 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=10 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:22:00.611213 osdx hostapd[101562]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:00.611222 osdx hostapd[101562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:00.611374 osdx hostapd[101562]: eth2: RADIUS Received 98 bytes from RADIUS server
Mar 20 09:22:00.611378 osdx hostapd[101562]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:00.611381 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:00.611393 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=11 len=40) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:00.611398 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 11)
Mar 20 09:22:00.611577 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=11 len=43) from STA: EAP Response-PEAP (25)
Mar 20 09:22:00.611629 osdx hostapd[101562]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:00.611646 osdx hostapd[101562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:00.611799 osdx hostapd[101562]: eth2: RADIUS Received 131 bytes from RADIUS server
Mar 20 09:22:00.611805 osdx hostapd[101562]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:00.611810 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:00.611826 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=12 len=73) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:00.611834 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 12)
Mar 20 09:22:00.612070 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=12 len=97) from STA: EAP Response-PEAP (25)
Mar 20 09:22:00.612107 osdx hostapd[101562]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:00.612119 osdx hostapd[101562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:00.612317 osdx hostapd[101562]: eth2: RADIUS Received 140 bytes from RADIUS server
Mar 20 09:22:00.612323 osdx hostapd[101562]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:00.612332 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:00.612346 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=13 len=82) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:00.612352 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 13)
Mar 20 09:22:00.612493 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=13 len=37) from STA: EAP Response-PEAP (25)
Mar 20 09:22:00.612527 osdx hostapd[101562]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:00.612538 osdx hostapd[101562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:00.612706 osdx hostapd[101562]: eth2: RADIUS Received 104 bytes from RADIUS server
Mar 20 09:22:00.612712 osdx hostapd[101562]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:00.612715 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:00.612732 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=14 len=46) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:00.612738 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 14)
Mar 20 09:22:00.612900 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=14 len=46) from STA: EAP Response-PEAP (25)
Mar 20 09:22:00.612942 osdx hostapd[101562]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:00.612957 osdx hostapd[101562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:00.613130 osdx hostapd[101562]: eth2: RADIUS Received 175 bytes from RADIUS server
Mar 20 09:22:00.613136 osdx hostapd[101562]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:00.613140 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:00.613164 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Mar 20 09:22:00.613169 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=14 len=4) from RADIUS server: EAP Success
Mar 20 09:22:00.613184 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 14)
Mar 20 09:22:00.613200 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Mar 20 09:22:00.613204 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session C51E6926E577DFCC
Mar 20 09:22:00.613208 osdx hostapd[101562]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+KD2WrUEfQRL4ZTyp7eqgUQ0l7YrGA78eTLyyn6EEf55z82ni/60mERtTWBoKXSztbsLLK0vavCA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.241 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.241/0.241/0.241/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+ciFSr6Ccd1J6MoCWgWN8Sg54zNvD+oa4=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        8
Authentication Backend   RADIUS
Authentication Failures  1
Authentication Mode      MAB
Authentication Status    Authorized (MAB)
Authentication Successes 1
EAPoL frames (Rx)        10
EAPoL frames (Tx)        10
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         de:ad:be:ef:6c:12
Session User Name        wrong
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.433 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.433/0.433/0.433/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Mar 20 09:22:09.308783 osdx hostapd[102085]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:22:09.308795 osdx hostapd[102085]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:22:09.309036 osdx hostapd[102085]: connect[radius]: Network is unreachable
Mar 20 09:22:09.308829 osdx hostapd[102085]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:22:09.308832 osdx hostapd[102085]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:22:09.324627 osdx hostapd[102085]: Discovery mode enabled on eth2
Mar 20 09:22:09.324691 osdx hostapd[102085]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:22:09.324691 osdx hostapd[102085]: eth2: AP-ENABLED
Mar 20 09:22:12.537378 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Mar 20 09:22:12.537397 osdx hostapd[102086]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:22:12.560674 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Mar 20 09:22:12.560702 osdx hostapd[102086]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 20 09:22:12.560706 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 20 09:22:12.560713 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 20 09:22:12.560725 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Mar 20 09:22:12.560727 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Mar 20 09:22:12.560738 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Mar 20 09:22:12.560745 osdx hostapd[102086]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:22:12.560769 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 9)
Mar 20 09:22:12.561144 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=9 len=10) from STA: EAP Response-Identity (1)
Mar 20 09:22:12.561160 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong'
Mar 20 09:22:12.561192 osdx hostapd[102086]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:22:12.563639 osdx hostapd[102086]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:12.563671 osdx hostapd[102086]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:12.563911 osdx hostapd[102086]: eth2: RADIUS Received 80 bytes from RADIUS server
Mar 20 09:22:12.563917 osdx hostapd[102086]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:12.563922 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:12.563942 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=10 len=22) from RADIUS server: EAP-Request-MD5 (4)
Mar 20 09:22:12.563949 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 10)
Mar 20 09:22:12.564187 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=10 len=6) from STA: EAP Response-unknown (3)
Mar 20 09:22:12.564229 osdx hostapd[102086]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:12.564241 osdx hostapd[102086]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:12.564428 osdx hostapd[102086]: eth2: RADIUS Received 64 bytes from RADIUS server
Mar 20 09:22:12.564433 osdx hostapd[102086]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:12.564437 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:12.564451 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=11 len=6) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:12.564457 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 11)
Mar 20 09:22:12.564741 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=11 len=194) from STA: EAP Response-PEAP (25)
Mar 20 09:22:12.564777 osdx hostapd[102086]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:12.564788 osdx hostapd[102086]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:12.565745 osdx hostapd[102086]: eth2: RADIUS Received 1068 bytes from RADIUS server
Mar 20 09:22:12.565751 osdx hostapd[102086]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:12.565755 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:12.565771 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=12 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:12.565777 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 12)
Mar 20 09:22:12.565938 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=12 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:22:12.565972 osdx hostapd[102086]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:12.565982 osdx hostapd[102086]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:12.566106 osdx hostapd[102086]: eth2: RADIUS Received 229 bytes from RADIUS server
Mar 20 09:22:12.566112 osdx hostapd[102086]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:12.566115 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:12.566130 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=13 len=171) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:12.566136 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 13)
Mar 20 09:22:12.567448 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=13 len=103) from STA: EAP Response-PEAP (25)
Mar 20 09:22:12.567485 osdx hostapd[102086]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:12.567494 osdx hostapd[102086]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:12.567771 osdx hostapd[102086]: eth2: RADIUS Received 115 bytes from RADIUS server
Mar 20 09:22:12.567777 osdx hostapd[102086]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:12.567781 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:12.567795 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=14 len=57) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:12.567802 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 14)
Mar 20 09:22:12.567997 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=14 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:22:12.568032 osdx hostapd[102086]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:12.568042 osdx hostapd[102086]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:12.568172 osdx hostapd[102086]: eth2: RADIUS Received 98 bytes from RADIUS server
Mar 20 09:22:12.568177 osdx hostapd[102086]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:12.568181 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:12.568195 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=15 len=40) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:12.568201 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 15)
Mar 20 09:22:12.568330 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=15 len=41) from STA: EAP Response-PEAP (25)
Mar 20 09:22:12.568362 osdx hostapd[102086]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:12.568372 osdx hostapd[102086]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:12.568529 osdx hostapd[102086]: eth2: RADIUS Received 131 bytes from RADIUS server
Mar 20 09:22:12.568535 osdx hostapd[102086]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:12.568538 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:12.568551 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=16 len=73) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:12.568557 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 16)
Mar 20 09:22:12.568764 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=16 len=95) from STA: EAP Response-PEAP (25)
Mar 20 09:22:12.568796 osdx hostapd[102086]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:12.568807 osdx hostapd[102086]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:12.568963 osdx hostapd[102086]: eth2: RADIUS Received 104 bytes from RADIUS server
Mar 20 09:22:12.568969 osdx hostapd[102086]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:12.568972 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:12.568985 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=17 len=46) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:12.568991 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 17)
Mar 20 09:22:12.569170 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=17 len=46) from STA: EAP Response-PEAP (25)
Mar 20 09:22:12.569202 osdx hostapd[102086]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:12.569211 osdx hostapd[102086]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:13.569308 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=8)
Mar 20 09:22:13.569349 osdx hostapd[102086]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 20 09:22:13.569548 osdx hostapd[102086]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 20 09:22:13.569552 osdx hostapd[102086]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:13.569557 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:13.569608 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=4 id=17 len=4) from RADIUS server: EAP Failure
Mar 20 09:22:13.569635 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 17)
Mar 20 09:22:13.569714 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Mar 20 09:22:13.569718 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar 20 09:22:13.569722 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Mar 20 09:22:13.569727 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Mar 20 09:22:13.569754 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Mar 20 09:22:13.569764 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Mar 20 09:22:13.569780 osdx hostapd[102086]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:13.570015 osdx hostapd[102086]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:13.570038 osdx hostapd[102086]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 20 09:22:13.570041 osdx hostapd[102086]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:13.570045 osdx hostapd[102086]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Mar 20 09:22:13.570054 osdx hostapd[102086]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:22:13.570057 osdx hostapd[102086]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:13.570061 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:13.570064 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Mar 20 09:22:13.570083 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 20 09:22:13.570086 osdx hostapd[102086]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:22:13.570095 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Mar 20 09:22:13.570099 osdx hostapd[102086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session B82BE85FA5B62F98
Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/73Bu4mhV+Lf2z4htmPEK/P7hhi6ls7KUOnUuOJtQ8DBTY/t4IZY96SOkHadioKXxcarNswkAScA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.184 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.184/0.184/0.184/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+sIJfhdI/55oY0T5KxKp6p2KFZ9Tw3LnU=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Unauthorized
---------------------------------
Field                Value
---------------------------------
EAPoL Frames (Rx)    10
EAPoL Frames (Tx)    10
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Unauthorized
Req Frames (Rx)      8
Req ID Frames (Rx)   1
Resp Frames (Tx)     9
Start Frames (Tx)    1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        8
Authentication Backend   RADIUS
Authentication Failures  1
Authentication Mode      N/A
Authentication Status    Unauthorized
Authentication Successes 0
EAPoL frames (Rx)        10
EAPoL frames (Tx)        10
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         00:11:22:33:44:55
Session User Name        N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Mar 20 09:22:20.161830 osdx hostapd[102608]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:22:20.161849 osdx hostapd[102608]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:22:20.162077 osdx hostapd[102608]: connect[radius]: Network is unreachable
Mar 20 09:22:20.161895 osdx hostapd[102608]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:22:20.161899 osdx hostapd[102608]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:22:20.181718 osdx hostapd[102608]: Discovery mode enabled on eth2
Mar 20 09:22:20.181791 osdx hostapd[102608]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:22:20.181791 osdx hostapd[102608]: eth2: AP-ENABLED
Mar 20 09:22:23.362542 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Mar 20 09:22:23.362559 osdx hostapd[102609]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:22:23.377803 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Mar 20 09:22:23.377840 osdx hostapd[102609]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 20 09:22:23.377846 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 20 09:22:23.377850 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 20 09:22:23.377869 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Mar 20 09:22:23.377873 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Mar 20 09:22:23.377885 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 20 09:22:23.377895 osdx hostapd[102609]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:22:23.377925 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 133)
Mar 20 09:22:23.378317 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=133 len=10) from STA: EAP Response-Identity (1)
Mar 20 09:22:23.378328 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Mar 20 09:22:23.378353 osdx hostapd[102609]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:22:23.380093 osdx hostapd[102609]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:23.380118 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:23.380350 osdx hostapd[102609]: eth2: RADIUS Received 80 bytes from RADIUS server
Mar 20 09:22:23.380357 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:23.380360 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:23.380388 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=134 len=22) from RADIUS server: EAP-Request-MD5 (4)
Mar 20 09:22:23.380396 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 134)
Mar 20 09:22:23.380608 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=134 len=6) from STA: EAP Response-unknown (3)
Mar 20 09:22:23.380656 osdx hostapd[102609]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:23.380671 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:23.380880 osdx hostapd[102609]: eth2: RADIUS Received 64 bytes from RADIUS server
Mar 20 09:22:23.380885 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:23.380889 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:23.380907 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=135 len=6) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:23.380912 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 135)
Mar 20 09:22:23.381253 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=135 len=194) from STA: EAP Response-PEAP (25)
Mar 20 09:22:23.381297 osdx hostapd[102609]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:23.381309 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:23.382573 osdx hostapd[102609]: eth2: RADIUS Received 1068 bytes from RADIUS server
Mar 20 09:22:23.382579 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:23.382583 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:23.382603 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=136 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:23.382610 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 136)
Mar 20 09:22:23.382806 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=136 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:22:23.382845 osdx hostapd[102609]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:23.382856 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:23.382987 osdx hostapd[102609]: eth2: RADIUS Received 229 bytes from RADIUS server
Mar 20 09:22:23.382992 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:23.382995 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:23.383010 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=137 len=171) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:23.383019 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 137)
Mar 20 09:22:23.384543 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=137 len=103) from STA: EAP Response-PEAP (25)
Mar 20 09:22:23.384588 osdx hostapd[102609]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:23.384603 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:23.384950 osdx hostapd[102609]: eth2: RADIUS Received 115 bytes from RADIUS server
Mar 20 09:22:23.384955 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:23.384959 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:23.384974 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=138 len=57) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:23.384980 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 138)
Mar 20 09:22:23.385234 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=138 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:22:23.385286 osdx hostapd[102609]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:23.385300 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:23.385445 osdx hostapd[102609]: eth2: RADIUS Received 98 bytes from RADIUS server
Mar 20 09:22:23.385451 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:23.385454 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:23.385474 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=139 len=40) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:23.385481 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 139)
Mar 20 09:22:23.385667 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=139 len=41) from STA: EAP Response-PEAP (25)
Mar 20 09:22:23.385709 osdx hostapd[102609]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:23.385718 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:23.385850 osdx hostapd[102609]: eth2: RADIUS Received 131 bytes from RADIUS server
Mar 20 09:22:23.385855 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:23.385858 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:23.385872 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=140 len=73) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:23.385878 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 140)
Mar 20 09:22:23.386126 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=140 len=95) from STA: EAP Response-PEAP (25)
Mar 20 09:22:23.386162 osdx hostapd[102609]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:23.386172 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:23.386323 osdx hostapd[102609]: eth2: RADIUS Received 104 bytes from RADIUS server
Mar 20 09:22:23.386327 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:23.386331 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:23.386344 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=141 len=46) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:22:23.386350 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 141)
Mar 20 09:22:23.386507 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=141 len=46) from STA: EAP Response-PEAP (25)
Mar 20 09:22:23.386538 osdx hostapd[102609]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:23.386548 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:24.386632 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Mar 20 09:22:24.386669 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 20 09:22:24.386813 osdx hostapd[102609]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 20 09:22:24.386816 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:24.386820 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:24.386864 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=141 len=4) from RADIUS server: EAP Failure
Mar 20 09:22:24.386889 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 141)
Mar 20 09:22:24.386903 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 20 09:22:24.386908 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar 20 09:22:24.386911 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Mar 20 09:22:24.386916 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Mar 20 09:22:24.386943 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Mar 20 09:22:24.386949 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Mar 20 09:22:24.386960 osdx hostapd[102609]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:24.386973 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:24.386986 osdx hostapd[102609]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 20 09:22:24.386989 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:24.386992 osdx hostapd[102609]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Mar 20 09:22:25.387058 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Mar 20 09:22:25.387092 osdx hostapd[102609]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 20 09:22:25.387255 osdx hostapd[102609]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:22:25.387260 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:25.387265 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:25.387268 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Mar 20 09:22:25.387312 osdx hostapd[102609]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:22:25.387314 osdx hostapd[102609]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:22:25.387317 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Mar 20 09:22:25.387319 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Mar 20 09:22:25.387325 osdx hostapd[102609]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:22:25.387328 osdx hostapd[102609]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:25.387330 osdx hostapd[102609]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Test Unsupported 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/ERACY6RfV6XUwfD4zrlo4VlKBfFVX4OzVYNssZ0JJngcS4SOO+bM5DrRAWoefG5OIM6t8TY5oqQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.244 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.244/0.244/0.244/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.361 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.361/0.361/0.361/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        0
Authentication Backend   RADIUS
Authentication Failures  0
Authentication Mode      MAB
Authentication Status    Authorized (MAB)
Authentication Successes 1
EAPoL frames (Rx)        0
EAPoL frames (Tx)        4
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         de:ad:be:ef:6c:12
Session User Name        N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.277 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.277/0.277/0.277/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Mar 20 09:22:32.384534 osdx hostapd[103118]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:22:32.384550 osdx hostapd[103118]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:22:32.384791 osdx hostapd[103118]: connect[radius]: Network is unreachable
Mar 20 09:22:32.384591 osdx hostapd[103118]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:22:32.384598 osdx hostapd[103118]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:22:32.408405 osdx hostapd[103118]: Discovery mode enabled on eth2
Mar 20 09:22:32.408463 osdx hostapd[103118]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:22:32.408463 osdx hostapd[103118]: eth2: AP-ENABLED
Mar 20 09:22:37.408582 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Mar 20 09:22:37.408622 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Mar 20 09:22:37.408632 osdx hostapd[103119]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:22:37.424441 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Mar 20 09:22:37.424467 osdx hostapd[103119]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 20 09:22:37.424471 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 20 09:22:37.424473 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 20 09:22:37.424484 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Mar 20 09:22:37.424495 osdx hostapd[103119]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:22:37.424517 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 135)
Mar 20 09:22:40.426590 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 135)
Mar 20 09:22:46.431589 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 135)
Mar 20 09:22:58.440583 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Mar 20 09:22:58.440593 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Mar 20 09:22:58.440601 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Mar 20 09:22:58.440635 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Mar 20 09:22:58.442389 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Mar 20 09:22:58.442403 osdx hostapd[103119]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:22:58.442479 osdx hostapd[103119]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:22:58.442514 osdx hostapd[103119]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:22:58.442535 osdx hostapd[103119]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:22:58.442552 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 240)
Mar 20 09:22:58.442777 osdx hostapd[103119]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:22:58.442783 osdx hostapd[103119]: eth2: RADIUS Received RADIUS message
Mar 20 09:22:58.442787 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:22:58.442791 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Mar 20 09:22:58.442809 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Mar 20 09:22:58.442813 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 20 09:22:58.442816 osdx hostapd[103119]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:22:58.442825 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Mar 20 09:22:58.442829 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 02F4508CD746AAF2
Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/iClrvq0GXTGvZC1OmJiMwjugDW7kS2GR/ZcijYjPg8FojygTMppiLtRMbzAF6RsL92XojdTUaWg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.306 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.306/0.306/0.306/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        0
Authentication Backend   RADIUS
Authentication Failures  2
Authentication Mode      N/A
Authentication Status    Unauthorized
Authentication Successes 0
EAPoL frames (Rx)        0
EAPoL frames (Tx)        4
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         00:11:22:33:44:55
Session User Name        N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Mar 20 09:23:08.400604 osdx hostapd[103688]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:23:08.400859 osdx hostapd[103688]: connect[radius]: Network is unreachable
Mar 20 09:23:08.400619 osdx hostapd[103688]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:23:08.400659 osdx hostapd[103688]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:23:08.400662 osdx hostapd[103688]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:23:08.420473 osdx hostapd[103688]: Discovery mode enabled on eth2
Mar 20 09:23:08.420578 osdx hostapd[103688]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:23:08.420578 osdx hostapd[103688]: eth2: AP-ENABLED
Mar 20 09:23:13.420671 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Mar 20 09:23:13.420715 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Mar 20 09:23:13.420725 osdx hostapd[103689]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:23:13.436502 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Mar 20 09:23:13.436531 osdx hostapd[103689]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 20 09:23:13.436534 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 20 09:23:13.436536 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 20 09:23:13.436557 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 20 09:23:13.436564 osdx hostapd[103689]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:23:13.436588 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 88)
Mar 20 09:23:16.438600 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 88)
Mar 20 09:23:22.443624 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 88)
Mar 20 09:23:34.453504 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Mar 20 09:23:34.453514 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Mar 20 09:23:34.453521 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Mar 20 09:23:34.453569 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Mar 20 09:23:34.455839 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Mar 20 09:23:34.455856 osdx hostapd[103689]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:23:34.455940 osdx hostapd[103689]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:23:34.455979 osdx hostapd[103689]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:23:34.456006 osdx hostapd[103689]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:23:34.456022 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 135)
Mar 20 09:23:35.456574 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Mar 20 09:23:35.456608 osdx hostapd[103689]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 20 09:23:35.456771 osdx hostapd[103689]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:23:35.456774 osdx hostapd[103689]: eth2: RADIUS Received RADIUS message
Mar 20 09:23:35.456778 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:23:35.456782 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Mar 20 09:23:35.456828 osdx hostapd[103689]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:23:35.456833 osdx hostapd[103689]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:23:35.456836 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Mar 20 09:23:35.456844 osdx hostapd[103689]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Mar 20 09:23:35.456851 osdx hostapd[103689]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:23:35.456853 osdx hostapd[103689]: eth2: RADIUS Received RADIUS message
Mar 20 09:23:35.456855 osdx hostapd[103689]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
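When reviewing these journals, the useful summary is one record per station: why it fell back to MAB, what RADIUS answered, and whether the port opened. The Python below is an added example, not part of the OSDx documentation; it parses hostapd lines copied from the journal output on this page, and the names summarize and review_list are this example's own.

```python
import re

# Journal lines copied from the output on this page (two stations, two outcomes).
SAMPLE_LOG = """\
Mar 20 09:22:24.386903 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 20 09:22:24.386911 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Mar 20 09:22:24.386943 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Mar 20 09:22:24.386949 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Mar 20 09:22:25.387317 osdx hostapd[102609]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Mar 20 09:22:37.424484 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Mar 20 09:22:37.424495 osdx hostapd[103119]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:22:58.440593 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Mar 20 09:22:58.440635 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Mar 20 09:22:58.442389 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Mar 20 09:22:58.442813 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 20 09:22:58.442825 osdx hostapd[103119]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
"""

# Only per-station lines are parsed: "<ifname>: STA <mac> <module>: <message>".
LINE = re.compile(
    r"hostapd\[\d+\]: (?P<ifname>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<module>[^:]+): (?P<msg>.*)$"
)
PAE_GROUP = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a real station

def summarize(log_text):
    """Return {mac: state} describing how each station ended up on the port."""
    stations = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["mac"] == PAE_GROUP:
            continue
        st = stations.setdefault(m["mac"], {
            "fallback": None, "mab_result": None,
            "port": "unknown", "mac_as_password": False,
        })
        msg = m["msg"]
        if msg.startswith("EAP max retrans reached, triggering MAB fallback"):
            st["fallback"] = "no-eap-response"   # supplicant never answered
        elif msg.startswith("802.1X authentication failed, triggering MAB fallback"):
            st["fallback"] = "eap-failure"       # supplicant answered, RADIUS said no
        elif msg.startswith("MAB: User-Password = "):
            # log-level debug writes the MAB credential; here it is the MAC itself
            st["mac_as_password"] = msg.split(" = ", 1)[1] == m["mac"]
        elif msg == "MAB: station successfully authenticated":
            st["mab_result"] = "accepted"
        elif msg.startswith("MAB: Authentication failed"):
            st["mab_result"] = "rejected"
        elif msg == "authorizing port":          # exact match, not "unauthorizing port"
            st["port"] = "authorized"
        elif msg == "unauthorizing port":
            st["port"] = "unauthorized"
    return stations

def review_list(stations):
    """Stations worth a reviewer's attention, with the reason."""
    notes = []
    for mac, st in sorted(stations.items()):
        if st["port"] == "authorized" and st["mab_result"] == "accepted":
            notes.append((mac, f"admitted on MAC address alone after {st['fallback']}"))
        elif st["fallback"] == "eap-failure" and st["mab_result"] == "rejected":
            notes.append((mac, "failed 802.1X credentials, then failed MAB"))
    return notes

if __name__ == "__main__":
    for mac, why in review_list(summarize(SAMPLE_LOG)):
        print(mac, "-", why)
```

Feed it the full output of system journal show | grep "osdx hostapd" to get the same summary for every station seen on the port.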