Reauth Period
This scenario shows how to configure the reauthentication period in a device with 802.1x/MAB authentication.
Test Reauth Period In 802.1X Mode
Description
This scenario shows how to configure the reauthentication period in a device with 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX19g9Zp3HMteAlIe4iQaiYj2Th3gh89nIGcvP/FfmPfofUFef3i3I0MsRKF2H0QipQV9fELGjSrZlA== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.265 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.265/0.265/0.265/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+XfoyPDH8s4biD+0w+VL5lJ6Useb7X0Zs= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticatedShow output
Mar 05 18:32:23.088892 osdx hostapd[607800]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 05 18:32:23.088902 osdx hostapd[607800]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:32:23.089098 osdx hostapd[607800]: connect[radius]: Network is unreachable Mar 05 18:32:23.088938 osdx hostapd[607800]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X, eap_server=0, eap_quiet_period=60, eap_max_retrans=2 Mar 05 18:32:23.088941 osdx hostapd[607800]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 05 18:32:23.104820 osdx hostapd[607800]: Discovery mode enabled on eth2 Mar 05 18:32:23.104804 osdx hostapd[607800]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames Mar 05 18:32:23.104871 osdx hostapd[607800]: eth2: interface state UNINITIALIZED->ENABLED Mar 05 18:32:23.104871 osdx hostapd[607800]: eth2: AP-ENABLED Mar 05 18:32:24.266287 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:26.127661 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 05 18:32:26.127677 osdx hostapd[607801]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 05 18:32:26.140846 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication Mar 05 18:32:26.140870 osdx hostapd[607801]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 05 18:32:26.140883 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Mar 05 18:32:26.140895 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Mar 05 18:32:26.140903 osdx hostapd[607801]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 05 18:32:26.140925 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 70) Mar 05 18:32:26.141218 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=70 len=12) from STA: EAP Response-Identity (1) Mar 05 18:32:26.141228 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing' Mar 05 18:32:26.141248 osdx hostapd[607801]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:32:26.143074 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:26.143109 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:26.143408 osdx hostapd[607801]: eth2: RADIUS Received 80 bytes from RADIUS server Mar 05 18:32:26.143415 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:26.143419 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:26.143450 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=71 len=22) from RADIUS server: EAP-Request-MD5 (4) Mar 05 18:32:26.143457 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 71) Mar 05 18:32:26.143723 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=71 len=6) from STA: EAP Response-unknown (3) Mar 05 18:32:26.143783 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:26.143801 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:26.144000 osdx hostapd[607801]: eth2: RADIUS Received 64 bytes from RADIUS server Mar 05 18:32:26.144005 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:26.144009 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:26.144024 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=72 len=6) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:26.144030 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 72) Mar 05 18:32:26.144327 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=72 len=194) from STA: EAP Response-PEAP (25) Mar 05 18:32:26.144361 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:26.144371 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:26.145313 osdx hostapd[607801]: eth2: RADIUS Received 1068 bytes from RADIUS server Mar 05 18:32:26.145320 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:26.145323 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:26.145345 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=73 len=1004) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:26.145352 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 73) Mar 05 18:32:26.145542 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=73 len=6) from STA: EAP Response-PEAP (25) Mar 05 18:32:26.145583 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:26.145593 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:26.145726 osdx hostapd[607801]: eth2: RADIUS Received 229 bytes from RADIUS server Mar 05 18:32:26.145731 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:26.145735 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:26.145751 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=74 len=171) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:26.145757 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 74) Mar 05 18:32:26.147055 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=74 len=103) from STA: EAP Response-PEAP (25) Mar 05 18:32:26.147100 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:26.147115 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:26.147414 osdx hostapd[607801]: eth2: RADIUS Received 115 bytes from RADIUS server Mar 05 18:32:26.147419 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:26.147423 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:26.147441 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=75 len=57) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:26.147448 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 75) Mar 05 18:32:26.147670 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=75 len=6) from STA: EAP Response-PEAP (25) Mar 05 18:32:26.147705 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:26.147716 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:26.147815 osdx hostapd[607801]: eth2: RADIUS Received 98 bytes from RADIUS server Mar 05 18:32:26.147820 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:26.147825 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:26.147840 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=76 len=40) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:26.147846 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 76) Mar 05 18:32:26.148001 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=76 