Mab First
This scenario shows how to configure the MAB-first
authentication mode.
Test Successful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+Nin+/cZ9/QoHqW82bnMv/iU2dL778rzbHMoQwv06I8JiTxrdx7gTxkJ2npB3d9JLYvihJ9K+/0A== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.319 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.319/0.319/0.319/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+5jncvlhGJDMdkLmJjBBtEN+rgz1AaV88= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 1 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.603 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.603/0.603/0.603/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Mar 23 14:43:36.535021 osdx hostapd[801512]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 23 14:43:36.535325 osdx hostapd[801512]: connect[radius]: Network is unreachable Mar 23 14:43:36.535042 osdx hostapd[801512]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:43:36.535098 osdx hostapd[801512]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 23 14:43:36.535107 osdx hostapd[801512]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 23 14:43:36.550829 osdx hostapd[801512]: Discovery mode enabled on eth2 Mar 23 14:43:36.550922 osdx hostapd[801512]: eth2: interface state UNINITIALIZED->ENABLED Mar 23 14:43:36.550922 osdx hostapd[801512]: eth2: AP-ENABLED Mar 23 14:43:39.662932 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 23 14:43:39.662945 osdx hostapd[801513]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 23 14:43:39.682829 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 23 14:43:39.682851 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 23 14:43:39.682866 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 23 14:43:39.684540 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 23 14:43:39.684554 osdx hostapd[801513]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:43:39.684629 osdx hostapd[801513]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:43:39.684657 osdx hostapd[801513]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:43:39.684682 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Mar 23 14:43:39.684889 osdx hostapd[801513]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 23 14:43:39.684895 osdx hostapd[801513]: eth2: RADIUS Received RADIUS message Mar 23 14:43:39.684899 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:43:39.684903 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 23 14:43:39.684912 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 23 14:43:39.684923 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 23 14:43:39.684926 osdx hostapd[801513]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 23 14:43:39.684935 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 23 14:43:39.684938 osdx hostapd[801513]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 14A5EDC270A6DD65
Test Successful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1+oCBgYckwH4NKo7+Z5AsleIQxLwMQGqx5sVOxG/wKvaiIJbc8XoEggVD3MKDCjwnqTdsWXrrAjng== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.244 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.244/0.244/0.244/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18c9xuBcHqMVuQP1SCFwAuhPLkuQbTU6jA= set interfaces ethernet eth2 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 1 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.537 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.537/0.537/0.537/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Mar 23 14:43:48.491444 osdx hostapd[802030]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 23 14:43:48.491454 osdx hostapd[802030]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:43:48.491736 osdx hostapd[802030]: connect[radius]: Network is unreachable Mar 23 14:43:48.491493 osdx hostapd[802030]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 23 14:43:48.491496 osdx hostapd[802030]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 23 14:43:48.511346 osdx hostapd[802030]: Discovery mode enabled on eth2 Mar 23 14:43:48.511427 osdx hostapd[802030]: eth2: interface state UNINITIALIZED->ENABLED Mar 23 14:43:48.511427 osdx hostapd[802030]: eth2: AP-ENABLED Mar 23 14:43:51.583533 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 23 14:43:51.583554 osdx hostapd[802031]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 23 14:43:51.599440 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 23 14:43:51.599478 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 23 14:43:51.599493 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 23 14:43:51.601235 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 23 14:43:51.601246 osdx hostapd[802031]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:43:51.601325 osdx hostapd[802031]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:43:51.601367 osdx hostapd[802031]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:43:51.601397 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Mar 23 14:43:51.601669 osdx hostapd[802031]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 23 14:43:51.601674 osdx hostapd[802031]: eth2: RADIUS Received RADIUS message Mar 23 14:43:51.601677 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:43:51.601681 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 23 14:43:51.601693 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 23 14:43:51.601711 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 23 14:43:51.601714 osdx hostapd[802031]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 23 14:43:51.601724 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 23 14:43:51.601728 osdx hostapd[802031]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 553DECA812D015D6
