Reauth Period
This scenario shows how to configure the reauthentication period in a device with 802.1x/MAB authentication.
Test Reauth Period In 802.1X Mode
Description
This scenario shows how to configure the reauthentication period in a device with 802.1x authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/NczE5ogFSan2fxUIM/FUMCTU8PnbleXhWNQbNCedY4lyDnxoelRTfSp5znTXnfODCc7TqdZ4guw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.628 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.628/0.628/0.628/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set interfaces ethernet eth2 supplicant encrypted-password U2FsdGVkX1/uIhHEywztxoAFFo88KUAcnj/yd33DDj8=
set interfaces ethernet eth2 supplicant username testing
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: authenticated
Jun 04 16:13:58.449706 osdx hostapd[681228]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:13:58.449974 osdx hostapd[681228]: connect[radius]: Network is unreachable
Jun 04 16:13:58.449722 osdx hostapd[681228]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:13:58.449774 osdx hostapd[681228]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X, eap_server=0, eap_quiet_period=60, eap_max_retrans=2
Jun 04 16:13:58.449778 osdx hostapd[681228]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:13:58.469533 osdx hostapd[681228]: Discovery mode enabled on eth2
Jun 04 16:13:58.469537 osdx hostapd[681228]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames
Jun 04 16:13:58.469677 osdx hostapd[681228]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:13:58.469677 osdx hostapd[681228]: eth2: AP-ENABLED
Jun 04 16:13:59.951653 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:01.757021 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jun 04 16:14:01.757034 osdx hostapd[681229]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:14:01.773573 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Jun 04 16:14:01.773604 osdx hostapd[681229]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:14:01.773622 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAPOL-Start from STA
Jun 04 16:14:01.773637 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jun 04 16:14:01.773646 osdx hostapd[681229]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:14:01.773677 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 59)
Jun 04 16:14:01.774103 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=59 len=12) from STA: EAP Response-Identity (1)
Jun 04 16:14:01.774118 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Jun 04 16:14:01.774153 osdx hostapd[681229]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:14:01.776603 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:01.776637 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:01.776892 osdx hostapd[681229]: eth2: RADIUS Received 80 bytes from RADIUS server
Jun 04 16:14:01.776899 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:01.776903 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:01.776924 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=60 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 04 16:14:01.776932 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 60)
Jun 04 16:14:01.777173 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=60 len=6) from STA: EAP Response-unknown (3)
Jun 04 16:14:01.777234 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:01.777250 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:01.777454 osdx hostapd[681229]: eth2: RADIUS Received 64 bytes from RADIUS server
Jun 04 16:14:01.777469 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:01.777474 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:01.777492 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=61 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:01.777499 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 61)
Jun 04 16:14:01.777927 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=61 len=194) from STA: EAP Response-PEAP (25)
Jun 04 16:14:01.777985 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:01.777998 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:01.779303 osdx hostapd[681229]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jun 04 16:14:01.779310 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:01.779315 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:01.779336 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=62 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:01.779343 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 62)
Jun 04 16:14:01.779563 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=62 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:14:01.779614 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:01.779628 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:01.779781 osdx hostapd[681229]: eth2: RADIUS Received 229 bytes from RADIUS server
Jun 04 16:14:01.779788 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:01.779792 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:01.779809 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=63 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:01.779816 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 63)
Jun 04 16:14:01.781742 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=63 len=103) from STA: EAP Response-PEAP (25)
Jun 04 16:14:01.781792 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:01.781805 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:01.782090 osdx hostapd[681229]: eth2: RADIUS Received 115 bytes from RADIUS server
Jun 04 16:14:01.782095 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:01.782099 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:01.782116 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=64 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:01.782123 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 64)
Jun 04 16:14:01.782396 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=64 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:14:01.782444 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:01.782457 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:01.782599 osdx hostapd[681229]: eth2: RADIUS Received 98 bytes from RADIUS server
Jun 04 16:14:01.782605 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:01.782608 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:01.782623 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=65 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:01.782629 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 65)
Jun 04 16:14:01.782838 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=65 len=43) from STA: EAP Response-PEAP (25)
Jun 04 16:14:01.782890 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:01.782905 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:01.783050 osdx hostapd[681229]: eth2: RADIUS Received 131 bytes from RADIUS server
Jun 04 16:14:01.783056 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:01.783060 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:01.783077 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=66 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:01.783084 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 66)
Jun 04 16:14:01.783330 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=66 len=97) from STA: EAP Response-PEAP (25)
Jun 04 16:14:01.783365 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:01.783376 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:01.783567 osdx hostapd[681229]: eth2: RADIUS Received 140 bytes from RADIUS server
Jun 04 16:14:01.783574 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:01.783578 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:01.783595 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=67 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:01.783602 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 67)
Jun 04 16:14:01.783762 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=67 len=37) from STA: EAP Response-PEAP (25)
Jun 04 16:14:01.783799 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:01.783809 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:01.783938 osdx hostapd[681229]: eth2: RADIUS Received 104 bytes from RADIUS server
Jun 04 16:14:01.783944 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:01.783947 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:01.783961 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=68 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:01.783967 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 68)
Jun 04 16:14:01.784115 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=68 len=46) from STA: EAP Response-PEAP (25)
Jun 04 16:14:01.784147 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:01.784157 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:01.784317 osdx hostapd[681229]: eth2: RADIUS Received 175 bytes from RADIUS server
Jun 04 16:14:01.784322 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:01.784326 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:01.784354 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jun 04 16:14:01.784359 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=68 len=4) from RADIUS server: EAP Success
Jun 04 16:14:01.784375 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 68)
Jun 04 16:14:01.784393 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:14:01.784414 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 421291D2FACEE682
Jun 04 16:14:01.784418 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expired
Jun 04 16:14:02.342312 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:04.470582 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:06.533324 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:08.616053 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:10.700615 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:12.777736 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:14.848592 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:16.923001 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:18.994493 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:21.087688 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:21.791364 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jun 04 16:14:21.791378 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Starting re-authentication (port will be unauthorized until authentication succeeds)
Jun 04 16:14:21.791383 osdx hostapd[681229]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:14:21.791425 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 98)
Jun 04 16:14:21.791790 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=98 len=12) from STA: EAP Response-Identity (1)
Jun 04 16:14:21.791804 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: STA identity 'testing'
Jun 04 16:14:21.791883 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:21.791918 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:21.792180 osdx hostapd[681229]: eth2: RADIUS Received 80 bytes from RADIUS server
Jun 04 16:14:21.792188 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:21.792193 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:21.792231 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=99 len=22) from RADIUS server: EAP-Request-MD5 (4)
Jun 04 16:14:21.792239 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 99)
Jun 04 16:14:21.792489 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=99 len=6) from STA: EAP Response-unknown (3)
Jun 04 16:14:21.792541 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:21.792557 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:21.792751 osdx hostapd[681229]: eth2: RADIUS Received 64 bytes from RADIUS server
Jun 04 16:14:21.792758 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:21.792762 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:21.792779 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=100 len=6) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:21.792785 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 100)
Jun 04 16:14:21.793093 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=100 len=194) from STA: EAP Response-PEAP (25)
Jun 04 16:14:21.793138 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:21.793152 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:21.794206 osdx hostapd[681229]: eth2: RADIUS Received 1068 bytes from RADIUS server
Jun 04 16:14:21.794213 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:21.794216 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:21.794246 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=101 len=1004) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:21.794254 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 101)
Jun 04 16:14:21.794472 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=101 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:14:21.794533 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:21.794550 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:21.794698 osdx hostapd[681229]: eth2: RADIUS Received 229 bytes from RADIUS server
Jun 04 16:14:21.794703 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:21.794708 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:21.794734 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=102 len=171) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:21.794741 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 102)
Jun 04 16:14:21.796150 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=102 len=103) from STA: EAP Response-PEAP (25)
Jun 04 16:14:21.796199 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:21.796214 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:21.796552 osdx hostapd[681229]: eth2: RADIUS Received 115 bytes from RADIUS server
Jun 04 16:14:21.796557 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:21.796561 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:21.796576 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=103 len=57) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:21.796581 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 103)
Jun 04 16:14:21.796847 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=103 len=6) from STA: EAP Response-PEAP (25)
Jun 04 16:14:21.796879 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:21.796889 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:21.797035 osdx hostapd[681229]: eth2: RADIUS Received 98 bytes from RADIUS server
Jun 04 16:14:21.797040 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:21.797042 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:21.797054 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=104 len=40) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:21.797058 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 104)
Jun 04 16:14:21.797232 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=104 len=43) from STA: EAP Response-PEAP (25)
Jun 04 16:14:21.797263 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:21.797271 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:21.797408 osdx hostapd[681229]: eth2: RADIUS Received 131 bytes from RADIUS server
Jun 04 16:14:21.797413 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:21.797416 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:21.797430 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=105 len=73) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:21.797434 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 105)
Jun 04 16:14:21.797684 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=105 len=97) from STA: EAP Response-PEAP (25)
Jun 04 16:14:21.797717 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:21.797731 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:21.797942 osdx hostapd[681229]: eth2: RADIUS Received 140 bytes from RADIUS server
Jun 04 16:14:21.797947 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:21.797950 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:21.797964 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=106 len=82) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:21.797969 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 106)
Jun 04 16:14:21.798173 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=106 len=37) from STA: EAP Response-PEAP (25)
Jun 04 16:14:21.798219 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:21.798237 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:21.798411 osdx hostapd[681229]: eth2: RADIUS Received 104 bytes from RADIUS server
Jun 04 16:14:21.798418 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:21.798422 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:21.798448 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=1 id=107 len=46) from RADIUS server: EAP-Request-PEAP (25)
Jun 04 16:14:21.798462 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 107)
Jun 04 16:14:21.798669 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: received EAP packet (code=2 id=107 len=46) from STA: EAP Response-PEAP (25)
Jun 04 16:14:21.798708 osdx hostapd[681229]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:21.798721 osdx hostapd[681229]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:21.798918 osdx hostapd[681229]: eth2: RADIUS Received 175 bytes from RADIUS server
Jun 04 16:14:21.798923 osdx hostapd[681229]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:21.798926 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:21.798947 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: old identity 'testing' updated with User-Name from Access-Accept 'testing'
Jun 04 16:14:21.798950 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: decapsulated EAP packet (code=3 id=107 len=4) from RADIUS server: EAP Success
Jun 04 16:14:21.798964 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 107)
Jun 04 16:14:21.798972 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:14:21.798975 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 421291D2FACEE682
Jun 04 16:14:21.798979 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
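The check that Steps 4 and 5 perform by eye can be scripted. The Python code below is an added example, not part of the original page: for each station it measures the time between an `authorizing port` record and the next `Re-authentication period expired` record, compares it with the configured reauth-period, and flags stations that stay authorized past the period without re-authenticating (both messages are also logged in MAB mode). The function names, the `year` parameter (journal timestamps carry no year) and the sample records, including the second MAC address, are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the journal format shown on this page. The first
# station re-authenticates every 20 s; the second (made-up MAC) is authorized
# once and never re-authenticated before the log ends.
SAMPLE_JOURNAL = """\
Jun 04 16:14:01.784393 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:14:05.100000 osdx hostapd[681229]: eth2: STA 02:00:00:00:00:01 IEEE 802.1X: authorizing port
Jun 04 16:14:21.791364 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jun 04 16:14:21.798972 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:14:41.805000 osdx hostapd[681229]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jun 04 16:14:41.900000 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
"""

TS_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{1,6}) ")
STA_RE = re.compile(
    r"hostapd\[\d+\]: (?P<iface>\S+): "
    r"STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.1X: (?P<msg>.*)$"
)
EXPIRED_RE = re.compile(r"Re-authentication period expired \((\d+) seconds\)")


def parse_ts(stamp, year):
    """Parse a journal timestamp; the year is supplied by the caller."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")


def audit_reauth(journal_text, expected_period, tolerance=2.0, year=2000):
    """Return one finding per re-auth expiry, plus overdue stations.

    status is "ok" when the logged period equals expected_period and the
    measured interval is within `tolerance` seconds of it, "mismatch"
    otherwise, and "overdue" when a station was still authorized at the end
    of the log for longer than expected_period + tolerance.
    The default year is arbitrary (a leap year, so Feb 29 parses).
    """
    last_auth = {}   # (iface, sta) -> time the port was last authorized
    findings = []
    last_seen = None
    for line in journal_text.splitlines():
        ts_match = TS_RE.match(line)
        if not ts_match:
            continue
        ts = parse_ts(ts_match.group(1), year)
        # Journal records are not strictly ordered, so keep the maximum.
        last_seen = ts if last_seen is None else max(last_seen, ts)
        m = STA_RE.search(line)
        if not m:
            continue
        key = (m["iface"], m["sta"])
        msg = m["msg"]
        if msg == "authorizing port":
            last_auth[key] = ts
            continue
        expired = EXPIRED_RE.search(msg)
        if expired and last_auth.get(key) is not None:
            elapsed = (ts - last_auth[key]).total_seconds()
            logged = int(expired.group(1))
            ok = (logged == expected_period
                  and abs(elapsed - expected_period) <= tolerance)
            findings.append({"iface": key[0], "sta": key[1],
                             "status": "ok" if ok else "mismatch",
                             "elapsed": elapsed, "logged_period": logged})
            # The port stays unauthorized until the next "authorizing port".
            last_auth[key] = None
    for (iface, sta), since in last_auth.items():
        if since is None:
            continue
        idle = (last_seen - since).total_seconds()
        if idle > expected_period + tolerance:
            findings.append({"iface": iface, "sta": sta, "status": "overdue",
                             "elapsed": idle, "logged_period": None})
    return findings


if __name__ == "__main__":
    for finding in audit_reauth(SAMPLE_JOURNAL, expected_period=20):
        print(finding)
```
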
Test Reauth Period In MAB Mode
Description
This scenario shows how to configure the reauthentication period in a device with MAB authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode only-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX185BaDP36lUIB6gxFBOZ8iOThhk5SV0SrS5DFOdOFKGde8AASoDpGJcuykHK50tKsRKhZnCBEOFtw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.898 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.898/0.898/0.898/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticated
Jun 04 16:14:30.607338 osdx hostapd[681822]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:14:30.607357 osdx hostapd[681822]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:14:30.607686 osdx hostapd[681822]: connect[radius]: Network is unreachable
Jun 04 16:14:30.607413 osdx hostapd[681822]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-only, eap_server=0, eap_quiet_period=60, eap_max_retrans=5
Jun 04 16:14:30.607417 osdx hostapd[681822]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:14:30.626245 osdx hostapd[681822]: Discovery mode enabled on eth2
Jun 04 16:14:30.626348 osdx hostapd[681822]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:14:30.626348 osdx hostapd[681822]: eth2: AP-ENABLED
Jun 04 16:14:33.955213 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:35.629109 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Jun 04 16:14:35.629150 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jun 04 16:14:35.629160 osdx hostapd[681823]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:14:35.642245 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-only mode: Starting MAB authentication
Jun 04 16:14:35.642280 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:14:35.642298 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jun 04 16:14:35.644394 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jun 04 16:14:35.644407 osdx hostapd[681823]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:14:35.644492 osdx hostapd[681823]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:35.644524 osdx hostapd[681823]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:35.644813 osdx hostapd[681823]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:14:35.644818 osdx hostapd[681823]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:35.644823 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:35.644827 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:14:35.644837 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jun 04 16:14:35.644856 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:14:35.644859 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jun 04 16:14:35.644862 osdx hostapd[681823]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:14:35.644876 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:14:35.644880 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session D2D84C284AD0597A
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expired
Jun 04 16:14:38.514018 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:41.701782 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:44.912762 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:48.113933 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:51.294330 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:54.484277 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:14:55.660075 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jun 04 16:14:55.660094 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:14:55.660152 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jun 04 16:14:55.660189 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jun 04 16:14:55.660215 osdx hostapd[681823]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:14:55.660256 osdx hostapd[681823]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:14:55.660537 osdx hostapd[681823]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:14:55.660544 osdx hostapd[681823]: eth2: RADIUS Received RADIUS message
Jun 04 16:14:55.660550 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:14:55.660555 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:14:55.660577 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:14:55.660581 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jun 04 16:14:55.660585 osdx hostapd[681823]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:14:55.660589 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:14:55.660592 osdx hostapd[681823]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session D2D84C284AD0597A
Test Reauth Period In MAB-Fallback Mode
Description
This scenario shows how to configure the reauthentication period in a device with 802.1x/MAB authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode 802.1x-MAB
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/NcuXPbCuyJkSSV5jhmmlOs3AgJdf6lzHCh1nLxjYEFBPYA07gXV+lz64wqENdbck243bPpegvqw==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.353 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.353/0.353/0.353/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticated
Jun 04 16:15:04.298419 osdx hostapd[682397]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:15:04.298437 osdx hostapd[682397]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:15:04.298672 osdx hostapd[682397]: connect[radius]: Network is unreachable
Jun 04 16:15:04.298484 osdx hostapd[682397]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=802.1X+MAB-fallback, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:15:04.298488 osdx hostapd[682397]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:15:04.346279 osdx hostapd[682397]: Discovery mode enabled on eth2
Jun 04 16:15:04.346252 osdx hostapd[682397]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames
Jun 04 16:15:04.346380 osdx hostapd[682397]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:15:04.346380 osdx hostapd[682397]: eth2: AP-ENABLED
Jun 04 16:15:07.546312 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:09.348175 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Jun 04 16:15:09.348221 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jun 04 16:15:09.348230 osdx hostapd[682398]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:15:09.374361 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: start authentication
Jun 04 16:15:09.374389 osdx hostapd[682398]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: disabling transmission of periodic EAP-Request frames
Jun 04 16:15:09.374393 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback mode: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 04 16:15:09.374396 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 04 16:15:09.374411 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jun 04 16:15:09.374424 osdx hostapd[682398]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:15:09.374459 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 185)
Jun 04 16:15:11.790121 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:12.377137 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 185)
Jun 04 16:15:16.060884 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:18.382165 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 185)
Jun 04 16:15:20.262281 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:24.493574 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:28.685027 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:30.393171 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: aborting authentication
Jun 04 16:15:30.393181 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: EAP max retrans reached, triggering MAB fallback immediately
Jun 04 16:15:30.393187 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:15:30.393229 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jun 04 16:15:30.395603 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jun 04 16:15:30.395617 osdx hostapd[682398]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:15:30.395703 osdx hostapd[682398]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:15:30.395739 osdx hostapd[682398]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:15:30.395761 osdx hostapd[682398]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:15:30.395777 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 234)
Jun 04 16:15:30.396025 osdx hostapd[682398]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:15:30.396033 osdx hostapd[682398]: eth2: RADIUS Received RADIUS message
Jun 04 16:15:30.396036 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:15:30.396041 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:15:30.396063 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jun 04 16:15:30.396077 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:15:30.396080 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jun 04 16:15:30.396082 osdx hostapd[682398]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:15:30.396090 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:15:30.396092 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 2D253DC58CDFB70A
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expired
Jun 04 16:15:33.164864 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:36.356281 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:39.517227 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:42.682591 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:45.894052 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:49.090310 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:50.413127 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jun 04 16:15:50.413146 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB fallback: Scheduling MAB trigger in 30 seconds if no 802.1X response
Jun 04 16:15:50.413151 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Timeout registered, will trigger if no 802.1X response
Jun 04 16:15:50.413181 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
Jun 04 16:15:50.413187 osdx hostapd[682398]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Trying RADIUS authentication
Jun 04 16:15:50.413203 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Sending EAP Packet (identifier 212)
Test Reauth Period In MAB-First Mode
Description
This scenario shows how to configure the reauthentication period in a device with MAB/802.1X authentication.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth2 address 192.168.100.1/24
set interfaces ethernet eth2 authenticator 802.1x max-retransmissions 2
set interfaces ethernet eth2 authenticator aaa authentication list1
set interfaces ethernet eth2 authenticator log-level debug
set interfaces ethernet eth2 authenticator mode MAB-802.1x
set interfaces ethernet eth2 authenticator quiet-period 60
set interfaces ethernet eth2 authenticator reauth-period 20
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/68jfa4CHskUmjorndiBL1WzEk0T2xUVqdiVBIOZHGjQ6ocp0IUtr4zi02HzXoBuOUmiW9DtzWwQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.380 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.380/0.380/0.380/0.000 ms
Step 3: Set the following configuration in DUT1:
set interfaces ethernet eth2 address 192.168.100.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
MAB: station successfully authenticated
Jun 04 16:15:59.948722 osdx hostapd[682999]: eth2: IEEE 802.11 Fetching hardware channel/rate support not supported.
Jun 04 16:15:59.948740 osdx hostapd[682999]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:15:59.948978 osdx hostapd[682999]: connect[radius]: Network is unreachable
Jun 04 16:15:59.948786 osdx hostapd[682999]: eth2: IEEE 802.1X Initializing IEEE 802.1X: mode=MAB-first, eap_server=0, eap_quiet_period=60, eap_max_retrans=2, mab_timeout=30
Jun 04 16:15:59.948790 osdx hostapd[682999]: eth2: IEEE 802.1X IEEE 802.1X: Enabling packet capture discovery mode
Jun 04 16:15:59.972621 osdx hostapd[682999]: Discovery mode enabled on eth2
Jun 04 16:15:59.972622 osdx hostapd[682999]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: enabling transmission of periodic EAP-Request frames
Jun 04 16:15:59.972716 osdx hostapd[682999]: eth2: interface state UNINITIALIZED->ENABLED
Jun 04 16:15:59.972716 osdx hostapd[682999]: eth2: AP-ENABLED
Jun 04 16:16:03.268656 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:16:04.974492 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 DRIVER: Device discovered, triggering MAB authentication
Jun 04 16:16:04.974542 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: New STA de:ad:be:ef:6c:12 added
Jun 04 16:16:04.974553 osdx hostapd[683000]: eth2: IEEE 802.1X IEEE 802.1X: Disabling packet capture discovery mode
Jun 04 16:16:04.992649 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB-first mode: Starting MAB authentication
Jun 04 16:16:04.992682 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:16:04.992697 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jun 04 16:16:04.994400 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jun 04 16:16:04.994410 osdx hostapd[683000]: eth2: RADIUS Authentication server 10.215.168.1:1812
Jun 04 16:16:04.994485 osdx hostapd[683000]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:16:04.994514 osdx hostapd[683000]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:16:04.994563 osdx hostapd[683000]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame
Jun 04 16:16:04.994580 osdx hostapd[683000]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds
Jun 04 16:16:04.994833 osdx hostapd[683000]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:16:04.994838 osdx hostapd[683000]: eth2: RADIUS Received RADIUS message
Jun 04 16:16:04.994842 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:16:04.994846 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:16:04.994860 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Identity set to 'de:ad:be:ef:6c:12'
Jun 04 16:16:04.994876 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:16:04.994879 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jun 04 16:16:04.994881 osdx hostapd[683000]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:16:04.994893 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:16:04.994896 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 426FE4636027CD04
Step 5: Run command system journal show | grep "osdx hostapd" at DUT0 and check if output contains the following tokens:
IEEE 802.1X: Re-authentication period expired
Jun 04 16:16:07.722403 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:16:10.903456 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:16:14.102040 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:16:17.271088 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:16:20.441696 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:16:23.615404 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:16:24.995459 osdx hostapd[683000]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Sending EAP-Request/Identity frame
Jun 04 16:16:24.995490 osdx hostapd[683000]: eth2: STA 01:80:c2:00:00:03 IEEE 802.1X: Next EAP-Request/Identity retransmit in 20 seconds
Jun 04 16:16:25.009519 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jun 04 16:16:25.009538 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Starting RADIUS query
Jun 04 16:16:25.009576 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Name = de:ad:be:ef:6c:12
Jun 04 16:16:25.009604 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: User-Password = de:ad:be:ef:6c:12
Jun 04 16:16:25.009628 osdx hostapd[683000]: eth2: RADIUS Sending RADIUS message to authentication server
Jun 04 16:16:25.009669 osdx hostapd[683000]: eth2: RADIUS Next RADIUS client retransmit in 1 seconds
Jun 04 16:16:25.009974 osdx hostapd[683000]: eth2: RADIUS Received 20 bytes from RADIUS server
Jun 04 16:16:25.009978 osdx hostapd[683000]: eth2: RADIUS Received RADIUS message
Jun 04 16:16:25.009982 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Jun 04 16:16:25.009985 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Processing RADIUS response
Jun 04 16:16:25.010015 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:16:25.010018 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: Re-authentication enabled (next reauth in 20 seconds)
Jun 04 16:16:25.010020 osdx hostapd[683000]: eth2: IEEE 802.1X IEEE 802.1X: Discovery already disabled
Jun 04 16:16:25.010024 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:16:25.010027 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 RADIUS: starting accounting session 426FE4636027CD04
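One way to automate the check that Steps 4 and 5 make by eye, as an added example that is not part of the original test suite: it parses the hostapd journal lines, measures the time between a successful authentication and the next "Re-authentication period expired" event for the same station, and compares it with the configured reauth-period. The function names and the 1-second tolerance are assumptions; the sample lines are excerpted from the MAB-fallback and MAB-first outputs above, and only the MAB success token shown on this page is matched.

```python
import re
from datetime import datetime

# Layout of the per-station hostapd journal lines shown in the outputs above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{6}) \S+ hostapd\[\d+\]: \S+: "
    r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?:IEEE 802\.1X|RADIUS|DRIVER): "
    r"(?P<msg>.*)$"
)
EXPIRED_RE = re.compile(r"Re-authentication period expired \((\d+) seconds\)")
AUTH_OK = "station successfully authenticated"


def parse_ts(text):
    # Journal lines carry no year; a fixed one is enough to subtract timestamps.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")


def check_reauth(lines, configured_period, tolerance=1.0):
    """Return one record per 'Re-authentication period expired' event."""
    last_auth, pending, events = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # CLI audit lines and interface-level messages
        ts, mac, msg = parse_ts(m["ts"]), m["mac"], m["msg"]
        expired = EXPIRED_RE.search(msg)
        if expired and mac in last_auth:
            measured = (ts - last_auth[mac]).total_seconds()
            event = {
                "mac": mac,
                "announced": int(expired.group(1)),   # period hostapd reports
                "measured": round(measured, 3),       # seconds since last success
                "on_time": abs(measured - configured_period) <= tolerance,
                "port_unauthorized": False,           # port closed during reauth?
                "completed": False,                   # reauth succeeded in this log?
            }
            events.append(event)
            pending[mac] = event
        elif msg == "unauthorizing port" and mac in pending:
            pending[mac]["port_unauthorized"] = True
        elif msg.endswith(AUTH_OK):
            last_auth[mac] = ts
            if mac in pending:
                pending.pop(mac)["completed"] = True
    return events


# Excerpt from the MAB-fallback run (mode 802.1x-MAB), Steps 4 and 5.
FALLBACK_LOG = """\
Jun 04 16:15:30.396077 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:15:30.396090 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
Jun 04 16:15:33.164864 osdx OSDxCLI[655633]: User 'admin' executed a new command: 'system journal show | grep "osdx hostapd"'.
Jun 04 16:15:50.413127 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jun 04 16:15:50.413181 osdx hostapd[682398]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: unauthorizing port
""".splitlines()

# Excerpt from the MAB-first run (mode MAB-802.1x), Steps 4 and 5.
MAB_FIRST_LOG = """\
Jun 04 16:16:04.994876 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:16:25.009519 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: Re-authentication period expired (20 seconds), triggering re-authentication
Jun 04 16:16:25.010015 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: MAB: station successfully authenticated
Jun 04 16:16:25.010024 osdx hostapd[683000]: eth2: STA de:ad:be:ef:6c:12 IEEE 802.1X: authorizing port
""".splitlines()

if __name__ == "__main__":
    for name, log in (("802.1x-MAB", FALLBACK_LOG), ("MAB-802.1x", MAB_FIRST_LOG)):
        for event in check_reauth(log, configured_period=20):
            print(name, event)
```

On these excerpts both runs re-authenticate about 20.02 seconds after the previous success. The 802.1x-MAB excerpt is flagged port_unauthorized because its log shows "unauthorizing port" right after the expiry, while the MAB-802.1x excerpt goes straight to a new RADIUS query and completes.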