MAB First

This scenario shows how to configure the MAB-first authentication mode.


Test Successful MAB Authentication With Successful 802.1x Fallback

Description

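This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address and correct 802.1x credentials. MAB is tried first and succeeds, so the port is authorized by MAB and the 802.1x credentials are not used.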

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX192ygcXgDSkRhBGIersRbtPEJr7XzecnjxBdA63h/obxjwPkR/TgcTVoDvVjW0L00bgCXjqhLYhXA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.237 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.237/0.237/0.237/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/m6t8hC6yhSh3xLwafAZHDrG1vGbZsrb0=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         1
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.513 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.513/0.513/0.513/0.000 ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Jun 04 16:22:33.177644 osdx hostapd[691960]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:22:33.177944 osdx hostapd[691960]: connect[radius]: Network is unreachable
Jun 04 16:22:33.177667 osdx hostapd[691960]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:22:33.177715 osdx hostapd[691960]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:22:33.177718 osdx hostapd[691960]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:22:33.193571 osdx hostapd[691960]: Discovery mode enabled on eth2
Jun 04 16:22:33.193649 osdx hostapd[691960]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:22:33.193649 osdx hostapd[691960]: eth2: AP-ENABLED
Jun 04 16:22:36.368062 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jun 04 16:22:36.368078 osdx hostapd[691961]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:22:36.381609 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 04 16:22:36.381647 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:22:36.381667 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jun 04 16:22:36.383943 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jun 04 16:22:36.383955 osdx hostapd[691961]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:22:36.384023 osdx hostapd[691961]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:22:36.384050 osdx hostapd[691961]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:22:36.384100 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Jun 04 16:22:36.384322 osdx hostapd[691961]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:22:36.384326 osdx hostapd[691961]: eth2: RADIUS Received RADIUS message
Jun 04 16:22:36.384330 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:22:36.384333 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:22:36.384342 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jun 04 16:22:36.384351 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:22:36.384354 osdx hostapd[691961]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:22:36.384362 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:22:36.384364 osdx hostapd[691961]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 220F0EC8B6DDDF23

Test Successful MAB Authentication With Unsuccessful 802.1x Fallback

Description

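This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses a correct MAC address, but wrong 802.1x credentials. Because MAB is tried first and succeeds, the port is authorized by MAB and the wrong 802.1x credentials do not prevent access.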

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+aZ39YgtEeDgfQ4vPyTBIG7y9ey7rxhXeQkIWCX1QlhxrqpcjzPZpIsYQ5BiPeMCK321IVFdfDAQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.183 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.183/0.183/0.183/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/VV0/8GvasxleNIxEPEf26wQyq444NBvM=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         1
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.666 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.666/0.666/0.666/0.000 ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Jun 04 16:22:45.350311 osdx hostapd[692477]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:22:45.350324 osdx hostapd[692477]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:22:45.350576 osdx hostapd[692477]: connect[radius]: Network is unreachable
Jun 04 16:22:45.350371 osdx hostapd[692477]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:22:45.350383 osdx hostapd[692477]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:22:45.370135 osdx hostapd[692477]: Discovery mode enabled on eth2
Jun 04 16:22:45.370207 osdx hostapd[692477]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:22:45.370207 osdx hostapd[692477]: eth2: AP-ENABLED
Jun 04 16:22:48.504622 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jun 04 16:22:48.504643 osdx hostapd[692478]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:22:48.518158 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 04 16:22:48.518185 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:22:48.518199 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jun 04 16:22:48.519903 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jun 04 16:22:48.519915 osdx hostapd[692478]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:22:48.519998 osdx hostapd[692478]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:22:48.520029 osdx hostapd[692478]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:22:48.520054 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Jun 04 16:22:48.520276 osdx hostapd[692478]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:22:48.520280 osdx hostapd[692478]: eth2: RADIUS Received RADIUS message
Jun 04 16:22:48.520284 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:22:48.520288 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:22:48.520300 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jun 04 16:22:48.520311 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:22:48.520314 osdx hostapd[692478]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:22:48.520321 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:22:48.520324 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session A7BCB7F5E6C700A7

Test Successful MAB Authentication With Unsupported 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication, so it sends no EAPoL frames and the port is authorized by MAB alone.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19Empm4Uh3Do4XdY/XveSwVcTZwIVNRpRRE3FsHjLp92HufOxWHZxZv+qWFGpaB7T4apxK58/7x9w==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.308 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.308/0.308/0.308/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.675 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.675/0.675/0.675/0.000 ms

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+MAB
Output:
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   0
Authentication Mode                     MAB
Authentication Status      Authorized (MAB)
Authentication Successes                  1
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         0
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          de:ad:be:ef:6c:12
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.253 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.253/0.253/0.253/0.000 ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

802.1X: MAB: station successfully authenticated
Output:
Jun 04 16:22:56.629258 osdx hostapd[692994]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:22:56.629275 osdx hostapd[692994]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:22:56.629785 osdx hostapd[692994]: connect[radius]: Network is unreachable
Jun 04 16:22:56.629326 osdx hostapd[692994]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:22:56.629331 osdx hostapd[692994]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:22:56.649102 osdx hostapd[692994]: Discovery mode enabled on eth2
Jun 04 16:22:56.649195 osdx hostapd[692994]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:22:56.649195 osdx hostapd[692994]: eth2: AP-ENABLED
Jun 04 16:23:01.649964 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Jun 04 16:23:01.650003 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jun 04 16:23:01.650013 osdx hostapd[692995]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:23:01.665112 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 04 16:23:01.665140 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:23:01.665158 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jun 04 16:23:01.667167 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jun 04 16:23:01.667188 osdx hostapd[692995]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:23:01.667318 osdx hostapd[692995]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:01.667368 osdx hostapd[692995]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:01.667745 osdx hostapd[692995]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:23:01.667755 osdx hostapd[692995]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:01.667763 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:01.667771 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:23:01.667791 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jun 04 16:23:01.667814 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:23:01.667820 osdx hostapd[692995]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:23:01.667844 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:23:01.667851 osdx hostapd[692995]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 3397A4B1434FFCA4
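
The journal checks in these scenarios can be automated. The following Python parser is an added example, not part of the original page or of the product: it reads hostapd journal lines in the layout shown here and reports, per station, whether MAB or 802.1x authorized the port, flagging stations that sent EAPOL-Start but were admitted on their MAC address alone, and it goes beyond the MAB-success cases above by also handling the "MAB failed, transitioning to 802.1X" path. Assumptions: the names audit_journal and Station are hypothetical, and the sample journal is constructed from lines on this page, with the timestamp and PID on the final "authenticated - EAP type: 25 (PEAP)" line made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example; audit_journal() and Station are hypothetical names.
# 802.1X group address: hostapd logs it as a "STA", but it is not a device.
PAE_GROUP_ADDR = "01:80:c2:00:00:03"

# Layout of the per-station journal lines shown on this page:
#   <timestamp> <host> hostapd[<pid>]: <ifname>: STA <mac> <module>: <message>
LINE_RE = re.compile(
    r"^\w{3} \d{2} [\d:.]+ \S+ hostapd\[\d+\]: (?P<ifname>\S+): "
    r"STA (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<module>[^:]+): (?P<msg>.*)$"
)
IDENTITY_RE = re.compile(r"^STA identity '(?P<identity>[^']*)'$")
EAP_OK_RE = re.compile(r"^authenticated - EAP type: \d+ \((?P<method>[^)]+)\)$")


@dataclass
class Station:
    mac: str
    mab: str = "not-attempted"           # not-attempted | pending | accepted | rejected
    eapol_start_seen: bool = False       # the station runs an 802.1X supplicant
    identity: Optional[str] = None       # EAP identity, only set during 802.1X
    eap_method: Optional[str] = None
    authorized_by: Optional[str] = None  # "MAB", "802.1X" or None
    findings: List[str] = field(default_factory=list)


def audit_journal(text: str) -> Dict[str, Station]:
    """Rebuild the MAB-first outcome for every station seen in the journal."""
    stations: Dict[str, Station] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # global hostapd/RADIUS lines carry no station MAC
        mac = m["mac"].lower()
        if mac == PAE_GROUP_ADDR:
            continue
        sta = stations.setdefault(mac, Station(mac))
        msg = m["msg"]
        identity = IDENTITY_RE.match(msg)
        eap_ok = EAP_OK_RE.match(msg)
        if msg == "MAB-first mode: Starting MAB authentication":
            sta.mab = "pending"
        elif msg == "received EAPOL-Start from STA":
            sta.eapol_start_seen = True
        elif msg == "MAB: station successfully authenticated":
            sta.mab, sta.authorized_by = "accepted", "MAB"
        elif msg == "MAB-first mode: MAB failed, transitioning to 802.1X":
            sta.mab = "rejected"
        elif identity:
            sta.identity = identity["identity"]
        elif eap_ok:
            sta.eap_method, sta.authorized_by = eap_ok["method"], "802.1X"

    for sta in stations.values():
        if sta.authorized_by == "MAB" and sta.eapol_start_seen:
            sta.findings.append(
                "supplicant sent EAPOL-Start, but the port was authorized on the "
                "MAC address alone; 802.1X credentials were not evaluated")
        elif sta.authorized_by == "802.1X" and sta.mab == "rejected":
            sta.findings.append(
                f"MAC not accepted by RADIUS; fell back to 802.1X "
                f"({sta.eap_method}) as '{sta.identity}'")
    return stations


# Constructed sample: lines copied from the journal output on this page, except
# the last one, whose timestamp is invented around the token the page checks for.
SAMPLE_JOURNAL = """\
Jun 04 16:22:48.518158 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 04 16:22:48.520029 osdx hostapd[692478]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:22:48.520054 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Jun 04 16:22:48.520311 osdx hostapd[692478]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:23:14.743952 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 04 16:23:14.746524 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Jun 04 16:23:15.746864 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jun 04 16:23:15.746868 osdx hostapd[693520]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:23:15.747237 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Jun 04 16:23:15.760000 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
"""

if __name__ == "__main__":
    for sta in audit_journal(SAMPLE_JOURNAL).values():
        print(f"{sta.mac}: MAB {sta.mab}, authorized by {sta.authorized_by}")
        for finding in sta.findings:
            print(f"  - {finding}")
```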

Test Unsuccessful MAB Authentication With Successful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address, but correct 802.1x credentials. MAB fails, and the authenticator falls back to 802.1x, which authorizes the port.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19FDsJvCVRN5l98I8y6SlFfhOZ4SvfLwzQT0TibVouvLAHqK10S9osINFF4xftfqAutuaTuDkU11Q==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.367 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.367/0.367/0.367/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/FpOrLXB6rxx1JyyLFWCxYeSpzzaqawaU=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:

Authorized
Output:
---------------------------------------------------
        Field                      Value
---------------------------------------------------
EAP State                                   SUCCESS
EAP TLS Cipher          ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version                             TLSv1.2
PAE State                             AUTHENTICATED
Supplicant Port Status                   Authorized
WPA State                                 COMPLETED

Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Authorized
Output:
-------------------------------
       Field           Value
-------------------------------
EAPoL Frames (Rx)            11
EAPoL Frames (Tx)            11
Invalid Frames (Rx)           0
Logoff Frames (Tx)            0
Port Status          Authorized
Req Frames (Rx)               9
Req ID Frames (Rx)            1
Resp Frames (Tx)             10
Start Frames (Tx)             1

Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Successes\s+1
Authentication Mode\s+802\.1X
Output:
---------------------------------------------
         Field                   Value
---------------------------------------------
Access Challenges                           9
Authentication Backend                 RADIUS
Authentication Failures                     1
Authentication Mode                    802.1X
Authentication Status     Authorized (802.1X)
Authentication Successes                    1
EAPoL frames (Rx)                          11
EAPoL frames (Tx)                          11
Quiet Period                               60
Reauthenticate                          FALSE
Reauthenticate Period                       0
Session Time                                0
Session User MAC            00:11:22:33:44:55
Session User Name                     testing

Step 7: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.380 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.380/0.380/0.380/0.000 ms

Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Output:
Jun 04 16:23:11.443962 osdx hostapd[693519]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:23:11.443978 osdx hostapd[693519]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:23:11.444207 osdx hostapd[693519]: connect[radius]: Network is unreachable
Jun 04 16:23:11.444022 osdx hostapd[693519]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:23:11.444026 osdx hostapd[693519]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:23:11.471882 osdx hostapd[693519]: Discovery mode enabled on eth2
Jun 04 16:23:11.471968 osdx hostapd[693519]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:23:11.471968 osdx hostapd[693519]: eth2: AP-ENABLED
Jun 04 16:23:14.726425 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jun 04 16:23:14.726441 osdx hostapd[693520]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:23:14.743952 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 04 16:23:14.743987 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:23:14.744007 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 04 16:23:14.746351 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jun 04 16:23:14.746364 osdx hostapd[693520]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:23:14.746453 osdx hostapd[693520]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:14.746489 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:14.746524 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Jun 04 16:23:15.746580 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jun 04 16:23:15.746624 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:23:15.746791 osdx hostapd[693520]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:23:15.746795 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.746800 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:15.746805 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:23:15.746861 osdx hostapd[693520]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:23:15.746864 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jun 04 16:23:15.746868 osdx hostapd[693520]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:23:15.746871 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Jun 04 16:23:15.746879 osdx hostapd[693520]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:23:15.746896 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 28)
Jun 04 16:23:15.746911 osdx hostapd[693520]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:23:15.746914 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.746917 osdx hostapd[693520]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Jun 04 16:23:15.747227 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=28 len=12) from STA: EAP Response-Identity (1)
Jun 04 16:23:15.747237 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'testing'
Jun 04 16:23:15.747298 osdx hostapd[693520]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:15.747311 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:15.747533 osdx hostapd[693520]: eth2: RADIUS Received 80 bytes from RADIUS server
Jun 04 16:23:15.747541 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.747546 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:15.747583 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=29 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 04 16:23:15.747592 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 29)
Jun 04 16:23:15.747797 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=29 len=6) from STA: EAP Response-unknown (3)
Jun 04 16:23:15.747854 osdx hostapd[693520]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:15.747868 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:15.748039 osdx hostapd[693520]: eth2: RADIUS Received 64 bytes from RADIUS server
Jun 04 16:23:15.748042 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.748045 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:15.748060 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=30 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:15.748065 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 30)
Jun 04 16:23:15.748420 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=30 len=194) from STA: EAP Response-PEAP (25)
Jun 04 16:23:15.748456 osdx hostapd[693520]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:15.748467 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:15.749785 osdx hostapd[693520]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jun 04 16:23:15.749795 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.749799 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:15.749829 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=31 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:15.749837 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 31)
Jun 04 16:23:15.750061 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=31 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:23:15.750107 osdx hostapd[693520]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:15.750120 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:15.750259 osdx hostapd[693520]: eth2: RADIUS Received 229 bytes from RADIUS server
Jun 04 16:23:15.750264 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.750267 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:15.750281 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=32 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:15.750286 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 32)
Jun 04 16:23:15.752196 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=32 len=103) from STA: EAP Response-PEAP (25)
Jun 04 16:23:15.752239 osdx hostapd[693520]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:15.752253 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:15.752632 osdx hostapd[693520]: eth2: RADIUS Received 115 bytes from RADIUS server
Jun 04 16:23:15.752637 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.752641 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:15.752659 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=33 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:15.752669 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 33)
Jun 04 16:23:15.752918 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=33 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:23:15.752952 osdx hostapd[693520]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:15.752962 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:15.753101 osdx hostapd[693520]: eth2: RADIUS Received 98 bytes from RADIUS server
Jun 04 16:23:15.753106 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.753109 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:15.753124 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=34 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:15.753130 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 34)
Jun 04 16:23:15.753295 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=34 len=43) from STA: EAP Response-PEAP (25)
Jun 04 16:23:15.753328 osdx hostapd[693520]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:15.753339 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:15.753481 osdx hostapd[693520]: eth2: RADIUS Received 131 bytes from RADIUS server
Jun 04 16:23:15.753486 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.753488 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:15.753503 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=35 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:15.753509 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 35)
Jun 04 16:23:15.753769 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=35 len=97) from STA: EAP Response-PEAP (25)
Jun 04 16:23:15.753803 osdx hostapd[693520]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:15.753811 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:15.754007 osdx hostapd[693520]: eth2: RADIUS Received 140 bytes from RADIUS server
Jun 04 16:23:15.754011 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.754014 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:15.754026 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=36 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:15.754031 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 36)
Jun 04 16:23:15.754210 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=36 len=37) from STA: EAP Response-PEAP (25)
Jun 04 16:23:15.754239 osdx hostapd[693520]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:15.754247 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:15.754386 osdx hostapd[693520]: eth2: RADIUS Received 104 bytes from RADIUS server
Jun 04 16:23:15.754391 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.754393 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:15.754407 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=37 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:15.754412 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 37)
Jun 04 16:23:15.754563 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=37 len=46) from STA: EAP Response-PEAP (25)
Jun 04 16:23:15.754595 osdx hostapd[693520]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:15.754605 osdx hostapd[693520]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:15.754782 osdx hostapd[693520]: eth2: RADIUS Received 175 bytes from RADIUS server
Jun 04 16:23:15.754786 osdx hostapd[693520]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:15.754789 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:15.754808 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jun 04 16:23:15.754811 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=3 id=37 len=4) from RADIUS server: EAP Success
Jun 04 16:23:15.754825 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 37)
Jun 04 16:23:15.754840 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authorizing port
Jun 04 16:23:15.754844 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 RADIUS: starting accounting session F627F3E4C863198C
Jun 04 16:23:15.754854 osdx hostapd[693520]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Test Unsuccessful MAB Authentication With Unsuccessful 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 uses an incorrect MAC address and incorrect 802.1x credentials.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/lvAVxM/JaMwtczcWDhi6sfbTNTxPo8kiqe/f6z/uPPb4u2zquiDR4I/I34NmfTaqnnZM3hNLc7w==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.187 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.187/0.187/0.187/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19HPZPme7RSD2LSEgq53vGrXbt5J0rMYMQ=
set interfaces ethernet eth2 supplicant username wrong
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:

Port Status\s+Unauthorized
---------------------------------
       Field            Value
---------------------------------
EAPoL Frames (Rx)               9
EAPoL Frames (Tx)              10
Invalid Frames (Rx)             0
Logoff Frames (Tx)              0
Port Status          Unauthorized
Req Frames (Rx)                 8
Req ID Frames (Rx)              1
Resp Frames (Tx)                9
Start Frames (Tx)               1

Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         8
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                        10
EAPoL frames (Tx)                         9
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 6: Ping IP address 192.168.100.1 from DUT1 and expect the command to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 7: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jun 04 16:23:23.337847 osdx hostapd[694041]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:23:23.337866 osdx hostapd[694041]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:23:23.338074 osdx hostapd[694041]: connect[radius]: Network is unreachable
Jun 04 16:23:23.337905 osdx hostapd[694041]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:23:23.337908 osdx hostapd[694041]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:23:23.361726 osdx hostapd[694041]: Discovery mode enabled on eth2
Jun 04 16:23:23.361812 osdx hostapd[694041]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:23:23.361812 osdx hostapd[694041]: eth2: AP-ENABLED
Jun 04 16:23:26.624229 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jun 04 16:23:26.624242 osdx hostapd[694042]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:23:26.641776 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 04 16:23:26.641815 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:23:26.641834 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 04 16:23:26.644215 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jun 04 16:23:26.644229 osdx hostapd[694042]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:23:26.644317 osdx hostapd[694042]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:26.644497 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:26.644537 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAPOL-Start from STA
Jun 04 16:23:27.644532 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jun 04 16:23:27.644566 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:23:27.644740 osdx hostapd[694042]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:23:27.644743 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:27.644747 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:27.644751 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:23:27.644800 osdx hostapd[694042]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:23:27.644803 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jun 04 16:23:27.644807 osdx hostapd[694042]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:23:27.644810 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Jun 04 16:23:27.644817 osdx hostapd[694042]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:23:27.644832 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 138)
Jun 04 16:23:27.644847 osdx hostapd[694042]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:23:27.644849 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:27.644852 osdx hostapd[694042]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Jun 04 16:23:27.645175 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=138 len=10) from STA: EAP Response-Identity (1)
Jun 04 16:23:27.645188 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: STA identity 'wrong'
Jun 04 16:23:27.645248 osdx hostapd[694042]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:27.645264 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:27.645499 osdx hostapd[694042]: eth2: RADIUS Received 80 bytes from RADIUS server
Jun 04 16:23:27.645509 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:27.645513 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:27.645537 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=139 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 04 16:23:27.645543 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 139)
Jun 04 16:23:27.645776 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=139 len=6) from STA: EAP Response-unknown (3)
Jun 04 16:23:27.645823 osdx hostapd[694042]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:27.645838 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:27.646050 osdx hostapd[694042]: eth2: RADIUS Received 64 bytes from RADIUS server
Jun 04 16:23:27.646055 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:27.646058 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:27.646074 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=140 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:27.646081 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 140)
Jun 04 16:23:27.646400 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=140 len=194) from STA: EAP Response-PEAP (25)
Jun 04 16:23:27.646441 osdx hostapd[694042]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:27.646452 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:27.647417 osdx hostapd[694042]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jun 04 16:23:27.647424 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:27.647429 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:27.647455 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=141 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:27.647463 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 141)
Jun 04 16:23:27.647605 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=141 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:23:27.647649 osdx hostapd[694042]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:27.647664 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:27.647793 osdx hostapd[694042]: eth2: RADIUS Received 229 bytes from RADIUS server
Jun 04 16:23:27.647798 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:27.647801 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:27.647816 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=142 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:27.647822 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 142)
Jun 04 16:23:27.649246 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=142 len=103) from STA: EAP Response-PEAP (25)
Jun 04 16:23:27.649284 osdx hostapd[694042]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:27.649295 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:27.649585 osdx hostapd[694042]: eth2: RADIUS Received 115 bytes from RADIUS server
Jun 04 16:23:27.649590 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:27.649593 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:27.649606 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=143 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:27.649610 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 143)
Jun 04 16:23:27.649848 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=143 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:23:27.649877 osdx hostapd[694042]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:27.649885 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:27.650028 osdx hostapd[694042]: eth2: RADIUS Received 98 bytes from RADIUS server
Jun 04 16:23:27.650033 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:27.650037 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:27.650051 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=144 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:27.650056 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 144)
Jun 04 16:23:27.650217 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=144 len=41) from STA: EAP Response-PEAP (25)
Jun 04 16:23:27.650246 osdx hostapd[694042]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:27.650256 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:27.650396 osdx hostapd[694042]: eth2: RADIUS Received 131 bytes from RADIUS server
Jun 04 16:23:27.650401 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:27.650404 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:27.650414 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=145 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:27.650419 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 145)
Jun 04 16:23:27.650675 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=145 len=95) from STA: EAP Response-PEAP (25)
Jun 04 16:23:27.650711 osdx hostapd[694042]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:27.650721 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:27.650916 osdx hostapd[694042]: eth2: RADIUS Received 104 bytes from RADIUS server
Jun 04 16:23:27.650921 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:27.650923 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:27.650937 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=1 id=146 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:23:27.650943 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 146)
Jun 04 16:23:27.651127 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: received EAP packet (code=2 id=146 len=46) from STA: EAP Response-PEAP (25)
Jun 04 16:23:27.651163 osdx hostapd[694042]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:27.651174 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:28.651256 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=8)
Jun 04 16:23:28.651297 osdx hostapd[694042]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:23:28.651431 osdx hostapd[694042]: eth2: RADIUS Received 44 bytes from RADIUS server
Jun 04 16:23:28.651433 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:28.651437 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:28.651479 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: decapsulated EAP packet (code=4 id=146 len=4) from RADIUS server: EAP Failure
Jun 04 16:23:28.651506 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 146)
Jun 04 16:23:28.651518 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: unauthorizing port
Jun 04 16:23:28.651521 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Jun 04 16:23:28.651524 osdx hostapd[694042]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Authentication failed, enforcing quiet period (60 seconds)
Jun 04 16:23:28.651527 osdx hostapd[694042]: eth2: RADIUS Received 44 bytes from RADIUS server
Jun 04 16:23:28.651529 osdx hostapd[694042]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:28.651531 osdx hostapd[694042]: eth2: RADIUS No matching RADIUS request found (type=0 id=8) - dropping packet

Test Unsuccessful MAB Authentication With Unsupported 802.1x Fallback

Description

This scenario shows how to configure MAB authentication with 802.1x fallback. DUT1 does not support 802.1x authentication.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+pq7Y4drD/CduaNThUcurhyJuc3NWWGFxoP5MbvXaKZLRfPU22/5MEd6G28Z+hqUwmhFVrpJkA0Q==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.682 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.682/0.682/0.682/0.000 ms

Step 3: Set the following configuration in DUT1:

set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 mac '00:11:22:33:44:55'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:

Authentication Failures\s+[1-9]\d?
-------------------------------------------
         Field                  Value
-------------------------------------------
Access Challenges                         0
Authentication Backend               RADIUS
Authentication Failures                   1
Authentication Mode                     N/A
Authentication Status          Unauthorized
Authentication Successes                  0
EAPoL frames (Rx)                         0
EAPoL frames (Tx)                         2
Quiet Period                             60
Reauthenticate                        FALSE
Reauthenticate Period                     0
Session Time                              0
Session User MAC          00:11:22:33:44:55
Session User Name                       N/A

Step 5: Ping IP address 192.168.100.1 from DUT1 and expect the command to fail:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:

IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
IEEE 802.1X: EAP authentication timeout
Jun 04 16:23:36.604748 osdx hostapd[694554]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:23:36.604773 osdx hostapd[694554]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:23:36.605080 osdx hostapd[694554]: connect[radius]: Network is unreachable
Jun 04 16:23:36.604826 osdx hostapd[694554]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:23:36.604850 osdx hostapd[694554]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:23:36.624631 osdx hostapd[694554]: Discovery mode enabled on eth2
Jun 04 16:23:36.624719 osdx hostapd[694554]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:23:36.624719 osdx hostapd[694554]: eth2: AP-ENABLED
Jun 04 16:23:41.625299 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 DRIVER: Device discovered, triggering MAB authentication
Jun 04 16:23:41.625335 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: New STA 00:11:22:33:44:55 added
Jun 04 16:23:41.625345 osdx hostapd[694557]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:23:41.640670 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 04 16:23:41.640698 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:23:41.640713 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Name = 00:11:22:33:44:55
Jun 04 16:23:41.642429 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: User-Password = 00:11:22:33:44:55
Jun 04 16:23:41.642443 osdx hostapd[694557]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:23:41.642514 osdx hostapd[694557]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:23:41.642542 osdx hostapd[694557]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:23:42.642636 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message (id=128)
Jun 04 16:23:42.642679 osdx hostapd[694557]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:23:42.642869 osdx hostapd[694557]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:23:42.642874 osdx hostapd[694557]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:42.642880 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:23:42.642886 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:23:42.642947 osdx hostapd[694557]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:23:42.642952 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first mode: MAB failed, transitioning to 802.1X
Jun 04 16:23:42.642957 osdx hostapd[694557]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:23:42.642962 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: MAB-first: 802.1X authentication started
Jun 04 16:23:42.642971 osdx hostapd[694557]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:23:42.642993 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 80)
Jun 04 16:23:42.643012 osdx hostapd[694557]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:23:42.643016 osdx hostapd[694557]: eth2: RADIUS Received RADIUS message
Jun 04 16:23:42.643021 osdx hostapd[694557]: eth2: RADIUS No matching RADIUS request found (type=0 id=128) - dropping packet
Jun 04 16:23:45.644523 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 80)
Jun 04 16:23:50.533154 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:23:51.649488 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: Sending EAP Packet (identifier 80)
Jun 04 16:23:58.733109 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:24:03.660494 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: aborting authentication
Jun 04 16:24:03.660509 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 IEEE 802.1X: EAP authentication timeout - enforcing 60 second quiet period before retrying
Jun 04 16:24:03.660521 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DEAUTHENTICATE.indication(00:11:22:33:44:55, 2)
Jun 04 16:24:03.660523 osdx hostapd[694557]: eth2: STA 00:11:22:33:44:55 MLME: MLME-DELETEKEYS.request(00:11:22:33:44:55)
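
Added example (not part of the original page or of OSDx): the journal checks in the scenarios above look for single tokens, whereas this Python sketch follows each station through the MAB-first sequence and reports how the 802.1X fallback ended. The message strings are taken from the output above; the MAC addresses, timestamp, PID and the helper names (classify, denied, journal_line) are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# IEEE 802.1X PAE group address. Some messages in the output above are
# logged under it, so it must not be counted as a station.
PAE_GROUP_MAC = "01:80:c2:00:00:03"

LINE_RE = re.compile(
    r"hostapd\[\d+\]: (?P<ifname>\S+): "
    r"STA (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"IEEE 802\.1X: (?P<msg>.*)$"
)
IDENTITY_RE = re.compile(r"^STA identity '(.*)'$")
# Both quiet-period wordings that appear in the journal output.
QUIET_RE = re.compile(
    r"enforcing (?:quiet period \((\d+) seconds\)|(\d+) second quiet period)"
)


@dataclass
class Session:
    ifname: str
    mac: str
    mab_failed: bool = False
    identity: Optional[str] = None      # None: the station never answered EAP
    outcome: str = "pending"
    quiet_period: Optional[int] = None  # seconds


def classify(lines: Iterable[str]) -> Dict[Tuple[str, str], Session]:
    """Return the latest MAB-first session per (interface, MAC)."""
    sessions: Dict[Tuple[str, str], Session] = {}
    for line in lines:
        m = LINE_RE.search(line.rstrip("\n"))
        if m is None:
            continue  # RADIUS/MLME/DRIVER lines carry no outcome
        mac = m.group("mac").lower()
        if mac == PAE_GROUP_MAC:
            continue
        key = (m.group("ifname"), mac)
        msg = m.group("msg")
        if msg.startswith("MAB-first mode: Starting MAB authentication"):
            sessions[key] = Session(*key)  # a new attempt resets the state
            continue
        s = sessions.setdefault(key, Session(*key))
        ident = IDENTITY_RE.match(msg)
        if msg.startswith("MAB-first mode: MAB failed"):
            s.mab_failed = True
        elif ident:
            s.identity = ident.group(1)
        elif msg.startswith("authenticated - EAP type:"):
            s.outcome = "802.1x-accepted"
        elif msg.startswith("authentication failed - EAP type:"):
            s.outcome = "802.1x-rejected"
        elif msg.startswith("EAP authentication timeout"):
            s.outcome = "802.1x-timeout"
        # The timeout line also carries the quiet period, so check separately.
        quiet = QUIET_RE.search(msg)
        if quiet:
            s.quiet_period = int(quiet.group(1) or quiet.group(2))
    return sessions


def denied(sessions: Dict[Tuple[str, str], Session]) -> List[Session]:
    """Stations that failed MAB and then failed or never completed 802.1X."""
    bad = ("802.1x-rejected", "802.1x-timeout")
    hits = (s for s in sessions.values() if s.mab_failed and s.outcome in bad)
    return sorted(hits, key=lambda s: s.mac)


def journal_line(mac: str, msg: str, module: str = "IEEE 802.1X") -> str:
    """Build a constructed journal line in the format shown above."""
    return (f"Jun 04 16:23:26.000000 osdx hostapd[1001]: eth2: "
            f"STA {mac} {module}: {msg}")


A, B, C = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
MAB_START = "MAB-first mode: Starting MAB authentication"
MAB_FAIL = "MAB-first mode: MAB failed, transitioning to 802.1X"

# Constructed sample: one station per scenario outcome.
SAMPLE_LINES = [
    journal_line(A, MAB_START),
    journal_line(A, MAB_FAIL),
    journal_line(PAE_GROUP_MAC, "Trying RADIUS authentication"),
    journal_line(A, "STA identity 'testing'"),
    journal_line(A, "Received RADIUS packet matched with a pending request, "
                    "round trip time 0.00 sec", module="RADIUS"),
    journal_line(A, "authorizing port"),
    journal_line(A, "authenticated - EAP type: 25 (PEAP)"),
    journal_line(B, MAB_START),
    journal_line(B, MAB_FAIL),
    journal_line(B, "STA identity 'wrong'"),
    journal_line(B, "authentication failed - EAP type: 25 (PEAP)"),
    journal_line(B, "Authentication failed, enforcing quiet period (60 seconds)"),
    journal_line(C, MAB_START),
    journal_line(C, MAB_FAIL),
    journal_line(C, "Sending EAP Packet (identifier 80)"),
    journal_line(C, "EAP authentication timeout - enforcing 60 second "
                    "quiet period before retrying"),
]

if __name__ == "__main__":
    for s in classify(SAMPLE_LINES).values():
        print(s.ifname, s.mac, s.outcome, s.identity, s.quiet_period)
```

A session that ends in 802.1x-timeout with no identity matches the third scenario, where the device has no supplicant; 802.1x-rejected with an identity matches the second, where credentials were offered and refused.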