Test Successful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/4T7W+3INfVfLbX0KuxjSGAl/OsA+XgW0/uAsrjg6dcDBnMh2Nz0Q06UxrxdiYzxuc+SNf0hyIBQ== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.311 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.311/0.311/0.311/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.686 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.686/0.686/0.686/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+MABShow output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 0 Authentication Mode MAB Authentication Status Authorized (MAB) Authentication Successes 1 EAPoL frames (Rx) 0 EAPoL frames (Tx) 0 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC de:ad:be:ef:6c:12 Session User Name N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.310 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.310/0.310/0.310/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticatedShow output
Mar 23 14:43:59.214268 osdx hostapd[802547]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 23 14:43:59.214282 osdx hostapd[802547]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:43:59.214528 osdx hostapd[802547]: connect[radius]: Network is unreachable Mar 23 14:43:59.214328 osdx hostapd[802547]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 23 14:43:59.214332 osdx hostapd[802547]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 23 14:43:59.246107 osdx hostapd[802547]: Discovery mode enabled on eth2 Mar 23 14:43:59.246201 osdx hostapd[802547]: eth2: interface state UNINITIALIZED->ENABLED Mar 23 14:43:59.246201 osdx hostapd[802547]: eth2: AP-ENABLED Mar 23 14:44:04.246170 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication Mar 23 14:44:04.246221 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Mar 23 14:44:04.246230 osdx hostapd[802548]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 23 14:44:04.266128 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 23 14:44:04.266158 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Mar 23 14:44:04.266174 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Mar 23 14:44:04.268264 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Mar 23 14:44:04.268277 osdx hostapd[802548]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:44:04.268358 osdx hostapd[802548]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:04.268391 osdx hostapd[802548]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:04.268680 osdx hostapd[802548]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 23 14:44:04.268686 osdx hostapd[802548]: eth2: RADIUS Received RADIUS message Mar 23 14:44:04.268690 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:04.268695 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Mar 23 14:44:04.268706 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12' Mar 23 14:44:04.268720 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Mar 23 14:44:04.268723 osdx hostapd[802548]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 23 14:44:04.268738 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Mar 23 14:44:04.268741 osdx hostapd[802548]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 46B52CF90F02DF1A
Test Unsuccessful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX18Ak1RvHmrxhyLnyRm+NLr/xD8O40T7ybTKk8PETzVHtMNLqsjttS2qVwp+OizLlVzzZJJgadrW6g== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.243 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.243/0.243/0.243/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18pSVcqZDYPBMzKn6Z6Qu4PxJxT0mUoXrg= set interfaces ethernet eth2 supplicant username testing set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
AuthorizedShow output
--------------------------------------------------- Field Value --------------------------------------------------- EAP State SUCCESS EAP TLS Cipher ECDHE-RSA-AES256-GCM-SHA384 EAP TLS Version TLSv1.2 PAE State AUTHENTICATED Supplicant Port Status Authorized WPA State COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+AuthorizedShow output
------------------------------- Field Value ------------------------------- EAPoL Frames (Rx) 11 EAPoL Frames (Tx) 11 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Authorized Req Frames (Rx) 9 Req ID Frames (Rx) 1 Resp Frames (Tx) 10 Start Frames (Tx) 1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1 Authentication Mode\s+802\.1XShow output
--------------------------------------------- Field Value --------------------------------------------- Access Challenges 9 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode 802.1X Authentication Status Authorized (802.1X) Authentication Successes 1 EAPoL frames (Rx) 11 EAPoL frames (Tx) 11 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.331 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.331/0.331/0.331/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: authenticated - EAP type: 25 (PEAP)Show output
Mar 23 14:44:14.322855 osdx hostapd[803074]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 23 14:44:14.322868 osdx hostapd[803074]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:44:14.323068 osdx hostapd[803074]: connect[radius]: Network is unreachable Mar 23 14:44:14.322910 osdx hostapd[803074]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 23 14:44:14.322918 osdx hostapd[803074]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 23 14:44:14.338807 osdx hostapd[803074]: Discovery mode enabled on eth2 Mar 23 14:44:14.338852 osdx hostapd[803074]: eth2: interface state UNINITIALIZED->ENABLED Mar 23 14:44:14.338869 osdx hostapd[803074]: eth2: AP-ENABLED Mar 23 14:44:17.414937 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Mar 23 14:44:17.414955 osdx hostapd[803075]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 23 14:44:17.430857 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 23 14:44:17.430901 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Mar 23 14:44:17.430921 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Mar 23 14:44:17.433269 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Mar 23 14:44:17.433284 osdx hostapd[803075]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:44:17.433374 osdx hostapd[803075]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:17.433409 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:17.433439 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Mar 23 14:44:18.433499 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Mar 