Mab First
This scenario shows how to configure the MAB-first
authentication mode.
Test Successful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+jPeRWQZqU/N+ItXjE4HufNjOYikBN3b3TZoTeeKPmqUdIiDII5UkphTdj8mH9/Twr5q2SyB10wQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.591 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.591/0.591/0.591/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1994vjSYgcGBAdV3Mm151LCdK8OFnITybQ= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 1 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.261 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.261/0.261/0.261/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Mar 05 18:29:35.250467 osdx hostapd[602088]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 05 18:29:35.250481 osdx hostapd[602088]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:29:35.250720 osdx hostapd[602088]: connect[radius]: Network is unreachable Mar 05 18:29:35.250525 osdx hostapd[602088]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 05 18:29:35.250529 osdx hostapd[602088]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 05 18:29:35.278308 osdx hostapd[602088]: Discovery mode enabled on eth2 Mar 05 18:29:35.278389 osdx hostapd[602088]: eth2: interface state UNINITIALIZED->ENABLED Mar 05 18:29:35.278389 osdx hostapd[602088]: eth2: AP-ENABLED Mar 05 18:29:38.371176 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 05 18:29:38.371192 osdx hostapd[602089]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 05 18:29:38.386359 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 05 18:29:38.386394 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 05 18:29:38.386409 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 05 18:29:38.388711 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 05 18:29:38.388726 osdx hostapd[602089]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:29:38.388820 osdx hostapd[602089]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:29:38.388856 osdx hostapd[602089]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:29:38.388887 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Mar 05 18:29:38.389187 osdx hostapd[602089]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:29:38.389195 osdx hostapd[602089]: eth2: RADIUS Received RADIUS message Mar 05 18:29:38.389199 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:29:38.389203 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 05 18:29:38.389226 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 05 18:29:38.389248 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 05 18:29:38.389251 osdx hostapd[602089]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 05 18:29:38.389261 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 05 18:29:38.389265 osdx hostapd[602089]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 0828282D414CBF69
Test Successful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/fhV46JKrbK07g3HgeaU4cOtnZR1jwkWrkgfIG43YM3t3DMDtdLcPrOCovh/snxxxUScBFYjSu+Q== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.501 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.501/0.501/0.501/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+AyHeEAQPelc65EXx/BVspA8xAU7LdFtI= set interfaces ethernet eth2 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 1 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.533 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.533/0.533/0.533/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Mar 05 18:29:47.254965 osdx hostapd[602605]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 05 18:29:47.254976 osdx hostapd[602605]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:29:47.255285 osdx hostapd[602605]: connect[radius]: Network is unreachable Mar 05 18:29:47.255013 osdx hostapd[602605]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 05 18:29:47.255016 osdx hostapd[602605]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 05 18:29:47.286883 osdx hostapd[602605]: Discovery mode enabled on eth2 Mar 05 18:29:47.286986 osdx hostapd[602605]: eth2: interface state UNINITIALIZED->ENABLED Mar 05 18:29:47.286986 osdx hostapd[602605]: eth2: AP-ENABLED Mar 05 18:29:50.414696 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 05 18:29:50.414709 osdx hostapd[602606]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 05 18:29:50.426885 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 05 18:29:50.426909 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 05 18:29:50.426926 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 05 18:29:50.428638 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 05 18:29:50.428648 osdx hostapd[602606]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:29:50.428715 osdx hostapd[602606]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:29:50.428741 osdx hostapd[602606]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:29:50.428765 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Mar 05 18:29:50.428990 osdx hostapd[602606]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:29:50.428996 osdx hostapd[602606]: eth2: RADIUS Received RADIUS message Mar 05 18:29:50.428999 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:29:50.429004 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 05 18:29:50.429017 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 05 18:29:50.429030 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 05 18:29:50.429032 osdx hostapd[602606]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 05 18:29:50.429040 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 05 18:29:50.429043 osdx hostapd[602606]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 7122E6B2A3EBC222
