MAB First

This scenario shows how to configure the MAB-first authentication mode.


Test Successful MAB Authentication With Successful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX180EDjPp5cokjcEIULIX1JDgjss2U49/lXDFgjysityN0JeUPoxly8YVUgvKOIYtfb7lZqNmr6mRg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.211 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.211/0.211/0.211/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18tryOd83fpNpvApWmRoLg1SvowrSiBThw=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         1
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.272 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.272/0.272/0.272/0.000 ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Mar 20 09:20:06.711479 osdx hostapd[97889]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:20:06.711505 osdx hostapd[97889]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:20:06.711788 osdx hostapd[97889]: connect[radius]: Network is unreachable
Mar 20 09:20:06.711554 osdx hostapd[97889]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:20:06.711558 osdx hostapd[97889]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:20:06.727281 osdx hostapd[97889]: Discovery mode enabled on eth2
Mar 20 09:20:06.727365 osdx hostapd[97889]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:20:06.727365 osdx hostapd[97889]: eth2: AP-ENABLED
Mar 20 09:20:10.183009 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Mar 20 09:20:10.183023 osdx hostapd[97890]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:20:10.195320 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Mar 20 09:20:10.195344 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Mar 20 09:20:10.195361 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Mar 20 09:20:10.197046 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Mar 20 09:20:10.197059 osdx hostapd[97890]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:20:10.197129 osdx hostapd[97890]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:10.197158 osdx hostapd[97890]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:10.197178 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Mar 20 09:20:10.197468 osdx hostapd[97890]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:20:10.197473 osdx hostapd[97890]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:10.197477 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:10.197481 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Mar 20 09:20:10.197496 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Mar 20 09:20:10.197498 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 20 09:20:10.197500 osdx hostapd[97890]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:20:10.197508 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Mar 20 09:20:10.197511 osdx hostapd[97890]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 775303B22B46C9C2

Test Successful MAB Authentication With Unsuccessful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+9cFnW3WSPV+rn7op0phiVBDpZnLaS+ZY0TER5rQxYjnJURKck0yrvpBnHWvwv2lL8GE8kFPUQdw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.218 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.218/0.218/0.218/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18gzXOnCU+4YktkoDit6sOljpgkqd+E+p8=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         1
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.549 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.549/0.549/0.549/0.000 ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Mar 20 09:20:18.362433 osdx hostapd[98412]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:20:18.362448 osdx hostapd[98412]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:20:18.362782 osdx hostapd[98412]: connect[radius]: Network is unreachable
Mar 20 09:20:18.362492 osdx hostapd[98412]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:20:18.362496 osdx hostapd[98412]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:20:18.394230 osdx hostapd[98412]: Discovery mode enabled on eth2
Mar 20 09:20:18.394318 osdx hostapd[98412]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:20:18.394318 osdx hostapd[98412]: eth2: AP-ENABLED
Mar 20 09:20:21.583961 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Mar 20 09:20:21.583977 osdx hostapd[98413]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:20:21.598257 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Mar 20 09:20:21.598291 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Mar 20 09:20:21.598311 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Mar 20 09:20:21.600660 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Mar 20 09:20:21.600674 osdx hostapd[98413]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:20:21.600759 osdx hostapd[98413]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:21.600792 osdx hostapd[98413]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:21.600824 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Mar 20 09:20:21.601113 osdx hostapd[98413]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:20:21.601119 osdx hostapd[98413]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:21.601123 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:21.601128 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Mar 20 09:20:21.601149 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Mar 20 09:20:21.601152 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 20 09:20:21.601156 osdx hostapd[98413]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:20:21.601165 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Mar 20 09:20:21.601168 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 2BF46892D6436C24
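
Added example (not part of the original page, nor OSDx or hostapd code): a Python audit of the journal lines shown in these scenarios that reports, per station, whether the port was authorized by MAB or by 802.1X and flags stations that sent EAPOL-Start but were admitted on their MAC address alone, as in the scenario above where the wrong 802.1x credentials are never evaluated. All function and constant names are hypothetical; the sample lines are abridged from the outputs on this page, except the last one, which is constructed from the expected token "authenticated - EAP type: 25 (PEAP)" with a made-up timestamp.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Shape of the per-station hostapd lines in the journal output on this page.
STA_LINE = re.compile(
    r"hostapd\[\d+\]: (?P<ifname>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:IEEE 802\.1X|RADIUS|DRIVER): (?P<msg>.*)$",
    re.IGNORECASE,
)
EAP_DONE = re.compile(r"authenticated - EAP type: (\d+) \((\w+)\)")
IDENTITY = re.compile(r"STA identity '([^']*)'")
# 802.1X PAE group address: hostapd logs it as a "STA", but it is not a client.
PAE_GROUP_ADDR = "01:80:c2:00:00:03"

# Finding texts (hypothetical wording, used by the audit below).
PASSWORD_LOGGED = "debug log records the MAB User-Password attribute"
SUPPLICANT_NOT_EVALUATED = (
    "station sent EAPOL-Start but was authorized by MAC only; "
    "its 802.1X credentials were never evaluated"
)


@dataclass
class Station:
    mac: str
    ifname: str
    mab: str = "not-started"              # not-started | pending | accepted | rejected
    eapol_start_seen: bool = False        # the station runs an 802.1X supplicant
    authorized_by: Optional[str] = None   # "MAB" or "802.1X"
    eap_method: Optional[str] = None
    identity: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def audit_journal(text: str) -> Dict[str, Station]:
    """Build per-station authentication state from hostapd journal lines."""
    stations: Dict[str, Station] = {}
    for line in text.splitlines():
        m = STA_LINE.search(line)
        if not m or m["mac"].lower() == PAE_GROUP_ADDR:
            continue
        mac, msg = m["mac"].lower(), m["msg"]
        sta = stations.setdefault(mac, Station(mac=mac, ifname=m["ifname"]))
        if "MAB-first mode: Starting MAB authentication" in msg:
            sta.mab = "pending"
        elif "received EAPOL-Start from STA" in msg:
            sta.eapol_start_seen = True
        elif msg.startswith("MAB: User-Password ="):
            sta.findings.append(PASSWORD_LOGGED)
        elif "MAB: station successfully authenticated" in msg:
            sta.mab, sta.authorized_by = "accepted", "MAB"
        elif "MAB failed, transitioning to 802.1X" in msg:
            sta.mab = "rejected"
        elif (ident := IDENTITY.search(msg)):
            sta.identity = ident.group(1)
        elif (done := EAP_DONE.search(msg)):
            sta.authorized_by, sta.eap_method = "802.1X", done.group(2)
    # MAB-first admits a known MAC before any EAP exchange takes place.
    for sta in stations.values():
        if sta.authorized_by == "MAB" and sta.eapol_start_seen:
            sta.findings.append(SUPPLICANT_NOT_EVALUATED)
    return stations


# Abridged from this page's outputs; the final line is constructed (see lead-in).
SAMPLE_JOURNAL = """\
Mar 20 09:20:21.598257 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Mar 20 09:20:21.600660 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Mar 20 09:20:21.600824 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Mar 20 09:20:21.601152 osdx hostapd[98413]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 20 09:20:47.308534 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Mar 20 09:20:47.311091 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Mar 20 09:20:48.311387 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Mar 20 09:20:48.311410 osdx hostapd[99465]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:20:48.311766 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Mar 20 09:20:48.400000 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
"""

if __name__ == "__main__":
    for sta in audit_journal(SAMPLE_JOURNAL).values():
        print(sta.mac, sta.mab, sta.authorized_by, sta.eap_method, sta.findings)
```

A station that never sends EAPOL-Start, as in the unsupported-802.1x scenario, is reported as authorized by MAB without the supplicant finding.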

Test Successful MAB Authentication With Unsupported 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18A4DxTupuee9cOHokXrCr2P68/q24lROYwz/22MDa1/jWgzqblFZyvARRkSuJ+KHzCLeLsBuS4mg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.180 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.180/0.180/0.180/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.338 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.338/0.338/0.338/0.000 ms

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.246 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.246/0.246/0.246/0.000 ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Mar 20 09:20:29.141967 osdx hostapd[98934]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:20:29.141979 osdx hostapd[98934]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:20:29.142196 osdx hostapd[98934]: connect[radius]: Network is unreachable
Mar 20 09:20:29.142015 osdx hostapd[98934]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:20:29.142021 osdx hostapd[98934]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:20:29.157849 osdx hostapd[98934]: Discovery mode enabled on eth2
Mar 20 09:20:29.157891 osdx hostapd[98934]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:20:29.157891 osdx hostapd[98934]: eth2: AP-ENABLED
Mar 20 09:20:34.158028 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Mar 20 09:20:34.158072 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Mar 20 09:20:34.158086 osdx hostapd[98935]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:20:34.173902 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Mar 20 09:20:34.173943 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Mar 20 09:20:34.173962 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Mar 20 09:20:34.176276 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Mar 20 09:20:34.176290 osdx hostapd[98935]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:20:34.176374 osdx hostapd[98935]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:34.176407 osdx hostapd[98935]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:34.176689 osdx hostapd[98935]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:20:34.176695 osdx hostapd[98935]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:34.176700 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:34.176704 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Mar 20 09:20:34.176724 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Mar 20 09:20:34.176727 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 20 09:20:34.176731 osdx hostapd[98935]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:20:34.176741 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Mar 20 09:20:34.176745 osdx hostapd[98935]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session E092AD75BF930A02

Test Unsuccessful MAB Authentication With Successful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18OUVRCCYouBkom61LDOQOx5Ugpuv0b9jfbD7e/9Y8t2DHqAynoHOF0c5ZlDouBMNIsn/S/Vu9qtw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.172 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.172/0.172/0.172/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/wKOUUT35xgvVjSZvV8ep3cDnWeZ4VcBk=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Output:
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Output:
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X
Output:
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     1
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            00:11:22:33:44:55
Session User Name                     testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.309 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.309/0.309/0.309/0.000 ms

Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Output:
Mar 20 09:20:44.208661 osdx hostapd[99464]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:20:44.208677 osdx hostapd[99464]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:20:44.208923 osdx hostapd[99464]: connect[radius]: Network is unreachable
Mar 20 09:20:44.208717 osdx hostapd[99464]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:20:44.208720 osdx hostapd[99464]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:20:44.224500 osdx hostapd[99464]: Discovery mode enabled on eth2
Mar 20 09:20:44.224593 osdx hostapd[99464]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:20:44.224593 osdx hostapd[99464]: eth2: AP-ENABLED
Mar 20 09:20:47.296233 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Mar 20 09:20:47.296254 osdx hostapd[99465]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:20:47.308534 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Mar 20 09:20:47.308570 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Mar 20 09:20:47.308589 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Mar 20 09:20:47.310931 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Mar 20 09:20:47.310945 osdx hostapd[99465]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:20:47.311027 osdx hostapd[99465]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:47.311058 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:47.311091 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Mar 20 09:20:48.311136 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Mar 20 09:20:48.311171 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 20 09:20:48.311319 osdx hostapd[99465]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:20:48.311322 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.311327 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:48.311331 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Mar 20 09:20:48.311384 osdx hostapd[99465]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:20:48.311387 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Mar 20 09:20:48.311391 osdx hostapd[99465]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 20 09:20:48.311394 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Mar 20 09:20:48.311410 osdx hostapd[99465]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:20:48.311431 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 40)
Mar 20 09:20:48.311444 osdx hostapd[99465]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:20:48.311447 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.311450 osdx hostapd[99465]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Mar 20 09:20:48.311753 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=40 len=12) from STA: EAP Response-Identity (1)
Mar 20 09:20:48.311766 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Mar 20 09:20:48.311823 osdx hostapd[99465]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:48.311841 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:48.312112 osdx hostapd[99465]: eth2: RADIUS Received 80 bytes from RADIUS server
Mar 20 09:20:48.312118 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.312122 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:48.312145 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=41 len=22) from RADIUS server: EAP-Request-MD5 (4)
Mar 20 09:20:48.312151 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 41)
Mar 20 09:20:48.312381 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=41 len=6) from STA: EAP Response-unknown (3)
Mar 20 09:20:48.312435 osdx hostapd[99465]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:48.312456 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:48.312705 osdx hostapd[99465]: eth2: RADIUS Received 64 bytes from RADIUS server
Mar 20 09:20:48.312709 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.312712 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:48.312729 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=42 len=6) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:48.312736 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 42)
Mar 20 09:20:48.325071 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=42 len=194) from STA: EAP Response-PEAP (25)
Mar 20 09:20:48.325163 osdx hostapd[99465]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:48.325192 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:48.357877 osdx hostapd[99465]: eth2: RADIUS Received 1068 bytes from RADIUS server
Mar 20 09:20:48.357891 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.357895 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.03 sec
Mar 20 09:20:48.357951 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=43 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:48.357962 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 43)
Mar 20 09:20:48.358259 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=43 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:20:48.358322 osdx hostapd[99465]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:48.358341 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:48.358528 osdx hostapd[99465]: eth2: RADIUS Received 229 bytes from RADIUS server
Mar 20 09:20:48.358534 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.358538 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:48.358556 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=44 len=171) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:48.358568 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 44)
Mar 20 09:20:48.362786 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=44 len=103) from STA: EAP Response-PEAP (25)
Mar 20 09:20:48.362835 osdx hostapd[99465]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:48.362849 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:48.363270 osdx hostapd[99465]: eth2: RADIUS Received 115 bytes from RADIUS server
Mar 20 09:20:48.363277 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.363281 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:48.363305 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=45 len=57) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:48.363313 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 45)
Mar 20 09:20:48.363571 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=45 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:20:48.363614 osdx hostapd[99465]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:48.363629 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:48.363806 osdx hostapd[99465]: eth2: RADIUS Received 98 bytes from RADIUS server
Mar 20 09:20:48.363811 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.363815 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:48.363827 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=46 len=40) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:48.363834 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 46)
Mar 20 09:20:48.363985 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=46 len=43) from STA: EAP Response-PEAP (25)
Mar 20 09:20:48.364020 osdx hostapd[99465]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:48.364035 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:48.364226 osdx hostapd[99465]: eth2: RADIUS Received 131 bytes from RADIUS server
Mar 20 09:20:48.364230 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.364233 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:48.364247 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=47 len=73) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:48.364253 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 47)
Mar 20 09:20:48.364557 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=47 len=97) from STA: EAP Response-PEAP (25)
Mar 20 09:20:48.364593 osdx hostapd[99465]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:48.364601 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:48.369225 osdx hostapd[99465]: eth2: RADIUS Received 140 bytes from RADIUS server
Mar 20 09:20:48.369235 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.369239 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:48.369278 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=48 len=82) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:48.369288 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 48)
Mar 20 09:20:48.369578 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=48 len=37) from STA: EAP Response-PEAP (25)
Mar 20 09:20:48.369629 osdx hostapd[99465]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:48.369643 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:48.369861 osdx hostapd[99465]: eth2: RADIUS Received 104 bytes from RADIUS server
Mar 20 09:20:48.369867 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.369876 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:48.369895 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=49 len=46) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:48.369902 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 49)
Mar 20 09:20:48.370140 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=49 len=46) from STA: EAP Response-PEAP (25)
Mar 20 09:20:48.370179 osdx hostapd[99465]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:48.370192 osdx hostapd[99465]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:48.370402 osdx hostapd[99465]: eth2: RADIUS Received 175 bytes from RADIUS server
Mar 20 09:20:48.370407 osdx hostapd[99465]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:48.370410 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:48.370437 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Mar 20 09:20:48.370441 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=49 len=4) from RADIUS server: EAP Success
Mar 20 09:20:48.370455 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 49)
Mar 20 09:20:48.370492 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Mar 20 09:20:48.370496 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session C9089B081D792CA9
Mar 20 09:20:48.370524 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+e3XnFAZ5ze6INM2xw0UoNc9YPbl3iRA0EFSK3maiqdOZQUl9uZXLRpBuiFdF1cCRbhLObKg0+ew==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.243 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.243/0.243/0.243/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19Rw5yazU+XPrtjZHIJaScfTwWS90/Hs+g=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run the command interfaces ethernet eth2 supplicant show stats on DUT1 and check that the output matches the following regular expression:

Port Status\s+Unauthorized
Show output
---------------------------------
       Field            Value
---------------------------------
EAPoL Frames (Rx)               9
EAPoL Frames (Tx)              10
Invalid Frames (Rx)             0
Logoff Frames (Tx)              0
Port Status          Unauthorized
Req Frames (Rx)                 8
Req ID Frames (Rx)              1
Resp Frames (Tx)                9
Start Frames (Tx)               1

Step 5: Run the command interfaces ethernet eth2 authenticator show stats on DUT0 and check that the output matches the following regular expression:

Authentication Failures\s+[1-9]\d?
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                         9
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1 and expect the command to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 7: Run the command system journal show | grep "osdx hostapd" on DUT0 and check that the output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Show output
Mar 20 09:20:55.211538 osdx hostapd[99991]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:20:55.211775 osdx hostapd[99991]: connect[radius]: Network is unreachable
Mar 20 09:20:55.211549 osdx hostapd[99991]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:20:55.211583 osdx hostapd[99991]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:20:55.211586 osdx hostapd[99991]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:20:55.243431 osdx hostapd[99991]: Discovery mode enabled on eth2
Mar 20 09:20:55.243485 osdx hostapd[99991]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:20:55.243485 osdx hostapd[99991]: eth2: AP-ENABLED
Mar 20 09:20:58.446161 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Mar 20 09:20:58.446176 osdx hostapd[99992]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:20:58.459494 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Mar 20 09:20:58.459525 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Mar 20 09:20:58.459539 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Mar 20 09:20:58.461194 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Mar 20 09:20:58.461209 osdx hostapd[99992]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:20:58.461279 osdx hostapd[99992]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:58.461303 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:58.461330 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Mar 20 09:20:59.461387 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Mar 20 09:20:59.461426 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 20 09:20:59.461570 osdx hostapd[99992]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:20:59.461575 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:59.461578 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:59.461582 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Mar 20 09:20:59.461626 osdx hostapd[99992]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:20:59.461629 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Mar 20 09:20:59.461634 osdx hostapd[99992]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 20 09:20:59.461636 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Mar 20 09:20:59.461643 osdx hostapd[99992]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:20:59.461656 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 181)
Mar 20 09:20:59.461668 osdx hostapd[99992]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:20:59.461671 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:59.461673 osdx hostapd[99992]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Mar 20 09:20:59.461967 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=181 len=10) from STA: EAP Response-Identity (1)
Mar 20 09:20:59.461977 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Mar 20 09:20:59.462038 osdx hostapd[99992]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:59.462054 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:59.462257 osdx hostapd[99992]: eth2: RADIUS Received 80 bytes from RADIUS server
Mar 20 09:20:59.462264 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:59.462267 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:59.462293 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=182 len=22) from RADIUS server: EAP-Request-MD5 (4)
Mar 20 09:20:59.462299 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 182)
Mar 20 09:20:59.462484 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=182 len=6) from STA: EAP Response-unknown (3)
Mar 20 09:20:59.462535 osdx hostapd[99992]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:59.462548 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:59.462784 osdx hostapd[99992]: eth2: RADIUS Received 64 bytes from RADIUS server
Mar 20 09:20:59.462789 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:59.462793 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:59.462810 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=183 len=6) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:59.462816 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 183)
Mar 20 09:20:59.463167 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=183 len=194) from STA: EAP Response-PEAP (25)
Mar 20 09:20:59.463201 osdx hostapd[99992]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:59.463211 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:59.464821 osdx hostapd[99992]: eth2: RADIUS Received 1068 bytes from RADIUS server
Mar 20 09:20:59.464826 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:59.464831 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:59.464855 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=184 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:59.464862 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 184)
Mar 20 09:20:59.465022 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=184 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:20:59.465062 osdx hostapd[99992]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:59.465071 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:59.465169 osdx hostapd[99992]: eth2: RADIUS Received 229 bytes from RADIUS server
Mar 20 09:20:59.465174 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:59.465176 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:59.465188 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=185 len=171) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:59.465193 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 185)
Mar 20 09:20:59.466988 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=185 len=103) from STA: EAP Response-PEAP (25)
Mar 20 09:20:59.467033 osdx hostapd[99992]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:59.467044 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:59.467382 osdx hostapd[99992]: eth2: RADIUS Received 115 bytes from RADIUS server
Mar 20 09:20:59.467386 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:59.467389 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:59.467411 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=186 len=57) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:59.467419 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 186)
Mar 20 09:20:59.467620 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=186 len=6) from STA: EAP Response-PEAP (25)
Mar 20 09:20:59.467651 osdx hostapd[99992]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:59.467660 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:59.467772 osdx hostapd[99992]: eth2: RADIUS Received 98 bytes from RADIUS server
Mar 20 09:20:59.467776 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:59.467779 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:59.467791 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=187 len=40) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:59.467795 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 187)
Mar 20 09:20:59.467975 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=187 len=41) from STA: EAP Response-PEAP (25)
Mar 20 09:20:59.468020 osdx hostapd[99992]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:59.468032 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:59.468171 osdx hostapd[99992]: eth2: RADIUS Received 131 bytes from RADIUS server
Mar 20 09:20:59.468177 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:59.468181 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:59.468195 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=188 len=73) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:59.468201 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 188)
Mar 20 09:20:59.468430 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=188 len=95) from STA: EAP Response-PEAP (25)
Mar 20 09:20:59.468462 osdx hostapd[99992]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:59.468472 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:20:59.468642 osdx hostapd[99992]: eth2: RADIUS Received 104 bytes from RADIUS server
Mar 20 09:20:59.468648 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:20:59.468651 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:20:59.468667 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=189 len=46) from RADIUS server: EAP-Request-PEAP (25)
Mar 20 09:20:59.468673 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 189)
Mar 20 09:20:59.468822 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=189 len=46) from STA: EAP Response-PEAP (25)
Mar 20 09:20:59.468867 osdx hostapd[99992]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:20:59.468879 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:00.468992 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Mar 20 09:21:00.469028 osdx hostapd[99992]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 20 09:21:00.469204 osdx hostapd[99992]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 20 09:21:00.469208 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:00.469211 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:00.469256 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=189 len=4) from RADIUS server: EAP Failure
Mar 20 09:21:00.469281 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 189)
Mar 20 09:21:00.469294 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 20 09:21:00.469298 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar 20 09:21:00.469300 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds)
Mar 20 09:21:00.469305 osdx hostapd[99992]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 20 09:21:00.469307 osdx hostapd[99992]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:00.469309 osdx hostapd[99992]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet

Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19vjzA6EOdeJHRYfp2ANFC+C5n7pBDcZx5ImQsWukDTmtXIwaR4k1+wiqUP06iOZTilsB7dEI10jg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.178 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.178/0.178/0.178/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run the command interfaces ethernet eth2 authenticator show stats on DUT0 and check that the output matches the following regular expression:

Authentication Failures\s+[1-9]\d?
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         2
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1 and expect the command to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 6: Run the command system journal show | grep "osdx hostapd" on DUT0 and check that the output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: EAP authentication timeout
Show output
Mar 20 09:21:08.458480 osdx hostapd[100511]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 20 09:21:08.458494 osdx hostapd[100511]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:21:08.458767 osdx hostapd[100511]: connect[radius]: Network is unreachable
Mar 20 09:21:08.458532 osdx hostapd[100511]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 20 09:21:08.458535 osdx hostapd[100511]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 20 09:21:08.474328 osdx hostapd[100511]: Discovery mode enabled on eth2
Mar 20 09:21:08.474415 osdx hostapd[100511]: eth2: interface state UNINITIALIZED->ENABLED
Mar 20 09:21:08.474415 osdx hostapd[100511]: eth2: AP-ENABLED
Mar 20 09:21:13.474488 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Mar 20 09:21:13.474527 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Mar 20 09:21:13.474536 osdx hostapd[100512]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 20 09:21:13.490386 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Mar 20 09:21:13.490423 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Mar 20 09:21:13.490442 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Mar 20 09:21:13.492816 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Mar 20 09:21:13.492831 osdx hostapd[100512]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 20 09:21:13.492917 osdx hostapd[100512]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 20 09:21:13.492951 osdx hostapd[100512]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 20 09:21:14.493033 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Mar 20 09:21:14.493067 osdx hostapd[100512]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 20 09:21:14.493273 osdx hostapd[100512]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:21:14.493279 osdx hostapd[100512]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:14.493285 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 20 09:21:14.493290 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Mar 20 09:21:14.493342 osdx hostapd[100512]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 20 09:21:14.493346 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Mar 20 09:21:14.493350 osdx hostapd[100512]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 20 09:21:14.493353 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Mar 20 09:21:14.493360 osdx hostapd[100512]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:21:14.493376 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 249)
Mar 20 09:21:14.493396 osdx hostapd[100512]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 20 09:21:14.493399 osdx hostapd[100512]: eth2: RADIUS Received RADIUS message
Mar 20 09:21:14.493402 osdx hostapd[100512]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Mar 20 09:21:17.494465 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 249)
Mar 20 09:21:22.115581 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Mar 20 09:21:23.499472 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 249)
Mar 20 09:21:30.314063 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Mar 20 09:21:35.510476 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Mar 20 09:21:35.510488 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying
Mar 20 09:21:35.510505 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2)
Mar 20 09:21:35.510508 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)
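
The scenarios above tell their outcomes apart by grepping the journal for single tokens; the same lines can be folded into one verdict per station, which is what a monitoring job on the authenticator would want. The following Python script is an added example, not part of the OSDx documentation: it runs over a constructed, condensed subset of the log lines shown on this page, and the Session fields, the verdict strings and the choice to group lines by hostapd PID and station MAC are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a condensed subset of the hostapd journal lines shown in
# the scenarios on this page (PEAP round trips and most RADIUS lines omitted).
SAMPLE_JOURNAL = """\
Mar 20 09:20:48.370441 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=49 len=4) from RADIUS server: EAP Success
Mar 20 09:20:48.370492 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Mar 20 09:20:48.370524 osdx hostapd[99465]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Mar 20 09:20:59.461629 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Mar 20 09:20:59.461643 osdx hostapd[99992]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 20 09:20:59.461977 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Mar 20 09:21:00.469294 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 20 09:21:00.469298 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar 20 09:21:00.469300 osdx hostapd[99992]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds)
Mar 20 09:21:00.469309 osdx hostapd[99992]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Mar 20 09:21:14.493346 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Mar 20 09:21:22.115581 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Mar 20 09:21:35.510488 osdx hostapd[100512]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying
"""

# Only per-station hostapd lines are parsed. Interface-level RADIUS lines and
# the OSDxCLI audit line (which the grep also returns) do not match.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+) \S+ hostapd\[(?P<pid>\d+)\]: "
    r"(?P<iface>\S+): STA (?P<sta>[0-9a-f:]{17}) (?P<module>[^:]+): (?P<msg>.*)$"
)
IDENTITY = re.compile(r"^STA identity '(.*)'$")
# The quiet period is logged in two different phrasings (failure vs. timeout).
QUIET = re.compile(r"enforcing (?:quiet period \((\d+) seconds\)|(\d+) second quiet period)")
PAE_GROUP = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a real station


@dataclass
class Session:
    mab: str = "not seen"            # "failed" once the MAB-to-802.1X transition is logged
    dot1x: str = "pending"           # "success", "failed" or "timeout"
    identity: Optional[str] = None   # EAP identity offered by the supplicant, if any
    port_authorized: bool = False
    quiet_period: Optional[int] = None


def apply(session: Session, msg: str) -> None:
    """Update one session from the message part of a hostapd line."""
    if msg == "MAB-first mode: MAB failed, transitioning to 802.1X":
        session.mab = "failed"
    elif msg == "authorizing port":
        session.port_authorized = True
    elif msg == "unauthorizing port":
        session.port_authorized = False
    elif msg.startswith("authenticated - EAP type:"):
        session.dot1x = "success"
    elif msg.startswith("authentication failed - EAP type:"):
        session.dot1x = "failed"
    elif msg.startswith("EAP authentication timeout"):
        session.dot1x = "timeout"
    if (m := IDENTITY.match(msg)):
        session.identity = m.group(1)
    if (m := QUIET.search(msg)):
        session.quiet_period = int(m.group(1) or m.group(2))


def classify(journal: str) -> dict:
    """Return {(hostapd pid, station MAC): Session} for a journal excerpt.

    Assumption: one hostapd PID corresponds to one authenticator run, as in
    the test scenarios; a long-running daemon would need time windows instead.
    """
    sessions = {}
    for line in journal.splitlines():
        m = LINE.match(line)
        if not m or m["sta"] == PAE_GROUP:
            continue
        apply(sessions.setdefault((int(m["pid"]), m["sta"]), Session()), m["msg"])
    return sessions


def verdict(s: Session) -> str:
    if s.dot1x == "success" and s.port_authorized:
        return "authorized via 802.1X"
    if s.mab == "failed" and s.dot1x == "failed":
        return "MAB rejected, 802.1X rejected"
    if s.mab == "failed" and s.dot1x == "timeout":
        return "MAB rejected, 802.1X timed out (no supplicant reply)"
    return "incomplete"


if __name__ == "__main__":
    for (pid, sta), s in classify(SAMPLE_JOURNAL).items():
        print(pid, sta, verdict(s), "identity=%s quiet=%s" % (s.identity, s.quiet_period))
```

Separating the last two verdicts is useful in triage: a rejected 802.1X exchange means a supplicant presented credentials the RADIUS server refused, while a timeout after a MAB reject means an unregistered device with no supplicant was plugged into the port.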