len=43) from STA: EAP Response-PEAP (25) Mar 05 18:32:26.148035 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:26.148045 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:26.148170 osdx hostapd[607801]: eth2: RADIUS Received 131 bytes from RADIUS server Mar 05 18:32:26.148175 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:26.148179 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:26.148192 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=77 len=73) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:26.148198 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 77) Mar 05 18:32:26.148424 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=77 len=97) from STA: EAP Response-PEAP (25) Mar 05 18:32:26.148454 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:26.148465 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:26.148652 osdx hostapd[607801]: eth2: RADIUS Received 140 bytes from RADIUS server Mar 05 18:32:26.148658 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:26.148661 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:26.148677 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=78 len=82) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:26.148683 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 78) Mar 05 18:32:26.148839 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=78 len=37) from STA: EAP Response-PEAP (25) Mar 05 18:32:26.148900 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:26.148918 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:26.149075 osdx hostapd[607801]: eth2: RADIUS Received 104 bytes from RADIUS server Mar 05 18:32:26.149080 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:26.149084 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:26.149101 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=79 len=46) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:26.149108 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 79) Mar 05 18:32:26.149244 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=79 len=46) from STA: EAP Response-PEAP (25) Mar 05 18:32:26.149279 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:26.149290 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:26.149434 osdx hostapd[607801]: eth2: RADIUS Received 175 bytes from RADIUS server Mar 05 18:32:26.149439 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:26.149442 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:26.149463 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' Mar 05 18:32:26.149467 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=79 len=4) from RADIUS server: EAP Success Mar 05 18:32:26.149486 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 79) Mar 05 18:32:26.149502 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 05 18:32:26.149505 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 8F9FA459A7557570 Mar 05 18:32:26.149509 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Mar 05 18:32:26.608146 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:28.722950 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:30.804379 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:32.877762 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:34.942588 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:37.006822 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:39.096287 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:41.165175 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:43.246423 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:45.315396 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:46.158601 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Mar 05 18:32:46.158610 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Starting re-authentication (port will be unauthorized until authentication succeeds) Mar 05 18:32:46.158614 osdx hostapd[607801]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 05 18:32:46.158647 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 19) Mar 05 18:32:46.158982 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=19 len=12) from STA: EAP Response-Identity (1) Mar 05 18:32:46.158992 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing' Mar 05 18:32:46.159054 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:46.159084 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:46.159307 osdx hostapd[607801]: eth2: RADIUS Received 80 bytes from RADIUS server Mar 05 18:32:46.159312 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:46.159315 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:46.159338 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=20 len=22) from RADIUS server: EAP-Request-MD5 (4) Mar 05 18:32:46.159344 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 20) Mar 05 18:32:46.159546 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=20 len=6) from STA: EAP Response-unknown (3) Mar 05 18:32:46.159583 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:46.159595 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:46.159769 osdx hostapd[607801]: eth2: RADIUS Received 64 bytes from RADIUS server Mar 05 18:32:46.159774 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:46.159777 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:46.159792 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=21 len=6) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:46.159797 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 21) Mar 05 18:32:46.160075 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=21 len=194) from STA: EAP Response-PEAP (25) Mar 05 18:32:46.160118 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:46.160134 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:46.161109 osdx hostapd[607801]: eth2: RADIUS Received 1068 bytes from RADIUS server Mar 05 18:32:46.161114 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:46.161117 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:46.161138 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=22 len=1004) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:46.161143 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 22) Mar 05 18:32:46.161314 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=22 len=6) from STA: EAP Response-PEAP (25) Mar 05 18:32:46.161368 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:46.161384 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:46.161501 osdx hostapd[607801]: eth2: RADIUS Received 229 bytes from RADIUS server Mar 05 18:32:46.161506 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:46.161509 