Test Successful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+QlHA3dxQE2NJxa9DkbqGC86zpEYJU9r0+87u5B8iWQdkXFlpkOR1EE/OP5ouLo5QC0FtYjAYvlQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.175 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.175/0.175/0.175/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.367 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.367/0.367/0.367/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.515 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.515/0.515/0.515/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Mar 05 18:29:58.138713 osdx hostapd[603117]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 05 18:29:58.138724 osdx hostapd[603117]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:29:58.138939 osdx hostapd[603117]: connect[radius]: Network is unreachable Mar 05 18:29:58.138758 osdx hostapd[603117]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 05 18:29:58.138761 osdx hostapd[603117]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 05 18:29:58.170554 osdx hostapd[603117]: Discovery mode enabled on eth2 Mar 05 18:29:58.170621 osdx hostapd[603117]: eth2: interface state UNINITIALIZED->ENABLED Mar 05 18:29:58.170621 osdx hostapd[603117]: eth2: AP-ENABLED Mar 05 18:30:03.171377 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Mar 05 18:30:03.171416 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 05 18:30:03.171424 osdx hostapd[603118]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 05 18:30:03.186570 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 05 18:30:03.186598 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 05 18:30:03.186612 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 05 18:30:03.188941 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 05 18:30:03.188953 osdx hostapd[603118]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:30:03.189045 osdx hostapd[603118]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:03.189080 osdx hostapd[603118]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:03.189332 osdx hostapd[603118]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:30:03.189337 osdx hostapd[603118]: eth2: RADIUS Received RADIUS message Mar 05 18:30:03.189342 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:03.189347 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 05 18:30:03.189357 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 05 18:30:03.189370 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 05 18:30:03.189374 osdx hostapd[603118]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 05 18:30:03.189387 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 05 18:30:03.189391 osdx hostapd[603118]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 5DF078CEAB766EF6
Test Unsuccessful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18DDW2gnG0Y5/EY0u0tbTrZpraq9DEn9ttDkXp9TPJ3A7R42fLDp4M8+DALVqOiy/SjbL0YyxHu8Q== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.365 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.365/0.365/0.365/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX185zvGYlaEGmxIUauelCrjeHtsFMqARmys= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.322 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.322/0.322/0.322/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: authenticated - EAP type: 25 (PEAP)Show output
Mar 05 18:30:12.167905 osdx hostapd[603641]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 05 18:30:12.167917 osdx hostapd[603641]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:30:12.168165 osdx hostapd[603641]: connect[radius]: Network is unreachable Mar 05 18:30:12.167956 osdx hostapd[603641]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 05 18:30:12.167959 osdx hostapd[603641]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 05 18:30:12.183811 osdx hostapd[603641]: Discovery mode enabled on eth2 Mar 05 18:30:12.183912 osdx hostapd[603641]: eth2: interface state UNINITIALIZED->ENABLED Mar 05 18:30:12.183912 osdx hostapd[603641]: eth2: AP-ENABLED Mar 05 18:30:15.359586 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Mar 05 18:30:15.359600 osdx hostapd[603642]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 05 18:30:15.371803 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 05 18:30:15.371836 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Mar 05 18:30:15.371852 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Mar 05 18:30:15.373543 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Mar 05 18:30:15.373555 osdx hostapd[603642]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:30:15.373641 osdx hostapd[603642]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:15.373673 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:15.373699 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Mar 05 18:30:16.373793 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Mar 05 18:30:16.373858 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Mar 05 18:30:16.374228 osdx hostapd[603642]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:30:16.374236 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.374247 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:16.374255 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Mar 05 18:30:16.374400 osdx hostapd[603642]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 05 18:30:16.374406 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Mar 05 18:30:16.374414 osdx hostapd[603642]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 05 18:30:16.374421 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Mar 05 18:30:16.374437 osdx hostapd[603642]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 05 18:30:16.374476 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 67) Mar 05 18:30:16.374528 osdx hostapd[603642]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:30:16.374551 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.374560 osdx hostapd[603642]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet Mar 05 18:30:16.375338 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=67 len=12) from STA: EAP Response-Identity (1) Mar 05 18:30:16.375375 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing' Mar 05 18:30:16.375560 osdx hostapd[603642]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:16.375599 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:16.376124 osdx hostapd[603642]: eth2: RADIUS Received 80 bytes from RADIUS server Mar 05 18:30:16.376141 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.376152 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:16.376230 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=68 len=22) from RADIUS server: EAP-Request-MD5 (4) Mar 05 18:30:16.376249 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 68) Mar 05 18:30:16.376915 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=68 len=6) from STA: EAP Response-unknown (3) Mar 05 18:30:16.377065 osdx hostapd[603642]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:16.377107 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:16.377625 osdx hostapd[603642]: eth2: RADIUS Received 64 bytes from RADIUS server Mar 05 18:30:16.377641 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.377650 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:16.377700 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=69 len=6) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:16.377717 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 69) Mar 05 18:30:16.378764 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=69 len=194) from STA: EAP Response-PEAP (25) Mar 05 18:30:16.378930 osdx