23 14:44:18.433538 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Mar 23 14:44:18.433691 osdx hostapd[803075]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 23 14:44:18.433695 osdx hostapd[803075]: eth2: RADIUS Received RADIUS message Mar 23 14:44:18.433699 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:18.433704 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Mar 23 14:44:18.433757 osdx hostapd[803075]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 23 14:44:18.433760 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Mar 23 14:44:18.433765 osdx hostapd[803075]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 23 14:44:18.433768 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Mar 23 14:44:18.433775 osdx hostapd[803075]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 23 14:44:18.433797 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 80) Mar 23 14:44:18.434107 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=80 len=12) from STA: EAP Response-Identity (1) Mar 23 14:44:18.434119 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing' Mar 23 14:44:18.434178 osdx hostapd[803075]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:18.434193 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:18.434408 osdx hostapd[803075]: eth2: RADIUS Received 80 bytes from RADIUS server Mar 23 14:44:18.434413 osdx hostapd[803075]: eth2: RADIUS Received RADIUS message Mar 23 14:44:18.434418 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:18.434437 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=81 len=22) from RADIUS server: EAP-Request-MD5 (4) Mar 23 14:44:18.434444 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 81) Mar 23 14:44:18.434696 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=81 len=6) from STA: EAP Response-unknown (3) Mar 23 14:44:18.434761 osdx hostapd[803075]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:18.434775 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:18.434997 osdx hostapd[803075]: eth2: RADIUS Received 64 bytes from RADIUS server Mar 23 14:44:18.435003 osdx hostapd[803075]: eth2: RADIUS Received RADIUS message Mar 23 14:44:18.435006 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:18.435025 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=82 len=6) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:18.435032 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 82) Mar 23 14:44:18.435386 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=82 len=194) from STA: EAP Response-PEAP (25) Mar 23 14:44:18.435426 osdx hostapd[803075]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:18.435444 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:18.436489 osdx hostapd[803075]: eth2: RADIUS Received 1068 bytes from RADIUS server Mar 23 14:44:18.436496 osdx hostapd[803075]: eth2: RADIUS Received RADIUS message Mar 23 14:44:18.436499 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:18.436522 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=83 len=1004) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:18.436528 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 83) Mar 23 14:44:18.436735 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=83 len=6) from STA: EAP Response-PEAP (25) Mar 23 14:44:18.436783 osdx hostapd[803075]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:18.436794 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:18.436950 osdx hostapd[803075]: eth2: RADIUS Received 229 bytes from RADIUS server Mar 23 14:44:18.436956 osdx hostapd[803075]: eth2: RADIUS Received RADIUS message Mar 23 14:44:18.436960 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:18.436978 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=84 len=171) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:18.436984 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 84) Mar 23 14:44:18.438919 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=84 len=103) from STA: EAP Response-PEAP (25) Mar 23 14:44:18.438978 osdx hostapd[803075]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:18.438996 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:18.439394 osdx hostapd[803075]: eth2: RADIUS Received 115 bytes from RADIUS server Mar 23 14:44:18.439401 osdx hostapd[803075]: eth2: RADIUS Received RADIUS message Mar 23 14:44:18.439404 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:18.439422 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=85 len=57) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:18.439429 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 85) Mar 23 14:44:18.439748 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=85 len=6) from STA: EAP Response-PEAP (25) Mar 23 14:44:18.439799 osdx hostapd[803075]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:18.439811 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:18.439965 osdx hostapd[803075]: eth2: RADIUS Received 98 bytes from RADIUS server Mar 23 14:44:18.439971 osdx hostapd[803075]: eth2: RADIUS Received RADIUS message Mar 23 14:44:18.439974 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:18.439990 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=86 len=40) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:18.439997 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 86) Mar 23 14:44:18.440214 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=86 len=43) from STA: EAP Response-PEAP (25) Mar 23 14:44:18.440264 osdx hostapd[803075]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:18.440280 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:18.440439 osdx hostapd[803075]: eth2: RADIUS Received 131 bytes from RADIUS server Mar 23 14:44:18.440445 osdx hostapd[803075]: eth2: RADIUS Received RADIUS message Mar 23 14:44:18.440450 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:18.440465 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=87 len=73) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:18.440472 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 87) Mar 23 14:44:18.440722 