Network Access Server
This scenario shows different Network Access Server (NAS) configurations: server failover and VRF-aware communication.
Test 802.1X Authentication Against NAS Through a VRF-Aware Interface
Description
This scenario shows how to configure 802.1X authentication. It focuses on Authenticator/NAS communication when it is performed via a VRF-aware Ethernet interface.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf WAN
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 local-vrf WAN
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+r/K8Nghw/pbjN3os+iAQ9kEhKHQfaPRvyrwjiDsYFP8lBRZ3Gdmlq54T9E3ApiOHUj2R82je2NQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf WAN
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 vrf WAN count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: WAN
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 WAN: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.290 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.290/0.290/0.290/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/HC5diuAjEhuxfZshd3H/P2eHbiehdhKs=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                        Value
---------------------------------------------------
EAP State                    SUCCESS
EAP TLS Cipher               ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version              TLSv1.2
PAE State                    AUTHENTICATED
Supplicant Port Status       Authorized
WPA State                    COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                 Value
-------------------------------
EAPoL Frames (Rx)     11
EAPoL Frames (Tx)     11
Invalid Frames (Rx)   0
Logoff Frames (Tx)    0
Port Status           Authorized
Req Frames (Rx)       9
Req ID Frames (Rx)    1
Resp Frames (Tx)      10
Start Frames (Tx)     1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                      Value
---------------------------------------------
Access Challenges          9
Authentication Backend     RADIUS
Authentication Failures    0
Authentication Mode        802.1X
Authentication Status      Authorized (802.1X)
Authentication Successes   1
EAPoL frames (Rx)          11
EAPoL frames (Tx)          11
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           de:ad:be:ef:6c:12
Session User Name          testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.478 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.478/0.478/0.478/0.000 ms
Test MAB Authentication Against NAS Through a VRF-Aware Interface
Description
This scenario shows how to configure MAB authentication. It focuses on Authenticator/NAS communication when it is performed via a VRF-aware Ethernet interface.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf WAN
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup1 local-vrf WAN
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+NOyToM2tZAooYHa/0B/Na/8jvtRHUGKtSHMycnLeVWVvIdSPL5vXAKQXdw8+YSsV1SzAbCsTiHg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf WAN
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 vrf WAN count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: WAN
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 WAN: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=1.25 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.250/1.250/1.250/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.482 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.482/0.482/0.482/0.000 ms
Step 5: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                      Value
-------------------------------------------
Access Challenges          0
Authentication Backend     RADIUS
Authentication Failures    0
Authentication Mode        MAB
Authentication Status      Authorized (MAB)
Authentication Successes   1
EAPoL frames (Rx)          0
EAPoL frames (Tx)          0
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           de:ad:be:ef:6c:12
Session User Name          N/A
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.684 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.684/0.684/0.684/0.000 ms
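The 802.1X and MAB scenarios above both end by checking the `authenticator show stats` table with a couple of regular expressions. The following added example (not part of the original test page) parses that table into a dictionary, reproduces the page's regex checks, and then goes further by validating the whole table against what each mode should look like, so that a MAB session that somehow reports EAPoL traffic, or an 802.1X session with no Access-Challenge, is flagged. The sample table is the 802.1X output from the first scenario; its column alignment is assumed to be what the real CLI prints.

```python
import re

# Constructed sample: the 'authenticator show stats' table from the 802.1X
# scenario above, with the two-column alignment the CLI is assumed to print.
STATS_8021X = """\
---------------------------------------------
Field                      Value
---------------------------------------------
Access Challenges          9
Authentication Backend     RADIUS
Authentication Failures    0
Authentication Mode        802.1X
Authentication Status      Authorized (802.1X)
Authentication Successes   1
EAPoL frames (Rx)          11
EAPoL frames (Tx)          11
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           de:ad:be:ef:6c:12
Session User Name          testing
"""


def parse_field_table(text):
    """Turn a two-column 'Field  Value' CLI table into a dict.

    Field names contain single spaces ('Access Challenges') and so do some
    values ('Authorized (802.1X)'), so the split is on the first run of two
    or more spaces rather than on any whitespace.
    """
    rows = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue  # blank line or horizontal rule
        parts = re.split(r"\s{2,}", stripped, maxsplit=1)
        if len(parts) != 2 or parts[0] == "Field":
            continue  # header row or a row without a value column
        rows[parts[0]] = parts[1]
    return rows


def unmatched_patterns(text, patterns):
    """The page's 'check if output matches the following regular expressions'.

    Returns the patterns that did NOT match, so an empty list means success.
    """
    return [p for p in patterns if not re.search(p, text)]


def check_authenticator_stats(text, mode):
    """Validate the whole stats table against the expected mode ('802.1X' or 'MAB').

    Returns a list of human-readable problems; an empty list means the table
    is consistent with a single successful authentication in that mode.
    """
    t = parse_field_table(text)
    want = {
        "Authentication Backend": "RADIUS",
        "Authentication Mode": mode,
        "Authentication Status": f"Authorized ({mode})",
        "Authentication Failures": "0",
        "Authentication Successes": "1",
    }
    if mode == "MAB":
        # MAB is a MAC-address lookup: no EAP exchange, no Access-Challenge,
        # and no user identity is learned (the page shows N/A).
        want.update({"Access Challenges": "0", "EAPoL frames (Rx)": "0",
                     "EAPoL frames (Tx)": "0", "Session User Name": "N/A"})
    problems = [f"{k}: expected {v!r}, got {t.get(k)!r}"
                for k, v in want.items() if t.get(k) != v]
    if mode == "802.1X":
        # An EAP method must have produced at least one Access-Challenge and
        # the NAS must have learned the supplicant's identity.
        if t.get("Access Challenges", "0") == "0":
            problems.append("802.1X session without any Access-Challenge")
        if t.get("Session User Name", "N/A") == "N/A":
            problems.append("802.1X session without a user identity")
    return problems


if __name__ == "__main__":
    page_checks = [r"Authentication Successes\s+1", r"Authentication Mode\s+802\.1X"]
    print("page regex failures:", unmatched_patterns(STATS_8021X, page_checks))
    print("802.1X consistency:", check_authenticator_stats(STATS_8021X, "802.1X"))
    print("same table judged as MAB:", check_authenticator_stats(STATS_8021X, "MAB"))
```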
Test 802.1X Authentication With Server Failover
Description
This scenario shows how to configure 802.1X authentication. The primary Network Access Server is not reachable, so the secondary one is used instead.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf WAN
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup0 local-vrf WAN
set system aaa group radius radgroup0 server MAIN
set system aaa group radius radgroup1 local-vrf WAN
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 0 group radius radgroup0
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius MAIN address 10.215.168.2
set system aaa server radius MAIN encrypted-key U2FsdGVkX1+j5V/SKvP+o/M5478xy6Ecqep6nDIdueRIVCxX8DZ+S2gRPncbBS47iOF19Gej3tcfMEsLebZj6A==
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX18gmjwOKoTET0elXfWdeiNN4tOBcKSUqr0LiULozUeKxnkB0OuNmCZzBy9qDJdNPjpHLmMjuN/kiw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf WAN
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 vrf WAN count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: WAN
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 WAN: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.368 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.368/0.368/0.368/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX19wiZo0xbSqUZ5jea9nhTBKYSKMP358bvs=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 supplicant show status at DUT1 and check if output contains the following tokens:
Authorized
---------------------------------------------------
Field                        Value
---------------------------------------------------
EAP State                    SUCCESS
EAP TLS Cipher               ECDHE-RSA-AES256-GCM-SHA384
EAP TLS Version              TLSv1.2
PAE State                    AUTHENTICATED
Supplicant Port Status       Authorized
WPA State                    COMPLETED
Step 5: Run command interfaces ethernet eth2 supplicant show stats at DUT1 and check if output matches the following regular expressions:
Port Status\s+Authorized
-------------------------------
Field                 Value
-------------------------------
EAPoL Frames (Rx)     11
EAPoL Frames (Tx)     11
Invalid Frames (Rx)   0
Logoff Frames (Tx)    0
Port Status           Authorized
Req Frames (Rx)       9
Req ID Frames (Rx)    1
Resp Frames (Tx)      10
Start Frames (Tx)     1
Step 6: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+802\.1X
---------------------------------------------
Field                      Value
---------------------------------------------
Access Challenges          9
Authentication Backend     RADIUS
Authentication Failures    0
Authentication Mode        802.1X
Authentication Status      Authorized (802.1X)
Authentication Successes   1
EAPoL frames (Rx)          11
EAPoL frames (Tx)          11
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           de:ad:be:ef:6c:12
Session User Name          testing
Step 7: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.663 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.663/0.663/0.663/0.000 ms
Step 8: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
No response from Authentication server 10.215.168.2
Jun 04 16:13:17.205959 osdx hostapd[679951]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:13:17.205976 osdx hostapd[679951]: eth2: RADIUS Authentication server 10.215.168.2:1812
Jun 04 16:13:17.206271 osdx hostapd[679951]: connect[radius]: No route to host
Jun 04 16:13:17.206031 osdx hostapd[679951]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X, eap_server=0, eap_quiet_period=60, eap_max_retrans=2
Jun 04 16:13:17.206035 osdx hostapd[679951]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:13:17.225682 osdx hostapd[679951]: Discovery mode enabled on eth2
Jun 04 16:13:17.225781 osdx hostapd[679951]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:13:17.225781 osdx hostapd[679951]: eth2: AP-ENABLED
Jun 04 16:13:20.496181 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jun 04 16:13:20.496193 osdx hostapd[679952]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:13:20.509730 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Jun 04 16:13:20.509756 osdx hostapd[679952]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:13:20.509771 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Jun 04 16:13:20.509782 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jun 04 16:13:20.509795 osdx hostapd[679952]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:13:20.509819 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 180)
Jun 04 16:13:20.510206 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=180 len=12) from STA: EAP Response-Identity (1)
Jun 04 16:13:20.510221 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Jun 04 16:13:20.510258 osdx hostapd[679952]: eth2: RADIUS Authentication server 10.215.168.2:1812
Jun 04 16:13:20.512738 osdx hostapd[679952]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:20.512779 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:21.512893 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=0)
Jun 04 16:13:21.512927 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:13:23.513006 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=0)
Jun 04 16:13:23.513029 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 4 seconds
Jun 04 16:13:27.513414 osdx hostapd[679952]: eth2: RADIUS No response from Authentication server 10.215.168.2:1812 - failover (1º round)
Jun 04 16:13:27.513424 osdx hostapd[679952]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:13:27.513472 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=0)
Jun 04 16:13:27.513500 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:13:27.513799 osdx hostapd[679952]: eth2: RADIUS Received 80 bytes from RADIUS server
Jun 04 16:13:27.513803 osdx hostapd[679952]: eth2: RADIUS Received RADIUS message
Jun 04 16:13:27.513806 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:13:27.513852 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=181 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 04 16:13:27.513861 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 181)
Jun 04 16:13:27.514177 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=181 len=6) from STA: EAP Response-unknown (3)
Jun 04 16:13:27.514241 osdx hostapd[679952]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:27.514259 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:27.514485 osdx hostapd[679952]: eth2: RADIUS Received 64 bytes from RADIUS server
Jun 04 16:13:27.514491 osdx hostapd[679952]: eth2: RADIUS Received RADIUS message
Jun 04 16:13:27.514495 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:13:27.514518 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=182 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:13:27.514525 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 182)
Jun 04 16:13:27.514955 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=182 len=194) from STA: EAP Response-PEAP (25)
Jun 04 16:13:27.515000 osdx hostapd[679952]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:27.515016 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:27.516004 osdx hostapd[679952]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jun 04 16:13:27.516011 osdx hostapd[679952]: eth2: RADIUS Received RADIUS message
Jun 04 16:13:27.516014 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:13:27.516035 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=183 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:13:27.516041 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 183)
Jun 04 16:13:27.516213 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=183 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:13:27.516252 osdx hostapd[679952]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:27.516263 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:27.516408 osdx hostapd[679952]: eth2: RADIUS Received 229 bytes from RADIUS server
Jun 04 16:13:27.516413 osdx hostapd[679952]: eth2: RADIUS Received RADIUS message
Jun 04 16:13:27.516416 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:13:27.516428 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=184 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:13:27.516433 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 184)
Jun 04 16:13:27.517824 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=184 len=103) from STA: EAP Response-PEAP (25)
Jun 04 16:13:27.517868 osdx hostapd[679952]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:27.517881 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:27.518202 osdx hostapd[679952]: eth2: RADIUS Received 115 bytes from RADIUS server
Jun 04 16:13:27.518208 osdx hostapd[679952]: eth2: RADIUS Received RADIUS message
Jun 04 16:13:27.518212 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:13:27.518228 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=185 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:13:27.518235 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 185)
Jun 04 16:13:27.518439 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=185 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:13:27.518476 osdx hostapd[679952]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:27.518489 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:27.518617 osdx hostapd[679952]: eth2: RADIUS Received 98 bytes from RADIUS server
Jun 04 16:13:27.518622 osdx hostapd[679952]: eth2: RADIUS Received RADIUS message
Jun 04 16:13:27.518626 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:13:27.518641 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=186 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:13:27.518646 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 186)
Jun 04 16:13:27.518818 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=186 len=43) from STA: EAP Response-PEAP (25)
Jun 04 16:13:27.518849 osdx hostapd[679952]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:27.518859 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:27.519018 osdx hostapd[679952]: eth2: RADIUS Received 131 bytes from RADIUS server
Jun 04 16:13:27.519022 osdx hostapd[679952]: eth2: RADIUS Received RADIUS message
Jun 04 16:13:27.519025 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:13:27.519037 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=187 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:13:27.519042 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 187)
Jun 04 16:13:27.519289 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=187 len=97) from STA: EAP Response-PEAP (25)
Jun 04 16:13:27.519322 osdx hostapd[679952]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:27.519333 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:27.519487 osdx hostapd[679952]: eth2: RADIUS Received 140 bytes from RADIUS server
Jun 04 16:13:27.519492 osdx hostapd[679952]: eth2: RADIUS Received RADIUS message
Jun 04 16:13:27.519495 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:13:27.519510 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=188 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:13:27.519515 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 188)
Jun 04 16:13:27.519684 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=188 len=37) from STA: EAP Response-PEAP (25)
Jun 04 16:13:27.519717 osdx hostapd[679952]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:27.519727 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:27.519885 osdx hostapd[679952]: eth2: RADIUS Received 104 bytes from RADIUS server
Jun 04 16:13:27.519891 osdx hostapd[679952]: eth2: RADIUS Received RADIUS message
Jun 04 16:13:27.519894 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:13:27.519907 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=189 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:13:27.519912 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 189)
Jun 04 16:13:27.520062 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=189 len=46) from STA: EAP Response-PEAP (25)
Jun 04 16:13:27.520089 osdx hostapd[679952]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:27.520099 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:27.520254 osdx hostapd[679952]: eth2: RADIUS Received 175 bytes from RADIUS server
Jun 04 16:13:27.520258 osdx hostapd[679952]: eth2: RADIUS Received RADIUS message
Jun 04 16:13:27.520261 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:13:27.520279 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jun 04 16:13:27.520281 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=189 len=4) from RADIUS server: EAP Success
Jun 04 16:13:27.520293 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 189)
Jun 04 16:13:27.520307 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:13:27.520310 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session BEAB3E44A82BCFF9
Jun 04 16:13:27.520314 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Test MAB Authentication With Server Failover
Description
This scenario shows how to configure MAB authentication. The primary Network Access Server is not reachable, so the secondary one is used instead.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf WAN
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 0
set system aaa group radius radgroup0 local-vrf WAN
set system aaa group radius radgroup0 server MAIN
set system aaa group radius radgroup1 local-vrf WAN
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 0 group radius radgroup0
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius MAIN address 10.215.168.2
set system aaa server radius MAIN encrypted-key U2FsdGVkX1+7rv2iaeWc6gmeFH+ign3+TahmbinexSOzT5LAORJeTRxGH4pc3G4BxeMkuKZ9uKC414jh83B6Lg==
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+VZfeW1mzLw0AUJfFl1uzWCwc3CSJcY2nPXcW8P6v5rta1rZgzLnJrwnYkNDbuCfOJrRLETtOPNw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf WAN
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 vrf WAN count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: WAN
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 WAN: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=1.33 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.330/1.330/1.330/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command interfaces ethernet eth2 authenticator show stats at DUT0 and check if output matches the following regular expressions:
Authentication Successes\s+1
Authentication Mode\s+MAB
-------------------------------------------
Field                      Value
-------------------------------------------
Access Challenges          0
Authentication Backend     RADIUS
Authentication Failures    0
Authentication Mode        MAB
Authentication Status      Authorized (MAB)
Authentication Successes   1
EAPoL frames (Rx)          0
EAPoL frames (Tx)          0
Quiet Period               60
Reauthenticate             FALSE
Reauthenticate Period      0
Session Time               0
Session User MAC           de:ad:be:ef:6c:12
Session User Name          N/A
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.386 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.386/0.386/0.386/0.000 ms
Step 6: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
No response from Authentication server 10.215.168.2
Jun 04 16:13:36.899875 osdx hostapd[680597]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:13:36.899887 osdx hostapd[680597]: eth2: RADIUS Authentication server 10.215.168.2:1812
Jun 04 16:13:36.900126 osdx hostapd[680597]: connect[radius]: No route to host
Jun 04 16:13:36.899927 osdx hostapd[680597]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-only, eap_server=0, eap_quiet_period=60, eap_max_retrans=5
Jun 04 16:13:36.899930 osdx hostapd[680597]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:13:36.927732 osdx hostapd[680597]: Discovery mode enabled on eth2
Jun 04 16:13:36.927788 osdx hostapd[680597]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:13:36.927788 osdx hostapd[680597]: eth2: AP-ENABLED
Jun 04 16:13:41.928626 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Jun 04 16:13:41.928677 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jun 04 16:13:41.928691 osdx hostapd[680598]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:13:41.943811 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-only mode: Starting MAB authentication
Jun 04 16:13:41.943844 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:13:41.943858 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jun 04 16:13:41.945561 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jun 04 16:13:41.945572 osdx hostapd[680598]: eth2: RADIUS Authentication server 10.215.168.2:1812
Jun 04 16:13:41.945655 osdx hostapd[680598]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:41.945759 osdx hostapd[680598]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:42.945835 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=128)
Jun 04 16:13:42.945861 osdx hostapd[680598]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:13:44.946595 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=128)
Jun 04 16:13:44.946620 osdx hostapd[680598]: eth2: RADIUS Next RADIUS client retransmit in 4 seconds
Jun 04 16:13:48.947602 osdx hostapd[680598]: eth2: RADIUS No response from Authentication server 10.215.168.2:1812 - failover (1º round)
Jun 04 16:13:48.947615 osdx hostapd[680598]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:13:48.947671 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=128)
Jun 04 16:13:48.947732 osdx hostapd[680598]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:13:48.948044 osdx hostapd[680598]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:13:48.948048 osdx hostapd[680598]: eth2: RADIUS Received RADIUS message
Jun 04 16:13:48.948052 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:13:48.948057 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:13:48.948095 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jun 04 16:13:48.948115 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:13:48.948119 osdx hostapd[680598]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:13:48.948129 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:13:48.948133 osdx hostapd[680598]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 4F147853435F7186
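In both failover scenarios above the page only greps the journal for the "No response from Authentication server" token. The session still succeeds, which is exactly why a dead primary RADIUS server can go unnoticed. The following added example (not part of the original page or of the OSDx product) reconstructs the RADIUS timeline from hostapd journal lines: the retransmit backoff announced per server, how long the NAS waited before abandoning the primary, which server finally answered, and whether the port was authorized. The sample journal is an excerpt of the 802.1X failover log shown above; the journal line layout it parses is assumed from those lines.

```python
import re
from datetime import datetime

# Constructed sample: an excerpt of the DUT0 journal from the 802.1X failover
# scenario above (the lines are taken from the page; the selection is ours).
SAMPLE_JOURNAL = """\
Jun 04 16:13:20.510258 osdx hostapd[679952]: eth2: RADIUS Authentication server 10.215.168.2:1812
Jun 04 16:13:20.512738 osdx hostapd[679952]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:13:20.512779 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:13:21.512893 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=0)
Jun 04 16:13:21.512927 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:13:23.513006 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=0)
Jun 04 16:13:23.513029 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 4 seconds
Jun 04 16:13:27.513414 osdx hostapd[679952]: eth2: RADIUS No response from Authentication server 10.215.168.2:1812 - failover (1º round)
Jun 04 16:13:27.513424 osdx hostapd[679952]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:13:27.513472 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Resending RADIUS message (id=0)
Jun 04 16:13:27.513500 osdx hostapd[679952]: eth2: RADIUS Next RADIUS client retransmit in 2 seconds
Jun 04 16:13:27.513799 osdx hostapd[679952]: eth2: RADIUS Received 80 bytes from RADIUS server
Jun 04 16:13:27.520307 osdx hostapd[679952]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
"""

# Journal line layout assumed from the page: "<Mon DD HH:MM:SS.ffffff> <host> hostapd[<pid>]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{6}) \S+ hostapd\[\d+\]: (?P<msg>.*)$")
SERVER_RE = re.compile(r"RADIUS Authentication server (?P<srv>[\d.]+:\d+)")
FAILOVER_RE = re.compile(r"No response from Authentication server (?P<srv>[\d.]+:\d+) - failover")
RETRANSMIT_RE = re.compile(r"Next RADIUS client retransmit in (?P<secs>\d+) seconds")


def parse_ts(ts):
    # Journal lines carry no year; deltas inside one capture are still correct.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def analyse_failover(journal):
    """Reconstruct the RADIUS server timeline hostapd logged for one session."""
    current = None        # server hostapd is currently sending to
    first_send = None     # timestamp of the first RADIUS send in the session
    backoff = {}          # server -> retransmit delays hostapd announced for it
    failovers = []        # servers abandoned, with the seconds spent waiting
    answering = None      # server that actually produced a reply
    authorized_at = None
    for raw in journal.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a hostapd line (other daemons share the journal)
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        if (f := FAILOVER_RE.search(msg)):
            waited = round((ts - first_send).total_seconds(), 2) if first_send else None
            failovers.append({"server": f.group("srv"), "after_seconds": waited,
                              "backoff": list(backoff.get(f.group("srv"), []))})
        elif (s := SERVER_RE.search(msg)):
            current = s.group("srv")
            backoff.setdefault(current, [])
        elif "Sending RADIUS message" in msg and first_send is None:
            first_send = ts
        elif (r := RETRANSMIT_RE.search(msg)) and current:
            backoff[current].append(int(r.group("secs")))
        elif "bytes from RADIUS server" in msg:
            answering = current
        elif "authorizing port" in msg:
            authorized_at = ts
    return {
        "failovers": failovers,
        "failed_servers": [f["server"] for f in failovers],
        "backoff": backoff,
        "answering_server": answering,
        "authorized": authorized_at is not None,
        "seconds_to_authorize": (round((authorized_at - first_send).total_seconds(), 2)
                                 if authorized_at and first_send else None),
    }


if __name__ == "__main__":
    result = analyse_failover(SAMPLE_JOURNAL)
    for k, v in result.items():
        print(f"{k}: {v}")
```

A non-empty `failed_servers` list on a successful session is the condition worth alerting on: the port came up, but only because the secondary server answered.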