MAB First
This scenario shows how to configure the MAB-first authentication mode.
Test Successful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18QtIPhxhGPCPafmiE/AKhmqmfjTPwNc5e6ktGmDkeL5r4Kg4oxBljRqCfH/p4htHjBUBUfdvja7g==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.369 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.369/0.369/0.369/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX18djO+AW2SMy8Obh1CvdeMzhiCudwGjqSQ=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB

-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         1
EAPoL frames (Tx)         0
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.319 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.319/0.319/0.319/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticated

May 04 18:12:55.452207 osdx hostapd[56085]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:12:55.452226 osdx hostapd[56085]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:12:55.452488 osdx hostapd[56085]: connect[radius]: Network is unreachable
May 04 18:12:55.452273 osdx hostapd[56085]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:12:55.452277 osdx hostapd[56085]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:12:55.476094 osdx hostapd[56085]: Discovery mode enabled on eth2
May 04 18:12:55.476180 osdx hostapd[56085]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:12:55.476180 osdx hostapd[56085]: eth2: AP-ENABLED
May 04 18:12:58.691394 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
May 04 18:12:58.691410 osdx hostapd[56086]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:12:58.704054 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
May 04 18:12:58.704077 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
May 04 18:12:58.704091 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
May 04 18:12:58.705723 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
May 04 18:12:58.705732 osdx hostapd[56086]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:12:58.705798 osdx hostapd[56086]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:12:58.705823 osdx hostapd[56086]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:12:58.705842 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
May 04 18:12:58.706091 osdx hostapd[56086]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:12:58.706096 osdx hostapd[56086]: eth2: RADIUS Received RADIUS message
May 04 18:12:58.706099 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:12:58.706102 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
May 04 18:12:58.706112 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
May 04 18:12:58.706123 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
May 04 18:12:58.706126 osdx hostapd[56086]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:12:58.706134 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
May 04 18:12:58.706137 osdx hostapd[56086]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session D42B304CC896448B
Test Successful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+Qwx0X5PMFNmyELIwveet7wQMWP+y+zBVuQdoWMpHOSCsSvqHg7YGwIbcmPaNv8qVb248HstA6CQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.335 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.335/0.335/0.335/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19KClPZQ7LbS9U2o8yCNA2PeVJgq/s4fEQ=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB

-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         1
EAPoL frames (Tx)         0
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.287 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.287/0.287/0.287/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticated

May 04 18:13:06.421346 osdx hostapd[56605]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:13:06.421359 osdx hostapd[56605]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:13:06.421567 osdx hostapd[56605]: connect[radius]: Network is unreachable
May 04 18:13:06.421399 osdx hostapd[56605]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:13:06.421404 osdx hostapd[56605]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:13:06.449225 osdx hostapd[56605]: Discovery mode enabled on eth2
May 04 18:13:06.449388 osdx hostapd[56605]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:13:06.449388 osdx hostapd[56605]: eth2: AP-ENABLED
May 04 18:13:09.672567 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
May 04 18:13:09.672580 osdx hostapd[56606]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:13:09.685254 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
May 04 18:13:09.685286 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
May 04 18:13:09.685305 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
May 04 18:13:09.687547 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
May 04 18:13:09.687558 osdx hostapd[56606]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:13:09.687622 osdx hostapd[56606]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:09.687746 osdx hostapd[56606]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:09.687779 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
May 04 18:13:09.687990 osdx hostapd[56606]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:13:09.687997 osdx hostapd[56606]: eth2: RADIUS Received RADIUS message
May 04 18:13:09.688002 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:09.688006 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
May 04 18:13:09.688023 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
May 04 18:13:09.688039 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
May 04 18:13:09.688042 osdx hostapd[56606]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:13:09.688052 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
May 04 18:13:09.688055 osdx hostapd[56606]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 9AADA2128EAD3131
Test Successful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18fx+i1v9NpQhtDMhZ4FYj7HaxEUX8CILePW06SK7mLhwydACaRz7oJIoqIjxA+Xh6N1rYQoOBKJA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.326 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.326/0.326/0.326/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.653 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.653/0.653/0.653/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB

-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         0
EAPoL frames (Tx)         0
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.389 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.389/0.389/0.389/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
802.1X: MAB: station successfully authenticated

May 04 18:13:18.430654 osdx hostapd[57122]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:13:18.430672 osdx hostapd[57122]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:13:18.430959 osdx hostapd[57122]: connect[radius]: Network is unreachable
May 04 18:13:18.430728 osdx hostapd[57122]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:13:18.430731 osdx hostapd[57122]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:13:18.462546 osdx hostapd[57122]: Discovery mode enabled on eth2
May 04 18:13:18.462617 osdx hostapd[57122]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:13:18.462638 osdx hostapd[57122]: eth2: AP-ENABLED
May 04 18:13:23.462885 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
May 04 18:13:23.462924 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
May 04 18:13:23.462934 osdx hostapd[57123]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:13:23.478592 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
May 04 18:13:23.478626 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
May 04 18:13:23.478645 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
May 04 18:13:23.480967 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
May 04 18:13:23.480981 osdx hostapd[57123]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:13:23.481073 osdx hostapd[57123]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:23.481108 osdx hostapd[57123]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:23.481415 osdx hostapd[57123]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:13:23.481421 osdx hostapd[57123]: eth2: RADIUS Received RADIUS message
May 04 18:13:23.481425 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:23.481429 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
May 04 18:13:23.481442 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
May 04 18:13:23.481456 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
May 04 18:13:23.481460 osdx hostapd[57123]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:13:23.481475 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
May 04 18:13:23.481479 osdx hostapd[57123]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 333E707AB7B4B293
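Added example, not part of the OSDx documentation: a Python sketch that reads hostapd journal lines in the format shown in these scenarios and reports, per station, whether the port was authorized by MAB or by the 802.1X fallback. It also marks stations that sent EAPOL-Start yet were admitted by MAB, the case the "Unsuccessful 802.1x Fallback" scenario shows, where the supplicant credentials are never evaluated. The names Session, parse_sessions and report, the finding strings, and the sample lines (constructed from the log format above) are assumptions of this example.

```python
"""Classify MAB-first outcomes from hostapd journal lines (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Per-station lines look like: "... hostapd[PID]: eth2: STA <mac> IEEE 802.1X: <message>"
LINE_RE = re.compile(
    r"hostapd\[\d+\]: (?P<ifname>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:IEEE 802\.1X|RADIUS|DRIVER): (?P<msg>.*)$"
)
EAP_OK_RE = re.compile(r"authenticated - EAP type: (\d+) \((\w+)\)")
IDENTITY_RE = re.compile(r"STA identity '([^']*)'")


@dataclass
class Session:  # hypothetical record type for this example
    ifname: str
    mac: str
    method: Optional[str] = None    # "MAB" or "802.1X" once authenticated
    mab_rejected: bool = False      # RADIUS refused the MAC, fallback started
    eapol_start: bool = False       # station runs an 802.1X supplicant
    identity: Optional[str] = None  # EAP identity, only seen on the 802.1X path
    eap_type: Optional[str] = None
    authorized: bool = False

    def finding(self) -> str:
        if self.method == "MAB" and self.eapol_start:
            # Port opened on the MAC alone although the device can do 802.1X.
            return "review: 802.1X-capable station admitted on MAC address alone"
        if self.method == "MAB":
            return "ok: MAB-only device"
        if self.method == "802.1X" and self.mab_rejected:
            return "ok: MAC rejected, authenticated with 802.1X"
        return "incomplete: no successful authentication logged"


def parse_sessions(journal: str) -> list[Session]:
    """Build one Session per 'Starting MAB authentication' event."""
    sessions: list[Session] = []
    current: dict[tuple[str, str], Session] = {}
    for line in journal.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # interface-level lines carry no station MAC
        key, msg = (m["ifname"], m["mac"]), m["msg"]
        if msg == "MAB-first mode: Starting MAB authentication":
            current[key] = Session(*key)
            sessions.append(current[key])
            continue
        s = current.get(key)
        if s is None:
            continue  # e.g. the 01:80:c2:00:00:03 group-address lines
        if msg == "received EAPOL-Start from STA":
            s.eapol_start = True
        elif msg == "MAB: station successfully authenticated":
            s.method = "MAB"
        elif msg == "MAB-first mode: MAB failed, transitioning to 802.1X":
            s.mab_rejected = True
        elif (ident := IDENTITY_RE.fullmatch(msg)):
            s.identity = ident[1]
        elif (eap := EAP_OK_RE.search(msg)):
            s.method, s.eap_type = "802.1X", eap[2]
        elif msg == "authorizing port":
            s.authorized = True
    return sessions


def report(journal: str) -> list[tuple[str, Optional[str], bool, str]]:
    return [(s.mac, s.method, s.authorized, s.finding()) for s in parse_sessions(journal)]


# Constructed sample, shortened from the journal format shown on this page.
P = "osdx hostapd[1000]: eth2: STA"
SAMPLE_JOURNAL = f"""\
May 04 18:13:09.685254 {P} de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
May 04 18:13:09.687779 {P} de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
May 04 18:13:09.688039 {P} de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
May 04 18:13:09.688052 {P} de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
May 04 18:13:23.478592 {P} de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
May 04 18:13:23.481456 {P} de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
May 04 18:13:23.481475 {P} de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
May 04 18:13:36.364660 {P} 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
May 04 18:13:36.366599 {P} 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
May 04 18:13:37.366913 {P} 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
May 04 18:13:37.366926 {P} 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:13:37.367245 {P} 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
May 04 18:13:37.373980 {P} 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
May 04 18:13:37.373987 {P} 00:11:22:33:44:55 IEEE 802.1X: authorizing port
"""

if __name__ == "__main__":
    for row in report(SAMPLE_JOURNAL):
        print(row)
```
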
Test Unsuccessful MAB Authentication With Successful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19x24PqJO9O9oL3W/ychw6Pge44U5ok3Kjj1aIiDBf7qDhq61YGYKYk/BBf13z/s6hRuf5Uwscy6w==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.524 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.524/0.524/0.524/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1++iGq+MZhLdY1/2Pl4ucvDGYDjeahl2ac=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized

---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized

-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X

---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.537 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.537/0.537/0.537/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

May 04 18:13:33.112704 osdx hostapd[57647]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:13:33.112720 osdx hostapd[57647]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:13:33.112942 osdx hostapd[57647]: connect[radius]: Network is unreachable
May 04 18:13:33.112763 osdx hostapd[57647]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:13:33.112767 osdx hostapd[57647]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:13:33.132628 osdx hostapd[57647]: Discovery mode enabled on eth2
May 04 18:13:33.132675 osdx hostapd[57647]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:13:33.132675 osdx hostapd[57647]: eth2: AP-ENABLED
May 04 18:13:36.351991 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
May 04 18:13:36.352005 osdx hostapd[57648]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:13:36.364660 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
May 04 18:13:36.364692 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
May 04 18:13:36.364709 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
May 04 18:13:36.366446 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
May 04 18:13:36.366458 osdx hostapd[57648]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:13:36.366542 osdx hostapd[57648]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:36.366574 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:36.366599 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
May 04 18:13:37.366656 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
May 04 18:13:37.366690 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
May 04 18:13:37.366853 osdx hostapd[57648]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:13:37.366856 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.366859 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:37.366863 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
May 04 18:13:37.366911 osdx hostapd[57648]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:13:37.366913 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
May 04 18:13:37.366916 osdx hostapd[57648]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
May 04 18:13:37.366919 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
May 04 18:13:37.366926 osdx hostapd[57648]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:13:37.366938 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 34)
May 04 18:13:37.366949 osdx hostapd[57648]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:13:37.366952 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.366954 osdx hostapd[57648]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
May 04 18:13:37.367237 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=34 len=12) from STA: EAP Response-Identity (1)
May 04 18:13:37.367245 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
May 04 18:13:37.367292 osdx hostapd[57648]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:37.367306 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:37.367548 osdx hostapd[57648]: eth2: RADIUS Received 80 bytes from RADIUS server
May 04 18:13:37.367554 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.367558 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:37.367588 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=35 len=22) from RADIUS server: EAP-Request-MD5 (4)
May 04 18:13:37.367599 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 35)
May 04 18:13:37.367831 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=35 len=6) from STA: EAP Response-unknown (3)
May 04 18:13:37.367875 osdx hostapd[57648]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:37.367894 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:37.368103 osdx hostapd[57648]: eth2: RADIUS Received 64 bytes from RADIUS server
May 04 18:13:37.368108 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.368111 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:37.368124 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=36 len=6) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:37.368129 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 36)
May 04 18:13:37.368438 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=36 len=194) from STA: EAP Response-PEAP (25)
May 04 18:13:37.368475 osdx hostapd[57648]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:37.368486 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:37.369636 osdx hostapd[57648]: eth2: RADIUS Received 1068 bytes from RADIUS server
May 04 18:13:37.369643 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.369646 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:37.369683 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=37 len=1004) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:37.369690 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 37)
May 04 18:13:37.369963 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=37 len=6) from STA: EAP Response-PEAP (25)
May 04 18:13:37.370014 osdx hostapd[57648]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:37.370030 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:37.370189 osdx hostapd[57648]: eth2: RADIUS Received 229 bytes from RADIUS server
May 04 18:13:37.370194 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.370196 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:37.370209 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=38 len=171) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:37.370214 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 38)
May 04 18:13:37.371640 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=38 len=103) from STA: EAP Response-PEAP (25)
May 04 18:13:37.371687 osdx hostapd[57648]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:37.371701 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:37.372010 osdx hostapd[57648]: eth2: RADIUS Received 115 bytes from RADIUS server
May 04 18:13:37.372015 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.372018 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:37.372035 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=39 len=57) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:37.372040 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 39)
May 04 18:13:37.372253 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=39 len=6) from STA: EAP Response-PEAP (25)
May 04 18:13:37.372284 osdx hostapd[57648]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:37.372293 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:37.372432 osdx hostapd[57648]: eth2: RADIUS Received 98 bytes from RADIUS server
May 04 18:13:37.372436 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.372439 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:37.372451 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=40 len=40) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:37.372455 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 40)
May 04 18:13:37.372604 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=40 len=43) from STA: EAP Response-PEAP (25)
May 04 18:13:37.372633 osdx hostapd[57648]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:37.372641 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:37.372795 osdx hostapd[57648]: eth2: RADIUS Received 131 bytes from RADIUS server
May 04 18:13:37.372799 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.372802 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:37.372814 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=41 len=73) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:37.372820 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 41)
May 04 18:13:37.373024 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=41 len=97) from STA: EAP Response-PEAP (25)
May 04 18:13:37.373051 osdx hostapd[57648]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:37.373058 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:37.373224 osdx hostapd[57648]: eth2: RADIUS Received 140 bytes from RADIUS server
May 04 18:13:37.373229 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.373233 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:37.373245 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=42 len=82) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:37.373250 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 42)
May 04 18:13:37.373379 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=42 len=37) from STA: EAP Response-PEAP (25)
May 04 18:13:37.373404 osdx hostapd[57648]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:37.373411 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:37.373561 osdx hostapd[57648]: eth2: RADIUS Received 104 bytes from RADIUS server
May 04 18:13:37.373566 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.373569 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:37.373584 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=43 len=46) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:37.373590 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 43)
May 04 18:13:37.373710 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=43 len=46) from STA: EAP Response-PEAP (25)
May 04 18:13:37.373745 osdx hostapd[57648]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:37.373756 osdx hostapd[57648]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:37.373931 osdx hostapd[57648]: eth2: RADIUS Received 175 bytes from RADIUS server
May 04 18:13:37.373936 osdx hostapd[57648]: eth2: RADIUS Received RADIUS message
May 04 18:13:37.373938 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:37.373956 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
May 04 18:13:37.373959 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=43 len=4) from RADIUS server: EAP Success
May 04 18:13:37.373972 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 43)
May 04 18:13:37.373987 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
May
04 18:13:37.373990 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session F909502745890C3E May 04 18:13:37.374001 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+1tpFVn3vhkkExHTbRInvPmQX1aBDvbUyj49BhEpEM4oR3iBF05dfObhFZiYoCGvBP0Lj/DPTx1A==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.267 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.267/0.267/0.267/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/J445rwpyvAt4YpRw9noxm/Ob76YwIIEc=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Unauthorized
---------------------------------
Field                Value
---------------------------------
EAPoL Frames (Rx)    9
EAPoL Frames (Tx)    10
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Unauthorized
Req Frames (Rx)      8
Req ID Frames (Rx)   1
Resp Frames (Tx)     9
Start Frames (Tx)    1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         8
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       N/A
Authentication Status     Unauthorized
Authentication Successes  0
EAPoL frames (Rx)         10
EAPoL frames (Tx)         9
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
May 04 18:13:45.237890 osdx hostapd[58172]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:13:45.237905 osdx hostapd[58172]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:13:45.238183 osdx hostapd[58172]: connect[radius]: Network is unreachable
May 04 18:13:45.237958 osdx hostapd[58172]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:13:45.237965 osdx hostapd[58172]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:13:45.257766 osdx hostapd[58172]: Discovery mode enabled on eth2
May 04 18:13:45.257849 osdx hostapd[58172]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:13:45.257849 osdx hostapd[58172]: eth2: AP-ENABLED
May 04 18:13:48.500033 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
May 04 18:13:48.500049 osdx hostapd[58173]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:13:48.513754 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
May 04 18:13:48.513777 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
May 04 18:13:48.513790 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
May 04 18:13:48.515432 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
May 04 18:13:48.515442 osdx hostapd[58173]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:13:48.515507 osdx hostapd[58173]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:48.515534 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:48.515554 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
May 04 18:13:49.515620 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
May 04 18:13:49.515655 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
May 04 18:13:49.515870 osdx hostapd[58173]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:13:49.515873 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:49.515876 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:49.515880 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
May 04 18:13:49.515933 osdx hostapd[58173]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:13:49.515936 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
May 04 18:13:49.515939 osdx hostapd[58173]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
May 04 18:13:49.515941 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
May 04 18:13:49.515947 osdx hostapd[58173]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:13:49.515963 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 179)
May 04 18:13:49.515975 osdx hostapd[58173]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:13:49.515978 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:49.515980 osdx hostapd[58173]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
May 04 18:13:49.516266 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=179 len=10) from STA: EAP Response-Identity (1)
May 04 18:13:49.516280 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
May 04 18:13:49.516342 osdx hostapd[58173]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:49.516353 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:49.516561 osdx hostapd[58173]: eth2: RADIUS Received 80 bytes from RADIUS server
May 04 18:13:49.516569 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:49.516575 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:49.516607 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=180 len=22) from RADIUS server: EAP-Request-MD5 (4)
May 04 18:13:49.516615 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 180)
May 04 18:13:49.516815 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=180 len=6) from STA: EAP Response-unknown (3)
May 04 18:13:49.516863 osdx hostapd[58173]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:49.516876 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:49.517113 osdx hostapd[58173]: eth2: RADIUS Received 64 bytes from RADIUS server
May 04 18:13:49.517118 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:49.517121 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:49.517138 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=181 len=6) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:49.517143 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 181)
May 04 18:13:49.517462 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=181 len=194) from STA: EAP Response-PEAP (25)
May 04 18:13:49.517503 osdx hostapd[58173]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:49.517515 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:49.518537 osdx hostapd[58173]: eth2: RADIUS Received 1068 bytes from RADIUS server
May 04 18:13:49.518545 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:49.518548 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:49.518570 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=182 len=1004) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:49.518576 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 182)
May 04 18:13:49.518756 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=182 len=6) from STA: EAP Response-PEAP (25)
May 04 18:13:49.518798 osdx hostapd[58173]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:49.518810 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:49.518956 osdx hostapd[58173]: eth2: RADIUS Received 229 bytes from RADIUS server
May 04 18:13:49.518961 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:49.518964 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:49.518980 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=183 len=171) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:49.518987 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 183)
May 04 18:13:49.520391 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=183 len=103) from STA: EAP Response-PEAP (25)
May 04 18:13:49.520439 osdx hostapd[58173]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:49.520458 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:49.520772 osdx hostapd[58173]: eth2: RADIUS Received 115 bytes from RADIUS server
May 04 18:13:49.520777 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:49.520779 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:49.520793 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=184 len=57) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:49.520799 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 184)
May 04 18:13:49.521051 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=184 len=6) from STA: EAP Response-PEAP (25)
May 04 18:13:49.521101 osdx hostapd[58173]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:49.521117 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:49.521274 osdx hostapd[58173]: eth2: RADIUS Received 98 bytes from RADIUS server
May 04 18:13:49.521282 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:49.521287 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:49.521311 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=185 len=40) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:49.521318 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 185)
May 04 18:13:49.521489 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=185 len=41) from STA: EAP Response-PEAP (25)
May 04 18:13:49.521530 osdx hostapd[58173]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:49.521544 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:49.521718 osdx hostapd[58173]: eth2: RADIUS Received 131 bytes from RADIUS server
May 04 18:13:49.521724 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:49.521728 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:49.521742 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=186 len=73) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:49.521749 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 186)
May 04 18:13:49.521978 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=186 len=95) from STA: EAP Response-PEAP (25)
May 04 18:13:49.522017 osdx hostapd[58173]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:49.522027 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:49.522182 osdx hostapd[58173]: eth2: RADIUS Received 104 bytes from RADIUS server
May 04 18:13:49.522188 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:49.522192 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:49.522205 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=187 len=46) from RADIUS server: EAP-Request-PEAP (25)
May 04 18:13:49.522211 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 187)
May 04 18:13:49.522362 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=187 len=46) from STA: EAP Response-PEAP (25)
May 04 18:13:49.522396 osdx hostapd[58173]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:13:49.522407 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:13:50.522493 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
May 04 18:13:50.522522 osdx hostapd[58173]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
May 04 18:13:50.522637 osdx hostapd[58173]: eth2: RADIUS Received 44 bytes from RADIUS server
May 04 18:13:50.522641 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:50.522644 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:13:50.522690 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=187 len=4) from RADIUS server: EAP Failure
May 04 18:13:50.522712 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 187)
May 04 18:13:50.522725 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
May 04 18:13:50.522729 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
May 04 18:13:50.522732 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds)
May 04 18:13:50.522736 osdx hostapd[58173]: eth2: RADIUS Received 44 bytes from RADIUS server
May 04 18:13:50.522738 osdx hostapd[58173]: eth2: RADIUS Received RADIUS message
May 04 18:13:50.522740 osdx hostapd[58173]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback
Description
This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19+G9x2DfgIaUtCRE05eZjHjAmoiLHml0pK7QmCVWpSupvO+n9+QWiizKcNjJ9VEdKadoRiYdzXrw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.230 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.230/0.230/0.230/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       N/A
Authentication Status     Unauthorized
Authentication Successes  0
EAPoL frames (Rx)         0
EAPoL frames (Tx)         2
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: EAP authentication timeout
May 04 18:13:57.387917 osdx hostapd[58680]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
May 04 18:13:57.387932 osdx hostapd[58680]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:13:57.388268 osdx hostapd[58680]: connect[radius]: Network is unreachable
May 04 18:13:57.387969 osdx hostapd[58680]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
May 04 18:13:57.387973 osdx hostapd[58680]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
May 04 18:13:57.403799 osdx hostapd[58680]: Discovery mode enabled on eth2
May 04 18:13:57.403880 osdx hostapd[58680]: eth2: interface state UNINITIALIZED->ENABLED
May 04 18:13:57.403903 osdx hostapd[58680]: eth2: AP-ENABLED
May 04 18:14:02.404166 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
May 04 18:14:02.404210 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
May 04 18:14:02.404221 osdx hostapd[58681]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
May 04 18:14:02.419877 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
May 04 18:14:02.419910 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
May 04 18:14:02.419926 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
May 04 18:14:02.421867 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
May 04 18:14:02.421882 osdx hostapd[58681]: eth2: RADIUS Authentication server 10.215.168.1:1812
May 04 18:14:02.421970 osdx hostapd[58681]: eth2: RADIUS Sending RADIUS message to authentication server
May 04 18:14:02.422007 osdx hostapd[58681]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
May 04 18:14:03.422081 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
May 04 18:14:03.422114 osdx hostapd[58681]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
May 04 18:14:03.422250 osdx hostapd[58681]: eth2: RADIUS Received 20 bytes from RADIUS server
May 04 18:14:03.422255 osdx hostapd[58681]: eth2: RADIUS Received RADIUS message
May 04 18:14:03.422260 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 04 18:14:03.422264 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
May 04 18:14:03.422314 osdx hostapd[58681]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
May 04 18:14:03.422316 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
May 04 18:14:03.422319 osdx hostapd[58681]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
May 04 18:14:03.422322 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
May 04 18:14:03.422327 osdx hostapd[58681]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:14:03.422340 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 76)
May 04 18:14:06.423153 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 76)
May 04 18:14:11.204972 osdx OSDxCLI[4873]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
May 04 18:14:12.428171 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 76)
May 04 18:14:19.389048 osdx OSDxCLI[4873]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
May 04 18:14:24.439203 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
May 04 18:14:24.439226 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying
May 04 18:14:24.439249 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2)
May 04 18:14:24.439256 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)
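The journal tokens these scenarios check for can also be evaluated per station rather than by grep. The following Python parser is an added example, not part of the original page or of the OSDx tooling: it groups hostapd journal lines by station and reports how each MAB-first attempt ended. The sample lines are abridged from the journal output above; treating each (hostapd PID, interface, MAC) triple as one session and the helper names are assumptions of this example.

```python
import re

# Layout of the per-station journal lines shown on this page:
#   <timestamp> <host> hostapd[<pid>]: <iface>: STA <mac> <module>: <message>
STA_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) \S+ hostapd\[(?P<pid>\d+)\]: "
    r"(?P<iface>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<module>[^:]+): (?P<msg>.*)$",
    re.IGNORECASE,
)
IDENTITY = re.compile(r"(?:^STA identity|from Access-Accept) '([^']*)'")
QUIET = re.compile(r"enforcing (?:(\d+) second quiet period|quiet period \((\d+) seconds\))")

# IEEE 802.1X PAE group address: logged in the "STA" position, but not a station.
PAE_GROUP_ADDR = "01:80:c2:00:00:03"

# Lines abridged from the journal output on this page (three separate test runs).
# The first run is represented only by its final lines.
SAMPLE_JOURNAL = """\
May 04 18:13:37.373956 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
May 04 18:13:37.373987 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
May 04 18:13:37.374001 osdx hostapd[57648]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
May 04 18:13:48.513754 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
May 04 18:13:49.515936 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
May 04 18:13:49.515947 osdx hostapd[58173]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
May 04 18:13:49.516280 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
May 04 18:13:50.522729 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
May 04 18:13:50.522732 osdx hostapd[58173]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds)
May 04 18:13:50.522740 osdx hostapd[58173]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
May 04 18:14:02.419877 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
May 04 18:14:03.422316 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
May 04 18:14:11.204972 osdx OSDxCLI[4873]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
May 04 18:14:24.439226 osdx hostapd[58681]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying
"""


def classify_sessions(journal_text):
    """Return one summary dict per (hostapd PID, interface, station MAC)."""
    sessions = {}
    for raw in journal_text.splitlines():
        m = STA_LINE.match(raw.strip())
        if m is None or m["mac"].lower() == PAE_GROUP_ADDR:
            continue  # interface-level RADIUS lines, other daemons, PAE group address
        mac = m["mac"].lower()
        # Assumption of this example: a new hostapd PID means a new session.
        s = sessions.setdefault((m["pid"], m["iface"], mac), {
            "iface": m["iface"], "mac": mac, "first_seen": m["ts"],
            "mab_failed": False, "identity": None,
            "outcome": "in progress", "quiet_period": None,
        })
        s["last_seen"] = m["ts"]
        msg = m["msg"]
        if msg.startswith("MAB-first mode: MAB failed"):
            s["mab_failed"] = True
        elif msg.startswith("authenticated - EAP type"):
            s["outcome"] = "802.1X accepted"
        elif msg.startswith("authentication failed - EAP type"):
            s["outcome"] = "802.1X rejected"
        elif msg.startswith("EAP authentication timeout"):
            s["outcome"] = "802.1X timeout"  # the station never answered EAP
        ident = IDENTITY.search(msg)
        if ident:
            s["identity"] = ident.group(1)
        quiet = QUIET.search(msg)
        if quiet:
            s["quiet_period"] = int(quiet.group(1) or quiet.group(2))
    return list(sessions.values())


def failed_both(sessions):
    """Stations rejected by MAB that also did not pass the 802.1X fallback."""
    return [s for s in sessions
            if s["mab_failed"] and s["outcome"] in ("802.1X rejected", "802.1X timeout")]


if __name__ == "__main__":
    for s in classify_sessions(SAMPLE_JOURNAL):
        print(f'{s["first_seen"]}  {s["iface"]} {s["mac"]}  MAB failed={s["mab_failed"]}  '
              f'{s["outcome"]}  identity={s["identity"]}  quiet={s["quiet_period"]}')
```

The "802.1X timeout" outcome corresponds to the unsupported-supplicant scenario, where the authenticator statistics show zero received EAPoL frames.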