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=87 len=97) from STA: EAP Response-PEAP (25) Mar 23 14:44:18.440757 osdx hostapd[803075]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:18.440768 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:18.440934 osdx hostapd[803075]: eth2: RADIUS Received 140 bytes from RADIUS server Mar 23 14:44:18.440939 osdx hostapd[803075]: eth2: RADIUS Received RADIUS message Mar 23 14:44:18.440943 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:18.440957 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=88 len=82) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:18.440962 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 88) Mar 23 14:44:18.441140 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=88 len=37) from STA: EAP Response-PEAP (25) Mar 23 14:44:18.441174 osdx hostapd[803075]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:18.441183 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:18.441347 osdx hostapd[803075]: eth2: RADIUS Received 104 bytes from RADIUS server Mar 23 14:44:18.441353 osdx hostapd[803075]: eth2: RADIUS Received RADIUS message Mar 23 14:44:18.441356 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:18.441370 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=89 len=46) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:18.441376 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 89) Mar 23 14:44:18.441576 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=89 len=46) from STA: EAP Response-PEAP (25) Mar 23 14:44:18.441610 osdx hostapd[803075]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:18.441619 osdx hostapd[803075]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:18.441818 osdx hostapd[803075]: eth2: RADIUS Received 175 bytes from RADIUS server Mar 23 14:44:18.441824 osdx hostapd[803075]: eth2: RADIUS Received RADIUS message Mar 23 14:44:18.441827 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:18.441848 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing' Mar 23 14:44:18.441852 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=89 len=4) from RADIUS server: EAP Success Mar 23 14:44:18.441866 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 89) Mar 23 14:44:18.441881 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port Mar 23 14:44:18.441884 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session 6EB5C2432304ADA9 Mar 23 14:44:18.441912 osdx hostapd[803075]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/+dMc7RcupF8Ujb227zvb+7XQnYA5DMGtECLiU9FJJnMPrb8Zrqjg3ZHMsqNpU+FH/34oDW4noTg== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.353 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.353/0.353/0.353/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/eSx8q2+r1Z1WLQaPUDgqx1vhfs46DITg= set interfaces ethernet eth2 supplicant username wrong set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+UnauthorizedShow output
--------------------------------- Field Value --------------------------------- EAPoL Frames (Rx) 9 EAPoL Frames (Tx) 10 Invalid Frames (Rx) 0 Logoff Frames (Tx) 0 Port Status Unauthorized Req Frames (Rx) 8 Req ID Frames (Rx) 1 Resp Frames (Tx) 9 Start Frames (Tx) 1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 8 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 10 EAPoL frames (Tx) 9 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)Show output
Mar 23 14:44:26.482096 osdx hostapd[803595]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 23 14:44:26.482110 osdx hostapd[803595]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:44:26.482364 osdx hostapd[803595]: connect[radius]: Network is unreachable Mar 23 14:44:26.482151 osdx hostapd[803595]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 23 14:44:26.482155 osdx hostapd[803595]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 23 14:44:26.501976 osdx hostapd[803595]: Discovery mode enabled on eth2 Mar 23 14:44:26.502053 osdx hostapd[803595]: eth2: interface state UNINITIALIZED->ENABLED Mar 23 14:44:26.502053 osdx hostapd[803595]: eth2: AP-ENABLED Mar 23 14:44:29.670104 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Mar 23 14:44:29.670118 osdx hostapd[803596]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 23 14:44:29.690011 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 23 14:44:29.690042 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Mar 23 14:44:29.690056 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Mar 23 14:44:29.691749 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Mar 23 14:44:29.691759 osdx hostapd[803596]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:44:29.691830 osdx hostapd[803596]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:29.691859 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:29.691885 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Mar 23 14:44:30.691989 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Mar 23 14:44:30.692021 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Mar 23 14:44:30.692270 osdx hostapd[803596]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 23 14:44:30.692275 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:30.692279 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:30.692282 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Mar 23 14:44:30.692328 osdx hostapd[803596]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 23 14:44:30.692331 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Mar 23 14:44:30.692333 osdx hostapd[803596]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 23 14:44:30.692336 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Mar 23 14:44:30.692342 osdx hostapd[803596]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 23 14:44:30.692355 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 50) Mar 23 14:44:30.692368 osdx hostapd[803596]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 23 14:44:30.692370 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:30.692373 osdx hostapd[803596]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet Mar 23 14:44:30.692643 