hostapd[603642]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:16.378971 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:16.381818 osdx hostapd[603642]: eth2: RADIUS Received 1068 bytes from RADIUS server Mar 05 18:30:16.381838 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.381846 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:16.381929 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=70 len=1004) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:16.381948 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 70) Mar 05 18:30:16.382513 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=70 len=6) from STA: EAP Response-PEAP (25) Mar 05 18:30:16.382673 osdx hostapd[603642]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:16.382717 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:16.383177 osdx hostapd[603642]: eth2: RADIUS Received 229 bytes from RADIUS server Mar 05 18:30:16.383191 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.383205 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:16.383258 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=71 len=171) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:16.383276 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 71) Mar 05 18:30:16.388631 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=71 len=103) from STA: EAP Response-PEAP (25) Mar 05 18:30:16.388752 osdx hostapd[603642]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:16.388795 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:16.389758 osdx hostapd[603642]: eth2: RADIUS Received 115 bytes from RADIUS server Mar 05 18:30:16.389789 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.389799 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:16.389856 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=72 len=57) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:16.389873 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 72) Mar 05 18:30:16.390672 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=72 len=6) from STA: EAP Response-PEAP (25) Mar 05 18:30:16.390780 osdx hostapd[603642]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:16.390818 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:16.391257 osdx hostapd[603642]: eth2: RADIUS Received 98 bytes from RADIUS server Mar 05 18:30:16.391272 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.391281 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:16.391347 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=73 len=40) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:16.391364 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 73) Mar 05 18:30:16.391862 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=73 len=43) from STA: EAP Response-PEAP (25) Mar 05 18:30:16.391956 osdx hostapd[603642]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:16.391982 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:16.392485 osdx hostapd[603642]: eth2: RADIUS Received 131 bytes from RADIUS server Mar 05 18:30:16.392501 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.392511 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:16.392569 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=74 len=73) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:16.392582 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 74) Mar 05 18:30:16.393354 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=74 len=97) from STA: EAP Response-PEAP (25) Mar 05 18:30:16.393433 osdx hostapd[603642]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:16.393462 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:16.393973 osdx hostapd[603642]: eth2: RADIUS Received 140 bytes from RADIUS server Mar 05 18:30:16.393987 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.393995 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:16.394034 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=75 len=82) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:16.394049 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 75) Mar 05 18:30:16.394663 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=75 len=37) from STA: EAP Response-PEAP (25) Mar 05 18:30:16.394767 osdx hostapd[603642]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:16.394811 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:16.395274 osdx hostapd[603642]: eth2: RADIUS Received 104 bytes from RADIUS server Mar 05 18:30:16.395304 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.395315 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:16.395360 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=76 len=46) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:16.395376 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 76) Mar 05 18:30:16.396027 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=76 len=46) from STA: EAP Response-PEAP (25) Mar 05 18:30:16.396139 osdx hostapd[603642]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:16.396173 osdx hostapd[603642]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:16.396699 osdx hostapd[603642]: eth2: RADIUS Received 175 bytes from RADIUS server Mar 05 18:30:16.396712 osdx hostapd[603642]: eth2: RADIUS Received RADIUS message Mar 05 18:30:16.396719 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:16.396777 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' Mar 05 18:30:16.396789 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=76 len=4) from RADIUS server: EAP Success Mar 05 18:30:16.396826 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 76) Mar 05 18:30:16.396876 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port Mar 05 18:30:16.396885 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session 72E7D04584F1A769 Mar 05 18:30:16.396928 osdx hostapd[603642]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/VWu+hGkKPV1/Xsdnx+XrbLZeajdkNpFtVPd5VMXs7W9wMFo7HPh4hQk4VB3xjKUZoo6FD19UFPw== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.250 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.250/0.250/0.250/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18scZhy7hR7fixE/6fqttbfHcOWc/La9jE= set interfaces ethernet eth2 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 9 EAPoL Frames (Tx) 10 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 8 Req ID Frames (Rx) 1 Resp Frames (Tx) 9 Start Frames (Tx) 1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 8 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 10 EAPoL frames (Tx) 9 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)Show output
