MAB First

This scenario shows how to configure the MAB-first authentication mode.


Test Successful MAB Authentication With Successful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+o0z5uuIc9l6/Ehm67A5+6DAVezE/T3FvEdYBNSD7CIOiwZjkaE9OlVBLtaskUVb83YxgK7SqvGA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.213 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.213/0.213/0.213/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/QX2aQNUCe/Gx+sKpq25ZWDFj8y/VHukY=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         1
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=2.37 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.365/2.365/2.365/0.000 ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Apr 16 23:28:33.270099 osdx hostapd[1064291]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Apr 16 23:28:33.270114 osdx hostapd[1064291]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:28:33.270353 osdx hostapd[1064291]: connect[radius]: Network is unreachable
Apr 16 23:28:33.270160 osdx hostapd[1064291]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Apr 16 23:28:33.270163 osdx hostapd[1064291]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Apr 16 23:28:33.301950 osdx hostapd[1064291]: Discovery mode enabled on eth2
Apr 16 23:28:33.302077 osdx hostapd[1064291]: eth2: interface state UNINITIALIZED->ENABLED
Apr 16 23:28:33.302077 osdx hostapd[1064291]: eth2: AP-ENABLED
Apr 16 23:28:36.516874 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Apr 16 23:28:36.516890 osdx hostapd[1064292]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Apr 16 23:28:36.538005 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Apr 16 23:28:36.538047 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Apr 16 23:28:36.538064 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Apr 16 23:28:36.540185 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Apr 16 23:28:36.540197 osdx hostapd[1064292]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:28:36.540284 osdx hostapd[1064292]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:28:36.540321 osdx hostapd[1064292]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:28:36.540353 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Apr 16 23:28:36.540574 osdx hostapd[1064292]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:28:36.540580 osdx hostapd[1064292]: eth2: RADIUS Received RADIUS message
Apr 16 23:28:36.540584 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:28:36.540589 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Apr 16 23:28:36.540600 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Apr 16 23:28:36.540613 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Apr 16 23:28:36.540617 osdx hostapd[1064292]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Apr 16 23:28:36.540627 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Apr 16 23:28:36.540631 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 93B4B7CD39B0D652

Test Successful MAB Authentication With Unsuccessful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18zUw0Go/fZ6ucVsHPCf/RKCzpeAKVwtge/lMJBuVDJ0QSSKleaCcarTZ51fXlaqPfh3alNiCpIRA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.439 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.439/0.439/0.439/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19FTRYyTBdWVNoYX1KyDmI+WrjKibN3/wI=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         1
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.269 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.269/0.269/0.269/0.000 ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Apr 16 23:28:45.487195 osdx hostapd[1064809]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Apr 16 23:28:45.487211 osdx hostapd[1064809]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:28:45.487612 osdx hostapd[1064809]: connect[radius]: Network is unreachable
Apr 16 23:28:45.487266 osdx hostapd[1064809]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Apr 16 23:28:45.487272 osdx hostapd[1064809]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Apr 16 23:28:45.507028 osdx hostapd[1064809]: Discovery mode enabled on eth2
Apr 16 23:28:45.507176 osdx hostapd[1064809]: eth2: interface state UNINITIALIZED->ENABLED
Apr 16 23:28:45.507176 osdx hostapd[1064809]: eth2: AP-ENABLED
Apr 16 23:28:48.745911 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Apr 16 23:28:48.745928 osdx hostapd[1064810]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Apr 16 23:28:48.771079 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Apr 16 23:28:48.771116 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Apr 16 23:28:48.771135 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Apr 16 23:28:48.773486 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Apr 16 23:28:48.773500 osdx hostapd[1064810]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:28:48.773590 osdx hostapd[1064810]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:28:48.773635 osdx hostapd[1064810]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:28:48.773661 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Apr 16 23:28:48.773896 osdx hostapd[1064810]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:28:48.773902 osdx hostapd[1064810]: eth2: RADIUS Received RADIUS message
Apr 16 23:28:48.773906 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:28:48.773910 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Apr 16 23:28:48.773921 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Apr 16 23:28:48.773933 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Apr 16 23:28:48.773936 osdx hostapd[1064810]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Apr 16 23:28:48.773946 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Apr 16 23:28:48.773950 osdx hostapd[1064810]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 233100B00A104663

Test Successful MAB Authentication With Unsupported 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18mxE7Eb8vU3sira+fyZuXqhAEruD3aKXQgb3LyI+bCc9nzChiVAG5CtE/5fqKGvqS4H3CTbT/BiA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.284 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.284/0.284/0.284/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.457 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.457/0.457/0.457/0.000 ms

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.497 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.497/0.497/0.497/0.000 ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Apr 16 23:28:56.389372 osdx hostapd[1065327]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Apr 16 23:28:56.389389 osdx hostapd[1065327]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:28:56.389677 osdx hostapd[1065327]: connect[radius]: Network is unreachable
Apr 16 23:28:56.389442 osdx hostapd[1065327]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Apr 16 23:28:56.389446 osdx hostapd[1065327]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Apr 16 23:28:56.413223 osdx hostapd[1065327]: Discovery mode enabled on eth2
Apr 16 23:28:56.413341 osdx hostapd[1065327]: eth2: interface state UNINITIALIZED->ENABLED
Apr 16 23:28:56.413341 osdx hostapd[1065327]: eth2: AP-ENABLED
Apr 16 23:29:01.413532 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Apr 16 23:29:01.413573 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Apr 16 23:29:01.413583 osdx hostapd[1065328]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Apr 16 23:29:01.433274 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Apr 16 23:29:01.433317 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Apr 16 23:29:01.433342 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Apr 16 23:29:01.435723 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Apr 16 23:29:01.435741 osdx hostapd[1065328]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:29:01.435830 osdx hostapd[1065328]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:01.435971 osdx hostapd[1065328]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:01.436187 osdx hostapd[1065328]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:29:01.436193 osdx hostapd[1065328]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:01.436198 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:01.436203 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Apr 16 23:29:01.436215 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Apr 16 23:29:01.436232 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Apr 16 23:29:01.436235 osdx hostapd[1065328]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Apr 16 23:29:01.436251 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Apr 16 23:29:01.436255 osdx hostapd[1065328]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session EEFC2E15770066CC
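
An added example, not part of the original page or the product's tooling: a Python audit over the hostapd journal that reports, per station, whether the port was opened by MAB alone or by the 802.1X fallback. The sample journal is constructed in the format shown above, the names `Session`, `audit` and the verdict strings are hypothetical, and the 802.1X success message it matches is the "authenticated - EAP type" token that this page's journal check expects when MAB fails.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the journal format shown on this page (not captured output).
SAMPLE_JOURNAL = """\
Apr 16 23:28:36.538005 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Apr 16 23:28:36.540353 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Apr 16 23:28:36.540613 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Apr 16 23:28:36.540627 osdx hostapd[1064292]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Apr 16 23:29:15.873812 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Apr 16 23:29:15.876569 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Apr 16 23:29:16.876913 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Apr 16 23:29:16.876929 osdx hostapd[1065859]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Apr 16 23:29:16.900000 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Apr 16 23:29:16.900010 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Apr 16 23:30:01.000000 osdx hostapd[1066000]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Apr 16 23:30:02.000000 osdx hostapd[1066000]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
"""

# "<iface>: STA <mac> <module>: <message>" as it appears after the hostapd[pid] prefix.
LINE_RE = re.compile(
    r"hostapd\[\d+\]: (?P<iface>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:IEEE 802\.1X|RADIUS|DRIVER): (?P<msg>.*)$"
)
EAP_RE = re.compile(r"authenticated - EAP type: \d+ \((?P<name>[^)]+)\)")
PAE_GROUP = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a station


@dataclass
class Session:  # hypothetical name: one authentication attempt per (interface, MAC)
    iface: str
    mac: str
    eapol_start: bool = False  # station sent EAPOL-Start, so it speaks 802.1X
    mab_failed: bool = False
    method: Optional[str] = None  # "MAB" or "802.1X" once the backend accepted
    eap_type: Optional[str] = None
    authorized: bool = False

    @property
    def verdict(self) -> str:
        if not self.authorized:
            return "unauthorized"
        if self.method == "802.1X":
            return "802.1x-fallback"
        # Port opened on the MAC address alone; note when the station also offered 802.1X.
        return "mab-only-eapol-seen" if self.eapol_start else "mab-only"


def audit(journal: str) -> dict:
    """Return {(iface, mac): Session} reconstructed from hostapd journal lines."""
    sessions = {}
    for line in journal.splitlines():
        m = LINE_RE.search(line)
        if not m or m["mac"] == PAE_GROUP:
            continue
        key, msg = (m["iface"], m["mac"]), m["msg"]
        if msg == "MAB-first mode: Starting MAB authentication":
            sessions[key] = Session(*key)  # a new attempt resets earlier state
            continue
        s = sessions.setdefault(key, Session(*key))
        if msg == "received EAPOL-Start from STA":
            s.eapol_start = True
        elif msg == "MAB: station successfully authenticated":
            s.method = "MAB"
        elif msg.startswith("MAB-first mode: MAB failed"):
            s.mab_failed = True
        elif (e := EAP_RE.fullmatch(msg)):
            s.method, s.eap_type = "802.1X", e["name"]
        elif msg == "authorizing port":
            # Only count the port as open if an accept was seen first.
            s.authorized = s.method is not None
    return sessions


if __name__ == "__main__":
    for (iface, mac), s in audit(SAMPLE_JOURNAL).items():
        print(f"{iface} {mac} {s.verdict} eap={s.eap_type}")
```

A station reported as `mab-only-eapol-seen` sent EAPOL-Start but was admitted on its MAC address alone, which is the outcome recorded in the first two scenarios above.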

Test Unsuccessful MAB Authentication With Successful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/rCsmsY1IpX0xEjqc6hOv3AECQoIbtue1uHnYeTzEHh2xy9wI+AH7Eo3uXKzYqyW4Ol3mYugQ3OA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.318 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.318/0.318/0.318/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18Wg0cO+eqeas77uetjaslM9HdzJ6OkVF0=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Output:
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Output:
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X
Output:
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     1
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            00:11:22:33:44:55
Session User Name                     testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Output:
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.453 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.453/0.453/0.453/0.000 ms

Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Output:
Apr 16 23:29:12.341848 osdx hostapd[1065858]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Apr 16 23:29:12.341866 osdx hostapd[1065858]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:29:12.342110 osdx hostapd[1065858]: connect[radius]: Network is unreachable
Apr 16 23:29:12.341917 osdx hostapd[1065858]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Apr 16 23:29:12.341921 osdx hostapd[1065858]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Apr 16 23:29:12.357707 osdx hostapd[1065858]: Discovery mode enabled on eth2
Apr 16 23:29:12.357778 osdx hostapd[1065858]: eth2: interface state UNINITIALIZED->ENABLED
Apr 16 23:29:12.357802 osdx hostapd[1065858]: eth2: AP-ENABLED
Apr 16 23:29:15.859591 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Apr 16 23:29:15.859605 osdx hostapd[1065859]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Apr 16 23:29:15.873812 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Apr 16 23:29:15.873847 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Apr 16 23:29:15.873866 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Apr 16 23:29:15.876275 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Apr 16 23:29:15.876291 osdx hostapd[1065859]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:29:15.876382 osdx hostapd[1065859]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:15.876519 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:15.876569 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Apr 16 23:29:16.876611 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Apr 16 23:29:16.876643 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Apr 16 23:29:16.876845 osdx hostapd[1065859]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:29:16.876850 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.876854 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:16.876857 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Apr 16 23:29:16.876910 osdx hostapd[1065859]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Apr 16 23:29:16.876913 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Apr 16 23:29:16.876917 osdx hostapd[1065859]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Apr 16 23:29:16.876920 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Apr 16 23:29:16.876929 osdx hostapd[1065859]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Apr 16 23:29:16.876946 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 1)
Apr 16 23:29:16.876965 osdx hostapd[1065859]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:29:16.876968 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.876972 osdx hostapd[1065859]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Apr 16 23:29:16.877319 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=1 len=12) from STA: EAP Response-Identity (1)
Apr 16 23:29:16.877333 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Apr 16 23:29:16.877395 osdx hostapd[1065859]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:16.877413 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:16.877646 osdx hostapd[1065859]: eth2: RADIUS Received 80 bytes from RADIUS server
Apr 16 23:29:16.877652 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.877669 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:16.877693 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=2 len=22) from RADIUS server: EAP-Request-MD5 (4)
Apr 16 23:29:16.877701 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 2)
Apr 16 23:29:16.877982 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=2 len=6) from STA: EAP Response-unknown (3)
Apr 16 23:29:16.878045 osdx hostapd[1065859]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:16.878062 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:16.878257 osdx hostapd[1065859]: eth2: RADIUS Received 64 bytes from RADIUS server
Apr 16 23:29:16.878264 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.878268 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:16.878285 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=3 len=6) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:16.878292 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 3)
Apr 16 23:29:16.878670 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=3 len=194) from STA: EAP Response-PEAP (25)
Apr 16 23:29:16.878710 osdx hostapd[1065859]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:16.878721 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:16.879736 osdx hostapd[1065859]: eth2: RADIUS Received 1068 bytes from RADIUS server
Apr 16 23:29:16.879743 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.879747 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:16.879781 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=4 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:16.879790 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 4)
Apr 16 23:29:16.880029 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=4 len=6) from STA: EAP Response-PEAP (25)
Apr 16 23:29:16.880086 osdx hostapd[1065859]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:16.880106 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:16.880249 osdx hostapd[1065859]: eth2: RADIUS Received 229 bytes from RADIUS server
Apr 16 23:29:16.880255 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.880259 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:16.880278 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=5 len=171) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:16.880286 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 5)
Apr 16 23:29:16.881605 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=5 len=103) from STA: EAP Response-PEAP (25)
Apr 16 23:29:16.881671 osdx hostapd[1065859]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:16.881686 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:16.882009 osdx hostapd[1065859]: eth2: RADIUS Received 115 bytes from RADIUS server
Apr 16 23:29:16.882015 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.882018 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:16.882036 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=6 len=57) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:16.882043 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 6)
Apr 16 23:29:16.882285 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=6 len=6) from STA: EAP Response-PEAP (25)
Apr 16 23:29:16.882328 osdx hostapd[1065859]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:16.882341 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:16.882479 osdx hostapd[1065859]: eth2: RADIUS Received 98 bytes from RADIUS server
Apr 16 23:29:16.882484 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.882488 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:16.882503 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=7 len=40) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:16.882510 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 7)
Apr 16 23:29:16.882717 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=7 len=43) from STA: EAP Response-PEAP (25)
Apr 16 23:29:16.882765 osdx hostapd[1065859]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:16.882783 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:16.882990 osdx hostapd[1065859]: eth2: RADIUS Received 131 bytes from RADIUS server
Apr 16 23:29:16.882996 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.883000 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:16.883016 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=8 len=73) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:16.883023 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 8)
Apr 16 23:29:16.883297 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=8 len=97) from STA: EAP Response-PEAP (25)
Apr 16 23:29:16.883348 osdx hostapd[1065859]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:16.883364 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:16.883534 osdx hostapd[1065859]: eth2: RADIUS Received 140 bytes from RADIUS server
Apr 16 23:29:16.883539 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.883542 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:16.883563 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=9 len=82) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:16.883569 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 9)
Apr 16 23:29:16.883735 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=9 len=37) from STA: EAP Response-PEAP (25)
Apr 16 23:29:16.883768 osdx hostapd[1065859]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:16.883781 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:16.883940 osdx hostapd[1065859]: eth2: RADIUS Received 104 bytes from RADIUS server
Apr 16 23:29:16.883946 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.883953 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:16.883971 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=10 len=46) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:16.883978 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 10)
Apr 16 23:29:16.884172 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=10 len=46) from STA: EAP Response-PEAP (25)
Apr 16 23:29:16.884206 osdx hostapd[1065859]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:16.884218 osdx hostapd[1065859]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:16.884414 osdx hostapd[1065859]: eth2: RADIUS Received 175 bytes from RADIUS server
Apr 16 23:29:16.884419 osdx hostapd[1065859]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:16.884423 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:16.884443 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Apr 16 23:29:16.884448 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=10 len=4) from RADIUS server: EAP Success
Apr 16 23:29:16.884462 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 10)
Apr 16 23:29:16.884477 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Apr 16 23:29:16.884480 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session EF638C22863464AC
Apr 16 23:29:16.884503 osdx hostapd[1065859]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/zhXwkOxaWUgpP7YKqJQ7syefflMKhcXrduW7C5sav1YeeZAu0whRdNYx68XVbhSKNgnVo6PCwmA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.236 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.236/0.236/0.236/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+Q+DUAKvK9qubi22E9TRXf7Y/AWQGS4ZM=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Unauthorized
Show output
---------------------------------
       Field            Value
---------------------------------
EAPoL Frames (Rx)               9
EAPoL Frames (Tx)              10
Invalid Frames (Rx)             0
Logoff Frames (Tx)              0
Port Status          Unauthorized
Req Frames (Rx)                 8
Req ID Frames (Rx)              1
Resp Frames (Tx)                9
Start Frames (Tx)               1

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                         9
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1 and expect the command to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Show output
Apr 16 23:29:24.502335 osdx hostapd[1066381]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Apr 16 23:29:24.502351 osdx hostapd[1066381]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:29:24.502569 osdx hostapd[1066381]: connect[radius]: Network is unreachable
Apr 16 23:29:24.502399 osdx hostapd[1066381]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Apr 16 23:29:24.502405 osdx hostapd[1066381]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Apr 16 23:29:24.522266 osdx hostapd[1066381]: Discovery mode enabled on eth2
Apr 16 23:29:24.522386 osdx hostapd[1066381]: eth2: interface state UNINITIALIZED->ENABLED
Apr 16 23:29:24.522386 osdx hostapd[1066381]: eth2: AP-ENABLED
Apr 16 23:29:27.800094 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Apr 16 23:29:27.800108 osdx hostapd[1066382]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Apr 16 23:29:27.814292 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Apr 16 23:29:27.814338 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Apr 16 23:29:27.814359 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Apr 16 23:29:27.816754 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Apr 16 23:29:27.816769 osdx hostapd[1066382]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:29:27.816864 osdx hostapd[1066382]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:27.817001 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:27.817062 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Apr 16 23:29:28.817085 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Apr 16 23:29:28.817116 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Apr 16 23:29:28.817278 osdx hostapd[1066382]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:29:28.817281 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:28.817285 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:28.817288 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Apr 16 23:29:28.817340 osdx hostapd[1066382]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Apr 16 23:29:28.817342 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Apr 16 23:29:28.817345 osdx hostapd[1066382]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Apr 16 23:29:28.817348 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Apr 16 23:29:28.817354 osdx hostapd[1066382]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Apr 16 23:29:28.817369 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 77)
Apr 16 23:29:28.817390 osdx hostapd[1066382]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:29:28.817392 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:28.817397 osdx hostapd[1066382]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Apr 16 23:29:28.817679 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=77 len=10) from STA: EAP Response-Identity (1)
Apr 16 23:29:28.817692 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Apr 16 23:29:28.817765 osdx hostapd[1066382]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:28.817781 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:28.818054 osdx hostapd[1066382]: eth2: RADIUS Received 80 bytes from RADIUS server
Apr 16 23:29:28.818061 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:28.818066 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:28.818097 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=78 len=22) from RADIUS server: EAP-Request-MD5 (4)
Apr 16 23:29:28.818105 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 78)
Apr 16 23:29:28.818314 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=78 len=6) from STA: EAP Response-unknown (3)
Apr 16 23:29:28.818365 osdx hostapd[1066382]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:28.818379 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:28.818638 osdx hostapd[1066382]: eth2: RADIUS Received 64 bytes from RADIUS server
Apr 16 23:29:28.818645 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:28.818650 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:28.818673 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=79 len=6) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:28.818681 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 79)
Apr 16 23:29:28.819052 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=79 len=194) from STA: EAP Response-PEAP (25)
Apr 16 23:29:28.819097 osdx hostapd[1066382]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:28.819111 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:28.821536 osdx hostapd[1066382]: eth2: RADIUS Received 1068 bytes from RADIUS server
Apr 16 23:29:28.821544 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:28.821549 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:28.821587 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=80 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:28.821598 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 80)
Apr 16 23:29:28.821857 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=80 len=6) from STA: EAP Response-PEAP (25)
Apr 16 23:29:28.821905 osdx hostapd[1066382]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:28.821921 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:28.822070 osdx hostapd[1066382]: eth2: RADIUS Received 229 bytes from RADIUS server
Apr 16 23:29:28.822076 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:28.822079 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:28.822095 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=81 len=171) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:28.822101 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 81)
Apr 16 23:29:28.823757 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=81 len=103) from STA: EAP Response-PEAP (25)
Apr 16 23:29:28.823813 osdx hostapd[1066382]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:28.823889 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:28.824307 osdx hostapd[1066382]: eth2: RADIUS Received 115 bytes from RADIUS server
Apr 16 23:29:28.824316 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:28.824321 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:28.824344 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=82 len=57) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:28.824352 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 82)
Apr 16 23:29:28.824770 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=82 len=6) from STA: EAP Response-PEAP (25)
Apr 16 23:29:28.824815 osdx hostapd[1066382]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:28.824828 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:28.824993 osdx hostapd[1066382]: eth2: RADIUS Received 98 bytes from RADIUS server
Apr 16 23:29:28.825000 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:28.825003 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:28.825018 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=83 len=40) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:28.825024 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 83)
Apr 16 23:29:28.825226 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=83 len=41) from STA: EAP Response-PEAP (25)
Apr 16 23:29:28.825268 osdx hostapd[1066382]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:28.825342 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:28.825510 osdx hostapd[1066382]: eth2: RADIUS Received 131 bytes from RADIUS server
Apr 16 23:29:28.825516 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:28.825520 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:28.825541 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=84 len=73) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:28.825549 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 84)
Apr 16 23:29:28.825848 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=84 len=95) from STA: EAP Response-PEAP (25)
Apr 16 23:29:28.825893 osdx hostapd[1066382]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:28.825905 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:28.826129 osdx hostapd[1066382]: eth2: RADIUS Received 104 bytes from RADIUS server
Apr 16 23:29:28.826137 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:28.826140 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:28.826163 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=85 len=46) from RADIUS server: EAP-Request-PEAP (25)
Apr 16 23:29:28.826171 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 85)
Apr 16 23:29:28.826466 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=85 len=46) from STA: EAP Response-PEAP (25)
Apr 16 23:29:28.826526 osdx hostapd[1066382]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:28.826540 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:29.826635 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Apr 16 23:29:29.826669 osdx hostapd[1066382]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Apr 16 23:29:29.826826 osdx hostapd[1066382]: eth2: RADIUS Received 44 bytes from RADIUS server
Apr 16 23:29:29.826831 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:29.826835 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:29.826879 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=85 len=4) from RADIUS server: EAP Failure
Apr 16 23:29:29.826904 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 85)
Apr 16 23:29:29.826916 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Apr 16 23:29:29.826926 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Apr 16 23:29:29.826929 osdx hostapd[1066382]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds)
Apr 16 23:29:29.826933 osdx hostapd[1066382]: eth2: RADIUS Received 44 bytes from RADIUS server
Apr 16 23:29:29.826936 osdx hostapd[1066382]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:29.826938 osdx hostapd[1066382]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet

Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX193Z4279chW/C6i1Q6gfcTVRSBE2hZSPbtbQ3RJkasXaAdupU5NS6yIVd4KV0VSLhDyy6jajLT45g==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.565 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.565/0.565/0.565/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
Show output
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         2
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1 and expect the command to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: EAP authentication timeout
Show output
Apr 16 23:29:38.328636 osdx hostapd[1066894]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Apr 16 23:29:38.328650 osdx hostapd[1066894]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:29:38.328950 osdx hostapd[1066894]: connect[radius]: Network is unreachable
Apr 16 23:29:38.328690 osdx hostapd[1066894]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Apr 16 23:29:38.328694 osdx hostapd[1066894]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Apr 16 23:29:38.356333 osdx hostapd[1066894]: Discovery mode enabled on eth2
Apr 16 23:29:38.356391 osdx hostapd[1066894]: eth2: interface state UNINITIALIZED->ENABLED
Apr 16 23:29:38.356391 osdx hostapd[1066894]: eth2: AP-ENABLED
Apr 16 23:29:43.356679 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Apr 16 23:29:43.356723 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Apr 16 23:29:43.356731 osdx hostapd[1066895]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Apr 16 23:29:43.372370 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Apr 16 23:29:43.372398 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Apr 16 23:29:43.372414 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Apr 16 23:29:43.374138 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Apr 16 23:29:43.374151 osdx hostapd[1066895]: eth2: RADIUS Authentication server 10.215.168.1:1812
Apr 16 23:29:43.374234 osdx hostapd[1066895]: eth2: RADIUS Sending RADIUS message to authentication server
Apr 16 23:29:43.374268 osdx hostapd[1066895]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Apr 16 23:29:44.374350 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Apr 16 23:29:44.374382 osdx hostapd[1066895]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Apr 16 23:29:44.374595 osdx hostapd[1066895]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:29:44.374598 osdx hostapd[1066895]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:44.374601 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Apr 16 23:29:44.374605 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Apr 16 23:29:44.374647 osdx hostapd[1066895]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Apr 16 23:29:44.374650 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Apr 16 23:29:44.374653 osdx hostapd[1066895]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Apr 16 23:29:44.374655 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Apr 16 23:29:44.374661 osdx hostapd[1066895]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Apr 16 23:29:44.374674 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 109)
Apr 16 23:29:44.374689 osdx hostapd[1066895]: eth2: RADIUS Received 20 bytes from RADIUS server
Apr 16 23:29:44.374692 osdx hostapd[1066895]: eth2: RADIUS Received RADIUS message
Apr 16 23:29:44.374694 osdx hostapd[1066895]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Apr 16 23:29:47.375698 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 109)
Apr 16 23:29:52.081498 osdx OSDxCLI[1043131]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Apr 16 23:29:53.380685 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 109)
Apr 16 23:30:00.287404 osdx OSDxCLI[1043131]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Apr 16 23:30:05.391690 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Apr 16 23:30:05.391705 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying
Apr 16 23:30:05.391723 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2)
Apr 16 23:30:05.391727 osdx hostapd[1066895]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)
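
The journal checks in these scenarios look for single tokens; the parser below goes a step further and reconstructs, per station, how a MAB-first attempt ended ("authenticated", "authentication failed" or "EAP authentication timeout") and which quiet period was enforced. It is an added example, not part of the OSDx documentation or its test suite: it matches only message strings shown on this page, and the MAC addresses, PID and timestamps in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The journal also logs under STA 01:80:c2:00:00:03 (802.1X PAE group address); it is not a station.
PAE_GROUP = "01:80:c2:00:00:03"
STA_LINE = re.compile(
    r"hostapd\[\d+\]: (?P<iface>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<module>[^:]+): (?P<msg>.*)$", re.IGNORECASE)
IDENTITY = re.compile(r"^STA identity '([^']*)'$")
RESULT = re.compile(r"^(authenticated|authentication failed) - EAP type: \d+ \((\S+)\)$")
QUIET = re.compile(r"enforcing (?:quiet period \((\d+) seconds\)|(\d+) second quiet period)")

@dataclass
class Session:
    iface: str
    mac: str
    mab: str = "not-started"      # not-started | pending | failed
    dot1x: str = "not-started"    # not-started | pending | authenticated | failed | timeout
    identity: Optional[str] = None
    eap_type: Optional[str] = None
    quiet_period: Optional[int] = None
    port_authorized: bool = False

def apply(s: Session, msg: str) -> None:
    """Update a session from one 'IEEE 802.1X' message (only strings shown on this page)."""
    if msg == "MAB-first mode: Starting MAB authentication":
        s.mab = "pending"
    elif msg == "MAB-first mode: MAB failed, transitioning to 802.1X":
        s.mab = "failed"
    elif msg == "MAB-first: 802.1X authentication started":
        s.dot1x = "pending"
    elif msg == "authorizing port":
        s.port_authorized = True
    elif msg == "unauthorizing port":
        s.port_authorized = False
    elif msg.startswith("EAP authentication timeout"):
        s.dot1x = "timeout"
    elif (m := IDENTITY.match(msg)):
        s.identity = m.group(1)
    elif (m := RESULT.match(msg)):
        s.dot1x = "authenticated" if m.group(1) == "authenticated" else "failed"
        s.eap_type = m.group(2)
    if (q := QUIET.search(msg)):      # both quiet-period wordings seen in the journal
        s.quiet_period = int(q.group(1) or q.group(2))

def classify(lines: Iterable[str]) -> List[Session]:
    """Return one Session per authentication attempt, in order of first appearance."""
    sessions: List[Session] = []
    current = {}                      # (iface, mac) -> attempt being updated
    for line in lines:
        m = STA_LINE.search(line)
        if not m or m["module"] != "IEEE 802.1X" or m["mac"].lower() == PAE_GROUP:
            continue                  # RADIUS/MLME/DRIVER, group address, non-hostapd lines
        key = (m["iface"], m["mac"].lower())
        if key not in current or m["msg"].startswith("New STA "):
            current[key] = Session(*key)      # "New STA ... added" opens a fresh attempt
            sessions.append(current[key])
        apply(current[key], m["msg"])
    return sessions

def verdict(s: Session) -> str:
    if s.dot1x == "authenticated" and s.port_authorized:
        return "authorized-802.1X-after-MAB-failure" if s.mab == "failed" else "authorized-802.1X"
    if s.dot1x == "failed":
        return "rejected"
    if s.dot1x == "timeout":
        return "eap-timeout"
    return "incomplete"

def _sta(mac: str, msgs: List[str]) -> List[str]:
    return [f"Apr 16 23:29:16.000000 osdx hostapd[4242]: eth2: STA {mac} {m}" for m in msgs]

# Constructed sample: message texts copied from the journal output above;
# MAC addresses, PID and timestamps are made up so three stations can be told apart.
_MAB = ["IEEE 802.1X: MAB-first mode: Starting MAB authentication",
        "IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X",
        "IEEE 802.1X: MAB-first: 802.1X authentication started"]
SAMPLE = (
    _sta("02:00:00:00:00:0a", _MAB + [
        "IEEE 802.1X: STA identity 'testing'",
        "IEEE 802.1X: authorizing port",
        "IEEE 802.1X: authenticated - EAP type: 25 (PEAP)"])
    + _sta(PAE_GROUP, ["IEEE 802.1X: Trying RADIUS authentication"])
    + _sta("02:00:00:00:00:0b", _MAB + [
        "IEEE 802.1X: STA identity 'wrong'",
        "IEEE 802.1X: unauthorizing port",
        "IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)",
        "IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds)"])
    + _sta("02:00:00:00:00:0c", _MAB + [
        "IEEE 802.1X: aborting authentication",
        "IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying",
        "MLME: MLME-DELETEKEYS.request(02:00:00:00:00:0c)"])
)

if __name__ == "__main__":
    print([(s.mac, verdict(s), s.identity, s.quiet_period) for s in classify(SAMPLE)])
```

Feeding it the real output of system journal show | grep "osdx hostapd" works the same way; a station left at "incomplete" has no terminal message in the captured window.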