Reauth Period
This scenario shows how to configure the reauthentication period in a device with 802.1x/MAB authentication.
Test Reauth Period In 802.1X Mode
Description
This scenario shows how to configure the reauthentication period in a device with 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19cw5pTGHjpOlQB5+fZ1RTvUXqciYRuxjfdIyzGOmVHnVf4NQZG0bXFnbAsQRO0wO45YQ6pOeDzkg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.309 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.309/0.309/0.309/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+rnsfkdZ3umeO75Edw6oxJJHrhIrujdbg= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticatedShow output
Mar 20 09:25:22.402974 osdx hostapd[106864]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 20 09:25:22.402987 osdx hostapd[106864]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 20 09:25:22.403199 osdx hostapd[106864]: connect[radius]: Network is unreachable Mar 20 09:25:22.403024 osdx hostapd[106864]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X, eap_server=0, eap_quiet_period=60, eap_max_retrans=2 Mar 20 09:25:22.403027 osdx hostapd[106864]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 20 09:25:22.422846 osdx hostapd[106864]: Discovery mode enabled on eth2 Mar 20 09:25:22.422845 osdx hostapd[106864]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames Mar 20 09:25:22.422931 osdx hostapd[106864]: eth2: interface state UNINITIALIZED->ENABLED Mar 20 09:25:22.422931 osdx hostapd[106864]: eth2: AP-ENABLED Mar 20 09:25:23.633284 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:25.463596 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 20 09:25:25.463612 osdx hostapd[106865]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 20 09:25:25.478908 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication Mar 20 09:25:25.478947 osdx hostapd[106865]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 20 09:25:25.478965 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Mar 20 09:25:25.478984 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Mar 20 09:25:25.478992 osdx hostapd[106865]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 20 09:25:25.479020 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 87) Mar 20 09:25:25.479417 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=87 len=12) from STA: EAP Response-Identity (1) Mar 20 09:25:25.479430 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing' Mar 20 09:25:25.479454 osdx hostapd[106865]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 20 09:25:25.481275 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:25.481303 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:25.481600 osdx hostapd[106865]: eth2: RADIUS Received 80 bytes from RADIUS server Mar 20 09:25:25.481612 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:25.481617 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:25.481653 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=88 len=22) from RADIUS server: EAP-Request-MD5 (4) Mar 20 09:25:25.481662 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 88) Mar 20 09:25:25.481904 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=88 len=6) from STA: EAP Response-unknown (3) Mar 20 09:25:25.481960 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:25.481975 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:25.482228 osdx hostapd[106865]: eth2: RADIUS Received 64 bytes from RADIUS server Mar 20 09:25:25.482234 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:25.482238 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:25.482255 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=89 len=6) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:25.482262 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 89) Mar 20 09:25:25.482603 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=89 len=194) from STA: EAP Response-PEAP (25) Mar 20 09:25:25.482652 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:25.482664 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:25.483717 osdx hostapd[106865]: eth2: RADIUS Received 1068 bytes from RADIUS server Mar 20 09:25:25.483726 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:25.483731 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:25.483754 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=90 len=1004) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:25.483761 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 90) Mar 20 09:25:25.484000 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=90 len=6) from STA: EAP Response-PEAP (25) Mar 20 09:25:25.484050 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:25.484063 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:25.484206 osdx hostapd[106865]: eth2: RADIUS Received 229 bytes from RADIUS server Mar 20 09:25:25.484211 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:25.484214 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:25.484234 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=91 len=171) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:25.484240 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 91) Mar 20 09:25:25.485559 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=91 len=103) from STA: EAP Response-PEAP (25) Mar 20 09:25:25.485611 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:25.485626 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:25.485953 osdx hostapd[106865]: eth2: RADIUS Received 115 bytes from RADIUS server Mar 20 09:25:25.485958 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:25.485961 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:25.485979 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=92 len=57) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:25.485986 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 92) Mar 20 09:25:25.486216 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=92 len=6) from STA: EAP Response-PEAP (25) Mar 20 09:25:25.486259 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:25.486275 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:25.486394 osdx hostapd[106865]: eth2: RADIUS Received 98 bytes from RADIUS server Mar 20 09:25:25.486398 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:25.486401 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:25.486412 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=93 len=40) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:25.486417 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 93) Mar 20 09:25:25.486589 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=93 