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:46.161525 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=23 len=171) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:46.161530 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 23) Mar 05 18:32:46.162501 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=23 len=103) from STA: EAP Response-PEAP (25) Mar 05 18:32:46.162543 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:46.162558 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:46.162839 osdx hostapd[607801]: eth2: RADIUS Received 115 bytes from RADIUS server Mar 05 18:32:46.162845 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:46.162849 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:46.162869 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=24 len=57) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:46.162876 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 24) Mar 05 18:32:46.163072 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=24 len=6) from STA: EAP Response-PEAP (25) Mar 05 18:32:46.163112 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:46.163124 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:46.163252 osdx hostapd[607801]: eth2: RADIUS Received 98 bytes from RADIUS server Mar 05 18:32:46.163257 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:46.163260 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:46.163275 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=25 len=40) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:46.163281 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 25) Mar 05 18:32:46.163443 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=25 len=43) from STA: EAP Response-PEAP (25) Mar 05 18:32:46.163494 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:46.163508 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:46.163632 osdx hostapd[607801]: eth2: RADIUS Received 131 bytes from RADIUS server Mar 05 18:32:46.163637 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:46.163641 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:46.163656 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=26 len=73) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:46.163661 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 26) Mar 05 18:32:46.163933 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=26 len=97) from STA: EAP Response-PEAP (25) Mar 05 18:32:46.163971 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:46.163981 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:46.164156 osdx hostapd[607801]: eth2: RADIUS Received 140 bytes from RADIUS server Mar 05 18:32:46.164161 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:46.164164 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:46.164178 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=27 len=82) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:46.164183 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 27) Mar 05 18:32:46.164323 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=27 len=37) from STA: EAP Response-PEAP (25) Mar 05 18:32:46.164366 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:46.164378 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:46.164505 osdx hostapd[607801]: eth2: RADIUS Received 104 bytes from RADIUS server Mar 05 18:32:46.164510 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:46.164513 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:46.164525 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=28 len=46) from RADIUS server: EAP-Request-PEAP (25) Mar 05 18:32:46.164530 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 28) Mar 05 18:32:46.164684 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=28 len=46) from STA: EAP Response-PEAP (25) Mar 05 18:32:46.164718 osdx hostapd[607801]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:46.164729 osdx hostapd[607801]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:46.164912 osdx hostapd[607801]: eth2: RADIUS Received 175 bytes from RADIUS server Mar 05 18:32:46.164918 osdx hostapd[607801]: eth2: RADIUS Received RADIUS message Mar 05 18:32:46.164921 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:46.164940 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' Mar 05 18:32:46.164945 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=28 len=4) from RADIUS server: EAP Success Mar 05 18:32:46.164960 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 28) Mar 05 18:32:46.164968 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 05 18:32:46.164971 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 8F9FA459A7557570 Mar 05 18:32:46.164974 osdx hostapd[607801]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Reauth Period In MAB Mode
Description
This scenario shows how to configure the reauthentication period in a device with MAB authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode only-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/b/jnBPVhvGRo6N4jU9FVzHzWwotizPW5f9DUIkARhDGnWNFzhaKdcVIlTlmsNwNnfR/dRdHdbXg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.297 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.297/0.297/0.297/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticatedShow output
Mar 05 18:32:54.123603 osdx hostapd[608389]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 05 18:32:54.123614 osdx hostapd[608389]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:32:54.123795 osdx hostapd[608389]: connect[radius]: Network is unreachable Mar 05 18:32:54.123643 osdx hostapd[608389]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-only, eap_server=0, eap_quiet_period=60, eap_max_retrans=5 Mar 05 18:32:54.123646 osdx hostapd[608389]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 05 18:32:54.147557 osdx hostapd[608389]: Discovery mode enabled on eth2 Mar 05 18:32:54.147615 osdx hostapd[608389]: eth2: interface state UNINITIALIZED->ENABLED Mar 05 18:32:54.147615 osdx hostapd[608389]: eth2: AP-ENABLED Mar 05 18:32:57.232992 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:32:59.149365 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Mar 05 18:32:59.149404 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 05 18:32:59.149413 osdx hostapd[608390]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 05 18:32:59.163555 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-only mode: Starting MAB authentication Mar 05 18:32:59.163578 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 05 18:32:59.163594 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 05 18:32:59.165269 