Mar 05 18:30:24.279049 osdx hostapd[604158]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 05 18:30:24.279063 osdx hostapd[604158]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:30:24.279308 osdx hostapd[604158]: connect[radius]: Network is unreachable Mar 05 18:30:24.279103 osdx hostapd[604158]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 05 18:30:24.279106 osdx hostapd[604158]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 05 18:30:24.302976 osdx hostapd[604158]: Discovery mode enabled on eth2 Mar 05 18:30:24.303031 osdx hostapd[604158]: eth2: interface state UNINITIALIZED->ENABLED Mar 05 18:30:24.303031 osdx hostapd[604158]: eth2: AP-ENABLED Mar 05 18:30:27.456765 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Mar 05 18:30:27.456778 osdx hostapd[604159]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 05 18:30:27.471033 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 05 18:30:27.471066 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Mar 05 18:30:27.471080 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Mar 05 18:30:27.472806 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Mar 05 18:30:27.472818 osdx hostapd[604159]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:30:27.472890 osdx hostapd[604159]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:27.472916 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:27.472942 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Mar 05 18:30:28.472992 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Mar 05 18:30:28.473022 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Mar 05 18:30:28.473167 osdx hostapd[604159]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:30:28.473170 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:28.473173 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:28.473177 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Mar 05 18:30:28.473221 osdx hostapd[604159]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 05 18:30:28.473224 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Mar 05 18:30:28.473227 osdx hostapd[604159]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 05 18:30:28.473230 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Mar 05 18:30:28.473236 osdx hostapd[604159]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 05 18:30:28.473249 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 138) Mar 05 18:30:28.473261 osdx hostapd[604159]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:30:28.473263 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:28.473266 osdx hostapd[604159]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet Mar 05 18:30:28.473573 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=138 len=10) from STA: EAP Response-Identity (1) Mar 05 18:30:28.473584 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' Mar 05 18:30:28.473630 osdx hostapd[604159]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:28.473642 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:28.473873 osdx hostapd[604159]: eth2: RADIUS Received 80 bytes from RADIUS server Mar 05 18:30:28.473878 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:28.473882 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:28.473905 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=139 len=22) from RADIUS server: EAP-Request-MD5 (4) Mar 05 18:30:28.473911 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 139) Mar 05 18:30:28.474077 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=139 len=6) from STA: EAP Response-unknown (3) Mar 05 18:30:28.474115 osdx hostapd[604159]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:28.474128 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:28.474313 osdx hostapd[604159]: eth2: RADIUS Received 64 bytes from RADIUS server Mar 05 18:30:28.474319 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:28.474322 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:28.474347 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=140 len=6) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:28.474359 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 140) Mar 05 18:30:28.474666 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=140 len=194) from STA: EAP Response-PEAP (25) Mar 05 18:30:28.474717 osdx hostapd[604159]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:28.474731 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:28.475913 osdx hostapd[604159]: eth2: RADIUS Received 1068 bytes from RADIUS server Mar 05 18:30:28.475919 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:28.475922 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:28.475945 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=141 len=1004) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:28.475951 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 141) Mar 05 18:30:28.476161 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=141 len=6) from STA: EAP Response-PEAP (25) Mar 05 18:30:28.476205 osdx hostapd[604159]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:28.476217 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:28.476379 osdx hostapd[604159]: eth2: RADIUS Received 229 bytes from RADIUS server Mar 05 18:30:28.476387 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:28.476393 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:28.476419 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=142 len=171) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:28.476427 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 142) Mar 05 18:30:28.478001 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=142 len=103) from STA: EAP Response-PEAP (25) Mar 05 18:30:28.478046 osdx hostapd[604159]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:28.478061 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:28.478415 osdx hostapd[604159]: eth2: RADIUS Received 115 bytes from RADIUS server Mar 05 18:30:28.478423 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:28.478426 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:28.478448 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=143 len=57) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:28.478455 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 143) Mar 05 18:30:28.478754 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=143 len=6) from STA: EAP Response-PEAP (25) Mar 05 18:30:28.478797 osdx hostapd[604159]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:28.478814 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:28.478980 osdx hostapd[604159]: eth2: RADIUS Received 98 bytes from RADIUS server Mar 05 18:30:28.478986 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:28.478989 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:28.479003 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=144 