DHCP
This scenario shows how to configure a device to perform 802.1X/MAB authentication. The supplicant uses DHCP and no additional traffic is sent to launch the authentication process.
Test Denied Authentication With DHCP Client
Description
This scenario shows how to configure 802.1X/MAB authentication in a device with a DHCP-Server. A DHCP-Client is connected, but authentication fails. This test case ensures that no DHCP lease is granted.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces ethernet eth2 address dhcp
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/WwYtlxHLG5XKFsw865wJ846M4tAd2AX+V+xpRFTusq5B+mnA70SgHFhBYN8qjPQ0Vsq3QeNVcaw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.643 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.643/0.643/0.643/0.000 ms
Step 4: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: Unauthorized
Current status: Unauthorized
Step 5: Run command interfaces ethernet show at DUT1 and check if output does not contain the following tokens:
192.168.100
-----------------------------------------------------------------
Name  IP Address                    Admin  Oper  Vrf  Description
-----------------------------------------------------------------
eth0                                down   down
eth1                                down   down
eth2  fe80::dcad:beff:feef:6c12/64  up     up
eth3                                down   down
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
ping: connect: Network is unreachable
Test 802.1X Authentication With DHCP Client
Description
This scenario shows how to configure 802.1X authentication in a device with a DHCP-Server. A DHCP-Client is connected and successfully authenticated using 802.1X.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces ethernet eth2 address dhcp
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/zLfYkexJfjj5iaqZQmyTYZLZ26hg7VjE=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19KpRWKxo4Ul0QKV1gdnRq1YKgtqAIbKvfdV91M3hE1wAIsinkSz3E2dHm+FOLUGGqhTa6G3TPH0A==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.171 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.171/0.171/0.171/0.000 ms
Step 4: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: Authorized
Current status: Authorized (802.1X)
Step 5: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100
-----------------------------------------------------------------
Name  IP Address                    Admin  Oper  Vrf  Description
-----------------------------------------------------------------
eth0                                down   down
eth1                                down   down
eth2  192.168.100.2/24              up     up
      fe80::dcad:beff:feef:6c12/64
eth3                                down   down
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.698 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.698/0.698/0.698/0.000 ms
Test MAB Authentication With DHCP Client
Description
This scenario shows how to configure MAB authentication in a device with a DHCP-Server. A DHCP-Client is connected and successfully authenticated using MAB.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces ethernet eth2 address dhcp
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+yv5YiUH+524pIl+c73i6OmwqZbOEDe3bN1IDhwjWkDxKB+u7s5BHLnEUxG+kkG/POcvtUFkCC1Q==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.219 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.219/0.219/0.219/0.000 ms
Step 4: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: Authorized
Current status: Authorized (MAB)
Step 5: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100
-----------------------------------------------------------------
Name  IP Address                    Admin  Oper  Vrf  Description
-----------------------------------------------------------------
eth0                                down   down
eth1                                down   down
eth2  192.168.100.2/24              up     up
      fe80::dcad:beff:feef:6c12/64
eth3                                down   down
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.721 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.721/0.721/0.721/0.000 ms
Test 802.1X Authentication With Bridge And Multiple DHCP Clients
Description
This scenario shows how to configure 802.1X authentication in a device with a DHCP-Server. Two DHCP-Clients are connected: DUT1 and DUT2. DUT1 is successfully authenticated, but DUT2 fails to authenticate and does not receive a DHCP lease.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces ethernet eth2 address dhcp
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18E1O3nxvA4t+SwkwPf8js9PAoLjO/526w=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2:
set interfaces ethernet eth3 address dhcp
set interfaces ethernet eth3 supplicant encrypted-password U2FsdGVkX18fsr3iQH10KVb6lk0Oq1Q7rHGgj5Ssf8s=
set interfaces ethernet eth3 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0:
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level info
set interfaces ethernet eth2 authenticator mode only-802.1x
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces ethernet eth3 authenticator aaa authentication list1
set interfaces ethernet eth3 authenticator log-level info
set interfaces ethernet eth3 authenticator mode only-802.1x
set interfaces ethernet eth3 bridge-group bridge br0
set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19Dk6L6/LQoB1Frl9Oy/Y2WeG8xvAglZtt0q+6q5k4AzVuJb+gsb9CuzYKU7EDIQLxqmuLsuXGaGw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.332 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.332/0.332/0.332/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: Authorized
Current status: Authorized (802.1X)
Step 6: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100
-----------------------------------------------------------------
Name  IP Address                    Admin  Oper  Vrf  Description
-----------------------------------------------------------------
eth0                                down   down
eth1                                down   down
eth2  192.168.100.2/24              up     up
      fe80::dcad:beff:feef:6c12/64
eth3                                down   down
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.319 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.319/0.319/0.319/0.000 ms
Step 8: Run command interfaces ethernet eth3 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: Unauthorized
Current status: Unauthorized
Step 9: Run command interfaces ethernet show at DUT2 and check if output does not contain the following tokens:
192.168.100
-----------------------------------------------------------------
Name  IP Address                    Admin  Oper  Vrf  Description
-----------------------------------------------------------------
eth0                                down   down
eth1                                down   down
eth2                                down   down
eth3  fe80::dcad:beff:feef:6c23/64  up     up
Step 10: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT2:
admin@DUT2$ ping 192.168.100.1 count 1 size 56 timeout 1
ping: connect: Network is unreachable
Test MAB Authentication With Bridge And Multiple DHCP Clients
Description
This scenario shows how to configure MAB authentication in a device with a DHCP-Server. Two DHCP-Clients are connected: DUT1 and DUT2. DUT1 is successfully authenticated, but DUT2 fails to authenticate and does not receive a DHCP lease.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces ethernet eth2 address dhcp
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2:
set interfaces ethernet eth3 address dhcp
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT0:
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level info
set interfaces ethernet eth2 authenticator mode only-MAB
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces ethernet eth3 authenticator aaa authentication list1
set interfaces ethernet eth3 authenticator log-level info
set interfaces ethernet eth3 authenticator mode only-MAB
set interfaces ethernet eth3 bridge-group bridge br0
set service dhcp-server shared-network LAN subnet 192.168.100.0/24 start 192.168.100.2 stop 192.168.100.20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18kqix2eqoACpTZwAwvKKuI+GS1/mrq+bJPeH4DVkNSKcYLovEawzrpl2XmpFhzire6MkFF7BlWeQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.318 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.318/0.318/0.318/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: Authorized
Current status: Authorized (MAB)
Step 6: Run command interfaces ethernet show at DUT1 and check if output contains the following tokens:
192.168.100
-----------------------------------------------------------------
Name  IP Address                    Admin  Oper  Vrf  Description
-----------------------------------------------------------------
eth0                                down   down
eth1                                down   down
eth2  192.168.100.2/24              up     up
      fe80::dcad:beff:feef:6c12/64
eth3                                down   down
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.659 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.659/0.659/0.659/0.000 ms
Step 8: Run command interfaces ethernet eth3 authenticator show status at DUT0 and check if output contains the following tokens:
Current status: Unauthorized
Current status: Unauthorized
Step 9: Run command interfaces ethernet show at DUT2 and check if output does not contain the following tokens:
192.168.100
-----------------------------------------------------------------
Name  IP Address                    Admin  Oper  Vrf  Description
-----------------------------------------------------------------
eth0                                down   down
eth1                                down   down
eth2                                down   down
eth3  fe80::dcad:beff:feef:6c23/64  up     up
Step 10: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT2:
admin@DUT2$ ping 192.168.100.1 count 1 size 56 timeout 1
ping: connect: Network is unreachable
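All five scenarios test one invariant: a port reported as Unauthorized must leave its client without a lease from the 192.168.100.2 to 192.168.100.20 pool, and an Authorized port must end up with one. The Python check below is an added example, not part of the original test suite; its function names are hypothetical, and the sample outputs are constructed after the ones shown above (column spacing and the indented continuation row are assumptions).

```python
import ipaddress
import re

# DHCP pool from the page's dhcp-server configuration on DUT0.
POOL_START = ipaddress.ip_address("192.168.100.2")
POOL_STOP = ipaddress.ip_address("192.168.100.20")

# Constructed samples modelled on the outputs above (spacing is an assumption).
DUT1_SHOW = """\
-----------------------------------------------------------------
Name  IP Address                    Admin  Oper  Vrf  Description
-----------------------------------------------------------------
eth0                                down   down
eth2  192.168.100.2/24              up     up
      fe80::dcad:beff:feef:6c12/64
"""
DUT2_SHOW = """\
eth2                                down   down
eth3  fe80::dcad:beff:feef:6c23/64  up     up
"""

def parse_status(text):
    """Return (authorized, method) from 'authenticator show status' output."""
    m = re.search(r"Current status:\s*(Authorized|Unauthorized)(?:\s*\(([^)]+)\))?", text)
    if not m:
        raise ValueError("no 'Current status:' line found")
    return m.group(1) == "Authorized", m.group(2)

def parse_addresses(text):
    """Map interface name -> addresses from 'interfaces ethernet show' output."""
    addrs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) == {"-"} or line.startswith("Name"):
            continue
        fields = line.split()
        if not line[0].isspace():      # indented rows continue the previous interface
            current = fields.pop(0)
            addrs[current] = []
        for field in fields:
            try:
                addrs.setdefault(current, []).append(ipaddress.ip_interface(field))
            except ValueError:
                pass                   # Admin/Oper/Vrf/Description columns
    return addrs

def check_port(status_text, client_show_text, client_iface):
    """Return a list of problems; empty means the port behaves as the scenarios expect."""
    authorized, method = parse_status(status_text)
    found = parse_addresses(client_show_text).get(client_iface, [])
    leases = [a for a in found if a.version == 4 and POOL_START <= a.ip <= POOL_STOP]
    if not authorized and leases:
        return [f"unauthorized client holds lease {leases[0]}"]
    if authorized and not leases:
        return [f"client authorized via {method} but has no lease from the pool"]
    return []
```

Comparing against the configured pool range rather than the bare token 192.168.100 keeps a statically assigned address in the same /24 from being counted as a lease.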