MAB Fallback
This scenario shows how to configure the MAB-fallback authentication mode.
Test Successful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/aiW5buct616JbqULqGhMjaTLcrpLZyksWO9YY7HJpYNwv06eeNzkmLSgTGU7Ma9KslWYJM9CRwg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.667 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.667/0.667/0.667/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+PEfgpgAnDmKEdU6YsvxPB1oGhKqIRwLo=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.541 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.541/0.541/0.541/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
May 04 18:10:54.250154 osdx hostapd[52910]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:10:54.250165 osdx hostapd[52910]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:10:54.250363 osdx hostapd[52910]: connect[radius]: Network is unreachable
May 04 18:10:54.250197 osdx hostapd[52910]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:10:54.250199 osdx hostapd[52910]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:10:54.274069 osdx hostapd[52910]: Discovery mode enabled on eth2
May 04 18:10:54.274130 osdx hostapd[52910]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:10:54.274130 osdx hostapd[52910]: eth2: AP-ENABLED
May 04 18:10:57.479465 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
May 04 18:10:57.479479 osdx hostapd[52911]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:10:57.494186 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
May 04 18:10:57.494220 osdx hostapd[52911]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
May 04 18:10:57.494229 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
May 04 18:10:57.494233 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
May 04 18:10:57.494252 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
May 04 18:10:57.494256 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
May 04 18:10:57.494267 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
May 04 18:10:57.494276 osdx hostapd[52911]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:10:57.494300 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 148)
May 04 18:10:57.494679 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=148 len=12) from STA: EAP Response-Identity (1)
May 04 18:10:57.494697 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
May 04 18:10:57.494723 osdx hostapd[52911]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:10:57.496503 osdx hostapd[52911]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:10:57.496538 osdx hostapd[52911]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:10:57.496781 osdx hostapd[52911]: eth2: RADIUS Received 80 bytes from RADIUS server
May 04 18:10:57.496787 osdx hostapd[52911]: eth2: RADIUS Received RADIUS message
May 04 18:10:57.496793 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:10:57.496827 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=149 len=22) from RADIUS server: EAP-Request-MD5 (4)
May 04 18:10:57.496834 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 149)
May 04 18:10:57.497051 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=149 len=6) from STA: EAP Response-unknown (3)
May 04 18:10:57.497092 osdx hostapd[52911]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:10:57.497105 osdx hostapd[52911]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:10:57.497245 osdx hostapd[52911]: eth2: RADIUS Received 64 bytes from RADIUS server
May 04 18:10:57.497249 osdx hostapd[52911]: eth2: RADIUS Received RADIUS message
May 04 18:10:57.497252 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:10:57.497265 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=150 len=6) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:10:57.497270 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 150)
May 04 18:10:57.497587 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=150 len=194) from STA: EAP Response-PEAP (25)
May 04 18:10:57.497636 osdx hostapd[52911]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:10:57.497652 osdx hostapd[52911]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:10:57.498619 osdx hostapd[52911]: eth2: RADIUS Received 1068 bytes from RADIUS server
May 04 18:10:57.498625 osdx hostapd[52911]: eth2: RADIUS Received RADIUS message
May 04 18:10:57.498629 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:10:57.498651 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=151 len=1004) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:10:57.498658 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 151)
May 04 18:10:57.498856 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=151 len=6) from STA: EAP Response-PEAP (25)
May 04 18:10:57.498897 osdx hostapd[52911]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:10:57.498910 osdx hostapd[52911]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:10:57.499024 osdx hostapd[52911]: eth2: RADIUS Received 229 bytes from RADIUS server
May 04 18:10:57.499028 osdx hostapd[52911]: eth2: RADIUS Received RADIUS message
May 04 18:10:57.499032 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:10:57.499046 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=152 len=171) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:10:57.499052 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 152)
May 04 18:10:57.500416 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=152 len=103) from STA: EAP Response-PEAP (25)
May 04 18:10:57.500467 osdx hostapd[52911]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:10:57.500481 osdx hostapd[52911]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:10:57.500765 osdx hostapd[52911]: eth2: RADIUS Received 115 bytes from RADIUS server
May 04 18:10:57.500771 osdx hostapd[52911]: eth2: RADIUS Received RADIUS message
May 04 18:10:57.500774 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:10:57.500792 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=153 len=57) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:10:57.500799 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 153)
May 04 18:10:57.501028 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=153 len=6) from STA: EAP Response-PEAP (25)
May 04 18:10:57.501071 osdx hostapd[52911]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:10:57.501084 osdx hostapd[52911]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:10:57.501210 osdx hostapd[52911]: eth2: RADIUS Received 98 bytes from RADIUS server
May 04 18:10:57.501215 osdx hostapd[52911]: eth2: RADIUS Received RADIUS message
May 04 18:10:57.501218 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:10:57.501233 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=154 len=40) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:10:57.501244 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 154)
May 04 18:10:57.501444 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=154 len=43) from STA: EAP Response-PEAP (25)
May 04 18:10:57.501486 osdx hostapd[52911]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:10:57.501500 osdx hostapd[52911]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:10:57.501650 osdx hostapd[52911]: eth2: RADIUS Received 131 bytes from RADIUS server
May 04 18:10:57.501655 osdx hostapd[52911]: eth2: RADIUS Received RADIUS message
May 04 18:10:57.501658 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:10:57.501672 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=155 len=73) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:10:57.501678 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 155)
May 04 18:10:57.501912 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=155 len=97) from STA: EAP Response-PEAP (25)
May 04 18:10:57.501944 osdx hostapd[52911]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:10:57.501954 osdx hostapd[52911]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:10:57.502119 osdx hostapd[52911]: eth2: RADIUS Received 140 bytes from RADIUS server
May 04 18:10:57.502124 osdx hostapd[52911]: eth2: RADIUS Received RADIUS message
May 04 18:10:57.502128 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:10:57.502144 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=156 len=82) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:10:57.502150 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 156)
May 04 18:10:57.502319 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=156 len=37) from STA: EAP Response-PEAP (25)
May 04 18:10:57.502359 osdx hostapd[52911]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:10:57.502369 osdx hostapd[52911]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:10:57.502501 osdx hostapd[52911]: eth2: RADIUS Received 104 bytes from RADIUS server
May 04 18:10:57.502506 osdx hostapd[52911]: eth2: RADIUS Received RADIUS message
May 04 18:10:57.502510 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:10:57.502524 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=157 len=46) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:10:57.502530 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 157)
May 04 18:10:57.502726 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=157 len=46) from STA: EAP Response-PEAP (25)
May 04 18:10:57.502760 osdx hostapd[52911]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:10:57.502770 osdx hostapd[52911]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:10:57.502958 osdx hostapd[52911]: eth2: RADIUS Received 175 bytes from RADIUS server
May 04 18:10:57.502963 osdx hostapd[52911]: eth2: RADIUS Received RADIUS message
May 04 18:10:57.502966 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:10:57.502988 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
May 04 18:10:57.502992 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=157 len=4) from RADIUS server: EAP Success
May 04 18:10:57.503008 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 157)
May 04 18:10:57.503022 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
May 04 18:10:57.503027 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 72F2AA35746D29EC
May 04 18:10:57.503031 osdx hostapd[52911]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Successful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/0LxZX31433IPCAtzvwOL70W8/oNuJporhSP+rUS/y0NM/++vBtU17vXs6aQgIJ+8peMQ1xU8iig==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.372 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.372/0.372/0.372/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1+0aIuIYDvOsEJkoVJeU+MEElFLJu+Kdlk=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.320 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.320/0.320/0.320/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
May 04 18:11:05.319442 osdx hostapd[53431]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:11:05.319690 osdx hostapd[53431]: connect[radius]: Network is unreachable
May 04 18:11:05.319456 osdx hostapd[53431]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:11:05.319505 osdx hostapd[53431]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:11:05.319509 osdx hostapd[53431]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:11:05.339330 osdx hostapd[53431]: Discovery mode enabled on eth2
May 04 18:11:05.339415 osdx hostapd[53431]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:11:05.339415 osdx hostapd[53431]: eth2: AP-ENABLED
May 04 18:11:08.565662 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
May 04 18:11:08.565677 osdx hostapd[53432]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:11:08.579363 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
May 04 18:11:08.579390 osdx hostapd[53432]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
May 04 18:11:08.579393 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
May 04 18:11:08.579396 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
May 04 18:11:08.579409 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
May 04 18:11:08.579412 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
May 04 18:11:08.579426 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
May 04 18:11:08.579434 osdx hostapd[53432]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:11:08.579459 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 45)
May 04 18:11:08.579846 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=45 len=12) from STA: EAP Response-Identity (1)
May 04 18:11:08.579859 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
May 04 18:11:08.579891 osdx hostapd[53432]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:11:08.581738 osdx hostapd[53432]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:08.581766 osdx hostapd[53432]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:08.582042 osdx hostapd[53432]: eth2: RADIUS Received 80 bytes from RADIUS server
May 04 18:11:08.582049 osdx hostapd[53432]: eth2: RADIUS Received RADIUS message
May 04 18:11:08.582053 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:08.582074 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=46 len=22) from RADIUS server: EAP-Request-MD5 (4)
May 04 18:11:08.582081 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 46)
May 04 18:11:08.582355 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=46 len=6) from STA: EAP Response-unknown (3)
May 04 18:11:08.582409 osdx hostapd[53432]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:08.582424 osdx hostapd[53432]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:08.582657 osdx hostapd[53432]: eth2: RADIUS Received 64 bytes from RADIUS server
May 04 18:11:08.582667 osdx hostapd[53432]: eth2: RADIUS Received RADIUS message
May 04 18:11:08.582674 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:08.582702 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=47 len=6) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:08.582711 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 47)
May 04 18:11:08.583125 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=47 len=194) from STA: EAP Response-PEAP (25)
May 04 18:11:08.583172 osdx hostapd[53432]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:08.583188 osdx hostapd[53432]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:08.584192 osdx hostapd[53432]: eth2: RADIUS Received 1068 bytes from RADIUS server
May 04 18:11:08.584198 osdx hostapd[53432]: eth2: RADIUS Received RADIUS message
May 04 18:11:08.584205 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:08.584232 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=48 len=1004) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:08.584240 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 48)
May 04 18:11:08.584444 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=48 len=6) from STA: EAP Response-PEAP (25)
May 04 18:11:08.584491 osdx hostapd[53432]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:08.584502 osdx hostapd[53432]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:08.584652 osdx hostapd[53432]: eth2: RADIUS Received 229 bytes from RADIUS server
May 04 18:11:08.584658 osdx hostapd[53432]: eth2: RADIUS Received RADIUS message
May 04 18:11:08.584661 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:08.584684 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=49 len=171) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:08.584691 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 49)
May 04 18:11:08.586661 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=49 len=103) from STA: EAP Response-PEAP (25)
May 04 18:11:08.586706 osdx hostapd[53432]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:08.586719 osdx hostapd[53432]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:08.587095 osdx hostapd[53432]: eth2: RADIUS Received 115 bytes from RADIUS server
May 04 18:11:08.587101 osdx hostapd[53432]: eth2: RADIUS Received RADIUS message
May 04 18:11:08.587104 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:08.587118 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=50 len=57) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:08.587123 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 50)
May 04 18:11:08.587425 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=50 len=6) from STA: EAP Response-PEAP (25)
May 04 18:11:08.587470 osdx hostapd[53432]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:08.587524 osdx hostapd[53432]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:08.587647 osdx hostapd[53432]: eth2: RADIUS Received 98 bytes from RADIUS server
May 04 18:11:08.587653 osdx hostapd[53432]: eth2: RADIUS Received RADIUS message
May 04 18:11:08.587660 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:08.587682 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=51 len=40) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:08.587689 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 51)
May 04 18:11:08.588014 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=51 len=43) from STA: EAP Response-PEAP (25)
May 04 18:11:08.588062 osdx hostapd[53432]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:08.588078 osdx hostapd[53432]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:08.588285 osdx hostapd[53432]: eth2: RADIUS Received 131 bytes from RADIUS server
May 04 18:11:08.588293 osdx hostapd[53432]: eth2: RADIUS Received RADIUS message
May 04 18:11:08.588297 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:08.588316 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=52 len=73) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:08.588323 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 52)
May 04 18:11:08.588714 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=52 len=97) from STA: EAP Response-PEAP (25)
May 04 18:11:08.588764 osdx hostapd[53432]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:08.588778 osdx hostapd[53432]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:08.589014 osdx hostapd[53432]: eth2: RADIUS Received 140 bytes from RADIUS server
May 04 18:11:08.589021 osdx hostapd[53432]: eth2: RADIUS Received RADIUS message
May 04 18:11:08.589025 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:08.589052 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=53 len=82) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:08.589059 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 53)
May 04 18:11:08.589295 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=53 len=37) from STA: EAP Response-PEAP (25)
May 04 18:11:08.589341 osdx hostapd[53432]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:08.589386 osdx hostapd[53432]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:08.589532 osdx hostapd[53432]: eth2: RADIUS Received 104 bytes from RADIUS server
May 04 18:11:08.589539 osdx hostapd[53432]: eth2: RADIUS Received RADIUS message
May 04 18:11:08.589543 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:08.589561 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=54 len=46) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:08.589567 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 54)
May 04 18:11:08.589869 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=54 len=46) from STA: EAP Response-PEAP (25)
May 04 18:11:08.589916 osdx hostapd[53432]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:08.589955 osdx hostapd[53432]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:08.590136 osdx hostapd[53432]: eth2: RADIUS Received 175 bytes from RADIUS server
May 04 18:11:08.590143 osdx hostapd[53432]: eth2: RADIUS Received RADIUS message
May 04 18:11:08.590147 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:08.590172 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
May 04 18:11:08.590176 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=54 len=4) from RADIUS server: EAP Success
May 04 18:11:08.590261 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 54)
May 04 18:11:08.590277 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
May 04 18:11:08.590281 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session FFA7C915EAD09C85
May 04 18:11:08.590285 osdx hostapd[53432]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/EbFfalvlnhs1SNEehYBE9eR3AJpott6vnfEFYqWshPFW19l9MhEdQD7xRsIUhpZ9QdBV4IIaw1A==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.294 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.294/0.294/0.294/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19ptmFANow7TWdMTihlkP36WdWRxnW4DSs=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB

-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         8
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         10
EAPoL frames (Tx)         10
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         wrong
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.761 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.761/0.761/0.761/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
May 04 18:11:17.229578 osdx hostapd[53948]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:11:17.229594 osdx hostapd[53948]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:11:17.229860 osdx hostapd[53948]: connect[radius]: Network is unreachable
May 04 18:11:17.229636 osdx hostapd[53948]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:11:17.229639 osdx hostapd[53948]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:11:17.249392 osdx hostapd[53948]: Discovery mode enabled on eth2
May 04 18:11:17.249488 osdx hostapd[53948]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:11:17.249488 osdx hostapd[53948]: eth2: AP-ENABLED
May 04 18:11:20.495736 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
May 04 18:11:20.495750 osdx hostapd[53949]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:11:20.509424 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
May 04 18:11:20.509455 osdx hostapd[53949]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
May 04 18:11:20.509459 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
May 04 18:11:20.509461 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
May 04 18:11:20.509474 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
May 04 18:11:20.509477 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
May 04 18:11:20.509484 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
May 04 18:11:20.509492 osdx hostapd[53949]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:11:20.509511 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 158)
May 04 18:11:20.509896 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=158 len=10) from STA: EAP Response-Identity (1)
May 04 18:11:20.509910 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong'
May 04 18:11:20.509938 osdx hostapd[53949]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:11:20.511775 osdx hostapd[53949]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:20.511800 osdx hostapd[53949]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:20.512032 osdx hostapd[53949]: eth2: RADIUS Received 80 bytes from RADIUS server
May 04 18:11:20.512038 osdx hostapd[53949]: eth2: RADIUS Received RADIUS message
May 04 18:11:20.512041 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:20.512059 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=159 len=22) from RADIUS server: EAP-Request-MD5 (4)
May 04 18:11:20.512065 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 159)
May 04 18:11:20.512316 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=159 len=6) from STA: EAP Response-unknown (3)
May 04 18:11:20.512379 osdx hostapd[53949]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:20.512399 osdx hostapd[53949]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:20.512579 osdx hostapd[53949]: eth2: RADIUS Received 64 bytes from RADIUS server
May 04 18:11:20.512586 osdx hostapd[53949]: eth2: RADIUS Received RADIUS message
May 04 18:11:20.512590 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:20.512610 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=160 len=6) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:20.512622 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 160)
May 04 18:11:20.512997 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=160 len=194) from STA: EAP Response-PEAP (25)
May 04 18:11:20.513041 osdx hostapd[53949]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:20.513055 osdx hostapd[53949]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:20.514311 osdx hostapd[53949]: eth2: RADIUS Received 1068 bytes from RADIUS server
May 04 18:11:20.514316 osdx hostapd[53949]: eth2: RADIUS Received RADIUS message
May 04 18:11:20.514319 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:20.514337 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=161 len=1004) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:20.514343 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 161)
May 04 18:11:20.514468 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=161 len=6) from STA: EAP Response-PEAP (25)
May 04 18:11:20.514502 osdx hostapd[53949]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:20.514513 osdx hostapd[53949]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:20.514654 osdx hostapd[53949]: eth2: RADIUS Received 229 bytes from RADIUS server
May 04 18:11:20.514662 osdx hostapd[53949]: eth2: RADIUS Received RADIUS message
May 04 18:11:20.514666 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:20.514691 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=162 len=171) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:20.514707 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 162)
May 04 18:11:20.516509 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=162 len=103) from STA: EAP Response-PEAP (25)
May 04 18:11:20.516557 osdx hostapd[53949]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:20.516572 osdx hostapd[53949]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:20.516903 osdx hostapd[53949]: eth2: RADIUS Received 115 bytes from RADIUS server
May 04 18:11:20.516909 osdx hostapd[53949]: eth2: RADIUS Received RADIUS message
May 04 18:11:20.516914 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:20.516930 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=163 len=57) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:20.516936 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 163)
May 04 18:11:20.517150 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=163 len=6) from STA: EAP Response-PEAP (25)
May 04 18:11:20.517191 osdx hostapd[53949]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:20.517205 osdx hostapd[53949]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:20.517318 osdx hostapd[53949]: eth2: RADIUS Received 98 bytes from RADIUS server
May 04 18:11:20.517323 osdx hostapd[53949]: eth2: RADIUS Received RADIUS message
May 04 18:11:20.517326 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:20.517347 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=164 len=40) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:20.517353 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 164)
May 04 18:11:20.517464 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=164 len=41) from STA: EAP Response-PEAP (25)
May 04 18:11:20.517495 osdx hostapd[53949]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:20.517505 osdx hostapd[53949]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:20.517609 osdx hostapd[53949]: eth2: RADIUS Received 131 bytes from RADIUS server
May 04 18:11:20.517616 osdx hostapd[53949]: eth2: RADIUS Received RADIUS message
May 04 18:11:20.517621 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:20.517634 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=165 len=73) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:20.517639 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 165)
May 04 18:11:20.517876 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=165 len=95) from STA: EAP Response-PEAP (25)
May 04 18:11:20.517906 osdx hostapd[53949]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:20.517912 osdx hostapd[53949]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:20.518079 osdx hostapd[53949]: eth2: RADIUS Received 104 bytes from RADIUS server
May 04 18:11:20.518084 osdx hostapd[53949]: eth2: RADIUS Received RADIUS message
May 04 18:11:20.518090 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:20.518105 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=166 len=46) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:20.518110 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 166)
May 04 18:11:20.518281 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=166 len=46) from STA: EAP Response-PEAP (25)
May 04 18:11:20.518311 osdx hostapd[53949]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:20.518319 osdx hostapd[53949]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:21.518402 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=8)
May 04 18:11:21.518434 osdx hostapd[53949]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
May 04 18:11:21.518584 osdx hostapd[53949]: eth2: RADIUS Received 44 bytes from RADIUS server
May 04 18:11:21.518589 osdx hostapd[53949]: eth2: RADIUS Received RADIUS message
May 04 18:11:21.518593 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:21.518632 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=4 id=166 len=4) from RADIUS server: EAP Failure
May 04 18:11:21.518666 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 166)
May 04 18:11:21.518683 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
May 04 18:11:21.518686 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
May 04 18:11:21.518690 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
May 04 18:11:21.518694 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
May 04 18:11:21.518749 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
May 04 18:11:21.518758 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
May 04 18:11:21.518772 osdx hostapd[53949]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:21.518786 osdx hostapd[53949]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:21.518806 osdx hostapd[53949]: eth2: RADIUS Received 44 bytes from RADIUS server
May 04 18:11:21.518809 osdx hostapd[53949]: eth2: RADIUS Received RADIUS message
May 04 18:11:21.518812 osdx hostapd[53949]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
May 04 18:11:21.519006 osdx hostapd[53949]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:11:21.519010 osdx hostapd[53949]: eth2: RADIUS Received RADIUS message
May 04 18:11:21.519015 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:21.519019 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
May 04 18:11:21.519047 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
May 04 18:11:21.519051 osdx hostapd[53949]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:11:21.519059 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
May 04 18:11:21.519063 osdx hostapd[53949]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session A94174364B5816CF
Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18RAmYcG0dNFKxTouDltJlmmqQh7kpmXk2KaFbvwNBtSPZOY6rk/xnFofrqpvM7Z6LgptWoihv9Eg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.542 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.542/0.542/0.542/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19lt3KvHyuF2RwVqDimf+EbkTrDn6/Nz9o=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Unauthorized

---------------------------------
Field                Value
---------------------------------
EAPoL Frames (Rx)    10
EAPoL Frames (Tx)    10
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Unauthorized
Req Frames (Rx)      8
Req ID Frames (Rx)   1
Resp Frames (Tx)     9
Start Frames (Tx)    1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?

-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         8
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       N/A
Authentication Status     Unauthorized
Authentication Successes  0
EAPoL frames (Rx)         10
EAPoL frames (Tx)         10
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
May 04 18:11:28.264748 osdx hostapd[54466]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:11:28.264760 osdx hostapd[54466]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:11:28.264973 osdx hostapd[54466]: connect[radius]: Network is unreachable
May 04 18:11:28.264800 osdx hostapd[54466]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:11:28.264804 osdx hostapd[54466]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:11:28.280628 osdx hostapd[54466]: Discovery mode enabled on eth2
May 04 18:11:28.280677 osdx hostapd[54466]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:11:28.280677 osdx hostapd[54466]: eth2: AP-ENABLED
May 04 18:11:31.471007 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
May 04 18:11:31.471019 osdx hostapd[54467]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:11:31.488698 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
May 04 18:11:31.488723 osdx hostapd[54467]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
May 04 18:11:31.488727 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
May 04 18:11:31.488729 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
May 04 18:11:31.488742 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
May 04 18:11:31.488744 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
May 04 18:11:31.488751 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
May 04 18:11:31.488761 osdx hostapd[54467]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:11:31.488779 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 74)
May 04 18:11:31.489068 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=74 len=10) from STA: EAP Response-Identity (1)
May 04 18:11:31.489081 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
May 04 18:11:31.489107 osdx hostapd[54467]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:11:31.491056 osdx hostapd[54467]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:31.491086 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:31.491312 osdx hostapd[54467]: eth2: RADIUS Received 80 bytes from RADIUS server
May 04 18:11:31.491318 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:31.491322 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:31.491342 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=75 len=22) from RADIUS server: EAP-Request-MD5 (4)
May 04 18:11:31.491349 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 75)
May 04 18:11:31.491532 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=75 len=6) from STA: EAP Response-unknown (3)
May 04 18:11:31.491578 osdx hostapd[54467]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:31.491589 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:31.491745 osdx hostapd[54467]: eth2: RADIUS Received 64 bytes from RADIUS server
May 04 18:11:31.491750 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:31.491753 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:31.491767 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=76 len=6) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:31.491772 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 76)
May 04 18:11:31.492116 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=76 len=194) from STA: EAP Response-PEAP (25)
May 04 18:11:31.492153 osdx hostapd[54467]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:31.492164 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:31.493303 osdx hostapd[54467]: eth2: RADIUS Received 1068 bytes from RADIUS server
May 04 18:11:31.493308 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:31.493310 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:31.493326 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=77 len=1004) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:31.493331 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 77)
May 04 18:11:31.493480 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=77 len=6) from STA: EAP Response-PEAP (25)
May 04 18:11:31.493514 osdx hostapd[54467]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:31.493523 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:31.493647 osdx hostapd[54467]: eth2: RADIUS Received 229 bytes from RADIUS server
May 04 18:11:31.493651 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:31.493654 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:31.493666 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=78 len=171) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:31.493671 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 78)
May 04 18:11:31.494980 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=78 len=103) from STA: EAP Response-PEAP (25)
May 04 18:11:31.495017 osdx hostapd[54467]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:31.495027 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:31.495278 osdx hostapd[54467]: eth2: RADIUS Received 115 bytes from RADIUS server
May 04 18:11:31.495282 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:31.495285 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:31.495298 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=79 len=57) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:31.495303 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 79)
May 04 18:11:31.495475 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=79 len=6) from STA: EAP Response-PEAP (25)
May 04 18:11:31.495501 osdx hostapd[54467]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:31.495510 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:31.495630 osdx hostapd[54467]: eth2: RADIUS Received 98 bytes from RADIUS server
May 04 18:11:31.495634 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:31.495637 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:31.495647 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=80 len=40) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:31.495651 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 80)
May 04 18:11:31.495777 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=80 len=41) from STA: EAP Response-PEAP (25)
May 04 18:11:31.495803 osdx hostapd[54467]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:31.495813 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:31.495966 osdx hostapd[54467]: eth2: RADIUS Received 131 bytes from RADIUS server
May 04 18:11:31.495970 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:31.495973 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:31.495986 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=81 len=73) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:31.495991 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 81)
May 04 18:11:31.496180 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=81 len=95) from STA: EAP Response-PEAP (25)
May 04 18:11:31.496211 osdx hostapd[54467]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:31.496220 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:31.496356 osdx hostapd[54467]: eth2: RADIUS Received 104 bytes from RADIUS server
May 04 18:11:31.496360 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:31.496363 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:31.496373 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=82 len=46) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:11:31.496377 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 82)
May 04 18:11:31.496499 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=82 len=46) from STA: EAP Response-PEAP (25)
May 04 18:11:31.496529 osdx hostapd[54467]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:31.496538 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:32.496623 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
May 04 18:11:32.496656 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
May 04 18:11:32.496828 osdx hostapd[54467]: eth2: RADIUS Received 44 bytes from RADIUS server
May 04 18:11:32.496831 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:32.496835 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:32.496879 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=82 len=4) from RADIUS server: EAP Failure
May 04 18:11:32.496903 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 82)
May 04 18:11:32.496918 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
May 04 18:11:32.496921 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
May 04 18:11:32.496923 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
May 04 18:11:32.496927 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
May 04 18:11:32.496984 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
May 04 18:11:32.496992 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
May 04 18:11:32.497010 osdx hostapd[54467]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:11:32.497019 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:11:32.497031 osdx hostapd[54467]: eth2: RADIUS Received 44 bytes from RADIUS server
May 04 18:11:32.497033 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:32.497035 osdx hostapd[54467]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
May 04 18:11:33.497138 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
May 04 18:11:33.497178 osdx hostapd[54467]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
May 04 18:11:33.497353 osdx hostapd[54467]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:11:33.497358 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:33.497362 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:11:33.497367 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
May 04 18:11:33.497420 osdx hostapd[54467]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:11:33.497423 osdx hostapd[54467]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:11:33.497426 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
May 04 18:11:33.497430 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
May 04 18:11:33.497438 osdx hostapd[54467]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:11:33.497441 osdx hostapd[54467]: eth2: RADIUS Received RADIUS message
May 04 18:11:33.497444 osdx hostapd[54467]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Test Unsupported 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19R/g8enLdkaOEKin85LGcfJCwFclMJEpTj09QWkf2KCnKRmiT7rKL2O4R4RcNkttxMQA+3k23M+Q==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.203 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.203/0.203/0.203/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.437 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.437/0.437/0.437/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                        Value
-------------------------------------------
Access Challenges            0
Authentication Backend       RADIUS
Authentication Failures      0
Authentication Mode          MAB
Authentication Status        Authorized (MAB)
Authentication Successes     1
EAPoL frames (Rx)            0
EAPoL frames (Tx)            4
Quiet Period                 60
Reauthenticate               FALSE
Reauthenticate Period        0
Session Time                 0
Session User MAC             de:ad:be:ef:6c:12
Session User Name            N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.276 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.276/0.276/0.276/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
May 04 18:11:41.497966 osdx hostapd[54973]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:11:41.497990 osdx hostapd[54973]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:11:41.498441 osdx hostapd[54973]: connect[radius]: Network is unreachable
May 04 18:11:41.498038 osdx hostapd[54973]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:11:41.498042 osdx hostapd[54973]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:11:41.513713 osdx hostapd[54973]: Discovery mode enabled on eth2
May 04 18:11:41.513789 osdx hostapd[54973]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:11:41.513789 osdx hostapd[54973]: eth2: AP-ENABLED
May 04 18:11:46.514073 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
May 04 18:11:46.514124 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
May 04 18:11:46.514134 osdx hostapd[54974]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:11:46.533768 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
May 04 18:11:46.533796 osdx hostapd[54974]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
May 04 18:11:46.533799 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
May 04 18:11:46.533802 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
May 04 18:11:46.533817 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
May 04 18:11:46.533826 osdx hostapd[54974]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:11:46.533852 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 2)
May 04 18:11:49.536058 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 2)
May 04 18:11:55.541049 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 2)
May 04 18:12:07.550929 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
May 04 18:12:07.550938 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
May 04 18:12:07.550942 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
May 04 18:12:07.550984 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
May 04 18:12:07.552650 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
May 04 18:12:07.552660 osdx hostapd[54974]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:12:07.552720 osdx hostapd[54974]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:12:07.552749 osdx hostapd[54974]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:12:07.552763 osdx hostapd[54974]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:12:07.552775 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 253)
May 04 18:12:07.552998 osdx hostapd[54974]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:12:07.553002 osdx hostapd[54974]: eth2: RADIUS Received RADIUS message
May 04 18:12:07.553005 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:12:07.553009 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
May 04 18:12:07.553017 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
May 04 18:12:07.553027 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
May 04 18:12:07.553030 osdx hostapd[54974]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:12:07.553037 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
May 04 18:12:07.553040 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session E29EA24C16EB7FFE
Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+1ZHxUjQrdCflPD7ySozbr5YdeFRyOyDjp+35ReFnjWx9TBtbraUL/fV/+AVEvblTdqKj1gxXwaQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.262 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.262/0.262/0.262/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                        Value
-------------------------------------------
Access Challenges            0
Authentication Backend       RADIUS
Authentication Failures      2
Authentication Mode          N/A
Authentication Status        Unauthorized
Authentication Successes     0
EAPoL frames (Rx)            0
EAPoL frames (Tx)            4
Quiet Period                 60
Reauthenticate               FALSE
Reauthenticate Period        0
Session Time                 0
Session User MAC             00:11:22:33:44:55
Session User Name            N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
May 04 18:12:17.427041 osdx hostapd[55537]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:12:17.427058 osdx hostapd[55537]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:12:17.427318 osdx hostapd[55537]: connect[radius]: Network is unreachable
May 04 18:12:17.427105 osdx hostapd[55537]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:12:17.427109 osdx hostapd[55537]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:12:17.442955 osdx hostapd[55537]: Discovery mode enabled on eth2
May 04 18:12:17.443010 osdx hostapd[55537]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:12:17.443010 osdx hostapd[55537]: eth2: AP-ENABLED
May 04 18:12:22.443297 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
May 04 18:12:22.443337 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
May 04 18:12:22.443346 osdx hostapd[55538]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:12:22.463006 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
May 04 18:12:22.463035 osdx hostapd[55538]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
May 04 18:12:22.463038 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
May 04 18:12:22.463041 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
May 04 18:12:22.463055 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
May 04 18:12:22.463063 osdx hostapd[55538]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:12:22.463095 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 4)
May 04 18:12:25.465301 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 4)
May 04 18:12:31.470300 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 4)
May 04 18:12:43.479291 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
May 04 18:12:43.479299 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
May 04 18:12:43.479302 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
May 04 18:12:43.479335 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
May 04 18:12:43.481221 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
May 04 18:12:43.481233 osdx hostapd[55538]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:12:43.481296 osdx hostapd[55538]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:12:43.481330 osdx hostapd[55538]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:12:43.481347 osdx hostapd[55538]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:12:43.481362 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 248)
May 04 18:12:44.482277 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
May 04 18:12:44.482317 osdx hostapd[55538]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
May 04 18:12:44.482334 osdx hostapd[55538]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:12:44.482336 osdx hostapd[55538]: eth2: RADIUS Received RADIUS message
May 04 18:12:44.482341 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:12:44.482344 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
May 04 18:12:44.482398 osdx hostapd[55538]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:12:44.482400 osdx hostapd[55538]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:12:44.482404 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
May 04 18:12:44.482409 osdx hostapd[55538]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
May 04 18:12:44.482418 osdx hostapd[55538]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:12:44.482420 osdx hostapd[55538]: eth2: RADIUS Received RADIUS message
May 04 18:12:44.482424 osdx hostapd[55538]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
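The journal checks in these scenarios can be automated. The following is an added example, not part of the product documentation: it reads hostapd journal lines in the format shown above and reports, per station, why MAB fallback was triggered, the MAB result and the last port state. MAB sends the station's MAC address as both User-Name and User-Password, so the list of ports opened by MAB alone is the one to review. The function names and outcome labels are assumptions, and the sample lines are constructed from the output above.

```python
import re

# Constructed sample: lines in the journal format shown above, two stations.
SAMPLE_JOURNAL = """\
May 04 18:11:32.496918 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
May 04 18:11:32.496923 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
May 04 18:11:33.497426 osdx hostapd[54467]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
May 04 18:12:07.550938 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
May 04 18:12:07.552763 osdx hostapd[54974]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:12:07.553027 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
May 04 18:12:07.553037 osdx hostapd[54974]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
"""

PAE_GROUP_MAC = "01:80:c2:00:00:03"  # 802.1X PAE group address, not a station
LINE_RE = re.compile(
    r"hostapd\[\d+\]: (?P<ifname>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<rest>.*)$",
    re.IGNORECASE)

# (substring, field, value). Order matters: "unauthorizing port" is tested
# before "authorizing port" because the latter is a substring of the former.
RULES = [
    ("EAP max retrans reached, triggering MAB fallback", "fallback", "no-802.1x-response"),
    ("802.1X authentication failed, triggering MAB fallback", "fallback", "802.1x-rejected"),
    ("MAB: station successfully authenticated", "mab", "accepted"),
    ("MAB: Authentication failed", "mab", "rejected"),
    ("unauthorizing port", "port", "unauthorized"),
    ("authorizing port", "port", "authorized"),
]


def summarize(journal_text):
    """Return {mac: state} holding the last fallback, MAB and port state seen."""
    stations = {}
    for line in journal_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["mac"].lower() == PAE_GROUP_MAC:
            continue
        state = stations.setdefault(
            m["mac"].lower(),
            {"ifname": m["ifname"], "fallback": None, "mab": None, "port": None})
        for needle, field, value in RULES:
            if needle in m["rest"]:
                state[field] = value
                break
    return stations


def mab_authorized(stations):
    """MACs whose port is open on MAB alone, i.e. with the MAC as credential."""
    return sorted(mac for mac, s in stations.items()
                  if s["mab"] == "accepted" and s["port"] == "authorized")


if __name__ == "__main__":
    for mac, state in summarize(SAMPLE_JOURNAL).items():
        print(mac, state)
```

To run it against a live device, pass the text returned by system journal show | grep "osdx hostapd" to summarize() in place of the sample.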