len=40) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:28.479008 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 144) Mar 05 18:30:28.479187 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=144 len=41) from STA: EAP Response-PEAP (25) Mar 05 18:30:28.479218 osdx hostapd[604159]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:28.479227 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:28.479368 osdx hostapd[604159]: eth2: RADIUS Received 131 bytes from RADIUS server Mar 05 18:30:28.479373 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:28.479376 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:28.479388 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=145 len=73) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:28.479393 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 145) Mar 05 18:30:28.479637 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=145 len=95) from STA: EAP Response-PEAP (25) Mar 05 18:30:28.479670 osdx hostapd[604159]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:28.479678 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:28.479890 osdx hostapd[604159]: eth2: RADIUS Received 104 bytes from RADIUS server Mar 05 18:30:28.479895 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:28.479898 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:28.479910 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=146 len=46) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:30:28.479915 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 146) Mar 05 18:30:28.480080 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=146 len=46) from STA: EAP Response-PEAP (25) Mar 05 18:30:28.480109 osdx hostapd[604159]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:28.480122 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:29.480216 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8) Mar 05 18:30:29.480255 osdx hostapd[604159]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Mar 05 18:30:29.480387 osdx hostapd[604159]: eth2: RADIUS Received 44 bytes from RADIUS server Mar 05 18:30:29.480391 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:29.480396 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:29.480448 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=146 len=4) from RADIUS server: EAP Failure Mar 05 18:30:29.480475 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 146) Mar 05 18:30:29.480489 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port Mar 05 18:30:29.480493 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) Mar 05 18:30:29.480497 osdx hostapd[604159]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds) Mar 05 18:30:29.480502 osdx hostapd[604159]: eth2: RADIUS Received 44 bytes from RADIUS server Mar 05 18:30:29.480535 osdx hostapd[604159]: eth2: RADIUS Received RADIUS message Mar 05 18:30:29.480538 osdx hostapd[604159]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/l+/4N1oXfGfpZn6/4s5be3EIz/nMpV9wExqWjih1vCFEhac1MhFlktibFd42cuktPKeAcC3NM4g== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.653 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.653/0.653/0.653/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 0 EAPoL frames (Tx) 2 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: EAP authentication timeoutShow output
Mar 05 18:30:36.250933 osdx hostapd[604664]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 05 18:30:36.250947 osdx hostapd[604664]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:30:36.251220 osdx hostapd[604664]: connect[radius]: Network is unreachable Mar 05 18:30:36.250985 osdx hostapd[604664]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 05 18:30:36.250988 osdx hostapd[604664]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 05 18:30:36.270823 osdx hostapd[604664]: Discovery mode enabled on eth2 Mar 05 18:30:36.270929 osdx hostapd[604664]: eth2: interface state UNINITIALIZED->ENABLED Mar 05 18:30:36.270929 osdx hostapd[604664]: eth2: AP-ENABLED Mar 05 18:30:41.271630 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication Mar 05 18:30:41.271667 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Mar 05 18:30:41.271675 osdx hostapd[604665]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 05 18:30:41.290846 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 05 18:30:41.290870 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Mar 05 18:30:41.290885 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Mar 05 18:30:41.292615 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Mar 05 18:30:41.292626 osdx hostapd[604665]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:30:41.292693 osdx hostapd[604665]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:30:41.292721 osdx hostapd[604665]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:30:42.292832 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Mar 05 18:30:42.292873 osdx hostapd[604665]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Mar 05 18:30:42.293183 osdx hostapd[604665]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:30:42.293192 osdx hostapd[604665]: eth2: RADIUS Received RADIUS message Mar 05 18:30:42.293196 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:30:42.293200 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Mar 05 18:30:42.293242 osdx hostapd[604665]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 05 18:30:42.293244 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Mar 05 18:30:42.293247 osdx hostapd[604665]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 05 18:30:42.293254 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Mar 05 18:30:42.293261 osdx hostapd[604665]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 05 18:30:42.293273 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 214) Mar 05 18:30:42.293296 osdx hostapd[604665]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:30:42.293298 osdx hostapd[604665]: eth2: RADIUS Received RADIUS message Mar 05 18:30:42.293301 osdx hostapd[604665]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet Mar 05 18:30:45.294623 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 214) Mar 05 18:30:49.965529 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:30:51.299626 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 214) Mar 05 18:30:58.195056 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:31:03.310622 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication Mar 05 18:31:03.310633 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying Mar 05 18:31:03.310644 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2) Mar 05 18:31:03.310647 osdx hostapd[604665]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)