len=43) from STA: EAP Response-PEAP (25) Mar 20 09:25:25.486639 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:25.486654 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:25.486832 osdx hostapd[106865]: eth2: RADIUS Received 131 bytes from RADIUS server Mar 20 09:25:25.486837 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:25.486841 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:25.486857 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=94 len=73) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:25.486863 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 94) Mar 20 09:25:25.487105 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=94 len=97) from STA: EAP Response-PEAP (25) Mar 20 09:25:25.487137 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:25.487152 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:25.487336 osdx hostapd[106865]: eth2: RADIUS Received 140 bytes from RADIUS server Mar 20 09:25:25.487342 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:25.487345 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:25.487361 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=95 len=82) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:25.487367 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 95) Mar 20 09:25:25.487527 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=95 len=37) from STA: EAP Response-PEAP (25) Mar 20 09:25:25.487559 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:25.487569 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:25.487716 osdx hostapd[106865]: eth2: RADIUS Received 104 bytes from RADIUS server Mar 20 09:25:25.487720 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:25.487723 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:25.487736 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=96 len=46) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:25.487742 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 96) Mar 20 09:25:25.487917 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=96 len=46) from STA: EAP Response-PEAP (25) Mar 20 09:25:25.487953 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:25.487963 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:25.488159 osdx hostapd[106865]: eth2: RADIUS Received 175 bytes from RADIUS server Mar 20 09:25:25.488164 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:25.488167 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:25.488188 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' Mar 20 09:25:25.488192 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=96 len=4) from RADIUS server: EAP Success Mar 20 09:25:25.488280 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 96) Mar 20 09:25:25.488298 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 20 09:25:25.488315 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 94E143FFCBAA3EAE Mar 20 09:25:25.488319 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Mar 20 09:25:25.954410 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:28.047990 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:30.124406 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:32.202211 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:34.284048 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:36.364137 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:38.442158 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:40.527159 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:42.617021 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:44.696097 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:45.496999 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Mar 20 09:25:45.497014 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Starting re-authentication (port will be unauthorized until authentication succeeds) Mar 20 09:25:45.497020 osdx hostapd[106865]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 20 09:25:45.497065 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 80) Mar 20 09:25:45.497459 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=80 len=12) from STA: EAP Response-Identity (1) Mar 20 09:25:45.497473 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing' Mar 20 09:25:45.497538 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:45.497568 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:45.497846 osdx hostapd[106865]: eth2: RADIUS Received 80 bytes from RADIUS server Mar 20 09:25:45.497853 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:45.497856 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:45.497886 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=81 len=22) from RADIUS server: EAP-Request-MD5 (4) Mar 20 09:25:45.497892 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 81) Mar 20 09:25:45.498069 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=81 len=6) from STA: EAP Response-unknown (3) Mar 20 09:25:45.498108 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:45.498132 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:45.498466 osdx hostapd[106865]: eth2: RADIUS Received 64 bytes from RADIUS server Mar 20 09:25:45.498478 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:45.498484 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:45.498520 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=82 len=6) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:45.498531 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 82) Mar 20 09:25:45.499066 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=82 len=194) from STA: EAP Response-PEAP (25) Mar 20 09:25:45.499151 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:45.499174 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:45.501072 osdx hostapd[106865]: eth2: RADIUS Received 1068 bytes from RADIUS server Mar 20 09:25:45.501079 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:45.501084 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:45.501108 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=83 len=1004) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:45.501116 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 83) Mar 20 09:25:45.501318 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=83 len=6) from STA: EAP Response-PEAP (25) Mar 20 09:25:45.501363 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:45.501377 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:45.501499 osdx hostapd[106865]: eth2: RADIUS Received 229 bytes from RADIUS server Mar 20 09:25:45.501504 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:45.501508 