MAB Fallback

This scenario shows how to configure the MAB-fallback authentication mode.

Test Successful 802.1x Authentication With Successful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19K27c9+5rAx30xOwzRcqK2wMA/9P1gav+Q57+2NdLEDjapo1WTDoBqVcAR6Z9vU1rcXUkiOI3JQg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.735 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.735/0.735/0.735/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+TU26uQWFmuUzX2Hl5X5TfGbMrnKqjlw0=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Output:
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Output:
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X
Output:
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     0
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            de:ad:be:ef:6c:12
Session User Name                     testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.310 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.310/0.310/0.310/0.000 ms

Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Output:
Mar 05 18:26:34.451620 osdx hostapd[597376]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 05 18:26:34.451639 osdx hostapd[597376]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:26:34.451909 osdx hostapd[597376]: connect[radius]: Network is unreachable
Mar 05 18:26:34.451706 osdx hostapd[597376]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 05 18:26:34.451710 osdx hostapd[597376]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 05 18:26:34.487440 osdx hostapd[597376]: Discovery mode enabled on eth2
Mar 05 18:26:34.487555 osdx hostapd[597376]: eth2: interface state UNINITIALIZED->ENABLED
Mar 05 18:26:34.487555 osdx hostapd[597376]: eth2: AP-ENABLED
Mar 05 18:26:37.678282 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Mar 05 18:26:37.678297 osdx hostapd[597377]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 05 18:26:37.695520 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Mar 05 18:26:37.695554 osdx hostapd[597377]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 05 18:26:37.695559 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 05 18:26:37.695562 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 05 18:26:37.695582 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Mar 05 18:26:37.695585 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Mar 05 18:26:37.695595 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Mar 05 18:26:37.695604 osdx hostapd[597377]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 05 18:26:37.695656 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 218)
Mar 05 18:26:37.696128 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=218 len=12) from STA: EAP Response-Identity (1)
Mar 05 18:26:37.696141 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Mar 05 18:26:37.696189 osdx hostapd[597377]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:26:37.698641 osdx hostapd[597377]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:37.698676 osdx hostapd[597377]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:37.698952 osdx hostapd[597377]: eth2: RADIUS Received 80 bytes from RADIUS server
Mar 05 18:26:37.698961 osdx hostapd[597377]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:37.698966 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:37.698998 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=219 len=22) from RADIUS server: EAP-Request-MD5 (4)
Mar 05 18:26:37.699007 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 219)
Mar 05 18:26:37.699259 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=219 len=6) from STA: EAP Response-unknown (3)
Mar 05 18:26:37.699319 osdx hostapd[597377]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:37.699337 osdx hostapd[597377]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:37.699582 osdx hostapd[597377]: eth2: RADIUS Received 64 bytes from RADIUS server
Mar 05 18:26:37.699588 osdx hostapd[597377]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:37.699592 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:37.699611 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=220 len=6) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:37.699617 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 220)
Mar 05 18:26:37.700047 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=220 len=194) from STA: EAP Response-PEAP (25)
Mar 05 18:26:37.700094 osdx hostapd[597377]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:37.700106 osdx hostapd[597377]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:37.701218 osdx hostapd[597377]: eth2: RADIUS Received 1068 bytes from RADIUS server
Mar 05 18:26:37.701228 osdx hostapd[597377]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:37.701232 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:37.701266 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=221 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:37.701275 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 221)
Mar 05 18:26:37.701568 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=221 len=6) from STA: EAP Response-PEAP (25)
Mar 05 18:26:37.701623 osdx hostapd[597377]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:37.701641 osdx hostapd[597377]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:37.701822 osdx hostapd[597377]: eth2: RADIUS Received 229 bytes from RADIUS server
Mar 05 18:26:37.701829 osdx hostapd[597377]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:37.701833 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:37.701851 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=222 len=171) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:37.701859 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 222)
Mar 05 18:26:37.703876 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=222 len=103) from STA: EAP Response-PEAP (25)
Mar 05 18:26:37.703968 osdx hostapd[597377]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:37.703999 osdx hostapd[597377]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:37.704533 osdx hostapd[597377]: eth2: RADIUS Received 115 bytes from RADIUS server
Mar 05 18:26:37.704540 osdx hostapd[597377]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:37.704544 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:37.704573 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=223 len=57) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:37.704582 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 223)
Mar 05 18:26:37.704912 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=223 len=6) from STA: EAP Response-PEAP (25)
Mar 05 18:26:37.704971 osdx hostapd[597377]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:37.704987 osdx hostapd[597377]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:37.705174 osdx hostapd[597377]: eth2: RADIUS Received 98 bytes from RADIUS server
Mar 05 18:26:37.705183 osdx hostapd[597377]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:37.705188 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:37.705210 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=224 len=40) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:37.705217 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 224)
Mar 05 18:26:37.705447 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=224 len=43) from STA: EAP Response-PEAP (25)
Mar 05 18:26:37.705498 osdx hostapd[597377]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:37.705529 osdx hostapd[597377]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:37.705702 osdx hostapd[597377]: eth2: RADIUS Received 131 bytes from RADIUS server
Mar 05 18:26:37.705709 osdx hostapd[597377]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:37.705713 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:37.705734 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=225 len=73) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:37.705740 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 225)
Mar 05 18:26:37.706041 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=225 len=97) from STA: EAP Response-PEAP (25)
Mar 05 18:26:37.706080 osdx hostapd[597377]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:37.706094 osdx hostapd[597377]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:37.706343 osdx hostapd[597377]: eth2: RADIUS Received 140 bytes from RADIUS server
Mar 05 18:26:37.706348 osdx hostapd[597377]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:37.706351 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:37.706366 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=226 len=82) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:37.706371 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 226)
Mar 05 18:26:37.706609 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=226 len=37) from STA: EAP Response-PEAP (25)
Mar 05 18:26:37.706657 osdx hostapd[597377]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:37.706672 osdx hostapd[597377]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:37.706861 osdx hostapd[597377]: eth2: RADIUS Received 104 bytes from RADIUS server
Mar 05 18:26:37.706865 osdx hostapd[597377]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:37.706868 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:37.706882 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=227 len=46) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:37.706887 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 227)
Mar 05 18:26:37.707112 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=227 len=46) from STA: EAP Response-PEAP (25)
Mar 05 18:26:37.707162 osdx hostapd[597377]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:37.707177 osdx hostapd[597377]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:37.707407 osdx hostapd[597377]: eth2: RADIUS Received 175 bytes from RADIUS server
Mar 05 18:26:37.707416 osdx hostapd[597377]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:37.707420 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:37.707454 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Mar 05 18:26:37.707458 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=227 len=4) from RADIUS server: EAP Success
Mar 05 18:26:37.707479 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 227)
Mar 05 18:26:37.707498 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Mar 05 18:26:37.707502 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 62D7417521DF4C0D
Mar 05 18:26:37.707506 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
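
Added example (not part of the original page or the product's tooling): a Python audit of the Step 8 journal output that reports, per station MAC, whether the port was authorized by 802.1X or the MAB timer was left armed, and which EAP method the supplicant refused. The sample log reuses lines shown above plus a hypothetical silent station 02:00:00:00:00:01; reading EAP type 3 (logged as "Response-unknown (3)") as a Nak follows RFC 3748.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the de:ad:be:ef:6c:12 lines are copied from the Step 8 output;
# the 02:00:00:00:00:01 lines are hypothetical (a station that never answers with EAPOL).
SAMPLE_LOG = """\
Mar 05 18:26:37.695520 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Mar 05 18:26:37.695559 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 05 18:26:37.695582 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Mar 05 18:26:37.695604 osdx hostapd[597377]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 05 18:26:37.698998 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=219 len=22) from RADIUS server: EAP-Request-MD5 (4)
Mar 05 18:26:37.699259 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=219 len=6) from STA: EAP Response-unknown (3)
Mar 05 18:26:37.699611 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=220 len=6) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:37.700047 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=220 len=194) from STA: EAP Response-PEAP (25)
Mar 05 18:26:37.707506 osdx hostapd[597377]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Mar 05 18:30:00.000001 osdx hostapd[597377]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: start authentication
Mar 05 18:30:00.000002 osdx hostapd[597377]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
"""

PAE_GROUP = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a real station
EAP_NAK = 3                      # RFC 3748 type 3 (Nak)

STA_RE = re.compile(r"hostapd\[\d+\]: \S+: STA ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
                    r"(?:IEEE 802\.1X|RADIUS): (.*)$")
REQ_RE = re.compile(r"from RADIUS server: EAP-Request-(\S+) \((\d+)\)")
RESP_RE = re.compile(r"from STA: EAP Response-\S+ \((\d+)\)")
AUTH_RE = re.compile(r"authenticated - EAP type: (\d+) \((\w+)\)")


@dataclass
class Session:
    mab_armed: bool = False            # MAB fallback timer was scheduled
    mab_cancelled: bool = False        # ...and cancelled by an 802.1X response
    offered: list = field(default_factory=list)   # EAP methods requested by RADIUS
    rejected: list = field(default_factory=list)  # methods the supplicant Nak'ed
    auth_method: Optional[str] = None  # method named in the "authenticated" line
    last_request: Optional[str] = None


def parse_sessions(log_text):
    """Return {station MAC: Session} built from hostapd journal lines."""
    sessions = {}
    for line in log_text.splitlines():
        m = STA_RE.search(line)
        if not m or m.group(1) == PAE_GROUP:
            continue
        mac, msg = m.groups()
        if msg.startswith("start authentication"):
            sessions[mac] = Session()  # new attempt: forget earlier state
            continue
        s = sessions.setdefault(mac, Session())
        req, resp, auth = REQ_RE.search(msg), RESP_RE.search(msg), AUTH_RE.search(msg)
        if "Scheduling MAB trigger" in msg:
            s.mab_armed, s.mab_cancelled = True, False
        elif "Cancelled MAB trigger" in msg:
            s.mab_cancelled = True
        elif req:
            s.last_request = req.group(1)
            if req.group(1) not in s.offered:
                s.offered.append(req.group(1))
        elif resp and int(resp.group(1)) == EAP_NAK and s.last_request:
            s.rejected.append(s.last_request)
        elif auth:
            s.auth_method = auth.group(2)
    return sessions


def verdict(s):
    """Classify one session by the authentication path the log shows."""
    if s.auth_method:
        return "802.1X:" + s.auth_method
    if s.mab_armed and not s.mab_cancelled:
        return "mab-timer-armed"  # no 802.1X response seen; MAB will be tried
    return "incomplete"


def audit(log_text):
    return {mac: verdict(s) for mac, s in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for mac, s in parse_sessions(SAMPLE_LOG).items():
        print(mac, verdict(s), "offered=%s rejected=%s" % (s.offered, s.rejected))
```
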

Test Successful 802.1x Authentication With Unsuccessful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19/3K39cvXDyieu6NlnlgqUVzriTypKSYfZ8dKMR9yDT4VgHrhQ9++nK+IpzLcPfIyEj3OlsgqKlg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.559 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.559/0.559/0.559/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+zn8BCHGoaqnG+Mu4m6n4wXcNzoxMKkGQ=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Output:
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Output:
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X
Output:
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     0
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            00:11:22:33:44:55
Session User Name                     testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.333 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.333/0.333/0.333/0.000 ms

Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Output:
Mar 05 18:26:46.394047 osdx hostapd[597888]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 05 18:26:46.394059 osdx hostapd[597888]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:26:46.394272 osdx hostapd[597888]: connect[radius]: Network is unreachable
Mar 05 18:26:46.394100 osdx hostapd[597888]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 05 18:26:46.394105 osdx hostapd[597888]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 05 18:26:46.409949 osdx hostapd[597888]: Discovery mode enabled on eth2
Mar 05 18:26:46.410004 osdx hostapd[597888]: eth2: interface state UNINITIALIZED->ENABLED
Mar 05 18:26:46.410028 osdx hostapd[597888]: eth2: AP-ENABLED
Mar 05 18:26:49.708778 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Mar 05 18:26:49.708792 osdx hostapd[597889]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 05 18:26:49.722004 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Mar 05 18:26:49.722033 osdx hostapd[597889]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 05 18:26:49.722038 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 05 18:26:49.722041 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 05 18:26:49.722054 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Mar 05 18:26:49.722057 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Mar 05 18:26:49.722065 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 05 18:26:49.722077 osdx hostapd[597889]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 05 18:26:49.722109 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 167)
Mar 05 18:26:49.722406 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=167 len=12) from STA: EAP Response-Identity (1)
Mar 05 18:26:49.722418 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Mar 05 18:26:49.722442 osdx hostapd[597889]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:26:49.724953 osdx hostapd[597889]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:49.724990 osdx hostapd[597889]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:49.725239 osdx hostapd[597889]: eth2: RADIUS Received 80 bytes from RADIUS server
Mar 05 18:26:49.725247 osdx hostapd[597889]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:49.725251 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:49.725283 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=168 len=22) from RADIUS server: EAP-Request-MD5 (4)
Mar 05 18:26:49.725291 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 168)
Mar 05 18:26:49.725493 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=168 len=6) from STA: EAP Response-unknown (3)
Mar 05 18:26:49.725542 osdx hostapd[597889]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:49.725556 osdx hostapd[597889]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:49.725749 osdx hostapd[597889]: eth2: RADIUS Received 64 bytes from RADIUS server
Mar 05 18:26:49.725754 osdx hostapd[597889]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:49.725757 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:49.725779 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=169 len=6) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:49.725790 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 169)
Mar 05 18:26:49.726175 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=169 len=194) from STA: EAP Response-PEAP (25)
Mar 05 18:26:49.726222 osdx hostapd[597889]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:49.726237 osdx hostapd[597889]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:49.727522 osdx hostapd[597889]: eth2: RADIUS Received 1068 bytes from RADIUS server
Mar 05 18:26:49.727528 osdx hostapd[597889]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:49.727531 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:49.727551 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=170 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:49.727559 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 170)
Mar 05 18:26:49.727731 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=170 len=6) from STA: EAP Response-PEAP (25)
Mar 05 18:26:49.727774 osdx hostapd[597889]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:49.727787 osdx hostapd[597889]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:49.727908 osdx hostapd[597889]: eth2: RADIUS Received 229 bytes from RADIUS server
Mar 05 18:26:49.727913 osdx hostapd[597889]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:49.727916 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:49.727929 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=171 len=171) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:49.727936 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 171)
Mar 05 18:26:49.729211 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=171 len=103) from STA: EAP Response-PEAP (25)
Mar 05 18:26:49.729253 osdx hostapd[597889]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:49.729267 osdx hostapd[597889]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:49.729551 osdx hostapd[597889]: eth2: RADIUS Received 115 bytes from RADIUS server
Mar 05 18:26:49.729556 osdx hostapd[597889]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:49.729559 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:49.729574 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=172 len=57) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:49.729579 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 172)
Mar 05 18:26:49.729758 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=172 len=6) from STA: EAP Response-PEAP (25)
Mar 05 18:26:49.729797 osdx hostapd[597889]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:49.729808 osdx hostapd[597889]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:49.729927 osdx hostapd[597889]: eth2: RADIUS Received 98 bytes from RADIUS server
Mar 05 18:26:49.729933 osdx hostapd[597889]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:49.729936 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:49.729950 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=173 len=40) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:49.729960 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 173)
Mar 05 18:26:49.730078 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=173 len=43) from STA: EAP Response-PEAP (25)
Mar 05 18:26:49.730108 osdx hostapd[597889]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:49.730117 osdx hostapd[597889]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:49.730242 osdx hostapd[597889]: eth2: RADIUS Received 131 bytes from RADIUS server
Mar 05 18:26:49.730247 osdx hostapd[597889]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:49.730249 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:49.730261 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=174 len=73) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:49.730266 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 174)
Mar 05 18:26:49.730441 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=174 len=97) from STA: EAP Response-PEAP (25)
Mar 05 18:26:49.730470 osdx hostapd[597889]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:49.730480 osdx hostapd[597889]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:49.730631 osdx hostapd[597889]: eth2: RADIUS Received 140 bytes from RADIUS server
Mar 05 18:26:49.730636 osdx hostapd[597889]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:49.730639 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:49.730651 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=175 len=82) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:49.730657 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 175)
Mar 05 18:26:49.730834 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=175 len=37) from STA: EAP Response-PEAP (25)
Mar 05 18:26:49.730863 osdx hostapd[597889]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:49.730872 osdx hostapd[597889]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:49.731001 osdx hostapd[597889]: eth2: RADIUS Received 104 bytes from RADIUS server
Mar 05 18:26:49.731005 osdx hostapd[597889]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:49.731008 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:49.731020 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=176 len=46) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:26:49.731026 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 176)
Mar 05 18:26:49.731221 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=176 len=46) from STA: EAP Response-PEAP (25)
Mar 05 18:26:49.731251 osdx hostapd[597889]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:26:49.731261 osdx hostapd[597889]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:26:49.731406 osdx hostapd[597889]: eth2: RADIUS Received 175 bytes from RADIUS server
Mar 05 18:26:49.731411 osdx hostapd[597889]: eth2: RADIUS Received RADIUS message
Mar 05 18:26:49.731414 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:26:49.731434 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Mar 05 18:26:49.731438 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=176 len=4) from RADIUS server: EAP Success
Mar 05 18:26:49.731453 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 176)
Mar 05 18:26:49.731466 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Mar 05 18:26:49.731469 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session F1441A4F2DBADC87
Mar 05 18:26:49.731473 osdx hostapd[597889]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Test Unsuccessful 802.1x Authentication With Successful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username, so 802.1x authentication fails and DUT0 falls back to MAB, which succeeds.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX186eLAmrO80zg2AbE02uedth08FWnoY1re6TwoMTh6/W3XGPnXSRRO+sK/oGZEOtPaipt7T3Cnx9g==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.330 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.330/0.330/0.330/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+8vT4Hg9kVtWwpNepSA3Rl8Re67RASuPI=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                        10
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                     wrong

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.442 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.442/0.442/0.442/0.000 ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Mar 05 18:26:58.405635 osdx hostapd[598402]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 05 18:26:58.405653 osdx hostapd[598402]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:26:58.405850 osdx hostapd[598402]: connect[radius]: Network is unreachable
Mar 05 18:26:58.405694 osdx hostapd[598402]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 05 18:26:58.405698 osdx hostapd[598402]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 05 18:26:58.425411 osdx hostapd[598402]: Discovery mode enabled on eth2
Mar 05 18:26:58.425467 osdx hostapd[598402]: eth2: interface state UNINITIALIZED->ENABLED
Mar 05 18:26:58.425467 osdx hostapd[598402]: eth2: AP-ENABLED
Mar 05 18:27:01.480336 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Mar 05 18:27:01.480352 osdx hostapd[598403]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 05 18:27:01.505537 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Mar 05 18:27:01.505572 osdx hostapd[598403]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 05 18:27:01.505577 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 05 18:27:01.505581 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 05 18:27:01.505603 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Mar 05 18:27:01.505607 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Mar 05 18:27:01.505618 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Mar 05 18:27:01.505627 osdx hostapd[598403]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 05 18:27:01.505651 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 194)
Mar 05 18:27:01.506484 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=194 len=10) from STA: EAP Response-Identity (1)
Mar 05 18:27:01.506507 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong'
Mar 05 18:27:01.506540 osdx hostapd[598403]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:27:01.508743 osdx hostapd[598403]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:01.508891 osdx hostapd[598403]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:01.509067 osdx hostapd[598403]: eth2: RADIUS Received 80 bytes from RADIUS server
Mar 05 18:27:01.509074 osdx hostapd[598403]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:01.509078 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:01.509103 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=195 len=22) from RADIUS server: EAP-Request-MD5 (4)
Mar 05 18:27:01.509111 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 195)
Mar 05 18:27:01.509563 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=195 len=6) from STA: EAP Response-unknown (3)
Mar 05 18:27:01.509631 osdx hostapd[598403]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:01.509698 osdx hostapd[598403]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:01.509891 osdx hostapd[598403]: eth2: RADIUS Received 64 bytes from RADIUS server
Mar 05 18:27:01.509897 osdx hostapd[598403]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:01.509901 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:01.509920 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=196 len=6) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:01.509927 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 196)
Mar 05 18:27:01.510420 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=196 len=194) from STA: EAP Response-PEAP (25)
Mar 05 18:27:01.510470 osdx hostapd[598403]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:01.510537 osdx hostapd[598403]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:01.511579 osdx hostapd[598403]: eth2: RADIUS Received 1068 bytes from RADIUS server
Mar 05 18:27:01.511587 osdx hostapd[598403]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:01.511590 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:01.511614 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=197 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:01.511621 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 197)
Mar 05 18:27:01.511874 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=197 len=6) from STA: EAP Response-PEAP (25)
Mar 05 18:27:01.511933 osdx hostapd[598403]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:01.511951 osdx hostapd[598403]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:01.512117 osdx hostapd[598403]: eth2: RADIUS Received 229 bytes from RADIUS server
Mar 05 18:27:01.512123 osdx hostapd[598403]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:01.512126 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:01.512147 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=198 len=171) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:01.512160 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 198)
Mar 05 18:27:01.513702 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=198 len=103) from STA: EAP Response-PEAP (25)
Mar 05 18:27:01.513759 osdx hostapd[598403]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:01.513777 osdx hostapd[598403]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:01.514149 osdx hostapd[598403]: eth2: RADIUS Received 115 bytes from RADIUS server
Mar 05 18:27:01.514161 osdx hostapd[598403]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:01.514166 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:01.514192 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=199 len=57) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:01.514201 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 199)
Mar 05 18:27:01.514479 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=199 len=6) from STA: EAP Response-PEAP (25)
Mar 05 18:27:01.514533 osdx hostapd[598403]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:01.514547 osdx hostapd[598403]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:01.514729 osdx hostapd[598403]: eth2: RADIUS Received 98 bytes from RADIUS server
Mar 05 18:27:01.514735 osdx hostapd[598403]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:01.514740 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:01.514758 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=200 len=40) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:01.514764 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 200)
Mar 05 18:27:01.515014 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=200 len=41) from STA: EAP Response-PEAP (25)
Mar 05 18:27:01.515062 osdx hostapd[598403]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:01.515250 osdx hostapd[598403]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:01.515260 osdx hostapd[598403]: eth2: RADIUS Received 131 bytes from RADIUS server
Mar 05 18:27:01.515264 osdx hostapd[598403]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:01.515267 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:01.515285 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=201 len=73) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:01.515291 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 201)
Mar 05 18:27:01.515610 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=201 len=95) from STA: EAP Response-PEAP (25)
Mar 05 18:27:01.515655 osdx hostapd[598403]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:01.515696 osdx hostapd[598403]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:01.515895 osdx hostapd[598403]: eth2: RADIUS Received 104 bytes from RADIUS server
Mar 05 18:27:01.515900 osdx hostapd[598403]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:01.515903 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:01.515919 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=202 len=46) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:01.515930 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 202)
Mar 05 18:27:01.516166 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=202 len=46) from STA: EAP Response-PEAP (25)
Mar 05 18:27:01.516219 osdx hostapd[598403]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:01.516233 osdx hostapd[598403]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:02.516335 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=8)
Mar 05 18:27:02.516371 osdx hostapd[598403]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 05 18:27:02.516589 osdx hostapd[598403]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 05 18:27:02.516593 osdx hostapd[598403]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:02.516596 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:02.516639 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=4 id=202 len=4) from RADIUS server: EAP Failure
Mar 05 18:27:02.516666 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 202)
Mar 05 18:27:02.516681 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Mar 05 18:27:02.516685 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar 05 18:27:02.516688 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Mar 05 18:27:02.516692 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Mar 05 18:27:02.516721 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Mar 05 18:27:02.516734 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Mar 05 18:27:02.516747 osdx hostapd[598403]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:02.516757 osdx hostapd[598403]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:02.516770 osdx hostapd[598403]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 05 18:27:02.516773 osdx hostapd[598403]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:02.516776 osdx hostapd[598403]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Mar 05 18:27:02.516993 osdx hostapd[598403]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 05 18:27:02.516998 osdx hostapd[598403]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:02.517003 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:02.517007 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Mar 05 18:27:02.517038 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 05 18:27:02.517042 osdx hostapd[598403]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 05 18:27:02.517051 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Mar 05 18:27:02.517056 osdx hostapd[598403]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session EC7BE2DED209C122
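
The check below is an added example, not part of the original page or of the OSDx project: it parses hostapd journal lines in the format shown above and reports, per station, whether the port was opened by 802.1X, by MAB after a failed 802.1X attempt, or not at all. The sample journal is constructed from message strings on this page (`MAB: Authentication failed` is the token the next scenario checks for); the `Session` class, the function names and the verdict labels are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: message strings are taken from this page; the third MAC,
# the PIDs and several timestamps are made up for the example.
SAMPLE_JOURNAL = """\
Mar 05 18:26:49.700000 osdx hostapd[1]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Mar 05 18:26:49.700100 osdx hostapd[1]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 05 18:26:49.700200 osdx hostapd[1]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Mar 05 18:26:49.731466 osdx hostapd[1]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Mar 05 18:26:49.731473 osdx hostapd[1]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Mar 05 18:27:01.505537 osdx hostapd[2]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Mar 05 18:27:01.506507 osdx hostapd[2]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong'
Mar 05 18:27:02.516681 osdx hostapd[2]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Mar 05 18:27:02.516685 osdx hostapd[2]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar 05 18:27:02.516688 osdx hostapd[2]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Mar 05 18:27:02.517038 osdx hostapd[2]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 05 18:27:02.517051 osdx hostapd[2]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Mar 05 18:27:12.607043 osdx hostapd[3]: eth2: STA 02:00:00:00:00:03 IEEE 802.1X: start authentication
Mar 05 18:27:12.607459 osdx hostapd[3]: eth2: STA 02:00:00:00:00:03 IEEE 802.1X: STA identity 'wrong'
Mar 05 18:27:13.600000 osdx hostapd[3]: eth2: STA 02:00:00:00:00:03 IEEE 802.1X: unauthorizing port
Mar 05 18:27:13.600010 osdx hostapd[3]: eth2: STA 02:00:00:00:00:03 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar 05 18:27:13.600020 osdx hostapd[3]: eth2: STA 02:00:00:00:00:03 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Mar 05 18:27:13.600900 osdx hostapd[3]: eth2: STA 02:00:00:00:00:03 IEEE 802.1X: MAB: Authentication failed
"""

PAE_GROUP_MAC = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a station
LINE_RE = re.compile(
    r"hostapd\[\d+\]: (?P<iface>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.1X: (?P<msg>.*)$",
    re.IGNORECASE,
)
IDENTITY_RE = re.compile(r"STA identity '(.*)'")


@dataclass
class Session:
    iface: str
    mac: str
    identity: Optional[str] = None
    dot1x: str = "none"  # none | success | failed
    mab: str = "none"    # none | success | failed
    port_authorized: bool = False

    def verdict(self) -> str:
        if self.port_authorized and self.dot1x == "success":
            return "authorized-802.1x"
        if self.port_authorized and self.mab == "success":
            if self.dot1x == "failed":
                return "authorized-mab-after-802.1x-failure"
            return "authorized-mab"
        if "failed" in (self.dot1x, self.mab):
            return "rejected"
        return "pending"


def parse_sessions(journal_text):
    """Rebuild one Session per authentication attempt from hostapd journal text."""
    open_sessions, finished = {}, []
    for line in journal_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m or m["mac"].lower() == PAE_GROUP_MAC:
            continue
        key, msg = (m["iface"], m["mac"].lower()), m["msg"]
        # A new "start authentication" after a decided attempt opens a new session.
        prev = open_sessions.get(key)
        if msg == "start authentication" and prev and prev.verdict() != "pending":
            finished.append(open_sessions.pop(key))
        s = open_sessions.setdefault(key, Session(*key))
        ident = IDENTITY_RE.fullmatch(msg)
        if ident:
            s.identity = ident[1]
        elif msg.startswith("authenticated - EAP type"):
            s.dot1x = "success"
        elif msg.startswith("authentication failed - EAP type"):
            s.dot1x = "failed"
        elif msg.startswith("MAB: station successfully authenticated"):
            s.mab = "success"
        elif msg.startswith("MAB: Authentication failed"):
            s.mab = "failed"
        elif msg == "authorizing port":       # exact match: "unauthorizing port"
            s.port_authorized = True          # contains this string too
        elif msg == "unauthorizing port":
            s.port_authorized = False
    return finished + list(open_sessions.values())


def mab_after_dot1x_failure(sessions):
    """Sessions admitted on MAC address alone right after 802.1X was rejected."""
    return [s for s in sessions
            if s.verdict() == "authorized-mab-after-802.1x-failure"]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_JOURNAL):
        print(f"{s.iface} {s.mac} identity={s.identity!r} -> {s.verdict()}")
```

Stations returned by `mab_after_dot1x_failure` presented 802.1X credentials that RADIUS rejected and were then admitted on their MAC address alone, so they are the sessions to review first.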

Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address, so both 802.1x authentication and the MAB fallback fail and the port stays unauthorized.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19kXE+ug8Fbd/d0B29gIWdWq6Zjcv7tMIMcWzbxkYDTI0+AYH3Eumdja8PPlQqDvaaLNd+ylnCrqg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.306 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.306/0.306/0.306/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18gxX8NWR9ll3H2inH+fzd9828sGd3rf7I=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Unauthorized
---------------------------------
       Field            Value
---------------------------------
EAPoL Frames (Rx)              10
EAPoL Frames (Tx)              10
Invalid Frames (Rx)             0
Logoff Frames (Tx)              0
Port Status          Unauthorized
Req Frames (Rx)                 8
Req ID Frames (Rx)              1
Resp Frames (Tx)                9
Start Frames (Tx)               1

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                        10
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1 and expect the command to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Mar 05 18:27:09.331238 osdx hostapd[598918]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 05 18:27:09.331483 osdx hostapd[598918]: connect[radius]: Network is unreachable
Mar 05 18:27:09.331250 osdx hostapd[598918]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:27:09.331293 osdx hostapd[598918]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 05 18:27:09.331296 osdx hostapd[598918]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 05 18:27:09.355030 osdx hostapd[598918]: Discovery mode enabled on eth2
Mar 05 18:27:09.355121 osdx hostapd[598918]: eth2: interface state UNINITIALIZED->ENABLED
Mar 05 18:27:09.355121 osdx hostapd[598918]: eth2: AP-ENABLED
Mar 05 18:27:12.593817 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Mar 05 18:27:12.593831 osdx hostapd[598919]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 05 18:27:12.607043 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Mar 05 18:27:12.607069 osdx hostapd[598919]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 05 18:27:12.607072 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 05 18:27:12.607075 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 05 18:27:12.607087 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Mar 05 18:27:12.607090 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Mar 05 18:27:12.607107 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 05 18:27:12.607115 osdx hostapd[598919]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 05 18:27:12.607140 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 96)
Mar 05 18:27:12.607448 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=96 len=10) from STA: EAP Response-Identity (1)
Mar 05 18:27:12.607459 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Mar 05 18:27:12.607482 osdx hostapd[598919]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:27:12.609254 osdx hostapd[598919]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:12.609282 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:12.609530 osdx hostapd[598919]: eth2: RADIUS Received 80 bytes from RADIUS server
Mar 05 18:27:12.609536 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:12.609540 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:12.609559 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=97 len=22) from RADIUS server: EAP-Request-MD5 (4)
Mar 05 18:27:12.609566 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 97)
Mar 05 18:27:12.609803 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=97 len=6) from STA: EAP Response-unknown (3)
Mar 05 18:27:12.609857 osdx hostapd[598919]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:12.609873 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:12.610112 osdx hostapd[598919]: eth2: RADIUS Received 64 bytes from RADIUS server
Mar 05 18:27:12.610118 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:12.610122 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:12.610145 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=98 len=6) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:12.610153 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 98)
Mar 05 18:27:12.610492 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=98 len=194) from STA: EAP Response-PEAP (25)
Mar 05 18:27:12.610531 osdx hostapd[598919]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:12.610548 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:12.611591 osdx hostapd[598919]: eth2: RADIUS Received 1068 bytes from RADIUS server
Mar 05 18:27:12.611597 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:12.611600 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:12.611619 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=99 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:12.611625 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 99)
Mar 05 18:27:12.611812 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=99 len=6) from STA: EAP Response-PEAP (25)
Mar 05 18:27:12.611868 osdx hostapd[598919]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:12.611884 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:12.612004 osdx hostapd[598919]: eth2: RADIUS Received 229 bytes from RADIUS server
Mar 05 18:27:12.612009 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:12.612012 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:12.612028 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=100 len=171) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:12.612035 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 100)
Mar 05 18:27:12.613570 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=100 len=103) from STA: EAP Response-PEAP (25)
Mar 05 18:27:12.613609 osdx hostapd[598919]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:12.613620 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:12.613905 osdx hostapd[598919]: eth2: RADIUS Received 115 bytes from RADIUS server
Mar 05 18:27:12.613910 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:12.613914 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:12.613928 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=101 len=57) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:12.613934 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 101)
Mar 05 18:27:12.614146 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=101 len=6) from STA: EAP Response-PEAP (25)
Mar 05 18:27:12.614188 osdx hostapd[598919]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:12.614201 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:12.614298 osdx hostapd[598919]: eth2: RADIUS Received 98 bytes from RADIUS server
Mar 05 18:27:12.614304 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:12.614308 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:12.614322 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=102 len=40) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:12.614328 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 102)
Mar 05 18:27:12.614436 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=102 len=41) from STA: EAP Response-PEAP (25)
Mar 05 18:27:12.614466 osdx hostapd[598919]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:12.614476 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:12.614605 osdx hostapd[598919]: eth2: RADIUS Received 131 bytes from RADIUS server
Mar 05 18:27:12.614610 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:12.614613 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:12.614625 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=103 len=73) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:12.614631 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 103)
Mar 05 18:27:12.614826 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=103 len=95) from STA: EAP Response-PEAP (25)
Mar 05 18:27:12.614854 osdx hostapd[598919]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:12.614862 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:12.615017 osdx hostapd[598919]: eth2: RADIUS Received 104 bytes from RADIUS server
Mar 05 18:27:12.615022 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:12.615025 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:12.615038 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=104 len=46) from RADIUS server: EAP-Request-PEAP (25)
Mar 05 18:27:12.615043 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 104)
Mar 05 18:27:12.615176 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=104 len=46) from STA: EAP Response-PEAP (25)
Mar 05 18:27:12.615205 osdx hostapd[598919]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:12.615214 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:13.615305 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Mar 05 18:27:13.615340 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 05 18:27:13.615488 osdx hostapd[598919]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 05 18:27:13.615492 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:13.615496 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:13.615545 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=104 len=4) from RADIUS server: EAP Failure
Mar 05 18:27:13.615568 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 104)
Mar 05 18:27:13.615580 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 05 18:27:13.615584 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar 05 18:27:13.615588 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Mar 05 18:27:13.615593 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Mar 05 18:27:13.615619 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Mar 05 18:27:13.615626 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Mar 05 18:27:13.615638 osdx hostapd[598919]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:13.615683 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:13.615723 osdx hostapd[598919]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 05 18:27:13.615726 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:13.615733 osdx hostapd[598919]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Mar 05 18:27:14.615772 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Mar 05 18:27:14.615804 osdx hostapd[598919]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 05 18:27:14.616044 osdx hostapd[598919]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 05 18:27:14.616048 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:14.616052 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:14.616056 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Mar 05 18:27:14.616112 osdx hostapd[598919]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 05 18:27:14.616115 osdx hostapd[598919]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 05 18:27:14.616118 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Mar 05 18:27:14.616121 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Mar 05 18:27:14.616129 osdx hostapd[598919]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 05 18:27:14.616132 osdx hostapd[598919]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:14.616135 osdx hostapd[598919]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet

Test Unsupported 802.1x Authentication With Successful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19AaMk8wPp3jlSbDlG/3zXvlQzyubdjU/NEn/AIoZQwCG9YztSsHQU8WzmZS+9ML/L0gtIDxQUSmA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.376 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.376/0.376/0.376/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.825 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.825/0.825/0.825/0.000 ms

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB

-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         4
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.243 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.243/0.243/0.243/0.000 ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated

Mar 05 18:27:22.352341 osdx hostapd[599422]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 05 18:27:22.352352 osdx hostapd[599422]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:27:22.352557 osdx hostapd[599422]: connect[radius]: Network is unreachable
Mar 05 18:27:22.352387 osdx hostapd[599422]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 05 18:27:22.352390 osdx hostapd[599422]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 05 18:27:22.376265 osdx hostapd[599422]: Discovery mode enabled on eth2
Mar 05 18:27:22.376353 osdx hostapd[599422]: eth2: interface state UNINITIALIZED->ENABLED
Mar 05 18:27:22.376353 osdx hostapd[599422]: eth2: AP-ENABLED
Mar 05 18:27:27.377082 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Mar 05 18:27:27.377119 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Mar 05 18:27:27.377127 osdx hostapd[599423]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 05 18:27:27.392306 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Mar 05 18:27:27.392342 osdx hostapd[599423]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 05 18:27:27.392347 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 05 18:27:27.392350 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 05 18:27:27.392372 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Mar 05 18:27:27.392381 osdx hostapd[599423]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 05 18:27:27.392411 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 255)
Mar 05 18:27:30.395066 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 255)
Mar 05 18:27:36.400065 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 255)
Mar 05 18:27:48.409066 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Mar 05 18:27:48.409078 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Mar 05 18:27:48.409084 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Mar 05 18:27:48.409115 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Mar 05 18:27:48.410879 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Mar 05 18:27:48.410890 osdx hostapd[599423]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:27:48.410958 osdx hostapd[599423]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:27:48.410993 osdx hostapd[599423]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:27:48.411012 osdx hostapd[599423]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 05 18:27:48.411030 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 76)
Mar 05 18:27:48.411416 osdx hostapd[599423]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 05 18:27:48.411422 osdx hostapd[599423]: eth2: RADIUS Received RADIUS message
Mar 05 18:27:48.411425 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:27:48.411429 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Mar 05 18:27:48.411442 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Mar 05 18:27:48.411455 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 05 18:27:48.411458 osdx hostapd[599423]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 05 18:27:48.411466 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Mar 05 18:27:48.411468 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 459B150ED0D5EDC5

Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback

Description

This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+XHrZ2e69JPkTPvSeN8gdhXMAVb+FBwzphVpVf+kouxwucAHbn/ud7vSRLlR5shR/l/MBlMD/HYg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.698 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.698/0.698/0.698/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?

-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   2
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         4
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1 and expect the command to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed

Mar 05 18:27:57.220919 osdx hostapd[599978]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 05 18:27:57.221161 osdx hostapd[599978]: connect[radius]: Network is unreachable
Mar 05 18:27:57.220930 osdx hostapd[599978]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:27:57.220962 osdx hostapd[599978]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 05 18:27:57.220965 osdx hostapd[599978]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 05 18:27:57.240817 osdx hostapd[599978]: Discovery mode enabled on eth2
Mar 05 18:27:57.240874 osdx hostapd[599978]: eth2: interface state UNINITIALIZED->ENABLED
Mar 05 18:27:57.240874 osdx hostapd[599978]: eth2: AP-ENABLED
Mar 05 18:28:02.241619 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Mar 05 18:28:02.241653 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Mar 05 18:28:02.241661 osdx hostapd[599979]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 05 18:28:02.256883 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Mar 05 18:28:02.256921 osdx hostapd[599979]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 05 18:28:02.256926 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 05 18:28:02.256929 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 05 18:28:02.256954 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 05 18:28:02.256963 osdx hostapd[599979]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 05 18:28:02.256992 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 37)
Mar 05 18:28:05.259692 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 37)
Mar 05 18:28:11.264623 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 37)
Mar 05 18:28:23.273705 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Mar 05 18:28:23.273727 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Mar 05 18:28:23.273738 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Mar 05 18:28:23.273803 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Mar 05 18:28:23.279207 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Mar 05 18:28:23.279234 osdx hostapd[599979]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 05 18:28:23.279407 osdx hostapd[599979]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 05 18:28:23.279471 osdx hostapd[599979]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 05 18:28:23.279510 osdx hostapd[599979]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 05 18:28:23.279560 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 179)
Mar 05 18:28:24.279631 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Mar 05 18:28:24.279712 osdx hostapd[599979]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 05 18:28:24.280068 osdx hostapd[599979]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 05 18:28:24.280079 osdx hostapd[599979]: eth2: RADIUS Received RADIUS message
Mar 05 18:28:24.280091 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 05 18:28:24.280103 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Mar 05 18:28:24.280217 osdx hostapd[599979]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 05 18:28:24.280226 osdx hostapd[599979]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 05 18:28:24.280236 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Mar 05 18:28:24.280245 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Mar 05 18:28:24.280265 osdx hostapd[599979]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 05 18:28:24.280273 osdx hostapd[599979]: eth2: RADIUS Received RADIUS message
Mar 05 18:28:24.280282 osdx hostapd[599979]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
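
The journal tokens checked in the scenarios above can be turned into a per-station audit of MAB fallback. The following is an added example, not part of the OSDx documentation: it parses hostapd lines in the format shown on this page and reports why each fallback was triggered and how it ended. The function names and review wording are assumptions; the sample lines are copied from the output above.

```python
import re

# Lines copied (abridged) from the journal output in the scenarios above.
SAMPLE_JOURNAL = """\
Mar 05 18:27:13.615584 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar 05 18:27:13.615588 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Mar 05 18:27:14.616118 osdx hostapd[598919]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Mar 05 18:27:27.392342 osdx hostapd[599423]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 05 18:27:48.409078 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Mar 05 18:27:48.411455 osdx hostapd[599423]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 05 18:28:23.273727 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Mar 05 18:28:24.280236 osdx hostapd[599979]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
"""

# "<time> <host> hostapd[pid]: <iface>: STA <mac> IEEE 802.1X: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ hostapd\[\d+\]: "
    r"(?P<iface>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.1X: (?P<msg>.*)$"
)

# The two fallback triggers that appear in the page's journal output.
FALLBACK_TRIGGERS = {
    "EAP max retrans reached, triggering MAB fallback immediately": "no-eap-response",
    "802.1X authentication failed, triggering MAB fallback immediately": "eap-failure",
}
MAB_OK = "MAB: station successfully authenticated"
MAB_HELD_RE = re.compile(
    r"MAB: Authentication failed, entering held state \(quiet period (\d+) sec\)"
)
PAE_GROUP_MAC = "01:80:c2:00:00:03"  # 802.1X group address, not a real station


def mab_fallback_events(journal):
    """Return one record per completed MAB fallback, in log order."""
    pending = {}  # (iface, mac) -> reason the fallback was triggered
    events = []
    for line in journal.splitlines():
        m = LINE_RE.match(line)
        if not m or m["mac"] == PAE_GROUP_MAC:
            continue
        key, msg = (m["iface"], m["mac"]), m["msg"]
        if msg in FALLBACK_TRIGGERS:
            pending[key] = FALLBACK_TRIGGERS[msg]
            continue
        held = MAB_HELD_RE.fullmatch(msg)
        if msg == MAB_OK or held:
            events.append({
                "time": m["ts"], "iface": m["iface"], "mac": m["mac"],
                "trigger": pending.pop(key, "unknown"),
                "outcome": "authorized" if msg == MAB_OK else "held",
                "quiet_period": int(held[1]) if held else None,
            })
    return events


def review_queue(events):
    """Pick the events an operator should look at (wording is hypothetical)."""
    flagged = []
    for e in events:
        if e["outcome"] == "authorized":
            # MAB sends the MAC as both User-Name and User-Password (see logs).
            flagged.append((e["mac"], "port opened on MAC address alone"))
        elif e["trigger"] == "eap-failure":
            flagged.append((e["mac"], "802.1X credentials rejected, then MAB rejected"))
    return flagged


if __name__ == "__main__":
    for event in mab_fallback_events(SAMPLE_JOURNAL):
        print(event)
    print(review_queue(mab_fallback_events(SAMPLE_JOURNAL)))
```

To audit a live device, pass it the text produced by the `system journal show | grep "osdx hostapd"` command used in the steps above.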