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 05 18:32:59.165283 osdx hostapd[608390]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:32:59.165357 osdx hostapd[608390]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:32:59.165391 osdx hostapd[608390]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:32:59.165650 osdx hostapd[608390]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:32:59.165655 osdx hostapd[608390]: eth2: RADIUS Received RADIUS message Mar 05 18:32:59.165659 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:32:59.165663 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 05 18:32:59.165674 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 05 18:32:59.165687 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 05 18:32:59.165691 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Mar 05 18:32:59.165694 osdx hostapd[608390]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 05 18:32:59.165707 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 05 18:32:59.165710 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session D25215F02DFE39DC
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Mar 05 18:33:01.686147 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:04.870811 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:08.035962 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:11.249451 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:14.402328 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:17.571468 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:19.181328 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Mar 05 18:33:19.181344 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 05 18:33:19.181389 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 05 18:33:19.181415 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 05 18:33:19.181434 osdx hostapd[608390]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:33:19.181469 osdx hostapd[608390]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:33:19.181771 osdx hostapd[608390]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:33:19.181777 osdx hostapd[608390]: eth2: RADIUS Received RADIUS message Mar 05 18:33:19.181782 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:33:19.181785 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 05 18:33:19.181807 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 05 18:33:19.181810 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Mar 05 18:33:19.181813 osdx hostapd[608390]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 05 18:33:19.181816 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 05 18:33:19.181819 osdx hostapd[608390]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session D25215F02DFE39DC
Test Reauth Period In MAB-Fallback Mode
Description
This scenario shows how to configure the reauthentication period in a device with 802.1x/MAB authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode 802.1x-MAB set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/MyMPb8N/82L8jpYmIRyFzj8de5pGv/hKe3rlT7JnSOPWiL1urtloCxb0fNSt+eunL1M0f6Ct6TQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.540 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.540/0.540/0.540/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticatedShow output
Mar 05 18:33:27.582247 osdx hostapd[608963]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 05 18:33:27.582263 osdx hostapd[608963]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:33:27.582531 osdx hostapd[608963]: connect[radius]: Network is unreachable Mar 05 18:33:27.582308 osdx hostapd[608963]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 05 18:33:27.582313 osdx hostapd[608963]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 05 18:33:27.602106 osdx hostapd[608963]: Discovery mode enabled on eth2 Mar 05 18:33:27.602110 osdx hostapd[608963]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames Mar 05 18:33:27.602226 osdx hostapd[608963]: eth2: interface state UNINITIALIZED->ENABLED Mar 05 18:33:27.602226 osdx hostapd[608963]: eth2: AP-ENABLED Mar 05 18:33:30.685918 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:32.603917 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Mar 05 18:33:32.603950 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 05 18:33:32.603958 osdx hostapd[608964]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 05 18:33:32.622125 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication Mar 05 18:33:32.622161 osdx hostapd[608964]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 05 18:33:32.622166 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response Mar 05 18:33:32.622169 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Mar 05 18:33:32.622182 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Mar 05 18:33:32.622192 osdx hostapd[608964]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 05 18:33:32.622224 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 124) Mar 05 18:33:34.882024 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:35.624946 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 124) Mar 05 18:33:39.101044 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:41.629934 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 124) Mar 05 18:33:43.283793 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:47.492007 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:51.684050 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:53.640921 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication Mar 05 18:33:53.640931 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately Mar 05 18:33:53.640935 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 05 18:33:53.640966 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 05 18:33:53.643014 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 05 18:33:53.643028 osdx hostapd[608964]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:33:53.643112 osdx hostapd[608964]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:33:53.643148 osdx hostapd[608964]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:33:53.643171 osdx hostapd[608964]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 05 18:33:53.643192 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 104) Mar 05 18:33:53.643443 osdx hostapd[608964]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:33:53.643450 osdx hostapd[608964]: eth2: RADIUS Received RADIUS message Mar 05 18:33:53.643455 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:33:53.643460 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 05 18:33:53.643474 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 05 18:33:53.643488 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 05 18:33:53.643491 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Mar 05 18:33:53.643494 osdx hostapd[608964]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 05 18:33:53.643505 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 05 18:33:53.643508 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 390ED15DF0887FC8