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:45.501527 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=84 len=171) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:45.501536 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 84) Mar 20 09:25:45.502871 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=84 len=103) from STA: EAP Response-PEAP (25) Mar 20 09:25:45.502945 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:45.502961 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:45.503492 osdx hostapd[106865]: eth2: RADIUS Received 115 bytes from RADIUS server Mar 20 09:25:45.503500 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:45.503507 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:45.503532 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=85 len=57) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:45.503541 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 85) Mar 20 09:25:45.503886 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=85 len=6) from STA: EAP Response-PEAP (25) Mar 20 09:25:45.503945 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:45.503961 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:45.504139 osdx hostapd[106865]: eth2: RADIUS Received 98 bytes from RADIUS server Mar 20 09:25:45.504146 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:45.504151 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:45.504170 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=86 len=40) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:45.504178 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 86) Mar 20 09:25:45.504371 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=86 len=43) from STA: EAP Response-PEAP (25) Mar 20 09:25:45.504417 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:45.504431 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:45.504635 osdx hostapd[106865]: eth2: RADIUS Received 131 bytes from RADIUS server Mar 20 09:25:45.504642 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:45.504647 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:45.504673 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=87 len=73) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:45.504681 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 87) Mar 20 09:25:45.504991 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=87 len=97) from STA: EAP Response-PEAP (25) Mar 20 09:25:45.505038 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:45.505052 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:45.505334 osdx hostapd[106865]: eth2: RADIUS Received 140 bytes from RADIUS server Mar 20 09:25:45.505341 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:45.505346 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:45.505366 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=88 len=82) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:45.505374 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 88) Mar 20 09:25:45.505579 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=88 len=37) from STA: EAP Response-PEAP (25) Mar 20 09:25:45.505621 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:45.505633 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:45.505832 osdx hostapd[106865]: eth2: RADIUS Received 104 bytes from RADIUS server Mar 20 09:25:45.505839 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:45.505843 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:45.505864 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=89 len=46) from RADIUS server: EAP-Request-PEAP (25) Mar 20 09:25:45.505873 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 89) Mar 20 09:25:45.506044 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=89 len=46) from STA: EAP Response-PEAP (25) Mar 20 09:25:45.506092 osdx hostapd[106865]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:45.506107 osdx hostapd[106865]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:45.506343 osdx hostapd[106865]: eth2: RADIUS Received 175 bytes from RADIUS server Mar 20 09:25:45.506350 osdx hostapd[106865]: eth2: RADIUS Received RADIUS message Mar 20 09:25:45.506356 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:45.506387 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' Mar 20 09:25:45.506393 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=89 len=4) from RADIUS server: EAP Success Mar 20 09:25:45.506413 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 89) Mar 20 09:25:45.506424 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 20 09:25:45.506428 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 94E143FFCBAA3EAE Mar 20 09:25:45.506454 osdx hostapd[106865]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Reauth Period In MAB Mode
Description
This scenario shows how to configure the reauthentication period in a device with MAB authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19lIwjvvqbLeWl8c0sbmTm7IfhxkzpLKV1BIylDRrxOkVd7flmGJRmk5NueuMthRh16HnDLd2BJyw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.163 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.163/0.163/0.163/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticatedShow output
Mar 20 09:25:53.336377 osdx hostapd[107466]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 20 09:25:53.336393 osdx hostapd[107466]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 20 09:25:53.336668 osdx hostapd[107466]: connect[radius]: Network is unreachable Mar 20 09:25:53.336433 osdx hostapd[107466]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-only, eap_server=0, eap_quiet_period=60, eap_max_retrans=5 Mar 20 09:25:53.336436 osdx hostapd[107466]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 20 09:25:53.360261 osdx hostapd[107466]: Discovery mode enabled on eth2 Mar 20 09:25:53.360307 osdx hostapd[107466]: eth2: interface state UNINITIALIZED->ENABLED Mar 20 09:25:53.360307 osdx hostapd[107466]: eth2: AP-ENABLED Mar 20 09:25:56.475630 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:25:58.362418 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Mar 20 09:25:58.362452 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 20 09:25:58.362460 osdx hostapd[107467]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 20 09:25:58.384292 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-only mode: Starting MAB authentication Mar 20 09:25:58.384325 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 20 09:25:58.384348 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 20 09:25:58.386676 