MAB Fallback
This scenario shows how to configure the MAB-fallback authentication mode.
Test Successful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password.
Scenario
Step 1: Set the following configuration in DUT0:

    set interfaces ethernet eth0 address 10.215.168.64/24
    set interfaces ethernet eth2 address 192.168.100.1/24
    set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
    set interfaces ethernet eth2 authenticator aaa authentication list1
    set interfaces ethernet eth2 authenticator log-level debug
    set interfaces ethernet eth2 authenticator mode 802.1x-MAB
    set interfaces ethernet eth2 authenticator quiet-period 60
    set interfaces ethernet eth2 authenticator reauth-period 0
    set system aaa group radius radgroup1 server serv1
    set system aaa list list1 method 1 group radius radgroup1
    set system aaa server radius serv1 address 10.215.168.1
    set system aaa server radius serv1 encrypted-key U2FsdGVkX1+e4Lh8Y/+/IUm5CPBdKNwUOkae0kphbLUhIr3TG9/j7lVbKTD54exOqnmwOz7fS7grmZwYMsHlxQ==
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

    admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

Output:

    PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
    64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.242 ms

    --- 10.215.168.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.242/0.242/0.242/0.000 ms

Step 3: Set the following configuration in DUT1:

    set interfaces ethernet eth2 address 192.168.100.2/24
    set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/dU+DpbPJQ8D0m8hYn0Ai+FaITAEazBnI=
    set interfaces ethernet eth2 supplicant username testing
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:

    Authorized

Output:

    ---------------------------------------------------
    Field                   Value
    ---------------------------------------------------
    EAP State               SUCCESS
    EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
    EAP TLS Version         TLSv1.2
    PAE State               AUTHENTICATED
    Supplicant Port Status  Authorized
    WPA State               COMPLETED

Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

    Port Status\s+Authorized

Output:

    -------------------------------
    Field                Value
    -------------------------------
    EAPoL Frames (Rx)    11
    EAPoL Frames (Tx)    11
    Invalid Frames (Rx)  0
    Logoff Frames (Tx)   0
    Port Status          Authorized
    Req Frames (Rx)      9
    Req ID Frames (Rx)   1
    Resp Frames (Tx)     10
    Start Frames (Tx)    1

Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

    Authentication Successes\s+1
    Authentication Mode\s+802\.1X

Output:

    ---------------------------------------------
    Field                     Value
    ---------------------------------------------
    Access Challenges         9
    Authentication Backend    RADIUS
    Authentication Failures   0
    Authentication Mode       802.1X
    Authentication Status     Authorized (802.1X)
    Authentication Successes  1
    EAPoL frames (Rx)         11
    EAPoL frames (Tx)         11
    Quiet Period              60
    Reauthenticate            FALSE
    Reauthenticate Period     0
    Session Time              0
    Session User MAC          de:ad:be:ef:6c:12
    Session User Name         testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

    admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1

Output:

    PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
    64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.695 ms

    --- 192.168.100.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.695/0.695/0.695/0.000 ms

Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

    IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Output:

    Apr 16 23:30:15.282577 osdx hostapd[1067421]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
    Apr 16 23:30:15.282594 osdx hostapd[1067421]: eth2: RADIUS Authentication server 10.215.168.1:1812
    Apr 16 23:30:15.282854 osdx hostapd[1067421]: connect[radius]: Network is unreachable
    Apr 16 23:30:15.282644 osdx hostapd[1067421]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
    Apr 16 23:30:15.282647 osdx hostapd[1067421]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
    Apr 16 23:30:15.302456 osdx hostapd[1067421]: Discovery mode enabled on eth2
    Apr 16 23:30:15.302534 osdx hostapd[1067421]: eth2: interface state UNINITIALIZED->ENABLED
    Apr 16 23:30:15.302555 osdx hostapd[1067421]: eth2: AP-ENABLED
    Apr 16 23:30:18.430344 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
    Apr 16 23:30:18.430362 osdx hostapd[1067422]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
    Apr 16 23:30:18.450504 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
    Apr 16 23:30:18.450533 osdx hostapd[1067422]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
    Apr 16 23:30:18.450539 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
    Apr 16 23:30:18.450542 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
    Apr 16 23:30:18.450556 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
    Apr 16 23:30:18.450558 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
    Apr 16 23:30:18.450576 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
    Apr 16 23:30:18.450588 osdx hostapd[1067422]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
    Apr 16 23:30:18.450618 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 1)
    Apr 16 23:30:18.451010 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=1 len=12) from STA: EAP Response-Identity (1)
    Apr 16 23:30:18.451021 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
    Apr 16 23:30:18.451049 osdx hostapd[1067422]: eth2: RADIUS Authentication server 10.215.168.1:1812
    Apr 16 23:30:18.452962 osdx hostapd[1067422]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:18.452990 osdx hostapd[1067422]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:18.453264 osdx hostapd[1067422]: eth2: RADIUS Received 80 bytes from RADIUS server
    Apr 16 23:30:18.453269 osdx hostapd[1067422]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:18.453273 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:18.453291 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=2 len=22) from RADIUS server: EAP-Request-MD5 (4)
    Apr 16 23:30:18.453298 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 2)
    Apr 16 23:30:18.453597 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=2 len=6) from STA: EAP Response-unknown (3)
    Apr 16 23:30:18.453674 osdx hostapd[1067422]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:18.453738 osdx hostapd[1067422]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:18.453926 osdx hostapd[1067422]: eth2: RADIUS Received 64 bytes from RADIUS server
    Apr 16 23:30:18.453932 osdx hostapd[1067422]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:18.453937 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:18.453960 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=3 len=6) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:18.453968 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 3)
    Apr 16 23:30:18.454389 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=3 len=194) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:18.454456 osdx hostapd[1067422]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:18.454473 osdx hostapd[1067422]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:18.455792 osdx hostapd[1067422]: eth2: RADIUS Received 1068 bytes from RADIUS server
    Apr 16 23:30:18.455800 osdx hostapd[1067422]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:18.455804 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:18.455833 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=4 len=1004) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:18.455846 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 4)
    Apr 16 23:30:18.456069 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=4 len=6) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:18.456119 osdx hostapd[1067422]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:18.456134 osdx hostapd[1067422]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:18.456265 osdx hostapd[1067422]: eth2: RADIUS Received 229 bytes from RADIUS server
    Apr 16 23:30:18.456271 osdx hostapd[1067422]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:18.456276 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:18.456291 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=5 len=171) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:18.456298 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 5)
    Apr 16 23:30:18.458210 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=5 len=103) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:18.458254 osdx hostapd[1067422]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:18.458265 osdx hostapd[1067422]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:18.458561 osdx hostapd[1067422]: eth2: RADIUS Received 115 bytes from RADIUS server
    Apr 16 23:30:18.458566 osdx hostapd[1067422]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:18.458569 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:18.458584 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=6 len=57) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:18.458589 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 6)
    Apr 16 23:30:18.458857 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=6 len=6) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:18.458887 osdx hostapd[1067422]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:18.458895 osdx hostapd[1067422]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:18.459031 osdx hostapd[1067422]: eth2: RADIUS Received 98 bytes from RADIUS server
    Apr 16 23:30:18.459036 osdx hostapd[1067422]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:18.459039 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:18.459052 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=7 len=40) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:18.459057 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 7)
    Apr 16 23:30:18.459197 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=7 len=43) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:18.459227 osdx hostapd[1067422]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:18.459236 osdx hostapd[1067422]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:18.459375 osdx hostapd[1067422]: eth2: RADIUS Received 131 bytes from RADIUS server
    Apr 16 23:30:18.459379 osdx hostapd[1067422]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:18.459382 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:18.459393 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=8 len=73) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:18.459397 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 8)
    Apr 16 23:30:18.459613 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=8 len=97) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:18.459647 osdx hostapd[1067422]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:18.459661 osdx hostapd[1067422]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:18.459817 osdx hostapd[1067422]: eth2: RADIUS Received 140 bytes from RADIUS server
    Apr 16 23:30:18.459822 osdx hostapd[1067422]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:18.459824 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:18.459836 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=9 len=82) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:18.459841 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 9)
    Apr 16 23:30:18.459995 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=9 len=37) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:18.460020 osdx hostapd[1067422]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:18.460028 osdx hostapd[1067422]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:18.460169 osdx hostapd[1067422]: eth2: RADIUS Received 104 bytes from RADIUS server
    Apr 16 23:30:18.460173 osdx hostapd[1067422]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:18.460175 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:18.460186 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=10 len=46) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:18.460191 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 10)
    Apr 16 23:30:18.460358 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=10 len=46) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:18.460390 osdx hostapd[1067422]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:18.460399 osdx hostapd[1067422]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:18.460569 osdx hostapd[1067422]: eth2: RADIUS Received 175 bytes from RADIUS server
    Apr 16 23:30:18.460574 osdx hostapd[1067422]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:18.460581 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:18.460600 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
    Apr 16 23:30:18.460603 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=10 len=4) from RADIUS server: EAP Success
    Apr 16 23:30:18.460617 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 10)
    Apr 16 23:30:18.460629 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
    Apr 16 23:30:18.460633 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 59ECDC4EFAB994DB
    Apr 16 23:30:18.460636 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

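An added example (not part of the original page or of OSDx): a summarizer for the Step 8 journal that reports, per station, whether the port was authorized by 802.1X or is still waiting on the MAB fallback timer. Most sample lines are copied from the log above; the two lines for station 02:00:00:00:00:01 are constructed, and the names `Station`, `summarize`, `mab_candidates` and the verdict labels are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 802.1X PAE group address; hostapd logs it as a "STA" but it is not a station.
PAE_GROUP_ADDR = "01:80:c2:00:00:03"

# Sample input: lines copied from the Step 8 output, except the last two
# (station 02:00:00:00:00:01), which are constructed for this example.
SAMPLE_JOURNAL = """\
Apr 16 23:30:15.282644 osdx hostapd[1067421]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Apr 16 23:30:18.450533 osdx hostapd[1067422]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Apr 16 23:30:18.450539 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Apr 16 23:30:18.450556 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Apr 16 23:30:18.450576 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Apr 16 23:30:18.451021 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Apr 16 23:30:18.460629 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Apr 16 23:30:18.460636 osdx hostapd[1067422]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Apr 16 23:31:02.000001 osdx hostapd[1067422]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: start authentication
Apr 16 23:31:02.000002 osdx hostapd[1067422]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
"""

INIT_RE = re.compile(
    r"Initializing IEEE 802\.1X: mode=(?P<mode>[^,]+), .*\bmab_timeout=(?P<timeout>\d+)"
)
LINE_RE = re.compile(
    r"hostapd\[\d+\]: \S+: STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:IEEE 802\.1X|RADIUS): (?P<msg>.*)$"
)
SCHED_RE = re.compile(r"Scheduling MAB trigger in (\d+) seconds")
IDENT_RE = re.compile(r"STA identity '([^']*)'")
AUTH_RE = re.compile(r"authenticated - EAP type: \d+ \((\w+)\)")


@dataclass
class Station:
    mac: str
    identity: Optional[str] = None
    mab_timeout: Optional[int] = None   # seconds, once the MAB trigger is scheduled
    mab_cancelled: bool = False         # True once an 802.1X response cancels it
    eap_method: Optional[str] = None
    port_authorized: bool = False

    def verdict(self) -> str:
        if self.port_authorized and self.eap_method:
            return "802.1X"
        if self.mab_timeout is not None and not self.mab_cancelled:
            # No EAPOL seen from this station: the MAC address alone will decide.
            return "mab-pending"
        return "in-progress"


def summarize(journal: str) -> Tuple[Dict[str, object], Dict[str, Station]]:
    """Return (authenticator settings, per-station state) from hostapd journal text."""
    config: Dict[str, object] = {}
    stations: Dict[str, Station] = {}
    for line in journal.splitlines():
        init = INIT_RE.search(line)
        if init:
            config = {"mode": init["mode"], "mab_timeout": int(init["timeout"])}
            continue
        m = LINE_RE.search(line)
        if not m or m["mac"] == PAE_GROUP_ADDR:
            continue
        sta = stations.setdefault(m["mac"], Station(m["mac"]))
        msg = m["msg"]
        sched, ident, auth = SCHED_RE.search(msg), IDENT_RE.search(msg), AUTH_RE.search(msg)
        if sched:
            sta.mab_timeout, sta.mab_cancelled = int(sched.group(1)), False
        elif "Cancelled MAB trigger" in msg:
            sta.mab_cancelled = True
        elif ident:
            sta.identity = ident.group(1)
        elif auth:
            sta.eap_method = auth.group(1)
        elif msg == "authorizing port":
            sta.port_authorized = True
        elif msg == "unauthorizing port":
            sta.port_authorized = False
    return config, stations


def mab_candidates(stations: Dict[str, Station]) -> List[str]:
    """MACs whose access will be decided by MAB rather than by 802.1X credentials."""
    return sorted(mac for mac, s in stations.items() if s.verdict() == "mab-pending")


if __name__ == "__main__":
    cfg, stas = summarize(SAMPLE_JOURNAL)
    print(cfg)
    for mac, s in stas.items():
        print(mac, s.verdict(), s.identity, s.eap_method)
```
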
Test Successful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:

    set interfaces ethernet eth0 address 10.215.168.64/24
    set interfaces ethernet eth2 address 192.168.100.1/24
    set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
    set interfaces ethernet eth2 authenticator aaa authentication list1
    set interfaces ethernet eth2 authenticator log-level debug
    set interfaces ethernet eth2 authenticator mode 802.1x-MAB
    set interfaces ethernet eth2 authenticator quiet-period 60
    set interfaces ethernet eth2 authenticator reauth-period 0
    set system aaa group radius radgroup1 server serv1
    set system aaa list list1 method 1 group radius radgroup1
    set system aaa server radius serv1 address 10.215.168.1
    set system aaa server radius serv1 encrypted-key U2FsdGVkX18dQbJboZJZLVRCv5ffSHgKu7JoJW6LZUAlZIlbWULR5nPStVduPdMr5+IVoam0AvWg7tlooy4UMQ==
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

    admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

Output:

    PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
    64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.299 ms

    --- 10.215.168.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.299/0.299/0.299/0.000 ms

Step 3: Set the following configuration in DUT1:

    set interfaces ethernet eth2 address 192.168.100.2/24
    set interfaces ethernet eth2 mac '00:11:22:33:44:55'
    set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1++GY+Jx59jhMLOlyBsHlHrg/3yQaMeHgg=
    set interfaces ethernet eth2 supplicant username testing
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:

    Authorized

Output:

    ---------------------------------------------------
    Field                   Value
    ---------------------------------------------------
    EAP State               SUCCESS
    EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
    EAP TLS Version         TLSv1.2
    PAE State               AUTHENTICATED
    Supplicant Port Status  Authorized
    WPA State               COMPLETED

Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

    Port Status\s+Authorized

Output:

    -------------------------------
    Field                Value
    -------------------------------
    EAPoL Frames (Rx)    11
    EAPoL Frames (Tx)    11
    Invalid Frames (Rx)  0
    Logoff Frames (Tx)   0
    Port Status          Authorized
    Req Frames (Rx)      9
    Req ID Frames (Rx)   1
    Resp Frames (Tx)     10
    Start Frames (Tx)    1

Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

    Authentication Successes\s+1
    Authentication Mode\s+802\.1X

Output:

    ---------------------------------------------
    Field                     Value
    ---------------------------------------------
    Access Challenges         9
    Authentication Backend    RADIUS
    Authentication Failures   0
    Authentication Mode       802.1X
    Authentication Status     Authorized (802.1X)
    Authentication Successes  1
    EAPoL frames (Rx)         11
    EAPoL frames (Tx)         11
    Quiet Period              60
    Reauthenticate            FALSE
    Reauthenticate Period     0
    Session Time              0
    Session User MAC          00:11:22:33:44:55
    Session User Name         testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

    admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1

Output:

    PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
    64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.708 ms

    --- 192.168.100.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.708/0.708/0.708/0.000 ms

Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

    IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Output:

    Apr 16 23:30:27.662267 osdx hostapd[1067938]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
    Apr 16 23:30:27.666697 osdx hostapd[1067938]: eth2: RADIUS Authentication server 10.215.168.1:1812
    Apr 16 23:30:27.666826 osdx hostapd[1067938]: connect[radius]: Network is unreachable
    Apr 16 23:30:27.666757 osdx hostapd[1067938]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
    Apr 16 23:30:27.666761 osdx hostapd[1067938]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
    Apr 16 23:30:27.686110 osdx hostapd[1067938]: Discovery mode enabled on eth2
    Apr 16 23:30:27.686234 osdx hostapd[1067938]: eth2: interface state UNINITIALIZED->ENABLED
    Apr 16 23:30:27.686234 osdx hostapd[1067938]: eth2: AP-ENABLED
    Apr 16 23:30:31.151952 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
    Apr 16 23:30:31.151966 osdx hostapd[1067939]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
    Apr 16 23:30:31.166165 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
    Apr 16 23:30:31.166196 osdx hostapd[1067939]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
    Apr 16 23:30:31.166200 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
    Apr 16 23:30:31.166203 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
    Apr 16 23:30:31.166220 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
    Apr 16 23:30:31.166223 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
    Apr 16 23:30:31.166237 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
    Apr 16 23:30:31.166246 osdx hostapd[1067939]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
    Apr 16 23:30:31.166269 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 57)
    Apr 16 23:30:31.166627 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=57 len=12) from STA: EAP Response-Identity (1)
    Apr 16 23:30:31.166640 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
    Apr 16 23:30:31.166667 osdx hostapd[1067939]: eth2: RADIUS Authentication server 10.215.168.1:1812
    Apr 16 23:30:31.168516 osdx hostapd[1067939]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:31.168544 osdx hostapd[1067939]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:31.168842 osdx hostapd[1067939]: eth2: RADIUS Received 80 bytes from RADIUS server
    Apr 16 23:30:31.168847 osdx hostapd[1067939]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:31.168850 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:31.168867 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=58 len=22) from RADIUS server: EAP-Request-MD5 (4)
    Apr 16 23:30:31.168873 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 58)
    Apr 16 23:30:31.169066 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=58 len=6) from STA: EAP Response-unknown (3)
    Apr 16 23:30:31.169108 osdx hostapd[1067939]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:31.169121 osdx hostapd[1067939]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:31.169297 osdx hostapd[1067939]: eth2: RADIUS Received 64 bytes from RADIUS server
    Apr 16 23:30:31.169302 osdx hostapd[1067939]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:31.169305 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:31.169329 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=59 len=6) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:31.169336 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 59)
    Apr 16 23:30:31.169628 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=59 len=194) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:31.169666 osdx hostapd[1067939]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:31.169680 osdx hostapd[1067939]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:31.170622 osdx hostapd[1067939]: eth2: RADIUS Received 1068 bytes from RADIUS server
    Apr 16 23:30:31.170628 osdx hostapd[1067939]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:31.170632 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:31.170654 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=60 len=1004) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:31.170660 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 60)
    Apr 16 23:30:31.170815 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=60 len=6) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:31.170856 osdx hostapd[1067939]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:31.170869 osdx hostapd[1067939]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:31.170970 osdx hostapd[1067939]: eth2: RADIUS Received 229 bytes from RADIUS server
    Apr 16 23:30:31.170975 osdx hostapd[1067939]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:31.170978 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:31.170991 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=61 len=171) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:31.170996 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 61)
    Apr 16 23:30:31.172239 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=61 len=103) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:31.172281 osdx hostapd[1067939]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:31.172298 osdx hostapd[1067939]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:31.172570 osdx hostapd[1067939]: eth2: RADIUS Received 115 bytes from RADIUS server
    Apr 16 23:30:31.172575 osdx hostapd[1067939]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:31.172578 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:31.172594 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=62 len=57) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:31.172600 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 62)
    Apr 16 23:30:31.172798 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=62 len=6) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:31.172834 osdx hostapd[1067939]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:31.172848 osdx hostapd[1067939]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:31.172969 osdx hostapd[1067939]: eth2: RADIUS Received 98 bytes from RADIUS server
    Apr 16 23:30:31.172974 osdx hostapd[1067939]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:31.172976 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:31.172988 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=63 len=40) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:31.172993 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 63)
    Apr 16 23:30:31.173126 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=63 len=43) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:31.173157 osdx hostapd[1067939]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:31.173166 osdx hostapd[1067939]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:31.173316 osdx hostapd[1067939]: eth2: RADIUS Received 131 bytes from RADIUS server
    Apr 16 23:30:31.173321 osdx hostapd[1067939]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:31.173325 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:31.173338 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=64 len=73) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:31.173343 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 64)
    Apr 16 23:30:31.173554 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=64 len=97) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:31.173586 osdx hostapd[1067939]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:31.173597 osdx hostapd[1067939]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:31.173758 osdx hostapd[1067939]: eth2: RADIUS Received 140 bytes from RADIUS server
    Apr 16 23:30:31.173763 osdx hostapd[1067939]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:31.173766 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:31.173779 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=65 len=82) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:31.173784 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 65)
    Apr 16 23:30:31.173999 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=65 len=37) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:31.174026 osdx hostapd[1067939]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:31.174044 osdx hostapd[1067939]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:31.174219 osdx hostapd[1067939]: eth2: RADIUS Received 104 bytes from RADIUS server
    Apr 16 23:30:31.174224 osdx hostapd[1067939]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:31.174227 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:31.174238 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=66 len=46) from RADIUS server: EAP-Request-PEAP (25)
    Apr 16 23:30:31.174243 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 66)
    Apr 16 23:30:31.174368 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=66 len=46) from STA: EAP Response-PEAP (25)
    Apr 16 23:30:31.174402 osdx hostapd[1067939]: eth2: RADIUS Sending RADIUS message to authentication server
    Apr 16 23:30:31.174413 osdx hostapd[1067939]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
    Apr 16 23:30:31.174564 osdx hostapd[1067939]: eth2: RADIUS Received 175 bytes from RADIUS server
    Apr 16 23:30:31.174569 osdx hostapd[1067939]: eth2: RADIUS Received RADIUS message
    Apr 16 23:30:31.174572 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
    Apr 16 23:30:31.174590 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
    Apr 16 23:30:31.174594 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=66 len=4) from RADIUS server: EAP Success
    Apr 16 23:30:31.174606 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 66)
    Apr 16 23:30:31.174619 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
    Apr 16 23:30:31.174622 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session A6E58769D4A65655
    Apr 16 23:30:31.174626 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Test Unsuccessful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/29kU2G1urEl2JAf2lz9W33bW9ybR/Zgxyc5vx3BQF8ekZdxalgo35+9Km1FeruOOiUA9J1eYExg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.348 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.348/0.348/0.348/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+RWUMrUNitpA4RnFANhkgvvqfPyWBrNXo=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         8
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         10
EAPoL frames (Tx)         10
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         wrong
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.379 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Apr 16 23:30:40.542338 osdx hostapd[1068457]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Apr 16 23:30:40.542351 osdx hostapd[1068457]: eth2: RADIUS Authentication server 10.215.168.1:1812 Apr 16 23:30:40.542659 osdx hostapd[1068457]: connect[radius]: Network is unreachable Apr 16 23:30:40.542394 osdx hostapd[1068457]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Apr 16 23:30:40.542397 osdx hostapd[1068457]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Apr 16 23:30:40.566166 osdx hostapd[1068457]: Discovery mode enabled on eth2 Apr 16 23:30:40.566264 osdx hostapd[1068457]: eth2: interface state UNINITIALIZED->ENABLED Apr 16 23:30:40.566264 osdx hostapd[1068457]: eth2: AP-ENABLED Apr 16 23:30:43.835019 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Apr 16 23:30:43.835031 osdx hostapd[1068458]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Apr 16 23:30:43.854179 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication Apr 16 23:30:43.854205 osdx hostapd[1068458]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Apr 16 23:30:43.854208 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response Apr 16 23:30:43.854213 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Apr 16 23:30:43.854227 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response Apr 16 23:30:43.854229 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Apr 16 23:30:43.854236 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Apr 
16 23:30:43.854244 osdx hostapd[1068458]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Apr 16 23:30:43.854261 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 2) Apr 16 23:30:43.854609 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=2 len=10) from STA: EAP Response-Identity (1) Apr 16 23:30:43.854622 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong' Apr 16 23:30:43.854642 osdx hostapd[1068458]: eth2: RADIUS Authentication server 10.215.168.1:1812 Apr 16 23:30:43.856429 osdx hostapd[1068458]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:43.856455 osdx hostapd[1068458]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:43.856680 osdx hostapd[1068458]: eth2: RADIUS Received 80 bytes from RADIUS server Apr 16 23:30:43.856685 osdx hostapd[1068458]: eth2: RADIUS Received RADIUS message Apr 16 23:30:43.856688 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:43.856704 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=3 len=22) from RADIUS server: EAP-Request-MD5 (4) Apr 16 23:30:43.856710 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 3) Apr 16 23:30:43.856910 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=3 len=6) from STA: EAP Response-unknown (3) Apr 16 23:30:43.856948 osdx hostapd[1068458]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:43.856961 osdx hostapd[1068458]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:43.857114 osdx hostapd[1068458]: eth2: RADIUS Received 64 bytes from RADIUS server Apr 16 23:30:43.857119 osdx hostapd[1068458]: eth2: RADIUS Received RADIUS message 
Apr 16 23:30:43.857122 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:43.857135 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=4 len=6) from RADIUS server: EAP-Request-PEAP (25) Apr 16 23:30:43.857140 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 4) Apr 16 23:30:43.857470 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=4 len=194) from STA: EAP Response-PEAP (25) Apr 16 23:30:43.857505 osdx hostapd[1068458]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:43.857514 osdx hostapd[1068458]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:43.858515 osdx hostapd[1068458]: eth2: RADIUS Received 1068 bytes from RADIUS server Apr 16 23:30:43.858523 osdx hostapd[1068458]: eth2: RADIUS Received RADIUS message Apr 16 23:30:43.858528 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:43.858558 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=5 len=1004) from RADIUS server: EAP-Request-PEAP (25) Apr 16 23:30:43.858566 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 5) Apr 16 23:30:43.858713 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=5 len=6) from STA: EAP Response-PEAP (25) Apr 16 23:30:43.858755 osdx hostapd[1068458]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:43.858767 osdx hostapd[1068458]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:43.858899 osdx hostapd[1068458]: eth2: RADIUS Received 229 bytes from RADIUS server Apr 16 23:30:43.858903 osdx hostapd[1068458]: eth2: RADIUS 
Received RADIUS message Apr 16 23:30:43.858907 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:43.858921 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=6 len=171) from RADIUS server: EAP-Request-PEAP (25) Apr 16 23:30:43.858926 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 6) Apr 16 23:30:43.860225 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=6 len=103) from STA: EAP Response-PEAP (25) Apr 16 23:30:43.860270 osdx hostapd[1068458]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:43.860285 osdx hostapd[1068458]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:43.860599 osdx hostapd[1068458]: eth2: RADIUS Received 115 bytes from RADIUS server Apr 16 23:30:43.860603 osdx hostapd[1068458]: eth2: RADIUS Received RADIUS message Apr 16 23:30:43.860607 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:43.860622 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=7 len=57) from RADIUS server: EAP-Request-PEAP (25) Apr 16 23:30:43.860628 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 7) Apr 16 23:30:43.860849 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=7 len=6) from STA: EAP Response-PEAP (25) Apr 16 23:30:43.860883 osdx hostapd[1068458]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:43.860893 osdx hostapd[1068458]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:43.861008 osdx hostapd[1068458]: eth2: RADIUS Received 98 bytes from RADIUS server Apr 16 23:30:43.861012 osdx 
hostapd[1068458]: eth2: RADIUS Received RADIUS message Apr 16 23:30:43.861015 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:43.861026 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=8 len=40) from RADIUS server: EAP-Request-PEAP (25) Apr 16 23:30:43.861030 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 8) Apr 16 23:30:43.861213 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=8 len=41) from STA: EAP Response-PEAP (25) Apr 16 23:30:43.861249 osdx hostapd[1068458]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:43.861259 osdx hostapd[1068458]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:43.861417 osdx hostapd[1068458]: eth2: RADIUS Received 131 bytes from RADIUS server Apr 16 23:30:43.861422 osdx hostapd[1068458]: eth2: RADIUS Received RADIUS message Apr 16 23:30:43.861425 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:43.861437 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=9 len=73) from RADIUS server: EAP-Request-PEAP (25) Apr 16 23:30:43.861442 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 9) Apr 16 23:30:43.861688 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=9 len=95) from STA: EAP Response-PEAP (25) Apr 16 23:30:43.861719 osdx hostapd[1068458]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:43.861727 osdx hostapd[1068458]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:43.861986 osdx hostapd[1068458]: eth2: RADIUS Received 104 bytes from RADIUS server Apr 16 
23:30:43.861989 osdx hostapd[1068458]: eth2: RADIUS Received RADIUS message Apr 16 23:30:43.861992 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:43.862005 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=10 len=46) from RADIUS server: EAP-Request-PEAP (25) Apr 16 23:30:43.862011 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 10) Apr 16 23:30:43.862469 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=10 len=46) from STA: EAP Response-PEAP (25) Apr 16 23:30:43.862509 osdx hostapd[1068458]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:43.862520 osdx hostapd[1068458]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:44.862632 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=8) Apr 16 23:30:44.862673 osdx hostapd[1068458]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Apr 16 23:30:44.862850 osdx hostapd[1068458]: eth2: RADIUS Received 44 bytes from RADIUS server Apr 16 23:30:44.862855 osdx hostapd[1068458]: eth2: RADIUS Received RADIUS message Apr 16 23:30:44.862860 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:44.862918 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=4 id=10 len=4) from RADIUS server: EAP Failure Apr 16 23:30:44.862950 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 10) Apr 16 23:30:44.862965 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Apr 16 23:30:44.862970 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) Apr 16 
23:30:44.862973 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately Apr 16 23:30:44.862978 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Apr 16 23:30:44.863037 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Apr 16 23:30:44.863046 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Apr 16 23:30:44.863060 osdx hostapd[1068458]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:44.863074 osdx hostapd[1068458]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:44.863087 osdx hostapd[1068458]: eth2: RADIUS Received 44 bytes from RADIUS server Apr 16 23:30:44.863090 osdx hostapd[1068458]: eth2: RADIUS Received RADIUS message Apr 16 23:30:44.863093 osdx hostapd[1068458]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet Apr 16 23:30:44.863737 osdx hostapd[1068458]: eth2: RADIUS Received 20 bytes from RADIUS server Apr 16 23:30:44.863749 osdx hostapd[1068458]: eth2: RADIUS Received RADIUS message Apr 16 23:30:44.863753 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:44.863757 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Apr 16 23:30:44.863787 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Apr 16 23:30:44.863791 osdx hostapd[1068458]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Apr 16 23:30:44.863801 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Apr 16 23:30:44.863805 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 2B09E455194A962E
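A check for the fallback sequence these journal tokens describe, as an added example (not part of the product documentation or its test suite): it splits hostapd journal text into entries, follows each station from `start authentication`, and reports whether the port was opened by 802.1X, by MAB after a failed 802.1X exchange, or not at all. The names `Attempt`, `classify` and `needs_review` and the sample journal are constructed for the example; the message strings are the ones shown in the journal output on this page and in the token list of the unsuccessful-fallback scenario.

```python
"""Classify hostapd 802.1X / MAB-fallback outcomes per station from journal text."""
import re
from dataclasses import dataclass
from typing import Optional

# Entries may be newline-separated or run together on one line:
# split just before every "<Mon> <day> <time> <host> hostapd[" prefix.
ENTRY_START = re.compile(
    r"(?=[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}\.\d+ \S+ hostapd\[)")
STA_ENTRY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d [\d:.]+) \S+ hostapd\[\d+\]: (?P<iface>\S+): "
    r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?:IEEE 802\.1X|RADIUS): (?P<msg>.*)$")
IDENTITY = re.compile(r"^STA identity '(?P<identity>.*)'$")


@dataclass
class Attempt:
    iface: str
    mac: str
    started: str
    identity: Optional[str] = None
    dot1x: str = "pending"      # pending | success | failed
    mab: str = "not-tried"      # not-tried | triggered | success | failed

    @property
    def verdict(self) -> str:
        if self.dot1x == "success":
            return "802.1X"
        if self.mab == "success":
            return "MAB-after-failed-802.1X" if self.dot1x == "failed" else "MAB"
        if self.mab == "failed":
            return "rejected"
        return "incomplete"


def classify(journal_text: str) -> list:
    """Return one Attempt per 'start authentication' seen, in journal order."""
    attempts, open_by_sta = [], {}
    for raw in ENTRY_START.split(journal_text):
        m = STA_ENTRY.match(raw.strip())
        if not m:
            continue                    # init lines, RADIUS transport lines, ...
        key, msg = (m["iface"], m["mac"]), m["msg"]
        if msg == "start authentication":
            open_by_sta[key] = Attempt(m["iface"], m["mac"], m["ts"])
            attempts.append(open_by_sta[key])
            continue
        att = open_by_sta.get(key)
        if att is None:
            continue                    # PAE group address, or journal starts mid-attempt
        ident = IDENTITY.match(msg)
        if ident:
            att.identity = ident["identity"]
        elif msg.startswith("authenticated - EAP type:"):
            att.dot1x = "success"
        elif msg.startswith("authentication failed - EAP type:"):
            att.dot1x = "failed"
        elif msg.startswith("802.1X authentication failed, triggering MAB fallback"):
            att.mab = "triggered"
        elif msg == "MAB: station successfully authenticated":
            att.mab = "success"
        elif msg.startswith("MAB: Authentication failed"):
            att.mab = "failed"
    return attempts


def needs_review(attempts: list) -> list:
    """Stations that failed 802.1X with a stated identity yet were authorized by MAC."""
    return [(a.mac, a.identity) for a in attempts
            if a.verdict == "MAB-after-failed-802.1X"]


# Constructed sample in the entry format shown on this page (timestamps abridged).
# The third attempt is deliberately run together on one line.
SAMPLE_JOURNAL = "\n".join([
    "Apr 16 23:30:31.100000 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication",
    "Apr 16 23:30:31.100400 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'",
    "Apr 16 23:30:31.174626 osdx hostapd[1067939]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)",
    "Apr 16 23:30:43.854179 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication",
    "Apr 16 23:30:43.854244 osdx hostapd[1068458]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication",
    "Apr 16 23:30:43.854622 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong'",
    "Apr 16 23:30:43.856429 osdx hostapd[1068458]: eth2: RADIUS Sending RADIUS message to authentication server",
    "Apr 16 23:30:44.862970 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)",
    "Apr 16 23:30:44.862973 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately",
    "Apr 16 23:30:44.863787 osdx hostapd[1068458]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated",
    "Apr 16 23:30:57.053635 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication "
    "Apr 16 23:30:57.054111 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' "
    "Apr 16 23:30:58.063872 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) "
    "Apr 16 23:30:58.063876 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately "
    "Apr 16 23:30:59.064500 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed",
])

if __name__ == "__main__":
    for a in classify(SAMPLE_JOURNAL):
        print(f"{a.started}  {a.iface}  {a.mac}  identity={a.identity!r}  -> {a.verdict}")
    print("review:", needs_review(classify(SAMPLE_JOURNAL)))
```
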
Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19LRaoLDF61uJalEjGCQuT6x3fO9mt4Aa+Q5y/j4h50d9WT41iJaHethDMQe5vG/gWKQF9GNPtp1A==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.388 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.388/0.388/0.388/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+ReZqIfx1gblWvvuhRLQraUyzIaOgklC4=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Unauthorized
---------------------------------
Field                Value
---------------------------------
EAPoL Frames (Rx)    10
EAPoL Frames (Tx)    10
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Unauthorized
Req Frames (Rx)      8
Req ID Frames (Rx)   1
Resp Frames (Tx)     9
Start Frames (Tx)    1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         8
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       N/A
Authentication Status     Unauthorized
Authentication Successes  0
EAPoL frames (Rx)         10
EAPoL frames (Tx)         10
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Apr 16 23:30:53.605720 osdx hostapd[1068975]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Apr 16 23:30:53.605733 osdx hostapd[1068975]: eth2: RADIUS Authentication server 10.215.168.1:1812 Apr 16 23:30:53.606030 osdx hostapd[1068975]: connect[radius]: Network is unreachable Apr 16 23:30:53.605777 osdx hostapd[1068975]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Apr 16 23:30:53.605780 osdx hostapd[1068975]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Apr 16 23:30:53.633598 osdx hostapd[1068975]: Discovery mode enabled on eth2 Apr 16 23:30:53.633674 osdx hostapd[1068975]: eth2: interface state UNINITIALIZED->ENABLED Apr 16 23:30:53.633674 osdx hostapd[1068975]: eth2: AP-ENABLED Apr 16 23:30:57.039479 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Apr 16 23:30:57.039497 osdx hostapd[1068976]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Apr 16 23:30:57.053635 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication Apr 16 23:30:57.053665 osdx hostapd[1068976]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Apr 16 23:30:57.053669 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response Apr 16 23:30:57.053671 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Apr 16 23:30:57.053686 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response Apr 16 23:30:57.053689 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Apr 16 23:30:57.053702 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port Apr 
16 23:30:57.053721 osdx hostapd[1068976]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Apr 16 23:30:57.053744 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 35) Apr 16 23:30:57.054100 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=35 len=10) from STA: EAP Response-Identity (1) Apr 16 23:30:57.054111 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' Apr 16 23:30:57.054135 osdx hostapd[1068976]: eth2: RADIUS Authentication server 10.215.168.1:1812 Apr 16 23:30:57.056344 osdx hostapd[1068976]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:57.056372 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:57.056606 osdx hostapd[1068976]: eth2: RADIUS Received 80 bytes from RADIUS server Apr 16 23:30:57.056611 osdx hostapd[1068976]: eth2: RADIUS Received RADIUS message Apr 16 23:30:57.056615 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:57.056632 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=36 len=22) from RADIUS server: EAP-Request-MD5 (4) Apr 16 23:30:57.056639 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 36) Apr 16 23:30:57.056893 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=36 len=6) from STA: EAP Response-unknown (3) Apr 16 23:30:57.056939 osdx hostapd[1068976]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:57.056953 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:57.057130 osdx hostapd[1068976]: eth2: RADIUS Received 64 bytes from RADIUS server Apr 16 23:30:57.057135 osdx hostapd[1068976]: eth2: RADIUS Received RADIUS 
message Apr 16 23:30:57.057139 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:57.057155 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=37 len=6) from RADIUS server: EAP-Request-PEAP (25) Apr 16 23:30:57.057161 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 37) Apr 16 23:30:57.057534 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=37 len=194) from STA: EAP Response-PEAP (25) Apr 16 23:30:57.057585 osdx hostapd[1068976]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:57.057597 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:57.058842 osdx hostapd[1068976]: eth2: RADIUS Received 1068 bytes from RADIUS server Apr 16 23:30:57.058849 osdx hostapd[1068976]: eth2: RADIUS Received RADIUS message Apr 16 23:30:57.058854 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:57.058878 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=38 len=1004) from RADIUS server: EAP-Request-PEAP (25) Apr 16 23:30:57.058886 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 38) Apr 16 23:30:57.059130 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=38 len=6) from STA: EAP Response-PEAP (25) Apr 16 23:30:57.059180 osdx hostapd[1068976]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:57.059200 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:57.059368 osdx hostapd[1068976]: eth2: RADIUS Received 229 bytes from RADIUS server Apr 16 23:30:57.059375 osdx hostapd[1068976]: eth2: 
RADIUS Received RADIUS message Apr 16 23:30:57.059379 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:57.059400 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=39 len=171) from RADIUS server: EAP-Request-PEAP (25) Apr 16 23:30:57.059408 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 39) Apr 16 23:30:57.061275 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=39 len=103) from STA: EAP Response-PEAP (25) Apr 16 23:30:57.061323 osdx hostapd[1068976]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:57.061336 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:57.061731 osdx hostapd[1068976]: eth2: RADIUS Received 115 bytes from RADIUS server Apr 16 23:30:57.061740 osdx hostapd[1068976]: eth2: RADIUS Received RADIUS message Apr 16 23:30:57.061744 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Apr 16 23:30:57.061774 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=40 len=57) from RADIUS server: EAP-Request-PEAP (25) Apr 16 23:30:57.061783 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 40) Apr 16 23:30:57.062090 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=40 len=6) from STA: EAP Response-PEAP (25) Apr 16 23:30:57.062131 osdx hostapd[1068976]: eth2: RADIUS Sending RADIUS message to authentication server Apr 16 23:30:57.062144 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Apr 16 23:30:57.062276 osdx hostapd[1068976]: eth2: RADIUS Received 98 bytes from RADIUS server Apr 16 23:30:57.062282 osdx 
hostapd[1068976]: eth2: RADIUS Received RADIUS message
Apr 16 23:30:57.062285 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:30:57.062301 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=41 len=40) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:30:57.062308 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 41)
Apr 16 23:30:57.062461 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=41 len=41) from STA: EAP Response-PEAP (25)
Apr 16 23:30:57.062494 osdx hostapd[1068976]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:30:57.062505 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:30:57.062639 osdx hostapd[1068976]: eth2: RADIUS Received 131 bytes from RADIUS server
Apr 16 23:30:57.062643 osdx hostapd[1068976]: eth2: RADIUS Received RADIUS message
Apr 16 23:30:57.062649 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:30:57.062665 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=42 len=73) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:30:57.062670 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 42)
Apr 16 23:30:57.062935 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=42 len=95) from STA: EAP Response-PEAP (25)
Apr 16 23:30:57.062988 osdx hostapd[1068976]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:30:57.063002 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:30:57.063182 osdx hostapd[1068976]: eth2: RADIUS Received 104 bytes from RADIUS server
Apr 16 23:30:57.063189 osdx hostapd[1068976]: eth2: RADIUS Received RADIUS message
Apr 16 23:30:57.063193 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:30:57.063209 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=43 len=46) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:30:57.063214 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 43)
Apr 16 23:30:57.063404 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=43 len=46) from STA: EAP Response-PEAP (25)
Apr 16 23:30:57.063446 osdx hostapd[1068976]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:30:57.063460 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:30:58.063571 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Apr 16 23:30:58.063611 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Apr 16 23:30:58.063757 osdx hostapd[1068976]: eth2: RADIUS Received 44 bytes from RADIUS server
Apr 16 23:30:58.063761 osdx hostapd[1068976]: eth2: RADIUS Received RADIUS message
Apr 16 23:30:58.063767 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:30:58.063817 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=43 len=4) from RADIUS server: EAP Failure
Apr 16 23:30:58.063853 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 43)
Apr 16 23:30:58.063868 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Apr 16 23:30:58.063872 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Apr 16 23:30:58.063876 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Apr 16 23:30:58.063881 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Apr 16 23:30:58.063912 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Apr 16 23:30:58.063920 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Apr 16 23:30:58.063934 osdx hostapd[1068976]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:30:58.063944 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:30:58.063972 osdx hostapd[1068976]: eth2: RADIUS Received 44 bytes from RADIUS server
Apr 16 23:30:58.063975 osdx hostapd[1068976]: eth2: RADIUS Received RADIUS message
Apr 16 23:30:58.063981 osdx hostapd[1068976]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Apr 16 23:30:59.064059 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Apr 16 23:30:59.064095 osdx hostapd[1068976]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Apr 16 23:30:59.064342 osdx hostapd[1068976]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:30:59.064347 osdx hostapd[1068976]: eth2: RADIUS Received RADIUS message
Apr 16 23:30:59.064352 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:30:59.064358 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Apr 16 23:30:59.064415 osdx hostapd[1068976]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Apr 16 23:30:59.064418 osdx hostapd[1068976]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Apr 16 23:30:59.064422 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Apr 16 23:30:59.064426 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Apr 16 23:30:59.064436 osdx hostapd[1068976]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:30:59.064439 osdx hostapd[1068976]: eth2: RADIUS Received RADIUS message
Apr 16 23:30:59.064442 osdx hostapd[1068976]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Test Unsupported 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19x8qsjQag+Mlfm7shwFyAUJyb0HCcekvYwTD3GhN1AIQDKQDz235ErFVRUsHrg0DFtuG6Lb8Py/g==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.291 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.291/0.291/0.291/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.486 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.486/0.486/0.486/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         0
EAPoL frames (Tx)         4
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.263 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.263/0.263/0.263/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Apr 16 23:31:06.211611 osdx hostapd[1069485]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Apr 16 23:31:06.211624 osdx hostapd[1069485]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:31:06.211871 osdx hostapd[1069485]: connect[radius]: Network is unreachable
Apr 16 23:31:06.211675 osdx hostapd[1069485]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Apr 16 23:31:06.211678 osdx hostapd[1069485]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Apr 16 23:31:06.231412 osdx hostapd[1069485]: Discovery mode enabled on eth2
Apr 16 23:31:06.231520 osdx hostapd[1069485]: eth2: interface state UNINITIALIZED->ENABLED
Apr 16 23:31:06.231520 osdx hostapd[1069485]: eth2: AP-ENABLED
Apr 16 23:31:11.231744 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Apr 16 23:31:11.231783 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Apr 16 23:31:11.231793 osdx hostapd[1069486]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Apr 16 23:31:11.255459 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Apr 16 23:31:11.255489 osdx hostapd[1069486]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Apr 16 23:31:11.255493 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Apr 16 23:31:11.255495 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Apr 16 23:31:11.255514 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Apr 16 23:31:11.255523 osdx hostapd[1069486]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Apr 16 23:31:11.255557 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 177)
Apr 16 23:31:14.258030 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 177)
Apr 16 23:31:20.262751 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 177)
Apr 16 23:31:32.272702 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Apr 16 23:31:32.272710 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Apr 16 23:31:32.272715 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Apr 16 23:31:32.272746 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Apr 16 23:31:32.274417 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Apr 16 23:31:32.274427 osdx hostapd[1069486]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:31:32.274493 osdx hostapd[1069486]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:31:32.274520 osdx hostapd[1069486]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:31:32.274542 osdx hostapd[1069486]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Apr 16 23:31:32.274557 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 8)
Apr 16 23:31:32.274792 osdx hostapd[1069486]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:31:32.274797 osdx hostapd[1069486]: eth2: RADIUS Received RADIUS message
Apr 16 23:31:32.274801 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:31:32.274805 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Apr 16 23:31:32.274816 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Apr 16 23:31:32.274827 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Apr 16 23:31:32.274830 osdx hostapd[1069486]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Apr 16 23:31:32.274839 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Apr 16 23:31:32.274842 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 1F26CC603FC92511
Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/oRao77ra9bq3y+fjXFD2a5b1hM+c58EU/s+QLbOAbDtMYG872diES3BmcME0S9bBkcmCVa+126Q==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.281 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.281/0.281/0.281/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   2
Authentication Mode       N/A
Authentication Status     Unauthorized
Authentication Successes  0
EAPoL frames (Rx)         0
EAPoL frames (Tx)         4
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Apr 16 23:31:42.194930 osdx hostapd[1070046]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Apr 16 23:31:42.194946 osdx hostapd[1070046]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:31:42.195239 osdx hostapd[1070046]: connect[radius]: Network is unreachable
Apr 16 23:31:42.194981 osdx hostapd[1070046]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Apr 16 23:31:42.194984 osdx hostapd[1070046]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Apr 16 23:31:42.218835 osdx hostapd[1070046]: Discovery mode enabled on eth2
Apr 16 23:31:42.218926 osdx hostapd[1070046]: eth2: interface state UNINITIALIZED->ENABLED
Apr 16 23:31:42.218926 osdx hostapd[1070046]: eth2: AP-ENABLED
Apr 16 23:31:47.219151 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Apr 16 23:31:47.219190 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Apr 16 23:31:47.219197 osdx hostapd[1070047]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Apr 16 23:31:47.238846 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Apr 16 23:31:47.238877 osdx hostapd[1070047]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Apr 16 23:31:47.238886 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Apr 16 23:31:47.238890 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Apr 16 23:31:47.238909 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Apr 16 23:31:47.238918 osdx hostapd[1070047]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Apr 16 23:31:47.238949 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 233)
Apr 16 23:31:50.241150 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 233)
Apr 16 23:31:56.246150 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 233)
Apr 16 23:32:08.255150 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Apr 16 23:32:08.255156 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Apr 16 23:32:08.255161 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Apr 16 23:32:08.255198 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Apr 16 23:32:08.256969 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Apr 16 23:32:08.256980 osdx hostapd[1070047]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:32:08.257047 osdx hostapd[1070047]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:32:08.257083 osdx hostapd[1070047]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:32:08.257102 osdx hostapd[1070047]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Apr 16 23:32:08.257114 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 37)
Apr 16 23:32:09.258021 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Apr 16 23:32:09.258060 osdx hostapd[1070047]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Apr 16 23:32:09.258070 osdx hostapd[1070047]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:32:09.258074 osdx hostapd[1070047]: eth2: RADIUS Received RADIUS message
Apr 16 23:32:09.258078 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:32:09.258083 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Apr 16 23:32:09.258132 osdx hostapd[1070047]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Apr 16 23:32:09.258135 osdx hostapd[1070047]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Apr 16 23:32:09.258137 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Apr 16 23:32:09.258140 osdx hostapd[1070047]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Apr 16 23:32:09.258148 osdx hostapd[1070047]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:32:09.258150 osdx hostapd[1070047]: eth2: RADIUS Received RADIUS message
Apr 16 23:32:09.258152 osdx hostapd[1070047]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
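The journal checks in these scenarios grep for single tokens; the added example below folds the same hostapd lines into one record per station, so the reason for the fallback and the MAB outcome can be reviewed together. It is not part of the product documentation or its test suite: the names summarize, review_notes and Session and the reason labels are assumptions, and the sample lines are copied, abridged, from the journal output shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Per-station hostapd lines as they appear in the journal output above.
STA_LINE = re.compile(
    r"hostapd\[\d+\]: (?P<ifname>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:IEEE 802\.1X|RADIUS|DRIVER): (?P<msg>.*)$"
)
PAE_GROUP_MAC = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a station

@dataclass
class Session:
    ifname: str
    mac: str
    fallback_reason: Optional[str] = None  # assumed labels: eap-rejected / no-eap-response
    mab_result: Optional[str] = None       # assumed labels: accepted / rejected
    authorized: bool = False

def summarize(lines):
    """Fold hostapd journal lines into one Session per (interface, MAC)."""
    sessions = {}
    for line in lines:
        m = STA_LINE.search(line)
        if m is None or m["mac"] == PAE_GROUP_MAC:
            continue
        key = (m["ifname"], m["mac"])
        s = sessions.setdefault(key, Session(*key))
        msg = m["msg"]
        if msg.startswith("802.1X authentication failed, triggering MAB fallback"):
            s.fallback_reason = "eap-rejected"      # supplicant answered, RADIUS said no
        elif msg.startswith("EAP max retrans reached, triggering MAB fallback"):
            s.fallback_reason = "no-eap-response"   # no supplicant on the port
        elif msg == "MAB: station successfully authenticated":
            s.mab_result = "accepted"
        elif msg.startswith("MAB: Authentication failed"):
            s.mab_result = "rejected"
        elif msg == "authorizing port":             # exact match: "unauthorizing port" also ends this way
            s.authorized = True
        elif msg == "unauthorizing port":
            s.authorized = False
    return sessions

def review_notes(sessions):
    """Return one line per condition an operator would want to look at."""
    notes = []
    for s in sessions.values():
        if s.fallback_reason == "eap-rejected":
            notes.append(f"{s.ifname} {s.mac}: 802.1X credentials rejected before MAB attempt")
        if s.mab_result == "rejected":
            notes.append(f"{s.ifname} {s.mac}: MAB rejected, port held unauthorized")
        if s.authorized and s.mab_result == "accepted":
            notes.append(f"{s.ifname} {s.mac}: port authorized by MAC only ({s.fallback_reason})")
    return notes

# Abridged from the journal output shown on this page.
SAMPLE = """\
Apr 16 23:30:58.063868 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Apr 16 23:30:58.063876 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Apr 16 23:30:59.064422 osdx hostapd[1068976]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Apr 16 23:31:11.255514 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Apr 16 23:31:11.255523 osdx hostapd[1069486]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Apr 16 23:31:32.272710 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Apr 16 23:31:32.274827 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Apr 16 23:31:32.274839 osdx hostapd[1069486]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
""".splitlines()
```

In the MAB query the logs show User-Name and User-Password both set to the station MAC, so a session reported as accepted here means the port was opened on the MAC address alone.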