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=50 len=10) from STA: EAP Response-Identity (1) Mar 23 14:44:30.692653 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' Mar 23 14:44:30.692701 osdx hostapd[803596]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:30.692712 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:30.692921 osdx hostapd[803596]: eth2: RADIUS Received 80 bytes from RADIUS server Mar 23 14:44:30.692927 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:30.692931 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:30.692961 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=51 len=22) from RADIUS server: EAP-Request-MD5 (4) Mar 23 14:44:30.692968 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 51) Mar 23 14:44:30.693132 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=51 len=6) from STA: EAP Response-unknown (3) Mar 23 14:44:30.693168 osdx hostapd[803596]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:30.693179 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:30.693360 osdx hostapd[803596]: eth2: RADIUS Received 64 bytes from RADIUS server Mar 23 14:44:30.693364 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:30.693367 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:30.693380 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=52 len=6) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:30.693385 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 52) Mar 23 14:44:30.693714 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=52 len=194) from STA: EAP Response-PEAP (25) Mar 23 14:44:30.693747 osdx hostapd[803596]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:30.693756 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:30.694912 osdx hostapd[803596]: eth2: RADIUS Received 1068 bytes from RADIUS server Mar 23 14:44:30.694918 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:30.694921 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:30.694943 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=53 len=1004) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:30.694949 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 53) Mar 23 14:44:30.695108 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=53 len=6) from STA: EAP Response-PEAP (25) Mar 23 14:44:30.695146 osdx hostapd[803596]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:30.695155 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:30.695279 osdx hostapd[803596]: eth2: RADIUS Received 229 bytes from RADIUS server Mar 23 14:44:30.695284 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:30.695287 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:30.695303 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=54 len=171) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:30.695309 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 54) Mar 23 14:44:30.696527 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=54 len=103) from STA: EAP Response-PEAP (25) Mar 23 14:44:30.696569 osdx hostapd[803596]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:30.696582 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:30.696873 osdx hostapd[803596]: eth2: RADIUS Received 115 bytes from RADIUS server Mar 23 14:44:30.696879 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:30.696883 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:30.696897 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=55 len=57) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:30.696902 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 55) Mar 23 14:44:30.697122 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=55 len=6) from STA: EAP Response-PEAP (25) Mar 23 14:44:30.697167 osdx hostapd[803596]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:30.697180 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:30.697332 osdx hostapd[803596]: eth2: RADIUS Received 98 bytes from RADIUS server Mar 23 14:44:30.697338 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:30.697342 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:30.697361 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=56 len=40) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:30.697367 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 56) Mar 23 14:44:30.697532 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=56 len=41) from STA: EAP Response-PEAP (25) Mar 23 14:44:30.697615 osdx hostapd[803596]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:30.697628 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:30.697789 osdx hostapd[803596]: eth2: RADIUS Received 131 bytes from RADIUS server Mar 23 14:44:30.697795 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:30.697798 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:30.697817 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=57 len=73) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:30.697823 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 57) Mar 23 14:44:30.698065 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=57 len=95) from STA: EAP Response-PEAP (25) Mar 23 14:44:30.698098 osdx hostapd[803596]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:30.698108 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:30.698297 osdx hostapd[803596]: eth2: RADIUS Received 104 bytes from RADIUS server Mar 23 14:44:30.698301 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:30.698304 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:30.698317 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=58 len=46) from RADIUS server: EAP-Request-PEAP (25) Mar 23 14:44:30.698322 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 58) Mar 23 14:44:30.698475 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=58 len=46) from STA: EAP Response-PEAP (25) Mar 23 14:44:30.698503 osdx hostapd[803596]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:30.698511 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:31.698620 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8) Mar 23 14:44:31.698662 osdx hostapd[803596]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Mar 