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 20 09:25:58.386691 osdx hostapd[107467]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 20 09:25:58.386779 osdx hostapd[107467]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:25:58.386812 osdx hostapd[107467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:25:58.387087 osdx hostapd[107467]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 20 09:25:58.387093 osdx hostapd[107467]: eth2: RADIUS Received RADIUS message Mar 20 09:25:58.387098 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:25:58.387102 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 20 09:25:58.387120 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 20 09:25:58.387124 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 20 09:25:58.387127 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Mar 20 09:25:58.387130 osdx hostapd[107467]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 20 09:25:58.387145 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 20 09:25:58.387149 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session B357B090CAB10B5A
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Mar 20 09:26:00.911720 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:04.078089 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:07.265699 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:10.461723 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:13.650746 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:16.818382 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:18.401386 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Mar 20 09:26:18.401401 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 20 09:26:18.401451 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 20 09:26:18.401478 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 20 09:26:18.401497 osdx hostapd[107467]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:26:18.401530 osdx hostapd[107467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:26:18.401826 osdx hostapd[107467]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 20 09:26:18.401832 osdx hostapd[107467]: eth2: RADIUS Received RADIUS message Mar 20 09:26:18.401836 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:26:18.401840 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 20 09:26:18.401861 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 20 09:26:18.401865 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Mar 20 09:26:18.401867 osdx hostapd[107467]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 20 09:26:18.401871 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 20 09:26:18.401874 osdx hostapd[107467]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session B357B090CAB10B5A
Test Reauth Period In MAB-Fallback Mode
Description
This scenario shows how to configure the reauthentication period in a device with 802.1x-MAB authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode 802.1x-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19Wjl8BKHt4TnM0DTrmwjRQrU6oix0JRVinQLAX8SXzZb7SF0Sk+gWbLNTjwzdRRTjqOtWtM6Kigg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.224 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.224/0.224/0.224/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticatedShow output
Mar 20 09:26:26.406088 osdx hostapd[108048]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 20 09:26:26.406104 osdx hostapd[108048]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 20 09:26:26.406433 osdx hostapd[108048]: connect[radius]: Network is unreachable Mar 20 09:26:26.406158 osdx hostapd[108048]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 20 09:26:26.406162 osdx hostapd[108048]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 20 09:26:26.425904 osdx hostapd[108048]: Discovery mode enabled on eth2 Mar 20 09:26:26.425910 osdx hostapd[108048]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames Mar 20 09:26:26.426021 osdx hostapd[108048]: eth2: interface state UNINITIALIZED->ENABLED Mar 20 09:26:26.426021 osdx hostapd[108048]: eth2: AP-ENABLED Mar 20 09:26:29.595387 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:31.428019 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Mar 20 09:26:31.428055 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 20 09:26:31.428063 osdx hostapd[108049]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 20 09:26:31.441953 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication Mar 20 09:26:31.441991 osdx hostapd[108049]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 20 09:26:31.441996 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response Mar 20 09:26:31.442000 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Mar 20 09:26:31.442021 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Mar 20 09:26:31.442030 osdx hostapd[108049]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 20 09:26:31.442064 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 179) Mar 20 09:26:33.847164 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:34.445013 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 179) Mar 20 09:26:38.038374 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:40.450024 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 179) Mar 20 09:26:42.266276 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:46.466017 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:50.654023 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:52.461039 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication Mar 20 09:26:52.461052 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately Mar 20 09:26:52.461058 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 20 09:26:52.461098 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 20 09:26:52.463543 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 20 09:26:52.463556 osdx hostapd[108049]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 20 09:26:52.463640 osdx hostapd[108049]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:26:52.463673 osdx hostapd[108049]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:26:52.463693 osdx hostapd[108049]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 20 09:26:52.463709 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 152) Mar 20 09:26:52.463968 osdx hostapd[108049]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 20 09:26:52.463975 osdx hostapd[108049]: eth2: RADIUS Received RADIUS message Mar 20 09:26:52.463980 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:26:52.463985 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 20 09:26:52.464006 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 20 09:26:52.464009 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 20 09:26:52.464013 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Mar 20 09:26:52.464016 osdx hostapd[108049]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 20 09:26:52.464027 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 20 09:26:52.464031 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 5162FE78E6FF716B