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Mar 05 18:33:56.164685 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:33:59.323839 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:02.505797 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:05.684883 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:08.871022 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:12.058302 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:13.660883 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Mar 05 18:34:13.660898 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback: Scheduling MAB trigger in 30 seconds if no 802.1X response Mar 05 18:34:13.660902 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Mar 05 18:34:13.660928 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Mar 05 18:34:13.660933 osdx hostapd[608964]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 05 18:34:13.660948 osdx hostapd[608964]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 0)
Test Reauth Period In MAB-First Mode
Description
This scenario shows how to configure the reauthentication period in a device with MAB/802.1X authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 20 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/OD/yohBH96ZQkG7ELhldgxiofNzmUr3ge4QVV/ZaHl9a2CJ/hCjVxDVSSnlzzJGOLo7EAEBAI0A== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.335 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.335/0.335/0.335/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticatedShow output
Mar 05 18:34:23.564881 osdx hostapd[609561]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 05 18:34:23.564897 osdx hostapd[609561]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:34:23.565108 osdx hostapd[609561]: connect[radius]: Network is unreachable Mar 05 18:34:23.564955 osdx hostapd[609561]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 05 18:34:23.564959 osdx hostapd[609561]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 05 18:34:23.584773 osdx hostapd[609561]: Discovery mode enabled on eth2 Mar 05 18:34:23.584767 osdx hostapd[609561]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames Mar 05 18:34:23.584876 osdx hostapd[609561]: eth2: interface state UNINITIALIZED->ENABLED Mar 05 18:34:23.584876 osdx hostapd[609561]: eth2: AP-ENABLED Mar 05 18:34:26.774342 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:28.587603 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Mar 05 18:34:28.587641 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 05 18:34:28.587650 osdx hostapd[609562]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 05 18:34:28.600858 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 05 18:34:28.600894 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 05 18:34:28.600912 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 05 18:34:28.603254 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 05 18:34:28.603269 osdx hostapd[609562]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 05 18:34:28.603364 osdx hostapd[609562]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:34:28.603403 osdx hostapd[609562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:34:28.603462 osdx hostapd[609562]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame Mar 05 18:34:28.603479 osdx hostapd[609562]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds Mar 05 18:34:28.603748 osdx hostapd[609562]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:34:28.603757 osdx hostapd[609562]: eth2: RADIUS Received RADIUS message Mar 05 18:34:28.603762 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:34:28.603766 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 05 18:34:28.603779 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 05 18:34:28.603794 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 05 18:34:28.603798 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Mar 05 18:34:28.603801 osdx hostapd[609562]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 05 18:34:28.603816 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 05 18:34:28.603819 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session CD0FC229EF19DCCE
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expiredShow output
Mar 05 18:34:31.227037 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:34.392702 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:37.542606 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:40.709753 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:43.907658 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:47.095345 osdx OSDxCLI[559085]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 05 18:34:48.603617 osdx hostapd[609562]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame Mar 05 18:34:48.603642 osdx hostapd[609562]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds Mar 05 18:34:48.617640 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication Mar 05 18:34:48.617654 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 05 18:34:48.617690 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 05 18:34:48.617721 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 05 18:34:48.617746 osdx hostapd[609562]: eth2: RADIUS Sending RADIUS message to authentication server Mar 05 18:34:48.617792 osdx hostapd[609562]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 05 18:34:48.618044 osdx hostapd[609562]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 05 18:34:48.618050 osdx hostapd[609562]: eth2: RADIUS Received RADIUS message Mar 05 18:34:48.618054 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 05 18:34:48.618058 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 05 18:34:48.618077 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 05 18:34:48.618080 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds) Mar 05 18:34:48.618083 osdx hostapd[609562]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 05 18:34:48.618087 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 05 18:34:48.618091 osdx hostapd[609562]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session CD0FC229EF19DCCE