MAB Fallback
This scenario shows how to configure the MAB-fallback authentication mode.
Test Successful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19CORGjfkbi/9xI0cUbp77BqGKpIVBbA1oGM4zsd2YA9p4rDyxummspltSAc4FHS+ZV2b5OcK19vg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.420 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.420/0.420/0.420/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19MTqdAj2ofpZHk8YBmu6iJ+4YV+SP4JB4=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.259 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.259/0.259/0.259/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Jun 04 16:24:13.258537 osdx hostapd[695080]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:24:13.258549 osdx hostapd[695080]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:24:13.258784 osdx hostapd[695080]: connect[radius]: Network is unreachable
Jun 04 16:24:13.258599 osdx hostapd[695080]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:24:13.258603 osdx hostapd[695080]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:24:13.282480 osdx hostapd[695080]: Discovery mode enabled on eth2
Jun 04 16:24:13.282554 osdx hostapd[695080]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:24:13.282578 osdx hostapd[695080]: eth2: AP-ENABLED
Jun 04 16:24:16.474932 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jun 04 16:24:16.474944 osdx hostapd[695081]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:24:16.490495 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Jun 04 16:24:16.490526 osdx hostapd[695081]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:24:16.490530 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 04 16:24:16.490534 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 04 16:24:16.490549 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Jun 04 16:24:16.490552 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Jun 04 16:24:16.490565 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jun 04 16:24:16.490574 osdx hostapd[695081]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:24:16.490601 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 173)
Jun 04 16:24:16.490905 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=173 len=12) from STA: EAP Response-Identity (1)
Jun 04 16:24:16.490916 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Jun 04 16:24:16.490948 osdx hostapd[695081]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:24:16.492718 osdx hostapd[695081]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:16.492745 osdx hostapd[695081]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:16.493009 osdx hostapd[695081]: eth2: RADIUS Received 80 bytes from RADIUS server
Jun 04 16:24:16.493014 osdx hostapd[695081]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:16.493018 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:16.493037 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=174 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 04 16:24:16.493045 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 174)
Jun 04 16:24:16.493292 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=174 len=6) from STA: EAP Response-unknown (3)
Jun 04 16:24:16.493336 osdx hostapd[695081]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:16.493349 osdx hostapd[695081]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:16.493549 osdx hostapd[695081]: eth2: RADIUS Received 64 bytes from RADIUS server
Jun 04 16:24:16.493555 osdx hostapd[695081]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:16.493558 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:16.493576 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=175 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:16.493582 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 175)
Jun 04 16:24:16.493926 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=175 len=194) from STA: EAP Response-PEAP (25)
Jun 04 16:24:16.493965 osdx hostapd[695081]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:16.493978 osdx hostapd[695081]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:16.494959 osdx hostapd[695081]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jun 04 16:24:16.494968 osdx hostapd[695081]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:16.494973 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:16.495004 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=176 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:16.495013 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 176)
Jun 04 16:24:16.495180 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=176 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:24:16.495233 osdx hostapd[695081]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:16.495254 osdx hostapd[695081]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:16.495362 osdx hostapd[695081]: eth2: RADIUS Received 229 bytes from RADIUS server
Jun 04 16:24:16.495368 osdx hostapd[695081]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:16.495373 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:16.495389 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=177 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:16.495400 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 177)
Jun 04 16:24:16.496717 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=177 len=103) from STA: EAP Response-PEAP (25)
Jun 04 16:24:16.496763 osdx hostapd[695081]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:16.496774 osdx hostapd[695081]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:16.497054 osdx hostapd[695081]: eth2: RADIUS Received 115 bytes from RADIUS server
Jun 04 16:24:16.497060 osdx hostapd[695081]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:16.497064 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:16.497081 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=178 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:16.497090 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 178)
Jun 04 16:24:16.497353 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=178 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:24:16.497412 osdx hostapd[695081]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:16.497429 osdx hostapd[695081]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:16.497571 osdx hostapd[695081]: eth2: RADIUS Received 98 bytes from RADIUS server
Jun 04 16:24:16.497577 osdx hostapd[695081]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:16.497581 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:16.497605 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=179 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:16.497613 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 179)
Jun 04 16:24:16.497794 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=179 len=43) from STA: EAP Response-PEAP (25)
Jun 04 16:24:16.497835 osdx hostapd[695081]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:16.497848 osdx hostapd[695081]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:16.497997 osdx hostapd[695081]: eth2: RADIUS Received 131 bytes from RADIUS server
Jun 04 16:24:16.498002 osdx hostapd[695081]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:16.498006 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:16.498021 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=180 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:16.498027 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 180)
Jun 04 16:24:16.498311 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=180 len=97) from STA: EAP Response-PEAP (25)
Jun 04 16:24:16.498351 osdx hostapd[695081]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:16.498362 osdx hostapd[695081]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:16.498577 osdx hostapd[695081]: eth2: RADIUS Received 140 bytes from RADIUS server
Jun 04 16:24:16.498584 osdx hostapd[695081]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:16.498588 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:16.498608 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=181 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:16.498618 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 181)
Jun 04 16:24:16.498803 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=181 len=37) from STA: EAP Response-PEAP (25)
Jun 04 16:24:16.498841 osdx hostapd[695081]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:16.498854 osdx hostapd[695081]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:16.499016 osdx hostapd[695081]: eth2: RADIUS Received 104 bytes from RADIUS server
Jun 04 16:24:16.499022 osdx hostapd[695081]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:16.499026 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:16.499040 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=182 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:16.499047 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 182)
Jun 04 16:24:16.499227 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=182 len=46) from STA: EAP Response-PEAP (25)
Jun 04 16:24:16.499280 osdx hostapd[695081]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:16.499296 osdx hostapd[695081]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:16.499493 osdx hostapd[695081]: eth2: RADIUS Received 175 bytes from RADIUS server
Jun 04 16:24:16.499499 osdx hostapd[695081]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:16.499503 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:16.499528 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jun 04 16:24:16.499533 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=182 len=4) from RADIUS server: EAP Success
Jun 04 16:24:16.499548 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 182)
Jun 04 16:24:16.499565 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:24:16.499568 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 5F5C1455629E2A64
Jun 04 16:24:16.499572 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
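Added example (not part of the OSDx documentation): a small Python parser for the hostapd debug lines that Step 8 greps for, reporting per station whether the port was authorized through 802.1X or whether the MAB fallback timer was left armed because no 802.1X response arrived. The first station's lines are copied from the journal output above; the second station (02:00:00:00:00:aa), the function names and the verdict labels are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# 802.1X PAE group address: hostapd logs it as a "STA", but it is not a client.
PAE_GROUP_MAC = "01:80:c2:00:00:03"

# Per-station journal entry, e.g.
# "Jun 04 16:24:16.490565 osdx hostapd[695081]: eth2: STA <mac> IEEE 802.1X: <msg>"
LINE_RE = re.compile(
    r"^\w{3} \d{2} [\d:.]+ \S+ hostapd\[\d+\]: (?P<iface>\S+): "
    r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:IEEE 802\.1X|RADIUS): (?P<msg>.*)$"
)
SCHEDULED_RE = re.compile(r"^MAB fallback mode: Scheduling MAB trigger in (\d+) seconds")
IDENTITY_RE = re.compile(r"^STA identity '(.*)'$")
EAP_OK_RE = re.compile(r"^authenticated - EAP type: (\d+) \((\w+)\)$")


@dataclass
class Session:
    mac: str
    iface: str
    identity: Optional[str] = None
    mab_timeout: Optional[int] = None   # seconds, from the "Scheduling" line
    mab_cancelled: bool = False         # True once an 802.1X response arrived
    authorized: bool = False
    eap_method: Optional[str] = None

    def verdict(self) -> str:
        """Classify how (or whether) the port was opened for this station."""
        if self.authorized and self.eap_method:
            return "802.1X/" + self.eap_method
        if self.mab_timeout is not None and not self.mab_cancelled:
            # No EAPOL seen yet: the authenticator will fall back to MAB.
            return "mab-timer-armed"
        return "unauthorized"


def parse_journal(lines: Iterable[str]) -> Dict[str, Session]:
    """Fold hostapd journal lines into one Session per station MAC."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["mac"] == PAE_GROUP_MAC:
            continue  # interface-level RADIUS chatter or the group address
        s = sessions.setdefault(m["mac"], Session(m["mac"], m["iface"]))
        msg = m["msg"]
        if (hit := SCHEDULED_RE.match(msg)):
            s.mab_timeout, s.mab_cancelled = int(hit[1]), False
        elif msg.startswith("MAB: Cancelled MAB trigger"):
            s.mab_cancelled = True
        elif (hit := IDENTITY_RE.match(msg)):
            s.identity = hit[1]
        elif msg == "unauthorizing port":   # exact match: it contains "authorizing port"
            s.authorized, s.eap_method = False, None
        elif msg == "authorizing port":
            s.authorized = True
        elif (hit := EAP_OK_RE.match(msg)):
            s.eap_method = hit[2]
    return sessions


# Lines for de:ad:be:ef:6c:12 are taken from the journal above; the lines for
# 02:00:00:00:00:aa are constructed in the same format for a silent device.
SAMPLE_JOURNAL = """\
Jun 04 16:24:16.490495 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Jun 04 16:24:16.490526 osdx hostapd[695081]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:24:16.490530 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 04 16:24:16.490549 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Jun 04 16:24:16.490565 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jun 04 16:24:16.490916 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Jun 04 16:24:16.492718 osdx hostapd[695081]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:16.499565 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:24:16.499572 osdx hostapd[695081]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Jun 04 16:25:01.000001 osdx hostapd[695081]: eth2: STA 02:00:00:00:00:aa IEEE 802.1X: start authentication
Jun 04 16:25:01.000005 osdx hostapd[695081]: eth2: STA 02:00:00:00:00:aa IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 04 16:25:01.000009 osdx hostapd[695081]: eth2: STA 02:00:00:00:00:aa IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
""".splitlines()


if __name__ == "__main__":
    for mac, s in parse_journal(SAMPLE_JOURNAL).items():
        print(f"{s.iface} {mac} identity={s.identity} -> {s.verdict()}")
```

Stations reported as mab-timer-armed are the ones that will be admitted on MAC address alone if the RADIUS server accepts it, so they are worth reviewing against the list of devices expected to lack a supplicant.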
Test Successful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses the correct username and password, but an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+8MYv85O9Q18WuzQ6w0kK1U/uXoyDCLqNIN4fgPno/M3tyc7or5pTMH2Pev8xfpY8ULBX+YgCY4A==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.612 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.612/0.612/0.612/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/WFyuUJTTptLHd69EY2OEb8iFFMZjhvuU=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                   Value
---------------------------------------------------
EAP State               SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version         TLSv1.2
PAE State               AUTHENTICATED
Supplicant Port Status  Authorized
WPA State               COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                Value
-------------------------------
EAPoL Frames (Rx)    11
EAPoL Frames (Tx)    11
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Authorized
Req Frames (Rx)      9
Req ID Frames (Rx)   1
Resp Frames (Tx)     10
Start Frames (Tx)    1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                     Value
---------------------------------------------
Access Challenges         9
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes  1
EAPoL frames (Rx)         11
EAPoL frames (Tx)         11
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=2.13 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.134/2.134/2.134/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Jun 04 16:24:25.158468 osdx hostapd[695598]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:24:25.158487 osdx hostapd[695598]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:24:25.158813 osdx hostapd[695598]: connect[radius]: Network is unreachable
Jun 04 16:24:25.158551 osdx hostapd[695598]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:24:25.158555 osdx hostapd[695598]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:24:25.186351 osdx hostapd[695598]: Discovery mode enabled on eth2
Jun 04 16:24:25.186451 osdx hostapd[695598]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:24:25.186451 osdx hostapd[695598]: eth2: AP-ENABLED
Jun 04 16:24:28.358818 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jun 04 16:24:28.358833 osdx hostapd[695599]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:24:28.386340 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Jun 04 16:24:28.386365 osdx hostapd[695599]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:24:28.386369 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 04 16:24:28.386371 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 04 16:24:28.386385 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response
Jun 04 16:24:28.386387 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Jun 04 16:24:28.386395 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jun 04 16:24:28.386402 osdx hostapd[695599]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:24:28.386427 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 53)
Jun 04 16:24:28.386727 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=53 len=12) from STA: EAP Response-Identity (1)
Jun 04 16:24:28.386736 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Jun 04 16:24:28.386757 osdx hostapd[695599]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:24:28.389002 osdx hostapd[695599]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:28.389030 osdx hostapd[695599]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:28.389263 osdx hostapd[695599]: eth2: RADIUS Received 80 bytes from RADIUS server
Jun 04 16:24:28.389268 osdx hostapd[695599]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:28.389272 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:28.389289 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=54 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 04 16:24:28.389295 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 54)
Jun 04 16:24:28.389504 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=54 len=6) from STA: EAP Response-unknown (3)
Jun 04 16:24:28.389543 osdx hostapd[695599]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:28.389555 osdx hostapd[695599]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:28.389735 osdx hostapd[695599]: eth2: RADIUS Received 64 bytes from RADIUS server
Jun 04 16:24:28.389740 osdx hostapd[695599]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:28.389743 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:28.389759 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=55 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:28.389765 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 55)
Jun 04 16:24:28.390087 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=55 len=194) from STA: EAP Response-PEAP (25)
Jun 04 16:24:28.390128 osdx hostapd[695599]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:28.390139 osdx hostapd[695599]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:28.391321 osdx hostapd[695599]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jun 04 16:24:28.391331 osdx hostapd[695599]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:28.391336 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:28.391370 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=56 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:28.391381 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 56)
Jun 04 16:24:28.391680 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=56 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:24:28.391744 osdx hostapd[695599]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:28.391763 osdx hostapd[695599]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:28.391961 osdx hostapd[695599]: eth2: RADIUS Received 229 bytes from RADIUS server
Jun 04 16:24:28.391969 osdx hostapd[695599]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:28.391973 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:28.391994 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=57 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:28.392010 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 57)
Jun 04 16:24:28.393962 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=57 len=103) from STA: EAP Response-PEAP (25)
Jun 04 16:24:28.394058 osdx hostapd[695599]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:28.394090 osdx hostapd[695599]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:28.394663 osdx hostapd[695599]: eth2: RADIUS Received 115 bytes from RADIUS server
Jun 04 16:24:28.394673 osdx hostapd[695599]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:28.394681 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:28.394724 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=58 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:28.394736 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 58)
Jun 04 16:24:28.395158 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=58 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:24:28.395235 osdx hostapd[695599]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:28.395259 osdx hostapd[695599]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:28.395527 osdx hostapd[695599]: eth2: RADIUS Received 98 bytes from RADIUS server
Jun 04 16:24:28.395538 osdx hostapd[695599]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:28.395545 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:28.395578 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=59 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:28.395590 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 59)
Jun 04 16:24:28.395941 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=59 len=43) from STA: EAP Response-PEAP (25)
Jun 04 16:24:28.396011 osdx hostapd[695599]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:28.396032 osdx hostapd[695599]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:28.396339 osdx hostapd[695599]: eth2: RADIUS Received 131 bytes from RADIUS server
Jun 04 16:24:28.396351 osdx hostapd[695599]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:28.396358 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:28.396393 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=60 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:28.396406 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 60)
Jun 04 16:24:28.396893 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=60 len=97) from STA: EAP Response-PEAP (25)
Jun 04 16:24:28.396973 osdx hostapd[695599]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:28.397000 osdx hostapd[695599]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:28.397323 osdx hostapd[695599]: eth2: RADIUS Received 140 bytes from RADIUS server
Jun 04 16:24:28.397333 osdx hostapd[695599]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:28.397339 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:28.397371 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=61 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:28.397382 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 61)
Jun 04 16:24:28.397707 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=61 len=37) from STA: EAP Response-PEAP (25)
Jun 04 16:24:28.397781 osdx hostapd[695599]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:28.397799 osdx hostapd[695599]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:28.398041 osdx hostapd[695599]: eth2: RADIUS Received 104 bytes from RADIUS server
Jun 04 16:24:28.398051 osdx hostapd[695599]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:28.398057 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:28.398088 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=62 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:28.398096 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 62)
Jun 04 16:24:28.398352 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=62 len=46) from STA: EAP Response-PEAP (25)
Jun 04 16:24:28.398408 osdx hostapd[695599]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:28.398426 osdx hostapd[695599]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:28.398744 osdx hostapd[695599]: eth2: RADIUS Received 175 bytes from RADIUS server
Jun 04 16:24:28.398754 osdx hostapd[695599]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:28.398760 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:28.398799 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jun 04 16:24:28.398805 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=62 len=4) from RADIUS server: EAP Success
Jun 04 16:24:28.398830 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 62)
Jun 04 16:24:28.398853 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Jun 04 16:24:28.398859 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session CF07C5AC7867B220
Jun 04 16:24:28.398865 osdx hostapd[695599]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test Unsuccessful 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/NonN1JGGY7BzQ49Y8f9dFfZhuo+hcRUW1Kdwj0xu6vcplV+m2ju79DKpTaV9zzekWBRLFtV+FDg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.356 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.356/0.356/0.356/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19hnWQumYrnOGB7O6IXYYYoJM5T/4ze/Rg=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         8
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         10
EAPoL frames (Tx)         10
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         wrong
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.728 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.728/0.728/0.728/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Jun 04 16:24:36.374615 osdx hostapd[696116]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Jun 04 16:24:36.374632 osdx hostapd[696116]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jun 04 16:24:36.374971 osdx hostapd[696116]: connect[radius]: Network is unreachable Jun 04 16:24:36.374690 osdx hostapd[696116]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Jun 04 16:24:36.374695 osdx hostapd[696116]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Jun 04 16:24:36.398305 osdx hostapd[696116]: Discovery mode enabled on eth2 Jun 04 16:24:36.398410 osdx hostapd[696116]: eth2: interface state UNINITIALIZED->ENABLED Jun 04 16:24:36.398410 osdx hostapd[696116]: eth2: AP-ENABLED Jun 04 16:24:39.594762 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added Jun 04 16:24:39.594777 osdx hostapd[696117]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Jun 04 16:24:39.610307 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication Jun 04 16:24:39.610336 osdx hostapd[696117]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Jun 04 16:24:39.610339 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response Jun 04 16:24:39.610341 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Jun 04 16:24:39.610356 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response Jun 04 16:24:39.610359 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA Jun 04 16:24:39.610371 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Jun 04 
16:24:39.610380 osdx hostapd[696117]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Jun 04 16:24:39.610406 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 193) Jun 04 16:24:39.610746 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=193 len=10) from STA: EAP Response-Identity (1) Jun 04 16:24:39.610758 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'wrong' Jun 04 16:24:39.610787 osdx hostapd[696117]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jun 04 16:24:39.612555 osdx hostapd[696117]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:39.612581 osdx hostapd[696117]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:39.612832 osdx hostapd[696117]: eth2: RADIUS Received 80 bytes from RADIUS server Jun 04 16:24:39.612839 osdx hostapd[696117]: eth2: RADIUS Received RADIUS message Jun 04 16:24:39.612843 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:39.612872 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=194 len=22) from RADIUS server: EAP-Request-MD5 (4) Jun 04 16:24:39.612880 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 194) Jun 04 16:24:39.613095 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=194 len=6) from STA: EAP Response-unknown (3) Jun 04 16:24:39.613142 osdx hostapd[696117]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:39.613158 osdx hostapd[696117]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:39.613355 osdx hostapd[696117]: eth2: RADIUS Received 64 bytes from RADIUS server Jun 04 16:24:39.613360 osdx hostapd[696117]: eth2: RADIUS Received RADIUS message Jun 04 
16:24:39.613365 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:39.613381 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=195 len=6) from RADIUS server: EAP-Request-PEAP (25) Jun 04 16:24:39.613387 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 195) Jun 04 16:24:39.613775 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=195 len=194) from STA: EAP Response-PEAP (25) Jun 04 16:24:39.613812 osdx hostapd[696117]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:39.613823 osdx hostapd[696117]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:39.614793 osdx hostapd[696117]: eth2: RADIUS Received 1068 bytes from RADIUS server Jun 04 16:24:39.614801 osdx hostapd[696117]: eth2: RADIUS Received RADIUS message Jun 04 16:24:39.614806 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:39.614835 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=196 len=1004) from RADIUS server: EAP-Request-PEAP (25) Jun 04 16:24:39.614845 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 196) Jun 04 16:24:39.615012 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=196 len=6) from STA: EAP Response-PEAP (25) Jun 04 16:24:39.615054 osdx hostapd[696117]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:39.615069 osdx hostapd[696117]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:39.615202 osdx hostapd[696117]: eth2: RADIUS Received 229 bytes from RADIUS server Jun 04 16:24:39.615207 osdx hostapd[696117]: eth2: RADIUS Received RADIUS 
message Jun 04 16:24:39.615210 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:39.615231 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=197 len=171) from RADIUS server: EAP-Request-PEAP (25) Jun 04 16:24:39.615237 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 197) Jun 04 16:24:39.617110 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=197 len=103) from STA: EAP Response-PEAP (25) Jun 04 16:24:39.617149 osdx hostapd[696117]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:39.617164 osdx hostapd[696117]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:39.617468 osdx hostapd[696117]: eth2: RADIUS Received 115 bytes from RADIUS server Jun 04 16:24:39.617474 osdx hostapd[696117]: eth2: RADIUS Received RADIUS message Jun 04 16:24:39.617481 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:39.617502 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=198 len=57) from RADIUS server: EAP-Request-PEAP (25) Jun 04 16:24:39.617510 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 198) Jun 04 16:24:39.617771 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=198 len=6) from STA: EAP Response-PEAP (25) Jun 04 16:24:39.617826 osdx hostapd[696117]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:39.617843 osdx hostapd[696117]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:39.618007 osdx hostapd[696117]: eth2: RADIUS Received 98 bytes from RADIUS server Jun 04 16:24:39.618013 osdx hostapd[696117]: eth2: RADIUS 
Received RADIUS message Jun 04 16:24:39.618018 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:39.618034 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=199 len=40) from RADIUS server: EAP-Request-PEAP (25) Jun 04 16:24:39.618041 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 199) Jun 04 16:24:39.618184 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=199 len=41) from STA: EAP Response-PEAP (25) Jun 04 16:24:39.618232 osdx hostapd[696117]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:39.618244 osdx hostapd[696117]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:39.618395 osdx hostapd[696117]: eth2: RADIUS Received 131 bytes from RADIUS server Jun 04 16:24:39.618400 osdx hostapd[696117]: eth2: RADIUS Received RADIUS message Jun 04 16:24:39.618405 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:39.618420 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=200 len=73) from RADIUS server: EAP-Request-PEAP (25) Jun 04 16:24:39.618426 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 200) Jun 04 16:24:39.618652 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=200 len=95) from STA: EAP Response-PEAP (25) Jun 04 16:24:39.618686 osdx hostapd[696117]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:39.618696 osdx hostapd[696117]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:39.618839 osdx hostapd[696117]: eth2: RADIUS Received 104 bytes from RADIUS server Jun 04 16:24:39.618844 osdx hostapd[696117]: 
eth2: RADIUS Received RADIUS message Jun 04 16:24:39.618848 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:39.618862 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=201 len=46) from RADIUS server: EAP-Request-PEAP (25) Jun 04 16:24:39.618868 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 201) Jun 04 16:24:39.619013 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=201 len=46) from STA: EAP Response-PEAP (25) Jun 04 16:24:39.619047 osdx hostapd[696117]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:39.619057 osdx hostapd[696117]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:40.619099 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=8) Jun 04 16:24:40.619131 osdx hostapd[696117]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds Jun 04 16:24:40.619295 osdx hostapd[696117]: eth2: RADIUS Received 44 bytes from RADIUS server Jun 04 16:24:40.619299 osdx hostapd[696117]: eth2: RADIUS Received RADIUS message Jun 04 16:24:40.619302 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:40.619355 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=4 id=201 len=4) from RADIUS server: EAP Failure Jun 04 16:24:40.619383 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 201) Jun 04 16:24:40.619397 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port Jun 04 16:24:40.619401 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP) Jun 04 16:24:40.619404 osdx hostapd[696117]: eth2: STA 
de:ad:be:ef:6c:12 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately Jun 04 16:24:40.619409 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query Jun 04 16:24:40.619460 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12 Jun 04 16:24:40.619469 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12 Jun 04 16:24:40.619487 osdx hostapd[696117]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:40.619545 osdx hostapd[696117]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:40.619568 osdx hostapd[696117]: eth2: RADIUS Received 44 bytes from RADIUS server Jun 04 16:24:40.619571 osdx hostapd[696117]: eth2: RADIUS Received RADIUS message Jun 04 16:24:40.619574 osdx hostapd[696117]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet Jun 04 16:24:40.619730 osdx hostapd[696117]: eth2: RADIUS Received 20 bytes from RADIUS server Jun 04 16:24:40.619732 osdx hostapd[696117]: eth2: RADIUS Received RADIUS message Jun 04 16:24:40.619735 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:40.619738 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response Jun 04 16:24:40.619761 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated Jun 04 16:24:40.619763 osdx hostapd[696117]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled Jun 04 16:24:40.619770 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port Jun 04 16:24:40.619773 osdx hostapd[696117]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session FBD08408D99DE750
Test Unsuccessful 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 uses an incorrect username and MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19wxGxuFdyfrToAdUwVdkN+RezSL9JzKFPH2OLzIfIW47Gm/bM14SDoh4qe/97o55omAOlIG2JL9g==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.416 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.416/0.416/0.416/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19mF/tbArA2MfZNCFoU/CYQRiB9VrmEOVE=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Unauthorized
---------------------------------
Field                Value
---------------------------------
EAPoL Frames (Rx)    10
EAPoL Frames (Tx)    10
Invalid Frames (Rx)  0
Logoff Frames (Tx)   0
Port Status          Unauthorized
Req Frames (Rx)      8
Req ID Frames (Rx)   1
Resp Frames (Tx)     9
Start Frames (Tx)    1
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         8
Authentication Backend    RADIUS
Authentication Failures   1
Authentication Mode       N/A
Authentication Status     Unauthorized
Authentication Successes  0
EAPoL frames (Rx)         10
EAPoL frames (Tx)         10
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         N/A
Step 6: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Jun 04 16:24:49.504396 osdx hostapd[696634]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported. Jun 04 16:24:49.504411 osdx hostapd[696634]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jun 04 16:24:49.504631 osdx hostapd[696634]: connect[radius]: Network is unreachable Jun 04 16:24:49.504451 osdx hostapd[696634]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30 Jun 04 16:24:49.504454 osdx hostapd[696634]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode Jun 04 16:24:49.528315 osdx hostapd[696634]: Discovery mode enabled on eth2 Jun 04 16:24:49.528370 osdx hostapd[696634]: eth2: interface state UNINITIALIZED->ENABLED Jun 04 16:24:49.528394 osdx hostapd[696634]: eth2: AP-ENABLED Jun 04 16:24:52.686817 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added Jun 04 16:24:52.686831 osdx hostapd[696635]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode Jun 04 16:24:52.716373 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication Jun 04 16:24:52.716404 osdx hostapd[696635]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames Jun 04 16:24:52.716408 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response Jun 04 16:24:52.716411 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response Jun 04 16:24:52.716426 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Cancelled MAB trigger - received 802.1X response Jun 04 16:24:52.716429 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA Jun 04 16:24:52.716438 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port Jun 04 
16:24:52.716447 osdx hostapd[696635]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication Jun 04 16:24:52.716469 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 64) Jun 04 16:24:52.716846 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=64 len=10) from STA: EAP Response-Identity (1) Jun 04 16:24:52.716858 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong' Jun 04 16:24:52.716887 osdx hostapd[696635]: eth2: RADIUS Authentication server 10.215.168.1:1812 Jun 04 16:24:52.718765 osdx hostapd[696635]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:52.718792 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:52.719033 osdx hostapd[696635]: eth2: RADIUS Received 80 bytes from RADIUS server Jun 04 16:24:52.719041 osdx hostapd[696635]: eth2: RADIUS Received RADIUS message Jun 04 16:24:52.719045 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:52.719071 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=65 len=22) from RADIUS server: EAP-Request-MD5 (4) Jun 04 16:24:52.719080 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 65) Jun 04 16:24:52.719338 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=65 len=6) from STA: EAP Response-unknown (3) Jun 04 16:24:52.719400 osdx hostapd[696635]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:52.719416 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:52.719638 osdx hostapd[696635]: eth2: RADIUS Received 64 bytes from RADIUS server Jun 04 16:24:52.719645 osdx hostapd[696635]: eth2: RADIUS Received RADIUS message Jun 04 
16:24:52.719649 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:52.719669 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=66 len=6) from RADIUS server: EAP-Request-PEAP (25) Jun 04 16:24:52.719677 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 66) Jun 04 16:24:52.720157 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=66 len=194) from STA: EAP Response-PEAP (25) Jun 04 16:24:52.720204 osdx hostapd[696635]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:52.720238 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:52.721239 osdx hostapd[696635]: eth2: RADIUS Received 1068 bytes from RADIUS server Jun 04 16:24:52.721246 osdx hostapd[696635]: eth2: RADIUS Received RADIUS message Jun 04 16:24:52.721249 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:52.721273 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=67 len=1004) from RADIUS server: EAP-Request-PEAP (25) Jun 04 16:24:52.721281 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 67) Jun 04 16:24:52.721487 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=67 len=6) from STA: EAP Response-PEAP (25) Jun 04 16:24:52.721540 osdx hostapd[696635]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:52.721590 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:52.721716 osdx hostapd[696635]: eth2: RADIUS Received 229 bytes from RADIUS server Jun 04 16:24:52.721721 osdx hostapd[696635]: eth2: RADIUS Received RADIUS message 
Jun 04 16:24:52.721724 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:52.721745 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=68 len=171) from RADIUS server: EAP-Request-PEAP (25) Jun 04 16:24:52.721751 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 68) Jun 04 16:24:52.723115 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=68 len=103) from STA: EAP Response-PEAP (25) Jun 04 16:24:52.723164 osdx hostapd[696635]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:52.723178 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:52.723469 osdx hostapd[696635]: eth2: RADIUS Received 115 bytes from RADIUS server Jun 04 16:24:52.723475 osdx hostapd[696635]: eth2: RADIUS Received RADIUS message Jun 04 16:24:52.723478 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec Jun 04 16:24:52.723493 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=69 len=57) from RADIUS server: EAP-Request-PEAP (25) Jun 04 16:24:52.723499 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 69) Jun 04 16:24:52.723765 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=69 len=6) from STA: EAP Response-PEAP (25) Jun 04 16:24:52.723813 osdx hostapd[696635]: eth2: RADIUS Sending RADIUS message to authentication server Jun 04 16:24:52.723827 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds Jun 04 16:24:52.723975 osdx hostapd[696635]: eth2: RADIUS Received 98 bytes from RADIUS server Jun 04 16:24:52.723981 osdx hostapd[696635]: eth2: RADIUS Received RADIUS 
message
Jun 04 16:24:52.723984 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:52.723999 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=70 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:52.724005 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 70)
Jun 04 16:24:52.724191 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=70 len=41) from STA: EAP Response-PEAP (25)
Jun 04 16:24:52.724237 osdx hostapd[696635]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:52.724252 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:52.724416 osdx hostapd[696635]: eth2: RADIUS Received 131 bytes from RADIUS server
Jun 04 16:24:52.724421 osdx hostapd[696635]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:52.724425 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:52.724443 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=71 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:52.724450 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 71)
Jun 04 16:24:52.724715 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=71 len=95) from STA: EAP Response-PEAP (25)
Jun 04 16:24:52.724755 osdx hostapd[696635]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:52.724767 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:52.724918 osdx hostapd[696635]: eth2: RADIUS Received 104 bytes from RADIUS server
Jun 04 16:24:52.724924 osdx hostapd[696635]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:52.724927 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:52.724946 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=72 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:24:52.724953 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 72)
Jun 04 16:24:52.725143 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=72 len=46) from STA: EAP Response-PEAP (25)
Jun 04 16:24:52.725179 osdx hostapd[696635]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:52.725189 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:53.725288 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Jun 04 16:24:53.725322 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:24:53.725511 osdx hostapd[696635]: eth2: RADIUS Received 44 bytes from RADIUS server
Jun 04 16:24:53.725515 osdx hostapd[696635]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:53.725519 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:53.725567 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=72 len=4) from RADIUS server: EAP Failure
Jun 04 16:24:53.725599 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 72)
Jun 04 16:24:53.725613 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jun 04 16:24:53.725617 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jun 04 16:24:53.725619 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Jun 04 16:24:53.725623 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:24:53.725651 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 04 16:24:53.725659 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jun 04 16:24:53.725672 osdx hostapd[696635]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:24:53.725686 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:24:53.725699 osdx hostapd[696635]: eth2: RADIUS Received 44 bytes from RADIUS server
Jun 04 16:24:53.725702 osdx hostapd[696635]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:53.725705 osdx hostapd[696635]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet
Jun 04 16:24:54.725779 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jun 04 16:24:54.725815 osdx hostapd[696635]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:24:54.725973 osdx hostapd[696635]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:24:54.725976 osdx hostapd[696635]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:54.725980 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:24:54.725984 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:24:54.726029 osdx hostapd[696635]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:24:54.726031 osdx hostapd[696635]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:24:54.726034 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Jun 04 16:24:54.726036 osdx hostapd[696635]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Jun 04 16:24:54.726043 osdx hostapd[696635]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:24:54.726045 osdx hostapd[696635]: eth2: RADIUS Received RADIUS message
Jun 04 16:24:54.726047 osdx hostapd[696635]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Test Unsupported 802.1x Authentication With Successful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+f/tcPi3pn4j1TKLg3drT3E8fOp0C0b2OFkms0Og1Rd/9E+hhl/+Ch1I3l+DuydpkQ3miQnhWHNA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.646 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.646/0.646/0.646/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.441 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.441/0.441/0.441/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   0
Authentication Mode       MAB
Authentication Status     Authorized (MAB)
Authentication Successes  1
EAPoL frames (Rx)         0
EAPoL frames (Tx)         4
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name         N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.492 ms
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.492/0.492/0.492/0.000 ms
Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: station successfully authenticated
Jun 04 16:25:01.141532 osdx hostapd[697142]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:25:01.141811 osdx hostapd[697142]: connect[radius]: Network is unreachable
Jun 04 16:25:01.141545 osdx hostapd[697142]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:25:01.141593 osdx hostapd[697142]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:25:01.141597 osdx hostapd[697142]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:25:01.169403 osdx hostapd[697142]: Discovery mode enabled on eth2
Jun 04 16:25:01.169487 osdx hostapd[697142]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:25:01.169487 osdx hostapd[697142]: eth2: AP-ENABLED
Jun 04 16:25:06.170270 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Jun 04 16:25:06.170311 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jun 04 16:25:06.170320 osdx hostapd[697143]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:25:06.185478 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Jun 04 16:25:06.185516 osdx hostapd[697143]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:25:06.185521 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 04 16:25:06.185524 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 04 16:25:06.185546 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jun 04 16:25:06.185555 osdx hostapd[697143]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:25:06.185586 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 179)
Jun 04 16:25:09.188276 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 179)
Jun 04 16:25:15.193312 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 179)
Jun 04 16:25:27.202255 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Jun 04 16:25:27.202263 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jun 04 16:25:27.202267 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:25:27.202302 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jun 04 16:25:27.203989 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jun 04 16:25:27.204000 osdx hostapd[697143]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:25:27.204073 osdx hostapd[697143]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:25:27.204103 osdx hostapd[697143]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:25:27.204121 osdx hostapd[697143]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:25:27.204138 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 142)
Jun 04 16:25:27.204366 osdx hostapd[697143]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:25:27.204372 osdx hostapd[697143]: eth2: RADIUS Received RADIUS message
Jun 04 16:25:27.204375 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:25:27.204379 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:25:27.204390 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jun 04 16:25:27.204409 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:25:27.204413 osdx hostapd[697143]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:25:27.204422 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:25:27.204425 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 45270396E2EA4C98
Test Unsupported 802.1x Authentication With Unsuccessful MAB Fallback
Description
This scenario shows how to configure 802.1x authentication with MAB fallback. DUT1 does not support 802.1x authentication and uses an incorrect MAC address.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+isi/OVGA3hTeMyoRb5c/NN7r+4k40nyp4moW7u1XMCmylNQop3O2opEVFOMMTu/UOQcNpXWh+Pg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.602 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.602/0.602/0.602/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Failures\s+[1-9]\d?
-------------------------------------------
Field                     Value
-------------------------------------------
Access Challenges         0
Authentication Backend    RADIUS
Authentication Failures   2
Authentication Mode       N/A
Authentication Status     Unauthorized
Authentication Successes  0
EAPoL frames (Rx)         0
EAPoL frames (Tx)         4
Quiet Period              60
Reauthenticate            FALSE
Reauthenticate Period     0
Session Time              0
Session User MAC          00:11:22:33:44:55
Session User Name         N/A
Step 5: Expect a failure in the following command:
Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
802.1X: MAB: Authentication failed
Jun 04 16:25:37.218205 osdx hostapd[697704]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:25:37.218416 osdx hostapd[697704]: connect[radius]: Network is unreachable
Jun 04 16:25:37.218216 osdx hostapd[697704]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:25:37.218248 osdx hostapd[697704]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:25:37.218251 osdx hostapd[697704]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:25:37.246150 osdx hostapd[697704]: Discovery mode enabled on eth2
Jun 04 16:25:37.246243 osdx hostapd[697704]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:25:37.246243 osdx hostapd[697704]: eth2: AP-ENABLED
Jun 04 16:25:42.246788 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Jun 04 16:25:42.246833 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jun 04 16:25:42.246843 osdx hostapd[697705]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:25:42.266224 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: start authentication
Jun 04 16:25:42.266254 osdx hostapd[697705]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:25:42.266258 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 04 16:25:42.266261 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 04 16:25:42.266284 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jun 04 16:25:42.266292 osdx hostapd[697705]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:25:42.266316 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 235)
Jun 04 16:25:45.269006 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 235)
Jun 04 16:25:51.273971 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 235)
Jun 04 16:26:03.283846 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Jun 04 16:26:03.283856 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jun 04 16:26:03.283861 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:26:03.283903 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 04 16:26:03.286243 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jun 04 16:26:03.286257 osdx hostapd[697705]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:26:03.286340 osdx hostapd[697705]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:26:03.286377 osdx hostapd[697705]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:26:03.286397 osdx hostapd[697705]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:26:03.286413 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 251)
Jun 04 16:26:04.286970 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jun 04 16:26:04.287003 osdx hostapd[697705]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:26:04.287211 osdx hostapd[697705]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:26:04.287215 osdx hostapd[697705]: eth2: RADIUS Received RADIUS message
Jun 04 16:26:04.287218 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:26:04.287222 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:26:04.287266 osdx hostapd[697705]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:26:04.287270 osdx hostapd[697705]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:26:04.287273 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Jun 04 16:26:04.287276 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Retry timeout registered for 60 seconds
Jun 04 16:26:04.287283 osdx hostapd[697705]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:26:04.287286 osdx hostapd[697705]: eth2: RADIUS Received RADIUS message
Jun 04 16:26:04.287289 osdx hostapd[697705]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
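The journal checks in these scenarios look for single tokens; the added example below (not part of the original documentation or of OSDx) turns the same hostapd lines into a per-station summary, so that ports opened by MAB alone can be listed for review. The sample journal mixes lines copied from the outputs above with two constructed lines for a made-up station 02:00:00:00:00:01; the summary field names and both function names are this example's own.

```python
import re

# Sample journal: lines copied from the outputs on this page, plus two
# constructed lines for a made-up station 02:00:00:00:00:01.
SAMPLE_JOURNAL = """\
Jun 04 16:25:06.185546 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jun 04 16:25:06.185555 osdx hostapd[697143]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:25:27.202263 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jun 04 16:25:27.204073 osdx hostapd[697143]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:25:27.204409 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:25:27.204422 osdx hostapd[697143]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:25:42.266284 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jun 04 16:26:03.283856 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jun 04 16:26:04.287273 osdx hostapd[697705]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
Jun 04 16:27:00.000001 osdx hostapd[697705]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: 802.1X authentication failed, triggering MAB fallback immediately
Jun 04 16:27:01.000001 osdx hostapd[697705]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: MAB: Authentication failed, entering held state (quiet period 60 sec)
"""

# 802.1X PAE group address: hostapd logs it as a "STA", but it is not a client.
PAE_GROUP_ADDR = "01:80:c2:00:00:03"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) \S+ hostapd\[\d+\]: (?P<ifname>\S+): "
    r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:IEEE 802\.1X|RADIUS|DRIVER): (?P<msg>.*)$"
)

# Message prefix -> (summary field, value). Matching is on the start of the
# message, so "unauthorizing port" is never read as "authorizing port".
EVENTS = [
    ("EAP max retrans reached, triggering MAB fallback", ("fallback", "no-eapol-response")),
    ("802.1X authentication failed, triggering MAB fallback", ("fallback", "eap-failure")),
    ("MAB: station successfully authenticated", ("mab", "accepted")),
    ("MAB: Authentication failed", ("mab", "rejected")),
    ("authorizing port", ("port", "authorized")),
    ("unauthorizing port", ("port", "unauthorized")),
]


def summarize(journal_text):
    """Return {mac: summary}; later lines overwrite earlier state per station."""
    stations = {}
    for line in journal_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["mac"] == PAE_GROUP_ADDR:
            continue  # per-interface RADIUS lines and the group address carry no station state
        st = stations.setdefault(m["mac"], {
            "interface": m["ifname"], "fallback": None,
            "mab": None, "port": None, "last_seen": None,
        })
        st["last_seen"] = m["ts"]
        for prefix, (field, value) in EVENTS:
            if m["msg"].startswith(prefix):
                st[field] = value
                break
    return stations


def mab_authorized(stations):
    """MACs whose port was opened after MAB accepted the MAC address."""
    return sorted(mac for mac, st in stations.items()
                  if st["mab"] == "accepted" and st["port"] == "authorized")


if __name__ == "__main__":
    for mac, st in summarize(SAMPLE_JOURNAL).items():
        print(mac, st)
    print("Authorized via MAB:", mab_authorized(SAMPLE_JOURNAL and summarize(SAMPLE_JOURNAL)))
```

Stations are grouped by MAC address only, so sessions of the same MAC under different hostapd processes are merged into one summary.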