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Mar 20 09:26:55.172412 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:26:58.347025 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:01.530236 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:04.743453 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:07.916593 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:11.085455 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:12.481004 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Mar 20 09:27:12.481021 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback: Scheduling MAB trigger in 30 seconds if no 802.1X response Mar 20 09:27:12.481025 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Mar 20 09:27:12.481053 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Mar 20 09:27:12.481058 osdx hostapd[108049]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 20 09:27:12.481075 osdx hostapd[108049]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 8)
Test Reauth Period In MAB-First Mode
Description
This scenario shows how to configure the reauthentication period in a device with MAB-802.1X authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18wwY6mAGq+ldixTabcXm4a+D/A8267vKrxC3JfmD580J0cJTV4ELZTMhSvGeWPsqdahrITjheExA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.272 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.272/0.272/0.272/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticatedShow output
Mar 20 09:27:22.539035 osdx hostapd[108659]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 20 09:27:22.539047 osdx hostapd[108659]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 20 09:27:22.539274 osdx hostapd[108659]: connect[radius]: Network is unreachable Mar 20 09:27:22.539085 osdx hostapd[108659]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 20 09:27:22.539088 osdx hostapd[108659]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 20 09:27:22.554914 osdx hostapd[108659]: Discovery mode enabled on eth2 Mar 20 09:27:22.554920 osdx hostapd[108659]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames Mar 20 09:27:22.555030 osdx hostapd[108659]: eth2: interface state UNINITIALIZED->ENABLED Mar 20 09:27:22.555030 osdx hostapd[108659]: eth2: AP-ENABLED Mar 20 09:27:25.767518 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:27.557058 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Mar 20 09:27:27.557105 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 20 09:27:27.557112 osdx hostapd[108660]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 20 09:27:27.570913 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 20 09:27:27.570936 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 20 09:27:27.570949 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 20 09:27:27.572633 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 20 09:27:27.572643 osdx hostapd[108660]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 20 09:27:27.572713 osdx hostapd[108660]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:27:27.572740 osdx hostapd[108660]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:27:27.572779 osdx hostapd[108660]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame Mar 20 09:27:27.572789 osdx hostapd[108660]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds Mar 20 09:27:27.572993 osdx hostapd[108660]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 20 09:27:27.572998 osdx hostapd[108660]: eth2: RADIUS Received RADIUS message Mar 20 09:27:27.573001 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:27:27.573005 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 20 09:27:27.573024 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 20 09:27:27.573026 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 20 09:27:27.573029 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Mar 20 09:27:27.573031 osdx hostapd[108660]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 20 09:27:27.573044 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 20 09:27:27.573046 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session AEA5F4947B00EFA9
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Mar 20 09:27:30.220525 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:33.395729 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:36.560936 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:39.745063 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:42.906108 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:46.100394 osdx OSDxCLI[81197]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 20 09:27:47.573079 osdx hostapd[108660]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame Mar 20 09:27:47.573106 osdx hostapd[108660]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds Mar 20 09:27:47.587093 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Mar 20 09:27:47.587110 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 20 09:27:47.587151 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 20 09:27:47.587183 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 20 09:27:47.587213 osdx hostapd[108660]: eth2: RADIUS Sending RADIUS message to authentication server Mar 20 09:27:47.587257 osdx hostapd[108660]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 20 09:27:47.587572 osdx hostapd[108660]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 20 09:27:47.587581 osdx hostapd[108660]: eth2: RADIUS Received RADIUS message Mar 20 09:27:47.587586 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 20 09:27:47.587591 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 20 09:27:47.587624 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 20 09:27:47.587628 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Mar 20 09:27:47.587632 osdx hostapd[108660]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 20 09:27:47.587636 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 20 09:27:47.587639 osdx hostapd[108660]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session AEA5F4947B00EFA9