23 14:44:31.698836 osdx hostapd[803596]: eth2: RADIUS Received 44 bytes from RADIUS server Mar 23 14:44:31.698840 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:31.698845 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:31.698899 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=58 len=4) from RADIUS server: EAP Failure Mar 23 14:44:31.698929 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 58) Mar 23 14:44:31.698943 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port Mar 23 14:44:31.698957 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) Mar 23 14:44:31.698960 osdx hostapd[803596]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds) Mar 23 14:44:31.698966 osdx hostapd[803596]: eth2: RADIUS Received 44 bytes from RADIUS server Mar 23 14:44:31.698969 osdx hostapd[803596]: eth2: RADIUS Received RADIUS message Mar 23 14:44:31.698972 osdx hostapd[803596]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set interfaces ethernet eth2 address 192.168.100.1/24 set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2 set interfaces ethernet eth2 authenticator aaa authentication list1 set interfaces ethernet eth2 authenticator log-level debug set interfaces ethernet eth2 authenticator mode MAB-802.1x set interfaces ethernet eth2 authenticator quiet-period 60 set interfaces ethernet eth2 authenticator reauth-period 0 set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/dd37azBeDpyw999X39+7QpFmSAiDSyQdHrR/lJ1MkmTpMusHNhQzsmxAiXw21zDJqyUoElMDy7w== set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.636 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.636/0.636/0.636/0.000 ms
Step 3: Set the following configuration in DUT1 :
set interfaces ethernet eth2 address 192.168.100.2/24 set interfaces ethernet eth2 mac '00:11:22:33:44:55' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?Show output
------------------------------------------- Field Value ------------------------------------------- Access Challenges 0 Authentication Backend RADIUS Authentication Failures 1 Authentication Mode N/A Authentication Status Unauthorized Authentication Successes 0 EAPoL frames (Rx) 0 EAPoL frames (Tx) 2 Quiet Period 60 Reauthenticate FALSE Reauthenticate Period 0 Session Time 0 Session User MAC 00:11:22:33:44:55 Session User Name N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. --- 192.168.100.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X IEEE 802.1X: EAP authentication timeoutShow output
Mar 23 14:44:39.644748 osdx hostapd[804107]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Mar 23 14:44:39.644763 osdx hostapd[804107]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:44:39.645088 osdx hostapd[804107]: connect[radius]: Network is unreachable Mar 23 14:44:39.644813 osdx hostapd[804107]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Mar 23 14:44:39.644819 osdx hostapd[804107]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Mar 23 14:44:39.664572 osdx hostapd[804107]: Discovery mode enabled on eth2 Mar 23 14:44:39.664643 osdx hostapd[804107]: eth2: interface state UNINITIALIZED->ENABLED Mar 23 14:44:39.664643 osdx hostapd[804107]: eth2: AP-ENABLED Mar 23 14:44:44.664671 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication Mar 23 14:44:44.664718 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Mar 23 14:44:44.664728 osdx hostapd[804108]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Mar 23 14:44:44.680625 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication Mar 23 14:44:44.680650 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query Mar 23 14:44:44.680664 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55 Mar 23 14:44:44.682389 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55 Mar 23 14:44:44.682403 osdx hostapd[804108]: eth2: RADIUS Authentication server 10.215.168.1:1812 Mar 23 14:44:44.682475 osdx hostapd[804108]: eth2: RADIUS Sending RADIUS message to authentication server Mar 23 14:44:44.682500 osdx hostapd[804108]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Mar 23 14:44:45.682590 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128) Mar 23 14:44:45.682802 osdx hostapd[804108]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Mar 23 14:44:45.682863 osdx hostapd[804108]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 23 14:44:45.682866 osdx hostapd[804108]: eth2: RADIUS Received RADIUS message Mar 23 14:44:45.682871 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Mar 23 14:44:45.682876 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response Mar 23 14:44:45.682935 osdx hostapd[804108]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Mar 23 14:44:45.682938 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X Mar 23 14:44:45.682942 osdx hostapd[804108]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Mar 23 14:44:45.682945 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started Mar 23 14:44:45.682953 osdx hostapd[804108]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Mar 23 14:44:45.682970 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 4) Mar 23 14:44:45.683088 osdx hostapd[804108]: eth2: RADIUS Received 20 bytes from RADIUS server Mar 23 14:44:45.683091 osdx hostapd[804108]: eth2: RADIUS Received RADIUS message Mar 23 14:44:45.683097 osdx hostapd[804108]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet Mar 23 14:44:48.684685 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 4) Mar 23 14:44:53.563981 osdx OSDxCLI[768149]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 23 14:44:54.689665 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 4) Mar 23 14:45:01.754026 osdx OSDxCLI[768149]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'. Mar 23 14:45:06.700671 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication Mar 23 14:45:06.700682 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying Mar 23 14:45:06.700694 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2) Mar 23 14:45:06.700698 osdx hostapd[804108]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)