MAB Fallback
This scenario shows how to configure the MAB-fallback authentication mode.
Test Successful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/LqGenCdHyQnGYCSAqe0j8jZxw5xd7XUEnJOrUbpFopPehPIFGKkFq+axsehLTyXaRfoxkvwTVkA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.289 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.289/0.289/0.289/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/LOrWvmecc31qVKgyMWgJ4EpzYFy5UGwk=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                    Value
---------------------------------------------------
EAP State                SUCCESS
EAP TLS Cipher           ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version          TLSv1.2
PAE State                AUTHENTICATED
Supplicant Port Status   Authorized
WPA State                COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                 Value
-------------------------------
EAPoL Frames (Rx)     11
EAPoL Frames (Tx)     11
Invalid Frames (Rx)   0
Logoff Frames (Tx)    0
Port Status           Authorized
Req Frames (Rx)       9
Req ID Frames (Rx)    1
Resp Frames (Tx)      10
Start Frames (Tx)     1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                      Value
---------------------------------------------
Access Challenges          9
Authentication Backend     RADIUS
Authentication Failures    0
Authentication Mode        802.1X
Authentication Status      Authorized (802.1X)
Authentication Successes   1
EAPoL frames (Rx)          11
EAPoL frames (Tx)          11
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           de:ad:be:ef:6c:12
Session User Name          testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.284 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.284/0.284/0.284/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Successful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18zVKum8GoLruLApPq2wbmGvMrRWf9i4rJGXSJ4jW1HaW7uHj5Q+qoQUcS184f4tY1CyyeZVdzlDg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.197 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.197/0.197/0.197/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19DPGw/AIzFkke88piJZj5RpYZZJiYJpvo=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                    Value
---------------------------------------------------
EAP State                SUCCESS
EAP TLS Cipher           ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version          TLSv1.2
PAE State                AUTHENTICATED
Supplicant Port Status   Authorized
WPA State                COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                 Value
-------------------------------
EAPoL Frames (Rx)     11
EAPoL Frames (Tx)     11
Invalid Frames (Rx)   0
Logoff Frames (Tx)    0
Port Status           Authorized
Req Frames (Rx)       9
Req ID Frames (Rx)    1
Resp Frames (Tx)      10
Start Frames (Tx)     1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                      Value
---------------------------------------------
Access Challenges          9
Authentication Backend     RADIUS
Authentication Failures    0
Authentication Mode        802.1X
Authentication Status      Authorized (802.1X)
Authentication Successes   1
EAPoL frames (Rx)          11
EAPoL frames (Tx)          11
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           00:11:22:33:44:55
Session User Name          testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.618 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.618/0.618/0.618/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+0FUUfohz9L3YwQ7p7+IRq0/hs1h2aJ/7HZX/4QF8OHGJxbWppd2C3HQpoZtzEcDySRDQliBQobA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.569 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.569/0.569/0.569/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+Z7tAsdOc1XNf855A+AI49DqMEB/+t+R4=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        8
Authentication Backend   RADIUS
Authentication Failures  1
Authentication Mode      MAB
Authentication Status    Authorized (MAB)
Authentication Successes 1
EAPoL frames (Rx)        10
EAPoL frames (Tx)        10
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         de:ad:be:ef:6c:12
Session User Name        wrong
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.726 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.726/0.726/0.726/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Mar 23 14:45:40.363111 osdx hostapd[805666]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 23 14:45:40.363124 osdx hostapd[805666]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:45:40.363412 osdx hostapd[805666]: connect[radius]: Network is unreachable Mar 23 14:45:40.363173 osdx hostapd[805666]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 23 14:45:40.363177 osdx hostapd[805666]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 23 14:45:40.383011 osdx hostapd[805666]: Discovery mode enabled on eth2 Mar 23 14:45:40.383101 osdx hostapd[805666]: eth2: interface state UNINITIALIZED->ENABLED Mar 23 14:45:40.383101 osdx hostapd[805666]: eth2: AP-ENABLED Mar 23 14:45:43.479189 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 23 14:45:43.479201 osdx hostapd[805667]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 23 14:45:43.495018 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication Mar 23 14:45:43.495041 osdx hostapd[805667]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 23 14:45:43.495045 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response Mar 23 14:45:43.495047 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Mar 23 14:45:43.495060 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response Mar 23 14:45:43.495063 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Mar 23 14:45:43.495069 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Mar 23 
14:45:43.495080 osdx hostapd[805667]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 23 14:45:43.495099 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 102) Mar 23 14:45:43.495370 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=102 len=10) from STA: EAP Response-Identity (1) Mar 23 14:45:43.495378 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong' Mar 23 14:45:43.495397 osdx hostapd[805667]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:45:43.497150 osdx hostapd[805667]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:43.497177 osdx hostapd[805667]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:43.497400 osdx hostapd[805667]: eth2: RADIUS Received 80 bytes from RADIUS server Mar 23 14:45:43.497405 osdx hostapd[805667]: eth2: RADIUS Received RADIUS message Mar 23 14:45:43.497409 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:43.497427 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=103 len=22) from RADIUS server: EAP-Request-MD5 (4) Mar 23 14:45:43.497434 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 103) Mar 23 14:45:43.497637 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=103 len=6) from STA: EAP Response-unknown (3) Mar 23 14:45:43.497680 osdx hostapd[805667]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:43.497691 osdx hostapd[805667]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:43.497894 osdx hostapd[805667]: eth2: RADIUS Received 64 bytes from RADIUS server Mar 23 14:45:43.497899 osdx hostapd[805667]: eth2: RADIUS Received RADIUS message Mar 23 
14:45:43.497902 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:43.497916 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=104 len=6) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:45:43.497921 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 104) Mar 23 14:45:43.498241 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=104 len=194) from STA: EAP Response-PEAP (25) Mar 23 14:45:43.498270 osdx hostapd[805667]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:43.498279 osdx hostapd[805667]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:43.499250 osdx hostapd[805667]: eth2: RADIUS Received 1068 bytes from RADIUS server Mar 23 14:45:43.499258 osdx hostapd[805667]: eth2: RADIUS Received RADIUS message Mar 23 14:45:43.499262 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:43.499286 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=105 len=1004) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:45:43.499293 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 105) Mar 23 14:45:43.499450 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=105 len=6) from STA: EAP Response-PEAP (25) Mar 23 14:45:43.499489 osdx hostapd[805667]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:43.499501 osdx hostapd[805667]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:43.499622 osdx hostapd[805667]: eth2: RADIUS Received 229 bytes from RADIUS server Mar 23 14:45:43.499627 osdx hostapd[805667]: eth2: RADIUS Received RADIUS 
message Mar 23 14:45:43.499629 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:43.499642 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=106 len=171) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:45:43.499647 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 106) Mar 23 14:45:43.500892 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=106 len=103) from STA: EAP Response-PEAP (25) Mar 23 14:45:43.500924 osdx hostapd[805667]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:43.500932 osdx hostapd[805667]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:43.501198 osdx hostapd[805667]: eth2: RADIUS Received 115 bytes from RADIUS server Mar 23 14:45:43.501202 osdx hostapd[805667]: eth2: RADIUS Received RADIUS message Mar 23 14:45:43.501206 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:43.501218 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=107 len=57) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:45:43.501223 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 107) Mar 23 14:45:43.501461 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=107 len=6) from STA: EAP Response-PEAP (25) Mar 23 14:45:43.501497 osdx hostapd[805667]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:43.501507 osdx hostapd[805667]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:43.501635 osdx hostapd[805667]: eth2: RADIUS Received 98 bytes from RADIUS server Mar 23 14:45:43.501640 osdx hostapd[805667]: eth2: RADIUS 
Received RADIUS message Mar 23 14:45:43.501642 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:43.501655 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=108 len=40) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:45:43.501660 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 108) Mar 23 14:45:43.501795 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=108 len=41) from STA: EAP Response-PEAP (25) Mar 23 14:45:43.501833 osdx hostapd[805667]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:43.501844 osdx hostapd[805667]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:43.501980 osdx hostapd[805667]: eth2: RADIUS Received 131 bytes from RADIUS server Mar 23 14:45:43.501984 osdx hostapd[805667]: eth2: RADIUS Received RADIUS message Mar 23 14:45:43.501987 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:43.501998 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=109 len=73) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:45:43.502003 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 109) Mar 23 14:45:43.502232 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=109 len=95) from STA: EAP Response-PEAP (25) Mar 23 14:45:43.502259 osdx hostapd[805667]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:43.502266 osdx hostapd[805667]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:43.502426 osdx hostapd[805667]: eth2: RADIUS Received 104 bytes from RADIUS server Mar 23 14:45:43.502433 osdx hostapd[805667]: 
eth2: RADIUS Received RADIUS message Mar 23 14:45:43.502436 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:43.502452 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=110 len=46) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:45:43.502458 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 110) Mar 23 14:45:43.502599 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=110 len=46) from STA: EAP Response-PEAP (25) Mar 23 14:45:43.502630 osdx hostapd[805667]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:43.502641 osdx hostapd[805667]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:44.502741 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=8) Mar 23 14:45:44.502780 osdx hostapd[805667]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Mar 23 14:45:44.502961 osdx hostapd[805667]: eth2: RADIUS Received 44 bytes from RADIUS server Mar 23 14:45:44.502965 osdx hostapd[805667]: eth2: RADIUS Received RADIUS message Mar 23 14:45:44.502969 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:44.503013 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=4 id=110 len=4) from RADIUS server: EAP Failure Mar 23 14:45:44.503038 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 110) Mar 23 14:45:44.503049 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Mar 23 14:45:44.503052 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) Mar 23 14:45:44.503055 osdx hostapd[805667]: eth2: STA 
de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately Mar 23 14:45:44.503059 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 23 14:45:44.503087 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 23 14:45:44.503095 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 23 14:45:44.503115 osdx hostapd[805667]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:44.503130 osdx hostapd[805667]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:44.503141 osdx hostapd[805667]: eth2: RADIUS Received 44 bytes from RADIUS server Mar 23 14:45:44.503144 osdx hostapd[805667]: eth2: RADIUS Received RADIUS message Mar 23 14:45:44.503146 osdx hostapd[805667]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet Mar 23 14:45:44.503373 osdx hostapd[805667]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 23 14:45:44.503375 osdx hostapd[805667]: eth2: RADIUS Received RADIUS message Mar 23 14:45:44.503378 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:44.503381 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 23 14:45:44.503395 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 23 14:45:44.503398 osdx hostapd[805667]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 23 14:45:44.503407 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 23 14:45:44.503410 osdx hostapd[805667]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session B82275CB957139CB
Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/GjYChDno4yZ39NB57YpeG9t19GssCNsO50hUeDqRduySryxE2AfBI50+3f5I64wZIAa5PW5eNfg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.235 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.235/0.235/0.235/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19x8pDB6tKRmRLNcdjhXjlQHq5dxhpMtnA=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Unauthorized
---------------------------------
Field                Value
---------------------------------
EAPoL Frames (Rx)    10
EAPoL Frames (Tx)    10
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Unauthorized
Req Frames (Rx)      8
Req ID Frames (Rx)   1
Resp Frames (Tx)     9
Start Frames (Tx)    1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        8
Authentication Backend   RADIUS
Authentication Failures  1
Authentication Mode      N/A
Authentication Status    Unauthorized
Authentication Successes 0
EAPoL frames (Rx)        10
EAPoL frames (Tx)        10
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         00:11:22:33:44:55
Session User Name        N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Mar 23 14:45:51.593299 osdx hostapd[806183]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 23 14:45:51.593317 osdx hostapd[806183]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:45:51.593607 osdx hostapd[806183]: connect[radius]: Network is unreachable Mar 23 14:45:51.593364 osdx hostapd[806183]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 23 14:45:51.593368 osdx hostapd[806183]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 23 14:45:51.609207 osdx hostapd[806183]: Discovery mode enabled on eth2 Mar 23 14:45:51.609296 osdx hostapd[806183]: eth2: interface state UNINITIALIZED->ENABLED Mar 23 14:45:51.609296 osdx hostapd[806183]: eth2: AP-ENABLED Mar 23 14:45:54.917362 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Mar 23 14:45:54.917377 osdx hostapd[806184]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 23 14:45:54.933221 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication Mar 23 14:45:54.933247 osdx hostapd[806184]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 23 14:45:54.933252 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response Mar 23 14:45:54.933255 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Mar 23 14:45:54.933268 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response Mar 23 14:45:54.933270 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Mar 23 14:45:54.933278 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port Mar 23 
14:45:54.933287 osdx hostapd[806184]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 23 14:45:54.933320 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 120) Mar 23 14:45:54.933666 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=120 len=10) from STA: EAP Response-Identity (1) Mar 23 14:45:54.933677 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' Mar 23 14:45:54.933702 osdx hostapd[806184]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:45:54.935458 osdx hostapd[806184]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:54.935488 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:54.935718 osdx hostapd[806184]: eth2: RADIUS Received 80 bytes from RADIUS server Mar 23 14:45:54.935724 osdx hostapd[806184]: eth2: RADIUS Received RADIUS message Mar 23 14:45:54.935729 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:54.935751 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=121 len=22) from RADIUS server: EAP-Request-MD5 (4) Mar 23 14:45:54.935759 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 121) Mar 23 14:45:54.935986 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=121 len=6) from STA: EAP Response-unknown (3) Mar 23 14:45:54.936035 osdx hostapd[806184]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:54.936052 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:54.936241 osdx hostapd[806184]: eth2: RADIUS Received 64 bytes from RADIUS server Mar 23 14:45:54.936247 osdx hostapd[806184]: eth2: RADIUS Received RADIUS message Mar 23 
14:45:54.936251 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:54.936266 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=122 len=6) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:45:54.936271 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 122) Mar 23 14:45:54.936665 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=122 len=194) from STA: EAP Response-PEAP (25) Mar 23 14:45:54.936707 osdx hostapd[806184]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:54.936721 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:54.937702 osdx hostapd[806184]: eth2: RADIUS Received 1068 bytes from RADIUS server Mar 23 14:45:54.937709 osdx hostapd[806184]: eth2: RADIUS Received RADIUS message Mar 23 14:45:54.937714 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:54.937742 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=123 len=1004) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:45:54.937750 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 123) Mar 23 14:45:54.937947 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=123 len=6) from STA: EAP Response-PEAP (25) Mar 23 14:45:54.937991 osdx hostapd[806184]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:54.938042 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:54.938157 osdx hostapd[806184]: eth2: RADIUS Received 229 bytes from RADIUS server Mar 23 14:45:54.938162 osdx hostapd[806184]: eth2: RADIUS Received RADIUS 
message Mar 23 14:45:54.938166 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:54.938183 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=124 len=171) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:45:54.938189 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 124) Mar 23 14:45:54.940084 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=124 len=103) from STA: EAP Response-PEAP (25) Mar 23 14:45:54.940128 osdx hostapd[806184]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:54.940141 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:54.940509 osdx hostapd[806184]: eth2: RADIUS Received 115 bytes from RADIUS server Mar 23 14:45:54.940515 osdx hostapd[806184]: eth2: RADIUS Received RADIUS message Mar 23 14:45:54.940519 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:45:54.940537 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=125 len=57) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:45:54.940543 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 125) Mar 23 14:45:54.940802 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=125 len=6) from STA: EAP Response-PEAP (25) Mar 23 14:45:54.940847 osdx hostapd[806184]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:45:54.940860 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:45:54.941022 osdx hostapd[806184]: eth2: RADIUS Received 98 bytes from RADIUS server Mar 23 14:45:54.941028 osdx hostapd[806184]: eth2: RADIUS 
Received RADIUS message
Mar 23 14:45:54.941032 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 23 14:45:54.941058 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=126 len=40) from RADIUS server: EAP-Request-PEAP (25)
Mar 23 14:45:54.941066 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 126)
Mar 23 14:45:54.941285 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=126 len=41) from STA: EAP Response-PEAP (25)
Mar 23 14:45:54.941341 osdx hostapd[806184]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 23 14:45:54.941356 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 23 14:45:54.941528 osdx hostapd[806184]: eth2: RADIUS Received 131 bytes from RADIUS server
Mar 23 14:45:54.941535 osdx hostapd[806184]: eth2: RADIUS Received RADIUS message
Mar 23 14:45:54.941538 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 23 14:45:54.941556 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=127 len=73) from RADIUS server: EAP-Request-PEAP (25)
Mar 23 14:45:54.941563 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 127)
Mar 23 14:45:54.941852 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=127 len=95) from STA: EAP Response-PEAP (25)
Mar 23 14:45:54.941894 osdx hostapd[806184]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 23 14:45:54.941914 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 23 14:45:54.942091 osdx hostapd[806184]: eth2: RADIUS Received 104 bytes from RADIUS server
Mar 23 14:45:54.942096 osdx hostapd[806184]: eth2: RADIUS Received RADIUS message
Mar 23 14:45:54.942099 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 23 14:45:54.942115 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=128 len=46) from RADIUS server: EAP-Request-PEAP (25)
Mar 23 14:45:54.942121 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 128)
Mar 23 14:45:54.942341 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=128 len=46) from STA: EAP Response-PEAP (25)
Mar 23 14:45:54.942386 osdx hostapd[806184]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 23 14:45:54.942400 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 23 14:45:55.942483 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Mar 23 14:45:55.942519 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 23 14:45:55.942699 osdx hostapd[806184]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 23 14:45:55.942702 osdx hostapd[806184]: eth2: RADIUS Received RADIUS message
Mar 23 14:45:55.942706 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 23 14:45:55.942754 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=128 len=4) from RADIUS server: EAP Failure
Mar 23 14:45:55.942779 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 128)
Mar 23 14:45:55.942790 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 23 14:45:55.942793 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar 23 14:45:55.942796 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Mar 23 14:45:55.942799 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Mar 23 14:45:55.942825 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Mar 23 14:45:55.942831 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Mar 23 14:45:55.942843 osdx hostapd[806184]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 23 14:45:55.942854 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 23 14:45:55.942869 osdx hostapd[806184]: eth2: RADIUS Received 44 bytes from RADIUS server
Mar 23 14:45:55.942874 osdx hostapd[806184]: eth2: RADIUS Received RADIUS message
Mar 23 14:45:55.942876 osdx hostapd[806184]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Mar 23 14:45:56.942950 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Mar 23 14:45:56.942984 osdx hostapd[806184]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 23 14:45:56.943130 osdx hostapd[806184]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 23 14:45:56.943133 osdx hostapd[806184]: eth2: RADIUS Received RADIUS message
Mar 23 14:45:56.943137 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 23 14:45:56.943140 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Mar 23 14:45:56.943185 osdx hostapd[806184]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 23 14:45:56.943187 osdx hostapd[806184]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 23 14:45:56.943195 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Mar 23 14:45:56.943197 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Mar 23 14:45:56.943204 osdx hostapd[806184]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 23 14:45:56.943206 osdx hostapd[806184]: eth2: RADIUS Received RADIUS message
Mar 23 14:45:56.943208 osdx hostapd[806184]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Test Unsupported 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18DWtYxq8fN3WzXWuuSyRlA7n1wnlGiI/9fpAZyJ1FtpQg/vYxdK9grqWZL0EV65A9jYk+Qn7Gr0Q==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.298 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.298/0.298/0.298/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.700 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.700/0.700/0.700/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        0
Authentication Backend   RADIUS
Authentication Failures  0
Authentication Mode      MAB
Authentication Status    Authorized (MAB)
Authentication Successes 1
EAPoL frames (Rx)        0
EAPoL frames (Tx)        4
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         de:ad:be:ef:6c:12
Session User Name        N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.443 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.443/0.443/0.443/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Mar 23 14:46:05.488700 osdx hostapd[806692]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 23 14:46:05.488716 osdx hostapd[806692]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 23 14:46:05.489173 osdx hostapd[806692]: connect[radius]: Network is unreachable
Mar 23 14:46:05.488764 osdx hostapd[806692]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 23 14:46:05.488772 osdx hostapd[806692]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 23 14:46:05.504537 osdx hostapd[806692]: Discovery mode enabled on eth2
Mar 23 14:46:05.504604 osdx hostapd[806692]: eth2: interface state UNINITIALIZED->ENABLED
Mar 23 14:46:05.504604 osdx hostapd[806692]: eth2: AP-ENABLED
Mar 23 14:46:10.504642 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Mar 23 14:46:10.504686 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Mar 23 14:46:10.504694 osdx hostapd[806693]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 23 14:46:10.520595 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Mar 23 14:46:10.520625 osdx hostapd[806693]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 23 14:46:10.520629 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 23 14:46:10.520631 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 23 14:46:10.520650 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Mar 23 14:46:10.520663 osdx hostapd[806693]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 23 14:46:10.520693 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 65)
Mar 23 14:46:13.523651 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 65)
Mar 23 14:46:19.528629 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 65)
Mar 23 14:46:31.537635 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Mar 23 14:46:31.537644 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Mar 23 14:46:31.537648 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Mar 23 14:46:31.537682 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Mar 23 14:46:31.539375 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Mar 23 14:46:31.539387 osdx hostapd[806693]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 23 14:46:31.539450 osdx hostapd[806693]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 23 14:46:31.539479 osdx hostapd[806693]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 23 14:46:31.539495 osdx hostapd[806693]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 23 14:46:31.539511 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 178)
Mar 23 14:46:31.539771 osdx hostapd[806693]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 23 14:46:31.539777 osdx hostapd[806693]: eth2: RADIUS Received RADIUS message
Mar 23 14:46:31.539780 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 23 14:46:31.539784 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Mar 23 14:46:31.539796 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Mar 23 14:46:31.539809 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 23 14:46:31.539813 osdx hostapd[806693]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 23 14:46:31.539822 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Mar 23 14:46:31.539826 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 426F0C7FDB929239
Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/AifKifb/iJDeq4jQ0HmA2hG6Au4jPg+G2Qs4D+3fLXosmu47jqjlYnqYoKkYvx9N2xu6xld/f5g==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.627 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.627/0.627/0.627/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                    Value
-------------------------------------------
Access Challenges        0
Authentication Backend   RADIUS
Authentication Failures  2
Authentication Mode      N/A
Authentication Status    Unauthorized
Authentication Successes 0
EAPoL frames (Rx)        0
EAPoL frames (Tx)        4
Quiet Period             60
Reauthenticate           FALSE
Reauthenticate Period    0
Session Time             0
Session User MAC         00:11:22:33:44:55
Session User Name        N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Mar 23 14:46:41.428623 osdx hostapd[807254]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Mar 23 14:46:41.429087 osdx hostapd[807254]: connect[radius]: Network is unreachable
Mar 23 14:46:41.428646 osdx hostapd[807254]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 23 14:46:41.428695 osdx hostapd[807254]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Mar 23 14:46:41.428699 osdx hostapd[807254]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Mar 23 14:46:41.456346 osdx hostapd[807254]: Discovery mode enabled on eth2
Mar 23 14:46:41.456472 osdx hostapd[807254]: eth2: interface state UNINITIALIZED->ENABLED
Mar 23 14:46:41.456472 osdx hostapd[807254]: eth2: AP-ENABLED
Mar 23 14:46:46.457037 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Mar 23 14:46:46.457071 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Mar 23 14:46:46.457079 osdx hostapd[807255]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Mar 23 14:46:46.476373 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Mar 23 14:46:46.476404 osdx hostapd[807255]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 23 14:46:46.476414 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Mar 23 14:46:46.476417 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Mar 23 14:46:46.476434 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Mar 23 14:46:46.476444 osdx hostapd[807255]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 23 14:46:46.476482 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 114)
Mar 23 14:46:49.479394 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 114)
Mar 23 14:46:55.484388 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 114)
Mar 23 14:47:07.494259 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Mar 23 14:47:07.494267 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Mar 23 14:47:07.494273 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Mar 23 14:47:07.494319 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Mar 23 14:47:07.496662 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Mar 23 14:47:07.496676 osdx hostapd[807255]: eth2: RADIUS Authentication server 10.215.168.1:1812
Mar 23 14:47:07.496760 osdx hostapd[807255]: eth2: RADIUS Sending RADIUS message to authentication server
Mar 23 14:47:07.496793 osdx hostapd[807255]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Mar 23 14:47:07.496815 osdx hostapd[807255]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Mar 23 14:47:07.496836 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 220)
Mar 23 14:47:08.497381 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Mar 23 14:47:08.497414 osdx hostapd[807255]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Mar 23 14:47:08.497613 osdx hostapd[807255]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 23 14:47:08.497618 osdx hostapd[807255]: eth2: RADIUS Received RADIUS message
Mar 23 14:47:08.497624 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Mar 23 14:47:08.497629 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Mar 23 14:47:08.497685 osdx hostapd[807255]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 23 14:47:08.497688 osdx hostapd[807255]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Mar 23 14:47:08.497691 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Mar 23 14:47:08.497695 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Mar 23 14:47:08.497703 osdx hostapd[807255]: eth2: RADIUS Received 20 bytes from RADIUS server
Mar 23 14:47:08.497707 osdx hostapd[807255]: eth2: RADIUS Received RADIUS message
Mar 23 14:47:08.497710 osdx hostapd[807255]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
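Added example (not part of the OSDx documentation or test suite): a log check that pairs each "triggering MAB fallback" message in the hostapd journal with the MAB result that follows it for the same station, and lists the MACs whose port was authorized on the MAC address alone. The function names and labels are hypothetical; the sample journal is constructed by abridging the scenario outputs above.

```python
import re

# Constructed sample: lines abridged from the three fallback scenarios above.
SAMPLE_JOURNAL = """\
Mar 23 14:45:55.942796 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Mar 23 14:45:56.943195 osdx hostapd[806184]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Mar 23 14:46:10.520625 osdx hostapd[806693]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Mar 23 14:46:31.537644 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Mar 23 14:46:31.539809 osdx hostapd[806693]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Mar 23 14:47:07.494267 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Mar 23 14:47:08.497691 osdx hostapd[807255]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
"""

# timestamp, host, hostapd[pid], interface, station MAC, 802.1X message
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+) \S+ hostapd\[\d+\]: (?P<ifname>\S+): "
    r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) IEEE 802\.1X: (?P<msg>.*)$",
    re.IGNORECASE,
)

# Message prefixes copied from the journal output shown in the scenarios.
TRIGGERS = {
    "802.1X authentication failed, triggering MAB fallback": "eap-failure",
    "EAP max retrans reached, triggering MAB fallback": "no-eap-response",
}
OUTCOMES = {
    "MAB: station successfully authenticated": "authorized-by-mab",
    "MAB: Authentication failed": "rejected",
}


def _label(msg, table):
    """Return the label of the first prefix in table that msg starts with."""
    return next((lab for pre, lab in table.items() if msg.startswith(pre)), None)


def fallback_attempts(journal):
    """Return one record per MAB fallback, in log order."""
    attempts, open_by_sta = [], {}
    for line in journal.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a per-station IEEE 802.1X message
        key = (m["ifname"], m["mac"].lower())
        trigger = _label(m["msg"], TRIGGERS)
        if trigger:
            rec = {"time": m["ts"], "ifname": key[0], "mac": key[1],
                   "trigger": trigger, "outcome": "pending"}
            attempts.append(rec)
            open_by_sta[key] = rec  # latest fallback for this station
            continue
        outcome = _label(m["msg"], OUTCOMES)
        if outcome and key in open_by_sta:
            open_by_sta.pop(key)["outcome"] = outcome
    return attempts


def mac_only_admissions(attempts):
    """MACs whose port was authorized by MAB, i.e. on the MAC address alone."""
    return sorted({a["mac"] for a in attempts
                   if a["outcome"] == "authorized-by-mab"})


if __name__ == "__main__":
    for a in fallback_attempts(SAMPLE_JOURNAL):
        print(a["time"], a["ifname"], a["mac"], a["trigger"], a["outcome"])
    print("admitted on MAC only:", mac_only_admissions(fallback_attempts(SAMPLE_JOURNAL)))
```

A fallback with no later MAB result for the same station is reported with outcome "pending", which is what a journal cut off mid-exchange produces.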