
Table of Contents

1.1.1.1.1.1.1. Subject\Production\SW Development\Feature Test Plans - Dev Handoff\802.1x\CFD_Analysis
1.1.1.1.1.1.1.1. Test: Test Name : 802.1x_CLCA_108818_IOP_with_STP
1.1.1.1.1.1.1.2. Test: Test Name : 802.1x_CLCA_122837_Verifying_settings_after_re-enabled
1.1.1.1.1.1.1.3. Test: Test Name : 802.1x_CLCA_134114_MAC-auth_with_mixed_mode
1.1.1.1.1.1.1.4. Test: Test Name : 802.1x_CLCA_106214_Disabling_port_when_allowed_RADIUS_GVRP_VLANS
1.1.1.1.1.1.1.5. Test: Test Name : 802.1x_CLCA_199478_connection to port using PEAP can erase existing ACL for other MAC address
1.1.1.1.1.1.1.6. Test: Test Name : 802.1x_CLCA_170012_AP connected through 2610 switch are not 802.1x authenticated
1.1.1.1.1.1.1.7. Test: Test Name : 8021x_CLCA_241399_Radius accounting start packets are sometimes delayed after successful 802.1x authentication
1.1.1.1.1.1.1.8. Test: Test Name : 802.1x_Auth_Failure_CLCA_236982_Authentication failure with Aastra phone that is doing both 802.1x and mac authentication
1.1.1.1.1.1.1.9. Test: Test Name : 802.1x_mac-auth_CLCA_235976_Cisco phones will NOT authenticate to correct VLAN
1.1.1.1.1.1.1.10. Test: Test Name : 802.1x_CLCA_CR244438_Any configuration change done at port level that causes de-authentication of all the clients_User_Role
1.1.1.1.1.1.1.11. Test: Test Name : 802.1x_CLCA_CR244438_Any configuration change done at port level that causes de-authentication of all the clients_Vlan
1.1.1.1.1.1.1.12. Test: Test Name : 802.1x_CLCA_CR245547_Macq Bank Cisco VoIP phones seem to drop out of MAC address table on 5412 switch
1.1.1.1.1.1.1.13. Test: Test Name : 802.1x_CLCA_245042_EAP_TLS_Jumbo
1.1.1.1.1.1.1.14. Test: Test Name : 802.1x_CLCA_211376_EAPOL_Logoff
1.1.1.1.1.1.1.15. Test: Test Name : 802.1x_CLCA_243452_EAP_TLS_Fragmentation
1.1.1.1.1.1.2. Subject\Production\SW Development\Feature Test Plans - Dev Handoff\802.1x\Functionality_Testing
1.1.1.1.1.1.2.1. Test: Test Name : 802.1x_6.3 Phone_PC_Authentication
1.1.1.1.1.1.2.2. Test: Test Name : 802.1x_6.1_Multiple_Vendor_Supplicant_Authentication
1.1.1.1.1.1.2.3. Test: Test Name : 802.1x_1.01_Basic_Port_Based
1.1.1.1.1.1.2.4. Test: Test Name : 802.1x_1.02_Basic_User_Mode
1.1.1.1.1.1.2.5. Test: Test Name : 802.1x_2.03_Authenticator_Values_Held_Over_Reboot
1.1.1.1.1.1.2.6. Test: Test Name : 802.1x_2.04_Authenticator_Statistics
1.1.1.1.1.1.2.7. Test: Test Name : 802.1x_2.05_Authenticator_EAP_Messages
1.1.1.1.1.1.2.8. Test: Test Name : 802.1x_2.06_Authenticator_Mode_Auto-Failed_Reauthentication
1.1.1.1.1.1.2.9. Test: Test Name : 802.1x_2.09_Authenticator_Mode_Auto_Successful_Re-authentication
1.1.1.1.1.1.2.10. Test: Test Name : 802.1x_2.12_Authenticator_Supported_EAP_Types
1.1.1.1.1.1.2.11. Test: Test Name : 802.1x_2.13_Authenticator_User_Mode_Port_Hopping
1.1.1.1.1.1.2.12. Test: Test Name : 802.1x_2.17_RADIUS_Assigned_Rate_Limit-Egress
1.1.1.1.1.1.2.13. Test: Test Name : 802.1x_2.18_RADIUS_Assigned_Rate_Limit-Ingress
1.1.1.1.1.1.2.14. Test: Test Name : 802.1x_1.21_Config-CLI_Boundary_Values
1.1.1.1.1.1.2.15. Test: Test Name : 802.1x_2.82_Cached_Re-Authentication_Persistant_Configuration
1.1.1.1.1.1.2.16. Test: Test Name : 802.1x_2.76_RADIUS_Unique_Session_ID
1.1.1.1.1.1.2.17. Test: Test Name : 802.1x_2.46_Port_Based_Mode_Values_Held_Over_Reboot
1.1.1.1.1.1.2.18. Test: Test Name : 802.1x_2.55_NAS_Attributes_MS-RAS-Vendor_Attribute
1.1.1.1.1.1.2.19. Test: Test Name : 802.1x_2.61_RADIUS_Access-Accept_with_Reply-Message
1.1.1.1.1.1.2.20. Test: Test Name : 802.1x_2.62_RADIUS_Message_Authenticator_in_packet
1.1.1.1.1.1.2.21. Test: Test Name : 802.1x_2.63_RADIUS_Proxy_Server
1.1.1.1.1.1.2.22. Test: Test Name : 802.1x_2.64_RADIUS_Server__Redundancy
1.1.1.1.1.1.2.23. Test: Test Name : 802.1x_2.69_Authenticator_Port_Hoping_With_NO_Link_Down
1.1.1.1.1.1.2.24. Test: Test Name : 802.1x_2.65_RADIUS_Server_Interoperability
1.1.1.1.1.1.2.25. Test: Test Name : 802.1x_2.70_RADIUS_AVPs_in_Access-Request_during_supplicant_auth
1.1.1.1.1.1.2.26. Test: Test Name : 802.1x_6.4 Phone_PC_Hoping_Move
1.1.1.1.1.1.2.27. Test: Test Name : 802.1x_2.14_RADIUS_Assigned_CoS
1.1.1.1.1.1.2.28. Test: Test Name : 802.1x_2.15_RADIUS_Assigned_Egress-VLAN-Name
1.1.1.1.1.1.2.29. Test: Test Name : 802.1x_2.16_RADIUS_Assigned_Egress-VLANID
1.1.1.1.1.1.2.30. Test: Test Name : 802.1x_2.81_Cached_Re-Authentication_Basic_Functionality
1.1.1.1.1.1.2.31. Test: Test Name : 802.1x_Cached_Reauth_F_09_Reachable_Radius_Cached_Reauth_Period
1.1.1.1.1.1.2.32. Test: Test Name : 802.1x_Cached_Reauth_F_11_Reachable_Radius_Different_Credentials
1.1.1.1.1.1.2.33. Test: Test Name : 802.1x_Cached_Reauth_F_16_UnReachable_Radius_Different_User_Credentials
1.1.1.1.1.1.2.34. Test: Test Name : RFC_4675_on_2510_B_01. VLAN_ID_tagged
1.1.1.1.1.1.2.35. Test: Test Name : RFC_4675_on_2510_B_02. VLAN _Name_tagged
1.1.1.1.1.1.2.36. Test: Test Name : RFC_4675_on_2510_B_03. VLAN_ID_untagged
1.1.1.1.1.1.2.37. Test: Test Name : RFC_4675_on_2510_B_04. VLAN_Name_untagged
1.1.1.1.1.1.2.38. Test: Test Name : Session_Timeout_CoA_F_08_PC_Behind_IP_Phone
1.1.1.1.1.1.2.39. Test: Test Name : Port_Bounce_Host_PC_Behind_IP_Phone
1.1.1.1.1.1.2.40. Test: Test Name : Special_488_02_PortSpeedVSA_with_Different_Port_Speed
1.1.1.1.1.1.2.41. Test: Test Name : Radius-Filter-ID_F_04_ipv6_Functionality_8021x
1.1.1.1.1.1.2.42. Test: Test Name : Radius-Filter-ID_F_01_ipv4_Functionality_802.1x
1.1.1.1.1.1.2.43. Test: Test Name : Radius-Filter-ID_I_02_Interop_Radius_Assigned_ACL
1.1.1.1.1.1.2.44. Test: Test Name : Radius_F_53._RFC_4675_On_User_Priority_Table
1.1.1.1.1.1.2.45. Test: Test Name : 802.1x_RADIUS Assigned VLAN
1.1.1.1.1.1.2.46. Test: Test Name : Disconnect_Message_PC_Behind_IP_Phone
1.1.1.1.1.1.2.47. Test: Test Name : 802.1x_01_CLI_Help_Text_Verification
1.1.1.1.1.1.2.48. Test: Test Name : 802.1x_02_SNMP_Read
1.1.1.1.1.1.2.49. Test: Test Name : 802.1x_03_REST_Read
1.1.1.1.1.1.2.50. Test: Test Name : 802.1x_04_REST_Write
1.1.1.1.1.1.2.51. Test: Test Name : 802.1x_EAP_Retries_Timeout
1.1.1.1.1.1.2.52. Test: Test Name : 802.1x_Quiet_Discovery_Authentication_Attempts
1.1.1.1.1.1.2.53. Test: Test Name : 802.1x_4.01_HA_-_Redundancy_Switchover
1.1.1.1.1.1.2.54. Test: Test Name : 802.1x_Force_Authorized_Reauthentication
1.1.1.1.1.1.3. Subject\Production\SW Development\Feature Test Plans - Dev Handoff\802.1x\IFD_Analysis
1.1.1.1.1.1.3.1. Test: Test Name : 802.1x_Trunk_Port
1.1.1.1.1.1.3.2. Test: Test Name : Radius_F_35._Attributes_Dynamic_Xauthmode
1.1.1.1.1.1.3.3. Test: Test Name : 802.1x_Subsequent_Users_Radius_Assigned_Attributes
1.1.1.1.1.1.3.4. Test: Test Name : 802.1x_Idle_Session_Timeout
1.1.1.1.1.1.3.5. Test: Test Name : 802.1x_EAP-ID-Compliance
1.1.1.1.1.1.3.6. Test: Test Name : 802.1x_Machine_User_Auth_Mac_Auth
1.1.1.1.1.1.3.7. Test: Test Name : 802.1x_Deauthentication_of_Guest_Clients
1.1.1.1.1.1.4. Subject\Production\SW Development\Feature Test Plans - Dev Handoff\802.1x\Interop Testing
1.1.1.1.1.1.4.1. Test: Test Name : 802.1x_3.02_Loopback_BPDU_protection
1.1.1.1.1.1.4.2. Test: Test Name : 802.1x_2.47_RADIUS_Accounting_Enable_Disable
1.1.1.1.1.1.4.3. Test: Test Name : 802.1x_2.48_RADIUS_Accounting_Interim_Update_Record
1.1.1.1.1.1.4.4. Test: Test Name : 802.1x_2.49_RADIUS_Accounting_Requests_Retransmitted
1.1.1.1.1.1.4.5. Test: Test Name : 802.1x_2.50_RADIUS_Accounting_Start_Stop_Record
1.1.1.1.1.1.4.6. Test: Test Name : 802.1x_2.51_RADIUS_Accouting_Unique_Session_ID
1.1.1.1.1.1.4.7. Test: Test Name : Radius_Tracking_I_01_Radius_Server_Groups
The RADIUS tracking feature already provides periodic information on whether a RADIUS server is reachable or not; we can use this information to decide which RADIUS server among the ones configured is to be contacted. If radius-tracking says none of the servers are reachable, we can completely bypass the retry mechanism and apply the back-up authentication method if configured. This saves the client time in getting access to the network.
1.1.1.1.1.1.4.8. Test: Test Name : Critical_VLAN_F_22_PC_Critical_Role
1.1.1.1.1.1.4.9. Test: Test Name : 802.1x_Preauth_Role
1.1.1.1.1.1.4.10. Test: Test Name : 802.1x_Reject_Role
1.1.1.1.1.1.4.11. Test: Test Name : 802.1x_cdp_lldp_bypass
1.1.1.1.1.1.4.12. Test: Test Name : 802.1x_Port_Security_Mac_Lockdown_Lockout
1.1.1.1.1.1.4.13. Test: Test Name : 802.1x_Radius_Over_IPSec
1.1.1.1.1.1.4.14. Test: Test Name : 802.1x_Non_Default_VRF
1.1.1.1.1.1.4.15. Test: Test Name : 802.1x_DSNOOP
1.1.1.1.1.1.5. Subject\Production\SW Development\Feature Test Plans - Dev Handoff\802.1x\Supportability
1.1.1.1.1.1.5.1. Test: Test Name : 802.1x_S_01._CopySupportFiles
1.1.1.1.1.1.5.2. Test: Test Name : 802.1x_S_02._DiagDump
1.1.1.1.1.1.5.3. Test: Test Name : 802.1x_S_03._EventLogs
1.1.1.1.1.1.5.4. Test: Test Name : 802.1x_S_04._ShowTech
1.1.1.1.1.1.5.5. Test: Test Name : 802.1x_S_05._Checkpoint
1.1.1.1.1.1.5.6. Test: Test Name : 802.1x_S_06_Config_Migration_CLI
1.1.1.1.1.1.5.7. Test: Test Name : 802.1x_S_07_Config_Migration_JSON
1.1.1.1.1.1.5.8. Test: Test Name : 802.1x_S_08_Core_Dump
1.1.1.1.1.1.5.9. Test: Test Name : 802.1x_S_09_Memory_leak
1.1.1.1.1.1.5.10. Test: Test Name : 802.1x_S_10_Debug_Logs

1.1.1.1.1.1.1. Subject\Production\SW Development\Feature Test Plans - Dev Handoff\802.1x\CFD_Analysis

Test List :

1.1.1.1.1.1.1.1. Test: Test Name : 802.1x_CLCA_108818_IOP_with_STP
Test: Test ID :158614
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Defect:
108818 Enabling 802.1x on a port causes the switch CPU to significantly elevate, when frames
hit a STP blocked port.

OBJECTIVE:
Test 802.1X interoperability with spanning tree.

Requirements:

Equipment

1. DUT
2. Radius Server (IAS or Freeradius)
3. Supplicant, which can be another switch or software installed on an operating system (OpenX, Windows default supplicant, or wpa_supplicant on Linux).
4. Ixia Port

Setup:

The Supplicant device is connected to the DUT. Radius server and Ixia port should be connected and configured with the DUT.

HOST--------DUT-----RADIUS
             |
         Ixia Port

Description:

The test would configure the DUT with appropriate commands required to enable 802.1x port
based functionality and verify interoperability when spanning tree is enabled.

Attachments:
HPN#108818 - Enabling 802.1x on a port causes the switch CPU to significantly elevate when
frames hit a STP blocked port..msg

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
90780

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xCLCA/802dot1x_CLCA_IopWithStp.tcl
Test: Automation Progress : 4 - Released to Production
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 108818
Test: BP Filter: HPE
Test: GUID: ALMTP157C158614

Steps :

Step 1
Description:
Erase DUT previous configurations, please don't connect any devices to DUT yet.
Loop two empty ports together (This is to ensure a spanning-tree blocking port.)
Enable spanning-tree.
    DUT(config)# spanning-tree
Expected Result:
DUT# show running-config should display default config.
DUT# show interfaces brief should display ports status as UP.
DUT# show spanning-tree displays one port forwarding and one port in blocking state.

Step 2
Description:
Connect Ixia Port and transmit ARP requests for a random IP into the switch. This can be done at as low a rate as 81 frames per second.
Expected Result:
Packets should be received by DUT.

Step 3
Description:
Enable aaa port-access authenticator on a random down port:
    (config)# radius-server host 23.0.0.218 key go4gold18
    DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
    aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
    switch# configure terminal
    switch(config)# interface 1/1/1
    switch(config-if)# aaa authentication port-access dot1x authenticator enable
    switch(config-if)#
    DUT(config)# aaa port-access dot1x authenticator enable
Expected Result:
Verify config using:
    show running-config

Step 4
Description:
Verify CPU utilization
    DUT# show system resource-utilization
Expected Result:
CPU utilization should be low (< 10%)

Step 5
Description:
Authenticate supplicant with valid credentials
Expected Result:
Supplicant should be authenticated.
Verify using:
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step 6
Description:
Modify STP Mode to non-default parameter.
    DUT(config)# spanning-tree mode <stp mode>
Check stepnotes.
Expected Result:
Check valid configuration.
    DUT(config)# show running-config
    DUT(config)# show spanning-tree

Step 7
Description:
Repeat steps 1 to 5
Expected Result:
Results should be the same.

Step 8
Description:
Verify CPU utilization
    DUT# show system resource-utilization
Expected Result:
CPU utilization should be low (< 10%)


1.1.1.1.1.1.1.2. Test: Test Name : 802.1x_CLCA_122837_Verifying_settings_after_re-enabled
Test: Test ID :158616
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Defect:
122837 - clients having issues with authentication when dot1x and mac auth are both configured on a port

Objective:
Verify that 802.1x (Port Based Network Access) and MAC Address based network access work simultaneously on the same port. Verify also that the client is authenticated and the mac-address still appears in the mac-address table. Also check that, after 802.1x has been enabled and disabled, if 802.1x config values such as client-limit and auth-vid are changed, the 802.1x will not reload the new config values when re-enabled.

Requirements:
- Device Under Test
- Radius Server (IAS or Freeradius)
- Supplicants which can be other switches or software installed on operating systems (OpenX, Windows default
supplicant), wpa_supplicant in linux.
- DHCP Server (optional)

Topology:
Supplicant--------------DUT----------------Radius Server

Test Setups:
1. Enable 802.1x Port Based
2. Disable 802.1x Port Based
3. Configure 802.1x specific settings
4. Enable 802.1x Port Based again
5. Verify that 802.1x loaded new settings
6. Verify the mac-address still appear in the mac-address table

Description:
This test will refer to the topology depicted in the attachment file.
When port access is configured on the switches, the 'show port-access authenticator <port#> client' output shows that the client is authenticated and the mac-address still appears in the mac-address table. After 802.1x has been enabled and disabled, if 802.1x config values such as client-limit and auth-vid are changed, 802.1x should reload the new settings values when re-enabled.

Attachments:
122837_Topology.jpg

References:
Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl): www.procurve.com <http://www.procurve.com>
RFC 3580 - IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
102283

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xCLCA/802dot1x_CLCA_802dot1xVerifyingSettingsAfterRe-enabled.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS

Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 122837
Test: BP Filter: HPE
Test: GUID: ALMTP157C158616

Steps :

Step 1 - Topology
Description:
Connect topology depicted in the attachment file
1. Erase switch configuration and reboot.
2. Check all the ports are up; use "show interface brief" and "show running config" commands.
Expected Result:
1. Erase should be successful and DUT should have Default config
    - (config)# erase startup-config
2. Connection should be successful and both the ports should be up
    - (config)# show running-config

Step 2 - Radius Server Configuration
Description:
Configure the commands listed below.
Example:
    (config)# radius-server host <ip address> key <key>
Expected Result:
Switch should accept the configuration and should be displayed with the commands listed below.
    - (config)# show radius

Step 3 - 802.1x Basic Configuration
Description:
    DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
    aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
    switch# configure terminal
    switch(config)# interface 1/1/1
    switch(config-if)# aaa authentication port-access dot1x authenticator enable
    switch(config-if)#
    DUT(config)# aaa port-access dot1x authenticator enable
Expected Result:
Switch should accept the configuration and should be displayed with the commands listed below.
    - (config)# show running-config

Step 4 - Mac-Based Basic Configuration
Description:
Enable mac authentication on the port
    switch# configure terminal
    switch(config)# interface 1/1/1
    switch(config-if)# aaa authentication port-access mac-auth
    switch(config-if-macauth)# enable
Expected Result:
Switch should accept the configuration and should be displayed with the commands listed below.
    - (config)# show running-config
No crashes must occur on the SW.

Step 5 - Authenticate Supplicant
Description:
Authenticate the user with 802.1x software
Expected Result:
Switch should receive Access-Accept and 802.1x Authenticated client should be displayed on the auth-vid VLAN-ID.
Check actual configuration.
    - (config)# show port-access authenticator <PORT-LIST>

Step 6 - Display Mac-Address learned
Description:
Verify that DUT can display MAC addresses learned on a singular port.
Expected Result:
DUT should display the Authenticated mac-address on a authenticated port, a PORT-LIST, a VLAN-ID,

Step 7 - Disable 802.1x and modify settings
Description:
Disable 802.1x Port Based and change 802.1x specific settings
    aaa authentication port-access auth-mode client-mode
Expected Result:
Verify actual configuration.
Example:
    - (config)# show running-config

Step 8 - Re Authenticate Client MAC-based
Expected Result:
DUT should receive Access-Accept and Authenticated client should be displayed on the correct auth-vid

Step 9 - Enable 802.1x with new settings and Reauth client
Description:
Enable 802.1x Port Based again and reauthenticate the supplicant with new settings loaded
    aaa authentication port-access auth-mode device-mode
Expected Result:
Verify that 802.1x loaded new settings

Step 10 - Display Mac-Address learned
Description:
Verify that DUT can display MAC addresses learned once again on a authenticated port, a PORT-LIST, a VLAN-ID,
Expected Result:
Verify the mac-address still appears in the mac-address table

Step 11 - Reboot DUT
Description:
Save the configuration and reboot the DUT. Repeat steps 5 and 6.
Example:
    (config)# write memory
    (config)# boot system primary
Expected Result:
No crashes must occur, verify the actual running configuration, the mac-address client appears in the mac-address table once it is authenticated again.

1.1.1.1.1.1.1.3. Test: Test Name : 802.1x_CLCA_134114_MAC-auth_with_mixed_mode
Test: Test ID :158617
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Defect:
134114 - Switch seems to successfully authenticating an 802.1x client and shows that the client has been placed into the
correct VLAN but is not allowing any ingress traffic from that authenticated client

Objective:
This test case verifies the correct authentication using 802.1x and mac-auth methods on the same port while the mixed-
mode authentication is enabled. The client once authenticated should be placed into the correct VLAN and it should be
able to reach the DUT.

Requirements:
- Radius server / DHCP server
- Host/PC/Switch as supplicant
- DUT

Test Setup:
This test case will refer to the topology attached to Step 1. Have a Radius server configured for 802.1X and MacAuth
clients. Connect a client to the switch.
Topology:
Supplicant-----Hub---------DUT----------------Radius Server
and Ixia

Description:
Using 802.1x and mac-auth methods on the same port while the mixed-mode authentication is enabled, the client once
authenticated should be placed into the correct VLAN and it should be able to reach the DUT. All traffic from that client
authenticated should be allowed through DUT.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
102333

Test: Automated : Yes

Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xCLCA/802dot1x_CLCA_MacAuthWithMixedMode.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 134114
Test: BP Filter: HPE
Test: GUID: ALMTP157C158617

Steps :

Step 1
Description:
Connect the TEST setup as described in the 134114_TOPOLOGY.jpg diagram

Step 2
Description:
Configure a Radius server with at least two users account for this test.
Expected Result:
User account should be created with no errors on the Radius server. The Radius server should run properly as expected.

Step 4
Description:
Configure the DUT to use the RADIUS server:
    (config)# radius-server host 23.0.0.218 key go4gold18
    DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
    aaa authentication port-access auth-mode client-mode
Enable 802.1X authentication on a port:
    switch# configure terminal
    switch(config)# interface 1/1/1
    switch(config-if)# aaa authentication port-access dot1x authenticator enable
    switch(config-if)#
    DUT(config)# aaa port-access dot1x authenticator enable
Expected Result:
The RADIUS server is set.
The encryption type is set.
802.1x Authentication is configured on the desired port.

Step 5
Description:
Configure the same port(s) for Mac Authentication method.
    switch# configure terminal
    switch(config)# interface 1/1/1
    switch(config-if)# aaa authentication port-access mac-auth
    switch(config-if-macauth)# enable

Step 14
Description:
Configure Auth-Role and Reject-Role to use the same vlan example vlan 10

Step 7
Description:
Attempt to authenticate the 802.1x client and MAC-Auth client, verify the connectivity to vlan 10 (in our example) from both clients.
Expected Result:
The clients are successfully authenticated and placed on the correct vlan.

Step 8
Description:
The clients should still be a member of the untagged vlan (VLAN 10). Clients should be able to communicate to other nodes in the vlan 10.
Verify both clients are successfully authenticated
Expected Result:
Both clients should be authenticated and correct information should be displayed.

Step 9
Description:
Deauthenticate the clients.
Now authenticate the 802.1x client with correct credentials.
Authenticate the MAC-Auth client using invalid credentials.
Expected Result:
802.1x client should be authenticated successfully on vlan 10.
The authentication fails and the client should be placed as unauth client into the vlan 10.

Step 10
Description:
Deauthenticate the clients.
Authenticate the MAC-Auth client using correct credentials.
Attempt to authenticate the 802.1X client using invalid credentials.
Expected Result:
802.1x client should not be authenticated.

Step 11
Description:
Deauthenticate the clients.
Now authenticate the 802.1x client with correct credentials.
Authenticate the MAC-Auth client using invalid credentials.
Expected Result:
802.1x client should be authenticated successfully on vlan 10.
The authentication fails and the client should be placed as guest client

Step 12
Description:
Deauthenticate the clients.
Authenticate the MAC-Auth client using correct credentials.
Attempt to authenticate the 802.1X client using invalid credentials.
Expected Result:
The mac client is successfully authenticated and placed into the vlan 10 and 802.1x client should not be authenticated, instead it should be placed as guest into mac-authentication.

Step 6
Description:
Enable the mixed mode authentication on authenticator port (2 in our example)
    HP-Switch(config)# interface 1/1/1
    HP-Switch(config-if)# aaa authentication port-access mixed-mode enable
Expected Result:
The DUT should accept the command and the appropriate show running-config command should reflect this.

Step 13
Description:
Disable mixed mode on the authenticator port
    HP-Switch(config)# interface 1/1/1
    HP-Switch(config-if)# aaa authentication port-access mixed-mode disable
Deauthenticate both clients.
Authenticate the 802.1X using valid credentials.
Attempt to authenticate the MAC-Auth client with invalid credentials.
Expected Result:
Mixed mode command should be removed from the configuration and both clients should be deauthenticated.
Unauth mac client should not be authenticated and sent to the reject role

Step 14
Description:
Deauthenticate both clients.
Authenticate the MAC-Auth client using correct credentials.
Attempt to authenticate the 802.1X client with invalid credentials.
Expected Result:
Unauth 802.1x client should not be authenticated.

1.1.1.1.1.1.1.4. Test: Test Name : 802.1x_CLCA_106214_Disabling_port_when_allowed_RADIUS_GVRP_VLANS
Test: Test ID :158619
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Defect:
106214 - Disabling a port with a Radius assigned MVRP vlan leads to an NMI

Objective:
This test case will verify the client will be moved to GVRP VLAN assigned from RADIUS server when having port-access
configured and after the port is disabled.

Requirements:

- DUT
- Switch
- Radius Server
- 802.1X Client

Topology:
Supplicant--------------DUT----------------Radius Server
                         |
                    MVRP Switch

Test Setup:
Have DUT and Switch connected with GVRP enabled. Configure Radius server users to assign to GVRP VLAN.

Description:
When Radius-assigned GVRP VLANs are allowed, the client, once authenticated, will be moved to the VLAN learned via
GVRP. Even after the client is removed and connected back, it should always be moved to the Radius-assigned GVRP
VLAN.

Attachments:
106214_RADIUS_GVRP_VLANS.doc
106214_Topology.jpg

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
102840

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xCLCA/802dot1x_CLCA_802dot1xDisablingPortWhenAllowedRadiusGvrpVlans.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS
Test: Topology Name : None

Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 106214
Test: BP Filter: HPE
Test: GUID: ALMTP157C158619

Steps :
Step Name Description Expected Result
Step Name: Setup
Description:
Connect the topology attached 106214_Topology.jpg
```
config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
```
Expected Result:
The switch should accept the configuration and the same should be displayed with the show commands.

Step Name: Test with Mvrp-vlans
Description:
Configure DUT switch to allow port-access on Mvrp vlans:
Authenticate a port so that the Radius Server moves the port to an existing MVRP VLAN. (VLAN 400)
Verify the client is authenticated and moved to VLAN 400:
```
DUT(Config)# show port-access authenticator
DUT(config)# show VLAN 400
```
Expected Result:
The port will be authenticated. The client should be able to ping across VLAN 400.
Verify that the DUT now advertises the vlan through MVRP to the all other connected switches.

Step Name: Test with disable/enable port
Description:
Once the client is authenticated and moved to MVRP VLAN 400, disable the port connected to the client:
Then enable the port again:
Try to authenticate the client again.
Verify the client is authenticated once again and moved to VLAN 400:
Expected Result:
Disabling the port should not cause any problems.
Once the port is enabled back, the client should be able to authenticate again and moved to VLAN 400.

Step Name: Disconnect/Re-connect client
Description:
Disconnect the Client that is enabling the MVRP VLAN. And reconnect again.
Verify the client is authenticated one more time and moved to VLAN 400:
Expected Result:
The port will become authenticated and moved to VLAN 400.

Step Name: Enable MVRP
Description:
Enable MVRP in the DUT and the other MVRP switch:
```
DUT(config)# Mvrp
DUT(config)# interface <ports> no shut
MVRPSWITCH1(config)# erase-startup config
```
wait for reboot, disable all interfaces
```
MVRPSWITCH(config)# MVRP
MVRPSWITCH(config)# vlan 400
MVRPSWITCH(config)# interface <port> enable
```
Expected Result:
All switches should accept the configuration above without any problems. We turn off all the ports in the switches to avoid any unnoticed spanning tree loop.

1.1.1.1.1.1.1.5. Test: Test Name : 802.1x_CLCA_199478_connection to port using PEAP can erase existing ACL for other MAC address
Test: Test ID :158630
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Defect:

8200 K.15.16.0012m 802.1X connection to port using PEAP can erase existing ACL for other MAC address

Objective:

This testcase verifies that when multiple clients connect to a port using the same authentication method but different
EAP methods, and the first client is configured with a Radius-applied ACL and the second client is not, the second client does not
get authenticated and the Radius ACL of the first client remains intact.

Requirements:

Switch,Radius server,client1(switch), client2(workstation).

Test Setup:

Refer the attached topology

Attachments
Topology

Test: Execution Status : No Run

Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
136695

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 199478
Test: BP Filter: HPE
Test: GUID: ALMTP157C158630

Steps :
Step Name Description Expected Result
Step Name: Topology
Description:
Make the topology as shown in the attachment

Step Name: DUT_802.1x
Description:
Configure the DUT port connected to the hub to use 802.1x for client authentication;
```
config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
```
Expected Result:
Switch should take the configuration without any errors
Verify the config using
show running-config
show config
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: enable SPT, BPDU protection and admin-edge-port
Description:
Enable Spanning Tree and configure BPDU protection and admin-edge-port
```
spanning tree enable
spanning-tree A2 admin-edge-port
spanning-tree A2 bpdu-protection
no spanning-tree bpdu-throttle
```
Expected Result:
Switch should take the configuration without any errors
Verify using show spanning-tree

Step Name: Client01_Supplicant_EAP-MD5
Description:
Configure the client 01 with eap-MD5
Expected Result:
After the initialization, client 01 should get authenticated and the Radius ACL should get applied
show running-config
show config
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: Client02_Supplicant_PEAP
Description:
Configure the second client as 802.1x client using username as 'steve' and password as 'procurve'. No radius ACL should be configured for this client.
Expected Result:
The second client without radius ACL should not get authenticated and the ACL for the first client should remain intact.
show running-config
show config
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: Repeat using different combinations of EAP methods
Description:
Repeat steps 4, 6 and 7, with clients and switch configured to use below combination
EAP-MD5 and EAP-TLS
EAP-TLS and PEAP
Expected Result:
The second client without radius ACL should not get authenticated and the ACL for the first client should remain intact.
show running-config
show config
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

1.1.1.1.1.1.1.6. Test: Test Name : 802.1x_CLCA_170012_AP connected through 2610 switch are not 802.1x authenticated
Test: Test ID :158632
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Defect:

2610 - R.11.107 -AP connected through 2610 switch are not 802.1x authenticated

Objective:

This testcase verifies that when an AP is connected to a port configured for 802.1x port based access with no unauth vlan
configured, authentication happens successfully

Requirements:

Switch,Radius server,Client(Access Point)

Test Setup:

Radius---------DUT----------AP

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
138148

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 170012
Test: BP Filter: HPE
Test: GUID: ALMTP157C158632

Steps :
Step Name Description Expected Result
Step Name: Step 1_DUT Config
Description:
Enable 802.1x port based authentication on port connected to AP
```
config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
```
Expected Result:
Verify the config using;
Show run

Step Name: Step 2_Radius Config
Description:
Configure Radius server to authenticate the AP

Step Name: Step 3_Initiate Authentication from AP
Description:
Disable and enable the link connected to AP
Expected Result:
If the credentials are correct the AP should be successfully authenticated;
Verify using;
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

1.1.1.1.1.1.1.7. Test: Test Name : 8021x_CLCA_241399_Radius accounting start packets are sometimes delayed after successful 802.1x authentication
Test: Test ID :158633
Test: Subject : CFD_Analysis

Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Objective:

This test case verifies the Radius accounting start packets are sometimes delayed after successful 802.1x authentication
Topology:
Radius server
|
DUT---------Dhcp Server
|
Supplicant
Test Case Description:
Validate the Radius Accounting packets get triggered correctly to the Supplicant after successful authentication.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
150027

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;IFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 241399,176857
Test: BP Filter: HPE

Test: GUID: ALMTP157C158633

Steps :
Step Name Description Expected Result
Step Name: Step 1
Description:
Connect Switch to the Client
Expected Result:
Client should be connected to the switch

Step Name: Step 2
Description:
Configure Dhcp Server and the Radius Server to the Switch.
Expected Result:
Verify that Dhcp server and Radius Server is reachable to the Switch.

Step Name: Step 3
Description:
Configure Dhcp-Snooping, Radius Server and windows client for port mirroring to capture packets on client port in the switch
Expected Result:
Verify that Windows client get ip address from the D-snoop table.

Step Name: Step 4
Description:
Configure dot1x authentication and aaa accounting commands in the switch and Authenticate the client. And validate the Packet capture for the Client.
Expected Result:
Check in the packet capture whether accounting start packets triggers correctly without any delay on client port after successful authentication.

1.1.1.1.1.1.1.8. Test: Test Name : 802.1x_Auth_Failure_CLCA_236982_Authentication failure with Aastra phone that is doing both 802.1x and mac authentication
Test: Test ID :158634
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Objective:
Verify that 802.1x authentication is successful with Aastra/Cisco IP phone that is doing both 802.1x and mac
authentication on same port

Requirements:
One 2 member stack DUT which supports 802.1x/mac-auth
Radius server

IP Phone Astra/Cisco supports dot1x authentication

Setup:

IP Phone<==========>DUT<=========>Radius Server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS
Test ID: 152510

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 236982
Test: BP Filter: HPE
Test: GUID: ALMTP157C158634

Steps :
Step Name Description Expected Result
Step Name: Step 1 - Topology Setup
Description:
Connect the devices according the topology shown.
Expected Result:
Topology is setup.

Step Name: Step 2 - Setup Radius and Dot1x
Description:
```
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)# aaa authentication port-access client-limit 2
```
Enable mac authentication on the port
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)#aaa authentication port-access mac-auth
switch(config-if-macauth)#enable
```
Expected Result:
Use the command "Show running-config" to verify the configuration is present in switch.

Step Name: Step 3 - Setup the radius server for mac-auth
Description:
Set up the radius server for authenticating using mac-address credential.
Add mac-address of IP Phone to user database for successfully authenticating using mac-auth.
Expected Result:
Use the command show aaa authentication port-access interface all client-status to verify the client is successfully authenticated using the mac-auth

Step Name: Step 4 - Setup the radius server for dot1x
Description:
Set up the radius server for authenticating using dot1x credential.
Add desired username and password to user database for successfully authenticating using dot1x.
Configure the dot1x credential on IP Phone.
Expected Result:
Use the command
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status
is successfully authenticated using the dot1x.

Step Name: Step 5
Description:
Reboot the switch using boot system command.
Expected Result:
Verify the IP Phone is successfully authenticated using dot1x
show port-access authenticator <port> clients detail

1.1.1.1.1.1.1.9. Test: Test Name : 802.1x_mac-auth_CLCA_235976_Cisco phones will NOT authenticate to correct VLAN
Test: Test ID :158635
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Objective:
Verify that 802.1x authentication is successful with Aastra/Cisco IP phone that is doing both 802.1x and mac
authentication on same port

Requirements:
One DUT which supports 802.1x/mac-auth
Radius server

IP Phone Astra/Cisco supports dot1x authentication

Setup: Topology

Radius server<===================>DUT<==========>IP Phone

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
152511

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 235976
Test: BP Filter: HPE
Test: GUID: ALMTP157C158635

Steps :
Step Name Description Expected Result
Step Name: Step 1 - Topology Setup
Description:
Connect the devices according the topology shown and configure LACP trunk between DUT and Cisco.

Cisco
=====
```
interface Port-channel 5
description lagginterface
switchport access vlan x
interface range GigabitEthernet 0/15 - 16
description lagg-test
switchport
switchport access vlan X
channel-group 5 mode active
channel-protocol lacp
```
Expected Result:
Topology is setup.
Verify LACP trunks are up.
show lacp
Cisco
#sh lacp neighbor

Step Name: Step 2 - Setup Radius and Dot1x
Description:
Set the following configuration in the DUT for radius server, dot1x, mac-auth
Expected Result:
Use the command "Show running-config" to verify the configuration is present in switch.

Step Name: Step 3 - Setup the radius server for mac-auth
Description:
Set up the radius server for authenticating using mac-address credential.
Add mac-address of IP Phones to user database for successfully authenticating using mac-auth.
Expected Result:
* show aaa authentication port-access interface all client-status
verify the client is successfully authenticated using the mac-auth.

Step Name: Step 4 - Setup the radius server for dot1x
Description:
Set up the radius server for authenticating using dot1x credential.
Add desired username and password to user database for successfully authenticating using dot1x.
Expected Result:
Dot1x credentials are configured on Radius server
* show aaa authentication port-access interface all client-status

Step Name: Step 5 - Authenticate the dot1x client PC using credentials configured in the previous step and Phone with mac-auth
Description:
Configure the dot1x credential on PC and authenticate using dot1x and authenticate IP Phone using mac-auth
Expected Result:
verify the client PC is authenticated.
PC is successfully authenticated using the dot1x and IP Phone is successfully authenticated using mac auth.
verify the IP Phone is authenticated with mac-auth.
* show aaa authentication port-access interface all client-status

1.1.1.1.1.1.1.10. Test: Test Name : 802.1x_CLCA_CR244438_Any configuration change done at port level that causes de-authentication of all the clients_User_Role
Test: Test ID :158636
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019

Test: Type : MANUAL
Test: Description : Objective: To verify that any port-level parameter changes in 802.1x shouldn't affect MAC
authentication, and that any port changes in MAC authentication should deauthenticate only MAC clients and shouldn't affect 802.1x clients
with user role attributes
Topology:
DUT----Hub-----Two Clients - 1 for 802.1x and 1 for Mac Authentication
|
Radius Server
Description:
Any configuration change done at port level that causes de-authentication of all the clients is causing MAC address to be
dropped from MAC table. This is causing VOIP phones and other devices to be deauthenticated

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
155166

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 244438
Test: BP Filter: HPE
Test: GUID: ALMTP157C158636

Steps :
Step Name Description Expected Result
Step Name: Step 1
Description:
Load the switch with image with the CR 244438 fixed
Expected Result:
Verify the image is loaded successfully using "show version"

Step Name: Step 2
Description:
Configure Vlan with IP and reachability to radius server
```
vlan 1
ip address 20.1.1.1/24
exit
```
Expected Result:
Verify the configuration using "show run"

Step Name: Step 3
Description:
Configure 802.1x and Mac authentication on all the ports except uplink port connecting to radius server
```
config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
```
Enable Mac authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)#aaa authentication port-access mac-auth
switch(config-if-macauth)#enable
```
Expected Result:
Verify the configuration using "show run"

Step Name: Step 4
Description:
Authenticate two clients using 802.1x and Mac Authentication
Expected Result:
Verify the Clients are authenticated successfully

Step Name: Step 5
Description:
Authenticate 802.1x Client with user role dot1x-auth-role and Mac Client using mac-auth-role
Expected Result:
Verify the Clients are authenticated successfully

Step Name: Step 6
Description:
Enable user role in the switch
```
port-access role mac-auth-role
vlan access <id-1>
exit
port-access role dot1x-auth-role
vlan access <id-2>
exit
```
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 7
Description:
Configure user-role parameters for Mac Auth user role one by one
Expected Result:
1. Verify the 802.1x Client is never deauthenticated in any of the configuration change using
2. Verify the mac client is deauthenticated/authenticated over all the configuration changes everytime using

Step Name: Step 8
Description:
Configure user-role parameters for dot1x Auth user role one by one
Expected Result:
1. Verify the 802.1x and Mac Client is never deauthenticated in any of the configuration change

Step Name: Step 9

1.1.1.1.1.1.1.11. Test: Test Name : 802.1x_CLCA_CR244438_Any configuration change done at port level that causes de-authentication of all the clients_Vlan
Test: Test ID :158637

Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Objective: To verify that any port-level parameter changes in 802.1x shouldn't affect MAC
authentication, and that any port changes in MAC authentication should deauthenticate only MAC clients and shouldn't affect 802.1x
clients.
Topology:
DUT----Hub-----Two Clients - 1 for 802.1x and 1 for Mac
|
Radius Server
Description:
Any configuration change done at port level that causes de-authentication of all the clients is causing MAC address to be
dropped from MAC table. This is causing VOIP phones and other devices to be deauthenticated

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
155167

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 244438
Test: BP Filter: HPE
Test: GUID: ALMTP157C158637

Steps :
Step Name Description Expected Result
Step Name: Step 1
Description:
Load the switch with image with the CR 244438 fixed
Expected Result:
Verify the image is loaded successfully using "show version"

Step Name: Step 2
Description:
Configure Vlan with IP and reachability to radius server
```
vlan 1
ip address 20.1.1.1/24
exit
```
Expected Result:
Verify the configuration using "show run"

Step Name: Step 4
Description:
```
config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
```
Enable Mac authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)#aaa authentication port-access mac-auth
switch(config-if-macauth)#enable
```
Configure 802.1x and Mac authentication on all the ports except uplink port connecting to radius server
Expected Result:
Verify the configuration using "show run"

Step Name: Step 5
Description:
Authenticate two clients using 802.1x and Mac Authentication
Expected Result:
Verify the Clients are authenticated successfully

Step Name: Step 6
Description:
Configure port-level parameters for Mac authentication one by one on the port connected with Hub
Expected Result:
1. Verify the 802.1x Client is never deauthenticated in any of the configuration change
2. Verify the mac client is deauthenticated/authenticated over all the configuration changes everytime

Step Name: Step 7
Description:
Configure 802.1x Port level parameters one by one on the port connected with Hub
Expected Result:
1. Verify the 802.1x and Mac Client is never deauthenticated in any of the configuration change

1.1.1.1.1.1.1.12. Test: Test Name : 802.1x_CLCA_CR245547_Macq Bank Cisco VoIP phones seem to drop out of MAC address table on 5412 switch
Test: Test ID :158638
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Objective: When the phone is capable of doing 802.1x authentication and MAC authentication,
it should be placed in the correct user role or VLAN after successful authentication
Topology:
DUT----IP Phone
|
Radius Server
Description:
The issue cu observed is that Cisco VoIP phones seem to drop out of the MAC address table on the switch, though there
seems to be an arp entry, however it is no longer tied to a port. As the switch has no MAC address entry, packets are not
being forwarded to the phone so it goes into a “registering” state as it tries to re-establish communication with its Call
Manager.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
155168

Test: Automated : Not Feasible
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 245547
Test: BP Filter: HPE
Test: GUID: ALMTP157C158638

Steps :
Step Name Description Expected Result
Step Name: Step 1
Description:
Load the switch with image with the CR 244438 fixed
Expected Result:
Verify the image is loaded successfully using "show version"

Step Name: Step 2
Description:
Configure Vlan with IP and reachability to radius server
```
vlan 1
ip address 20.1.1.1/24
exit
```
Expected Result:
Verify the configuration using "show run"

Step Name: Step 3
Description:
Configure 802.1x and Mac authentication on all the ports except uplink port connecting to radius server
```
config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
```
Enable Mac authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)#aaa authentication port-access mac-auth
switch(config-if-macauth)#enable
```
Expected Result:
Verify the configuration using "show run"

Step Name: Step 4
Description:
Configure different DUR in CPPM when phone is mac authenticated
Expected Result:
Verify the configuration in CPPM

Step Name: Step 5
Description:
Configure different DUR in CPPM when phone is 802.1x authenticated
Expected Result:
Verify the configuration in CPPM

Step Name: Step 6
Description:
Enable download user-role in the switch after creating/installing TA Profile in the switch
Expected Result:
Attached the configuration for DUR. Verify the configuration changes using "show run"

Step Name: Step 7
Description:
Before Enabling EAP-MD5 in the phone and try for authentication by powering on the off
Expected Result:
Verify the phone 802.1x authentication times out first time and Mac Authentication success. Verify the Mac Auth DUR is able correctly

Step Name: Step 8
Description:
Enable EAP-MD5 Authentication on the phone
Expected Result:
Verify the phone is 802.1x authentication successful and Phone Mac is removed from the Mac Authentication user role and authenticated via 802.1x authentication user role using

Step Name: Step 9
Description:
Repeat Steps 8 and 9 after
1. Port Toggle
2. Port Bounce from CPPM
3. Disconnect Message from CPPM
4. boot system flash

1.1.1.1.1.1.1.13. Test: Test Name : 802.1x_CLCA_245042_EAP_TLS_Jumbo
Test: Test ID :166382
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 22/1/2019
Test: Type : MANUAL
Test: Description : Objective:
Verify that 802.1x authentication is successful with jumbo / without jumbo enabled

Setup:
Supplicant<==========>DUT<=========>Radius Server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
152510

Test: Automated : Not Feasible
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 245042
Test: BP Filter: HPE
Test: GUID: ALMTP157C166382

Steps :

Step Name: Step 1 - Topology Setup
Description: Connect the devices according to the topology shown.
Expected Result: Topology is setup.

Step Name: Step 2 - Setup Radius and Dot1x
Description:
```
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)# aaa authentication port-access client-limit 2
```
Expected Result: Use the command "Show running-config" to verify the configuration is present in switch.

Step Name: Step 3
Description: Register certificate used for EAP-TLS authentication with more than 1500 bytes and ensure the same is used while authenticating clients.
Expected Result: Clients and servers should use configured certificate.

Step Name: Step 4
Authentication shouldn't succeed as radius access request it will be more than 1512 bytes

Step Name: Step 5
Enabled jumbo in the VRF used for radius requests

Step Name: Step 6
Description: Trigger Authentication of the client again with certificate size more than 1500 bytes
Expected Result: Verify the client authentication will be successful now

1.1.1.1.1.1.1.14. Test: Test Name : 802.1x_CLCA_211376_EAPOL_Logoff
Test: Test ID :166388
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 22/1/2019
Test: Type : MANUAL
Test: Description : Objective:
Verify that 802.1x authentication is successful with jumbo / without jumbo enabled

Setup:
Supplicant<==========>DUT<=========>Radius Server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
152510

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS;Leveraged from PVOS

Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 211376
Test: BP Filter: HPE
Test: GUID: ALMTP157C166388

Steps :

Step Name: Step 1 - Topology Setup
Description: Connect the devices according to the topology shown.
Expected Result: Topology is setup.

Step Name: Step 2 - Setup Radius and Dot1x
Description:
```
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)# aaa authentication port-access client-limit 2
```
Expected Result: Use the command "Show running-config" to verify the configuration is present in switch.

Step Name: Step 3
Description: Authenticate the Client with correct credentials present in Radius Server
Expected Result: Verify the client authentication is successful

Step Name: Step 4
Description: Send a EAPOL Logoff from Broadcast Mac instead of Multicast Mac.
Expected Result: Verify client didn't logoff and appropriate error message is thrown. Screen shot attached

1.1.1.1.1.1.1.15. Test: Test Name : 802.1x_CLCA_243452_EAP_TLS_Fragmentation
Test: Test ID :169194
Test: Subject : CFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 7/2/2019
Test: Type : MANUAL
Test: Description : Objective:
Verify that 802.1x authentication is successful with jumbo / without jumbo enabled with EAP-TLS Fragmentation

Setup:
Supplicant<==========>DUT<=========>Radius Server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
152510

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : CFD - PVOS

Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 243452
Test: BP Filter: HPE
Test: GUID: ALMTP157C169194

Steps :

Step Name: Step 1 - Topology Setup
Description: Connect the devices according to the topology shown.
Expected Result: Topology is setup.

Step Name: Step 2 - Setup Radius and Dot1x
Description:
```
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)# aaa authentication port-access client-limit 2
```
Expected Result: Use the command "Show running-config" to verify the configuration is present in switch.

Step Name: Step 3
Description: Register certificate used for EAP-TLS authentication with more than 5000 bytes and ensure the same is used while authenticating clients.
Expected Result: Clients and servers should use configured certificate.

Step Name: Step 4
Authentication shouldn't succeed as radius access request it will be more than 1512 bytes

Step Name: Step 5
Enabled jumbo in the VRF used for radius requests

Step Name: Step 6
Description: Trigger Authentication of the client again with certificate size more than 5000 bytes
Expected Result: Verify the client authentication will be successful now with EAP Packets being fragmented since the radius certificate size shouldn't be more than 4096
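
The size limits these steps exercise can be worked through in code. The following is an added example, not part of the original test plan or the switch software: it splits a TLS flight into EAP-TLS fragments (L and M flags per RFC 5216), wraps each in 253-byte RADIUS EAP-Message attributes (RFC 3579), and reports which Access-Requests exceed a 1500-byte MTU or the 4096-byte RADIUS maximum. The function names and the 120-byte allowance for the other RADIUS attributes are assumptions.

```python
import struct

EAP_RESPONSE, EAP_TYPE_TLS = 2, 13      # RFC 3748 code, RFC 5216 method type
FLAG_L, FLAG_M = 0x80, 0x40             # EAP-TLS flags: Length included, More fragments
RADIUS_HEADER, RADIUS_MAX = 20, 4096    # RFC 2865 header size and maximum packet length
ATTR_VALUE_MAX = 253                    # 255-byte attribute minus Type and Length octets
MESSAGE_AUTHENTICATOR = 18              # RFC 3579 attribute that accompanies EAP-Message
IP_UDP_HEADERS = 28                     # IPv4 (20) + UDP (8), no IP options


def fragment_eap_tls(tls_data, max_eap_len, first_id=1):
    """Split one TLS flight into EAP-Response/EAP-TLS packets of at most max_eap_len bytes.

    Identifiers simply count up here; on the wire each Response echoes the
    Identifier of the Request (or fragment ACK) it answers.
    """
    if max_eap_len <= 10:
        raise ValueError("max_eap_len leaves no room for TLS data")
    total = len(tls_data)
    pieces = []                                   # (flags, chunk) per EAP packet
    if 6 + total <= max_eap_len:                  # fits unfragmented: no L or M flag
        pieces.append((0, tls_data))
    else:
        offset = 0
        while offset < total:
            first = offset == 0
            room = max_eap_len - 6 - (4 if first else 0)
            chunk = tls_data[offset:offset + room]
            offset += len(chunk)
            flags = (FLAG_L if first else 0) | (FLAG_M if offset < total else 0)
            pieces.append((flags, chunk))
    packets = []
    for i, (flags, chunk) in enumerate(pieces):
        body = bytes([flags])
        if flags & FLAG_L:
            body += struct.pack("!I", total)      # TLS Message Length, first fragment only
        body += chunk
        header = struct.pack("!BBHB", EAP_RESPONSE, (first_id + i) & 0xFF,
                             5 + len(body), EAP_TYPE_TLS)
        packets.append(header + body)
    return packets


def reassemble_eap_tls(packets):
    """Rebuild the TLS flight, checking lengths and the M flag on every fragment."""
    data, announced = b"", None
    for i, pkt in enumerate(packets):
        _code, _ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
        if length != len(pkt) or eap_type != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            announced = struct.unpack("!I", pkt[6:10])[0]
            pos = 10
        if bool(flags & FLAG_M) != (i < len(packets) - 1):
            raise ValueError("M flag inconsistent with fragment position")
        data += pkt[pos:]
    if announced is not None and announced != len(data):
        raise ValueError("TLS Message Length does not match reassembled data")
    return data


def radius_request_size(eap_packet, other_attrs=120):
    """Access-Request length once the EAP packet is cut into EAP-Message attributes.

    other_attrs is an assumed allowance for User-Name, NAS and State attributes.
    """
    n_attrs = -(-len(eap_packet) // ATTR_VALUE_MAX)       # ceiling division
    return (RADIUS_HEADER + len(eap_packet) + 2 * n_attrs
            + MESSAGE_AUTHENTICATOR + other_attrs)


def check_exchange(tls_len, max_eap_len, mtu=1500, other_attrs=120):
    """Report, per EAP packet, whether the resulting RADIUS request is legal and fits the MTU."""
    tls_data = bytes(i % 251 for i in range(tls_len))     # constructed stand-in for a certificate flight
    packets = fragment_eap_tls(tls_data, max_eap_len)
    if reassemble_eap_tls(packets) != tls_data:
        raise RuntimeError("fragmentation round trip failed")
    report = []
    for pkt in packets:
        size = radius_request_size(pkt, other_attrs)
        report.append({"eap_len": len(pkt), "radius_len": size,
                       "valid_radius": size <= RADIUS_MAX,
                       "fits_mtu": size + IP_UDP_HEADERS <= mtu})
    return report


if __name__ == "__main__":
    for label, args in [("1600 bytes, unfragmented", (1600, 6000)),
                        ("5000 bytes, unfragmented", (5000, 6000)),
                        ("5000 bytes, 1400-byte EAP fragments", (5000, 1400)),
                        ("5000 bytes, 1400-byte fragments, jumbo", (5000, 1400, 9000))]:
        print(label)
        for row in check_exchange(*args):
            print("   ", row)
```

An unfragmented 5000-byte flight cannot be carried at all, because the Access-Request would pass 4096 bytes; fragmenting at the EAP layer keeps every request legal, and whether it also fits one datagram depends on the fragment size and the MTU on the path to the RADIUS server.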

1.1.1.1.1.1.2. Subject\Production\SW Development\Feature Test Plans - Dev Handoff\802.1x\Functionality_Testing

Test List :

1.1.1.1.1.1.2.1. Test: Test Name : 802.1x_6.3 Phone_PC_Authentication
Test: Test ID :158545
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Objective
This test will verify that 802.1x authentication works correctly when using a phone and a pc in
tandem connected to the same port (i.e. pc through phone)
Overview
Different 802.1x supplicants with different host OS need to be tested to ensure that the DUT
works correctly with all of them. The test should cover as large a variety of Xsupplicant software
as well as the different OSes this supplicant software runs on. This test does not need to cover
the functions of the RADIUS server (vlan assignment, and other AVPs). It only covers the
interaction of the supplicant software with the authenticator (DUT).

Requirements
Different pcs with different OS and supplicant software, phone
DUT
RADIUS Server.

Test Setups
The setup for this test is straightforward. The only complexity is the number of pc hosts being
attached to the DUT.

PCHosts<====>DUT<----->RADIUS server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69195

Test: Automated : Not Feasible
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158545

Steps :

Step Name: Configure 802.1x
Description: 1. Configure DUT for 802.1x port authentication.
Expected Result: Switch should accept configuration and it should be displayed by the appropriate show commands

Step Name: Configure vlans
Expected Result: Switch should accept configuration and it should be displayed by the appropriate show commands

Step Name: Configure RADIUS
Description: 3. Configured DUT for Radius. 4. Configure Radius server accordingly
Expected Result: Switch should accept configuration and it should be displayed by the appropriate show commands

Step Name: Authenticate phone
Description: 5. Authenticate Phone (verify phone works correctly, and gets put in the correct vlan).
Expected Result: Phone should be authenticated correctly and placed in the correct vlan

Step Name: Authenticate PC
Description: 6. Authenticate PC by itself to make sure it works. (disconnect phone)
Expected Result: PC should be authenticated correctly and placed in the correct vlan

Step Name: Authenticate PC and Phone
Description: 7. Authenticate PC and Phone both together.
Expected Result: Both PC and Phone should be authenticated correctly and placed in the correct vlans

Step Name: Test different combinations
Description: 8. Repeatedly authenticate and re-authenticate the phone and pc in different possible combinations. (Verify that phone functionality does not affect pc functionality and vice versa)
Expected Result: All combinations should work correctly. The switch should be able to handle all

Step Name: Reboot phone
Description: 9. Reboot the phone while pc is connected and check behavior
Expected Result: Depending on the phone and the way they are connected to the port the pc might be disconnected from the port. However, if the pc is not connected through the phone it should not be affected by the phone being disconnected.

Step Name: Reboot PC
Description: 10. Reboot the pc while phone is connected and check behavior.
Expected Result: Phone should not be affected at all by pc rebooting

1.1.1.1.1.1.2.2. Test: Test Name : 802.1x_6.1_Multiple_Vendor_Supplicant_Authentication
Test: Test ID :158546
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Objective
This test verifies compatibility between 802.1x port Authenticators and different vendor 802.1x
supplicants

Overview
Different 802.1x supplicants with different host OS need to be tested to ensure that the DUT
works correctly with all of them. The test should cover as large a variety of Xsupplicant software
as well as the different OSes this supplicant software runs on. This test does not need to cover
the functions of the RADIUS server (vlan assignment, and other AVPs). It only covers the
interaction of the supplicant software with the authenticator (DUT).

Requirements
Different pcs with different OS and supplicant software
DUT
RADIUS Server.

Test Setups
The setup for this test is straightforward. The only complexity is the number of pc hosts being
attached to the DUT.

PCHosts<====>DUT<----->RADIUS server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69196

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158546

Steps :

Step Name: Call
Description: Call <1.1.802.1x_Basic_Port_Based>

Step Name: Port-Based Mode
Description: Verify ports are configured for port-based (no client-limit). Start testing 802.1x supplicants of different vendors. (Include combination of different supplicants authenticating on the same ports at different times and connecting at the same time)
Expected Result: All Xsupplicants should authenticate successfully if they are configured correctly and have the correct credentials

Step Name: User-Base Mode
Description: Configure multiple ports of DUT as 802.1x port authenticators as user-level. Start testing 802.1x supplicants of different vendors on the same 802.1x authenticator port.
Expected Result: All Xsupplicants should authenticate successfully if they are configured correctly and have the correct credentials

1.1.1.1.1.1.2.3. Test: Test Name : 802.1x_1.01_Basic_Port_Based


Test: Test ID :158548
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
OBJECTIVE:
Test basic configuration of 802.1x port-based port-access.

Requirements:

Equipments

1. DUT
2. Radius Server (IAS or Freeradius)
3. Supplicants which can be other switches or software installed on operating systems (OpenX,
Windows default supplicant), wpa_supplicant in linux.

Setup:

The Supplicant device is connected to the DUT. Radius server should be connected and
configured with the DUT.

HOSTS--------DUT-----RADIUS

The attached diagram 802_1X_BASIC_TESTTOPOLOGY.jpg contains the test topology diagram
used for the configuration example. Only the DUT, RADIUS server, and one 802.1x supplicant
device need to be connected for this test.

Description:

The test would configure the DUT with appropriate commands required to enable 802.1x port
based functionality.

REFERENCES:

RFC 3580 - IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage
Guidelines
http://www.faqs.org/rfcs/rfc3580.html

Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)


www.procurve.com

Attachments:

802_1X_BASIC_TESTTOPOLOGY.jpg - Test topology used for the configuration example.
802_1X_BASIC_TESTTOPOLOGY.vsd - Visio version of test diagram.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69198

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xConfiguration/802dot1xBasicPortBased.tcl
Test: Automation Progress : 4 - Released to Production
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4

Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 232760
Test: BP Filter: HPE
Test: GUID: ALMTP157C158548

Steps :

Step Name: SETUP 1 - 802.1x Port-Based Configuration
Description: Erase switch configuration using the erase startup-config command and reboot. Once the DUT has rebooted configure the commands listed below. You might have to modify port numbers and command parameter values to meet the requirements of the platform and the network infrastructure (IP address, radius key) used for testing.
The following example refers to the test topology depicted in the attached file 802_1X_BASIC_TESTTOPOLOGY.jpg

Example
Configured RADIUS authentication
```
DUT(config)# vlan 23 untagged 48
DUT(config)# vlan 23 ip address 23.0.0.201/24
DUT(config)# radius-server key somesecret
DUT(config)# radius-server host 23.0.0.216
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
```
Expected Result: The switch should accept the configuration and the same should be displayed with the command listed below in the show commands
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

1.1.1.1.1.1.2.4. Test: Test Name : 802.1x_1.02_Basic_User_Mode


Test: Test ID :158549
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL

Test: Description : OBJECTIVE:

Test the basic configuration of 802.1x user mode feature

Requirement:

Equipments

1. DUT
2. Radius Server (IAS or Freeradius)
3. Supplicants which can be other switches or software installed on operating systems (OpenX,
Windows default supplicant).

Setup:

The Supplicant device is connected to the DUT. Radius server should be connected and
configured with the DUT.

HOSTS--------DUT-----RADIUS

Description:

The test would configure the DUT with appropriate commands required to enable 802.1x user
mode functionality. The test case works on K.13, K.14 and K.15 but fails on Lager.

REFERENCES:

RFC 3580 - IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage
Guidelines
http://www.faqs.org/rfcs/rfc3580.html

Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)


www.procurve.com

Attachments:

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69199

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xConfiguration/802dot1xBasicUserMode.tcl
Test: Content Last Modified Date : 7/12/2018

Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158549

Steps :

Step Name: User mode Configuration
Description: Erase switch configuration using the erase startup-config command and reboot. Once the DUT has rebooted configure the commands listed below. You might have to modify port numbers and command parameter values to meet the requirements of the platform and the network infrastructure (IP address, radius key) used for testing.

Example
```
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
```
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
```
Configure user-role
```
switch(config)# port-access role auth
switch(config-pa-role)# vlan access <vid>
switch(config-pa-role)# vlan trunk allowed <vid>
switch(config-pa-role)# exit
switch(config)#
switch# configure terminal
switch(config-if)# aaa authentication port-access auth-role auth
```
Expected Result: switch should accept the configuration and should be displayed with the commands listed below.
show running-config
show config
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: Verify Functionality
Description: Configure the RADIUS server with the appropriate username/password for a simple access accept (no vlan assigned attributes), and authenticate a client pc using any 802.1x supplicant software
Expected Result: The client should authenticate correctly if the right credentials are used and the port should become authenticated.

1.1.1.1.1.1.2.5. Test: Test Name : 802.1x_2.03_Authenticator_Values_Held_Over_Reboot
Test: Test ID :158554
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test verifies that the configuration of 802.1x authenticator ports is persistent across reboots.

Requirements:
A single DUT (Device Under Test) should suffice to cover the simpler cases of this test.

Setup:
This test requires only the DUT

Description:
802.1x authenticator configuration should be persistent across reboots if they have been saved
to the startup-config (write mem). The test should test for scenarios where ports have been
configured and the configuration has been saved to memory. After that, if anything causes the
device under test to reboot, the configuration on the ports should be the same as the one which
was saved to flash.

Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)
www.procurve.com

Attachments:

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69204

Test: Automated : Yes
Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xAuthValHeldOverReboot.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158554

Steps :

Step Name: Reboot after configuration
Description: Enable 802.1x authenticator on port 1, . Use CLI to change following parameters:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# enable
switch(config-if-dot1x-auth)# cached-reauth
switch(config-if-dot1x-auth)# cached-reauth-period 30
switch(config-if-dot1x-auth)# max-retries 3
switch(config-if-dot1x-auth)# quiet-period 30
switch(config-if-dot1x-auth)# reauth
switch(config-if-dot1x-auth)# reauth-period 50
switch(config-if-dot1x-auth)# discovery-period 50
switch(config-if-dot1x-auth)# eapol-timeout 40
switch(config-if-dot1x-auth)# max-eapol-requests 5
switch(config-if-dot1x-auth)# authorized
switch(config-if-dot1x-auth)# exit
```
save configuration (write mem)
Reboot the device and verify that switch displays and hold the configured values:

Expected Result: The values should be the same as before the reboot.
Show commands
### Show information related to 802.1X ports
#### Syntax
`show aaa authentication port-access dot1x authenticator interface <interface-name | all> port-statistics`

| Token | Help string |
|---------------------|-----------------------------------------------|
| show | Show running system information |
| aaa | Authentication, Authorization and Accounting |
| authentication | Show AAA authentication information |
| port-access | Show Port Access information. |
| dot1x | Show 802.1X information. |
| authenticator | Show 802.1X authenticator information. |
| interface | Show 802.1X information for interface. |
| port-statistics | Show 802.1X statistics for interface. |

1.1.1.1.1.1.2.6. Test: Test Name : 802.1x_2.04_Authenticator_Statistics
Test: Test ID :158555
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019

Test: Type : MANUAL
Test: Description :
Objective:
Test verifies authenticator session statistics are collected and displayed correctly

Requirements:
Statistics for 802.1x authenticator ports should be collected, displayed and managed (cleared)
correctly.

Setup:
HOST --------DUT-------RADIUS

Description:
Once a host is authenticated the statistics information should be displayed as expected on the
switch

Attachments:

REFERENCES:

RFC 3580 - IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage
Guidelines
http://www.faqs.org/rfcs/rfc3580.html

RFC 3748: http://www.ietf.org/rfc/rfc3748.txt

Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69205

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xAuthenticatorStats.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4

Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158555

Steps :

Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Verify 802.1x Statistics
Description: -Use a host with a 802.1x supplicant and authenticate successfully using valid credentials
Expected Result: The 802.1x authenticator statistics are displayed. This can be verified by the command
show port-access authenticator statistics

Step Name: Clear Statistics
Description: Enter command to clear authenticator port statistics. For example:
clear dot1x authenticator statistics 1/1/1
Expected Result: Counters should be cleared by command
Show information for active 802.1X authentication sessions
#### Syntax
`show aaa authentication port-access dot1x authenticator interface <interface-name | all> client-status [mac <mac-address>]`
#### Help

| Token | Help string |
|---------------------|-----------------------------------------------|
| show | Show running system information |
| aaa | Authentication, Authorization and Accounting |
| authentication | Show AAA authentication information |
| port-access | Show Port Access information. |
| dot1x | Show 802.1X information. |
| authenticator | Show 802.1X authenticator information. |
| interface | Show 802.1X information for interface. |
| client-status | Show 802.1X client status. |
| mac | Show 802.1X information for MAC. |

This can be verified by the command

Step Name: Check values after reboot
Description:
-Save configuration
-Disconnect the pc
-Reboot the switch (reload)
-Once the switch reboots ok look at the port-access authenticator session counters and statistics
Expected Result: There should be no session statistics records once the switch reboots.

Step Name: Check Session Status Counters
Description:
- Plug the PC back in an authenticate using the correct credentials
-Look at the session-counters. Example command:
`show aaa authentication port-access dot1x authenticator interface <interface-name | all> port-statistics`
-Log off and unplug the PC
-Look at the session-counters. Example command:
`show aaa authentication port-access dot1x authenticator interface <interface-name | all> port-statistics`
-Look at the statistics as well
Expected Result: The session-counters should display the correct session status and time. After logging off the session status blank and time should be 0
Authenticator session statistics are displayed for ports that have had or are having an open session, regardless of the port control mode value during the session. All fields in output should update correctly.

1.1.1.1.1.1.2.7. Test: Test Name : 802.1x_2.05_Authenticator_EAP_Messages
Test: Test ID :158556
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test verifies the required EAP messages are exchanged between the 802.1x
authenticator(DUT) and the supplicant (host).

Requirements:
1. Host PC with supplicants
2. DUT
3. Radius Servers

Setup:
HOST --------DUT-------RADIUS

Description:
The test verifies that the required EAP-Messages are exchanged between the switch and the
supplicant. The four generic EAP-Message types are EAP-Request, EAP-Response, EAP-
Success,EAP-Failure

The test case fails on Lager.

Attachments:

REFERENCES:

RFC 3580 - IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage
Guidelines
http://www.faqs.org/rfcs/rfc3580.html

RFC 3748: http://www.ietf.org/rfc/rfc3748.txt

Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)

www.procurve.com

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69206

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xAuthenticatorEapMsgs.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158556

Steps :
Step Name Description Expected Result
Call Call <802.1x 1.01
Basic_Port_Based>
Validate EAP-Messages 1. Connect a supplicant to the 1. Before the supplicant is
port configured as trigerred for authentication
authenticator. Start a network EAP-Request identity
analyzer on the supplicant messages will be send from
machine and observe the the switch to the supplicant.
packets. This message is trigerred at
random intervals.

2. Authenticate the supplicant 2. Once the client is trigerred


with valid credentials for authentication, EAP-
Response message is
trigerred from the client to the
DUT. Based on the protocol
used , a series of EAP-
request and EAP-response
packets will be exchanged.
Once the authentication is
successful EAP-Negotiation
will conclude by EAP-
3. Authenticate the supplicant Success message.
with invalid credentials

3. If the authentication is
unsuccessful EAP-
Negotiation will conclude by
EAP-Failure message

Test EAP-Request-Identity Connect a supplicant to the Before the supplicant is


port configured as trigerred for authentication
packets authenticator. Start a network EAP-Request identity packets
analyzer on the supplicant should be send from the DUT
machine and observe the to the supplicant
packets

Test EAP-Response Identity Authenticate the client Once the client is trigerred for
successfully with valid authentication, EAP-
packets credentials and observe it Response packets should be
with a network Analyzer send from the supplicant to
the DUT.

Test EAP-Success packets Observe the EAP-Packets for A successfull authentication


a succesfull authentication should be concluded by a
with a network analyzer EAP-Success Message

73 18/2/2019
Step Name Description Expected Result
Test EAP-Failure packets Authenticate the client with EAP-Negotiation should be
unsuccessfull and should be
invalid credentials and concluded by a EAP-Failure
observe the packets with a message

network analyzer
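
The EAP message checks in this test can be run mechanically against a capture. The Python sketch below is an added example, not part of the original test plan or its Tcl automation: it decodes EAPOL EAP-Packet frames (EtherType 0x888E, EAP codes per RFC 3748) and verifies that one authentication attempt opens with Request/Identity, that each Response echoes the outstanding Request identifier, and that the exchange concludes with Success or Failure. The MAC addresses, the identity string and the sample frames are constructed for illustration.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                       # IEEE 802.1X EAP over LAN
PAE_GROUP = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def parse_eapol(frame):
    """Decode one Ethernet frame; return None unless it is an EAPOL EAP-Packet."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != 0:                        # 0 = EAP-Packet; 1 Start, 2 Logoff, 3 Key
        return None
    body = frame[18:18 + body_len]             # slicing drops any Ethernet padding
    if body_len < 4 or len(body) < body_len:
        raise ValueError("truncated EAPOL body")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES or not 4 <= eap_len <= body_len:
        raise ValueError("malformed EAP header")
    method = None
    if code in (1, 2) and eap_len >= 5:        # only Request/Response carry a Type octet
        method = EAP_METHODS.get(body[4], "type-%d" % body[4])
    return {"src": frame[6:12], "code": EAP_CODES[code], "id": ident, "method": method}


def check_exchange(frames, dut_mac):
    """Return (concluding EAP code or None, list of problems) for one auth attempt."""
    problems, pending_id, final, first_request = [], None, None, True
    for n, frame in enumerate(frames, 1):
        pkt = parse_eapol(frame)
        if pkt is None:
            continue
        from_dut = pkt["src"] == dut_mac
        if pkt["code"] == "Response":
            if from_dut:
                problems.append("frame %d: Response sent by the authenticator" % n)
            if pkt["id"] != pending_id:
                problems.append("frame %d: Response id %d does not match Request id %s"
                                % (n, pkt["id"], pending_id))
            continue
        if not from_dut:                       # Request, Success, Failure come from the DUT
            problems.append("frame %d: %s not sent by the authenticator" % (n, pkt["code"]))
        if pkt["code"] == "Request":
            if first_request and pkt["method"] != "Identity":
                problems.append("frame %d: first Request is not Request/Identity" % n)
            first_request, pending_id = False, pkt["id"]
        else:
            final = pkt["code"]
    if final is None:
        problems.append("exchange did not conclude with EAP-Success or EAP-Failure")
    return final, problems


def eapol(src, dst, code, ident, method=None, data=b""):
    """Build a constructed EAPOL EAP-Packet frame for the sample captures."""
    payload = (bytes([method]) + data) if method is not None else b""
    eap = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, 0, len(eap)) + eap


DUT = bytes.fromhex("020000000001")            # constructed authenticator MAC
HOST = bytes.fromhex("020000000002")           # constructed supplicant MAC


def sample_capture(final_code, response_id=2):
    """Constructed EAP-MD5 exchange ending in Success (3) or Failure (4)."""
    challenge = b"\x10" + bytes(16)            # value-size octet + 16-byte value
    return [
        eapol(DUT, PAE_GROUP, 1, 1, 1),                     # Request/Identity
        eapol(HOST, PAE_GROUP, 2, 1, 1, b"testuser"),       # Response/Identity
        eapol(DUT, HOST, 1, 2, 4, challenge),               # Request/MD5-Challenge
        eapol(HOST, PAE_GROUP, 2, response_id, 4, challenge),
        eapol(DUT, HOST, final_code, 2),                    # Success or Failure
    ]


if __name__ == "__main__":
    for label, capture in (("valid credentials", sample_capture(3)),
                           ("invalid credentials", sample_capture(4)),
                           ("mismatched identifier", sample_capture(3, response_id=9))):
        print(label, "->", check_exchange(capture, DUT))
```

With a real capture, the frame bytes exported from the network analyzer replace the constructed list, and the DUT port MAC replaces `DUT`.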

1.1.1.1.1.1.2.8. Test: Test Name : 802.1x_2.06_Authenticator_Mode_Auto-Failed_Reauthentication
Test: Test ID :158557
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test verifies that the client is authenticated or rejected based on the credentials provided
with authenticator mode configured as auto, and that the port remains blocked on an unsuccessful
authentication.

Requirements:
1. Supplicant
2. DUT
3. Radius Server

Setup
Supplicant-------------DUT-------------Radius Server

Description:
Once the supplicant authenticates on a port configured as authenticator, the client status will be
authenticated. Once reauthentication is triggered from the authenticator and invalid credentials
are supplied, the supplicant is forced to authenticate, but the client status should be rejected
and the port should be blocked.

Attachments:

REFERENCES:

RFC 3580 - IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage
Guidelines
http://www.faqs.org/rfcs/rfc3580.html

Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)
www.procurve.com

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID: 69207

Test: Automated : Yes

Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xAuthModeAutoFailedReauth.tcl
Test: Automation Progress : 4 - Released to Production
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158557

Steps :

Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Authenticate with valid credentials
Description:
Connect a PC with an 802.1x supplicant to one of the ports configured as authenticator and
authenticate using the correct credentials.
Expected Result:
The authentication should succeed, the client status should become "Authenticated", and the port
should be open.

The client status can be verified by the following commands.

Example:
show port-access authenticator clients 3

The supplicant PC should be able to ping any devices which are connected on the default VLAN (in
this example).

Step Name: Test Invalid Credentials on Reauthentication
Description:
Force the authenticator port to reauthenticate using the following command
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)# aaa authentication port-access reauthenticate
but this time, when prompted, enter the incorrect credentials on the supplicant.

Depending on the supplicant which is used, you may be able to pre-configure it with invalid
credentials (X-Supplicant, ProCurve switch).

For the native supplicant on Windows, the invalid credentials should be supplied once the
authenticator window pops up.
Expected Result:
The client status of the port should now be Rejected-no vlan.

The port should be blocked by AAA. (Verify by the command log -r)

The client should not have access to any devices on the switch.

Step Name: Test Invalid Credentials with unauth-vid configured on Reauthentication
Description:
Force the authenticator port to reauthenticate with the following command
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)# aaa authentication port-access reauthenticate
but this time, when prompted, enter the incorrect credentials.

Depending on the supplicant which is used, you may be able to pre-configure it with invalid
credentials (X-Supplicant, ProCurve switch).

For the native supplicant on Windows, the invalid credentials should be supplied once the
authenticator window pops up.
Expected Result:
The client status of the port should now not Rejected-unauth-vlan

The client should be able to ping devices which reside on the unauth-vid.

1.1.1.1.1.1.2.9. Test: Test Name : 802.1x_2.09_Authenticator_Mode_Auto_Successful_Re-authentication
Test: Test ID :158578
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test verifies the reauthentication feature for ports configured as authenticator on the switch.

Requirements:
-Supplicant pc or procurve switch as supplicant
-DUT Switch which supports 802.1x authentication
-RADIUS Server

Setup:
The host or the switch (configured as supplicant ) should be connected to the port configured as
802.1x authenticator on the DUT.

Host/Supplicant<-------->DUT<---------->Radius Server

The example commands in this test refer to the topology diagram depicted in the file
802_1X_BASIC_TESTTOPOLOGY.jpg. However only the supplicant client connected to port 2,
and the RADIUS server need to be connected to execute this test.

Description:
After a supplicant is successfully authenticated, and when the reauthenticate for the authenticator
port is triggered, the supplicant should be logged off and forced to re-authenticate again.

References:
Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)
www.procurve.com

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID: 69228

Test: Automated : Yes

Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xAuthMdAutoSuccessReAuth.tcl
Test: Automation Progress : 4 - Released to Production
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158578

Steps :

Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Reauthenticate on the authenticator
Description:
Start the Ethernet sniffer software on the supplicant PC connected to port 2 of the DUT (port
configured as authenticator), and start a capture.

Trigger reauthentication for port 2 of the DUT.

Example:
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)# aaa authentication port-access reauthenticate

*Depending on the supplicant software being used and its configuration, you might or might not
need to re-enter the appropriate credentials.
Expected Result:
The authenticator should send a reauthentication request to the supplicant and should remove the
supplicant from the authorized clients.

The reauthentication request can be seen in the sniffer capture. This will be a
"request-identity" packet.

The status of the client can be observed using the following commands, which will display the
unauth clients on the port.
show aaa authentication port-access dot1x authenticator interface <interface-name | all> client-status [mac <mac-address>]

Step Name: Re-Auth period
Description:
Start the Ethernet sniffer software on the supplicant PC connected to port 2 of the DUT (port
configured as authenticator), and start a capture.

Configure the re-auth period for port 2 of the DUT, on which the supplicant is already
authenticated.

Example:
DUT(config)# aaa port-access authenticator 2 reauth-period 60
Expected Result:
The re-auth period should be displayed in the output of the appropriate show commands.
Example:
show aaa authentication port-access dot1x authenticator interface <interface-name | all> client-status [mac <mac-address>]

The authenticator should send a reauthentication request to the supplicant after an amount of
time equal to the re-auth period (in our example it is 60 seconds). It should remove the
supplicant from the authorized clients.

The reauthentication request can be seen using the packet analyzer. This would typically be an
EAP-logoff packet.

The status of the client can be observed using the following commands, which will display the
unauth clients on the port.
Example:
show aaa authentication port-access dot1x authenticator interface <interface-name | all> client-status [mac <mac-address>]

1.1.1.1.1.1.2.10. Test: Test Name : 802.1x_2.12_Authenticator_Supported_EAP_Types
Test: Test ID :158582
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test verifies that all possible EAP types work with the switch configured as authenticator.

Requirements:
Supplicant PC or ProCurve switch as supplicant
DUT Switch which supports 802.1x authentication
Radius Server

Test Setup:
The host or the switch (configured as supplicant ) should be connected to the port configured as
802.1x authenticator on the DUT.

Host<-------->DUT<-------------->Radius Server

Description:
The functionality of various EAP protocols will be tested and verified: EAP-MD5, PEAP, EAP-TLS.

*EAP-TLS is not an option which can be selected in the supplicant software. EAP-TLS stands for
EAP-Transport Layer Security, which is defined by RFC 5216. For the purposes of this test we can
use certificates to implement EAP-TLS. That should suffice for our test, even though EAP-TLS
can be implemented using other methods. The supplicants will have to be configured to use
certificates to authenticate to the RADIUS server. The instructions on how to set up the RADIUS
server to accept certificates and how to distribute the certificates to the supplicants are beyond
the scope of these instructions. It is suggested that a Microsoft Windows domain be set up and used
to distribute the security certificates to clients/users. The certificate facilities provided by a
Microsoft Windows domain make them easy to use by those who do not have a full understanding of
how security certificates work (private/public).

References:
ProCurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)
www.procurve.com

http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S3_ProCurve-802.1X-Vista-XP-final-081108.pdf

http://open1x.sourceforge.net/

http://support.microsoft.com/kb/313664

Test: Execution Status : No Run
Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID: 69232

Test: Automated : Yes

Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xAuthSupportedEAPTypes.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 173689
Test: BP Filter: HPE
Test: GUID: ALMTP157C158582

Steps :

Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Test EAP-MD5
Description:
Authenticate a supplicant which is configured for EAP-MD5.

The supplicant can be a Windows or Linux PC with supplicant software configured, or a ProCurve
switch which has the supplicant configured.

Supplicant software can be the Windows XP native supplicant or WPA supplicant for Linux.
XSupplicant is another supplicant software.
Expected Result:
The supplicant should authenticate successfully.

This can be verified by the following commands
show aaa authentication port-access dot1x authenticator interface <interface-name | all> client-status [mac <mac-address>]

Step Name: Test EAP-TLS with certificates
Description:
Authenticate a supplicant which is configured for EAP-TLS.

The supplicant can be a Windows or Linux PC with supplicant software configured.

Supplicant software can be the Windows XP native supplicant or WPA supplicant for Linux.
XSupplicant is another supplicant software.

Supplicant authentication can be different based on the type of supplicant software which is
installed.

Example:

1. XSupplicant displays the connect/reconnect tab on the software. The connect button on the
supplicant should be triggered for authentication. The supplicant should be configured for
EAP-TLS.
2. The Windows native supplicant can also be used for EAP-TLS. Simply configure the supplicant to
use certificates (see note below).

EAP-TLS is not an option which can be selected in the supplicant software. EAP-TLS stands for
EAP-Transport Layer Security, which is defined by RFC 5216. For the purposes of this test we can
use certificates to implement EAP-TLS. That should suffice for our test, even though EAP-TLS
can be implemented using other methods. The supplicants will have to be configured to use
certificates to authenticate to the RADIUS server. The instructions on how to set up the RADIUS
server to accept certificates and how to distribute the certificates to the supplicants are beyond
the scope of these instructions. It is suggested that a Microsoft Windows domain be set up and used
to distribute the security certificates to clients/users. The certificate facilities provided by a
Microsoft Windows domain make them easy to use by those who do not have a full understanding of
how security certificates work (private/public).
Expected Result:
The supplicant should be authenticated successfully.

This can be verified by the following commands
show aaa authentication port-access dot1x authenticator interface <interface-name | all> client-status [mac <mac-address>]

1.1.1.1.1.1.2.11. Test: Test Name : 802.1x_2.13_Authenticator_User_Mode_Port_Hopping
Test: Test ID :158583
Test: Subject : Functionality_Testing

Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test verifies that supplicant devices can authenticate successfully on different ports
configured as authenticator.

Requirements:
Supplicant PC or procurve switch as supplicant
DUT Switch which supports 802.1x authentication
Radius Server

Setup:
The host or the switch (configured as supplicant ) should be connected to the port configured as
802.1x authenticator on the DUT.

Host<-------->DUT<-------------->Radius Server

Description:
This test verifies that supplicant devices, once authenticated successfully, can be removed from
the connected port and made to authenticate on another port configured as authenticator. The test
case is failing on Lager.

References:
Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)
www.procurve.com

http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S3_ProCurve-802.1X-Vista-XP-final-081108.pdf

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID: 69233

Test: Automated : Yes

Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xAuthUsrModePortHopping.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj

Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158583

Steps :

Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Supplicant Authentication
Description:
Configure and authenticate the supplicant on the authenticator port. The supplicant can be a
ProCurve switch supplicant or a Windows/Linux PC which supports supplicant software.
Expected Result:
The supplicant device should be authenticated, and this can be verified by the following
commands. The Auth-clients value in the command will display the status information.

show aaa authentication port-access dot1x authenticator interface <interface-name | all> client-status [mac <mac-address>]

Step Name: Supplicant move
Description:
Move the supplicant to another port configured as authenticator and trigger authentication.

Supplicant authentication can be different based on the type of supplicant software which is
installed.

Example:

1. XSupplicant displays the connect/reconnect tab on the software. The connect button on the
supplicant should be triggered for authentication.
Expected Result:
The supplicant should be able to authenticate successfully. The Auth-clients value in the command
will display the status information.

show aaa authentication port-access dot1x authenticator interface <interface-name | all> client-status [mac <mac-address>]

1.1.1.1.1.1.2.12. Test: Test Name : 802.1x_2.17_RADIUS_Assigned_Rate_Limit-Egress
Test: Test ID :158584
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test case will verify that the DUT is able to override a Rate Limit configuration for a port in
which a successful authentication has occurred.

Requirements:
Supplicant PC or procurve switch as supplicant
DUT Switch which supports 802.1x authentication
Radius Server

Setup:
The host or the switch (configured as supplicant ) should be connected to the port configured as
802.1x authenticator on the DUT.

Host<-------->DUT<-------------->Radius Server

Description:
This test case will verify that the DUT is able to override a Rate Limit configuration for a port in
which a successful authentication has occurred. The DUT will apply the Rate Limit settings for the
port as configured in the freeRadius user's file, based on the HP-bandwidth-max-egress attribute.

The test case fails on K.13 and it is not supported on Lager.

References:
http://open1x.sourceforge.net/

http://support.microsoft.com/kb/313664

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID: 69237

Test: Automated : Dev Funnel

Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadiusAssgndRtLmtEgress.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y

Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158584

Steps :

Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Supplicant speed-duplex configuration
Description:
Configure the supplicant port for a 1000 Mbps link. The supplicant can be a ProCurve switch which
is configured as supplicant, or a Windows or Linux PC which has the necessary supplicant software.

Example:
(config)# interface 4
(config)# speed-duplex auto-1000
Expected Result:
The port setting should be saved. This can be verified by the command

show interfaces brief

Status and Counters - Port Status

                 | Intrusion                           MDI   Flow  Bcast
Port   Type      | Alert     Enabled Status Mode       Mode  Ctrl  Limit
------ --------- + --------- ------- ------ ---------- ----- ----- ------
1      100/1000T | No        Yes     Down   1000FDx    MDIX  off   0
2      100/1000T | No        Yes     Down   1000FDx    MDIX  off   0
3      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
4      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
5      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
6      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
7      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
8      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
9      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
10     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
11     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
12     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
13     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
14     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
15     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
16     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
17     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
18     100/1000T | No        Yes     Down   1000FDx    Auto  off   0

Step Name: Supplicant Authentication
Description:
Configure the RADIUS server to send the aruba-bandwidth-max-egress attribute. Configure and
authenticate the supplicant on the port configured as authenticator.
Expected Result:
The supplicant should be authenticated successfully and the % egress limit should be applied to
the port and verified in the kbps outlimit field. This can be verified by the command
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: Repeat steps
Description:
Repeat the above test steps for different values of 500000 and 900000.

Repeat the steps for speed 10 Mbps and values 1000, 50000, 90000.
Expected Result:
Results should be as expected as in test steps.

1.1.1.1.1.1.2.13. Test: Test Name : 802.1x_2.18_RADIUS_Assigned_Rate_Limit-Ingress
Test: Test ID :158585
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test case will verify that the DUT is able to override a Rate Limit configuration for a port in
which a successful authentication has occurred.

Requirements:
Supplicant PC or procurve switch as supplicant
DUT Switch which supports 802.1x authentication
Radius Server

Setup:
The host or the switch (configured as supplicant ) should be connected to the port configured as
802.1x authenticator on the DUT.

Host<-------->DUT<-------------->Radius Server

Description:
This test case will verify that the DUT is able to override a Rate Limit configuration for a port in
which a successful authentication has occurred. The DUT will apply the Rate Limit settings for the
port as configured in the RADIUS user account, based on the HP-bandwidth-max-ingress attribute.

References:
http://open1x.sourceforge.net/

http://support.microsoft.com/kb/313664

Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID: 69238

Test: Automated : Yes

Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadAssignedRtLmtIngress.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0

Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 211800
Test: BP Filter: HPE
Test: GUID: ALMTP157C158585

Steps :

Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Supplicant speed-duplex configuration
Description:
Configure the supplicant port for a 1000 Mbps link. The supplicant can be a ProCurve switch which
is configured as supplicant, or a Windows or Linux PC which has the necessary supplicant software.

Example:
(config)# interface 4
(config)# speed-duplex auto-1000
Expected Result:
The port setting should be saved. This can be verified by the command

show interfaces brief

Status and Counters - Port Status

                 | Intrusion                           MDI   Flow  Bcast
Port   Type      | Alert     Enabled Status Mode       Mode  Ctrl  Limit
------ --------- + --------- ------- ------ ---------- ----- ----- ------
1      100/1000T | No        Yes     Down   1000FDx    MDIX  off   0
2      100/1000T | No        Yes     Down   1000FDx    MDIX  off   0
3      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
4      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
5      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
6      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
7      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
8      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
9      100/1000T | No        Yes     Down   1000FDx    Auto  off   0
10     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
11     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
12     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
13     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
14     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
15     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
16     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
17     100/1000T | No        Yes     Down   1000FDx    Auto  off   0
18     100/1000T | No        Yes     Down   1000FDx    Auto  off

Step Name: Supplicant Authentication
Description:
Configure the RADIUS server to send aruba-bandwidth-max-ingress. Configure and authenticate the
supplicant on the port configured as authenticator.

Supplicant authentication can be different based on the type of supplicant software which is
installed.
Expected Result:
The supplicant should be authenticated successfully and the % ingress limit should be applied to
the port and verified in the kbps inlimit field. This can be verified by the command
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

1.1.1.1.1.1.2.14. Test: Test Name : 802.1x_1.21_Config-CLI_Boundary_Values
Test: Test ID :158588
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
Verify that periods such as cached reauth, quiet, discovery, etc. can be configured through the CLI for 802.1x
port-access. This case tests only configuration, not functionality.

Requirements:
DUT - Device Under Test is a switch which supports the cached-reauth configuration for port-access authentication.

Setup:
Single DUT - This test only tests configuration, not functionality

Description:
Test is intended to verify you can configure all the parameters of cached re-authentication for 802.1x port-access via
the CLI.

Test: Execution Status : No Run
Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID: 69241

Test: Automated : Yes

Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xConfiguration/802dot1xCachedReAuthConfigCLI.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 211799
Test: BP Filter: HPE
Test: GUID: ALMTP157C158588

95 18/2/2019
Steps :
Step Name Description Expected Result
Use the CLI to verify that you can * show aaa authentication port-
Configure 802.1x port-access configure the 802.1x port-access access dot1x authenticator
authentication authentication to use cached-
reauthentication, for all possible
interface all port-statistics
* show aaa authentication port-
authentication methods. Also test access dot1x authenticator
that using the "?" displays the interface all client-status
cached-reauth option were * show aaa authentication port-
appropriate and the necessary access interface all client-status
parameters.
Then leave the 802.1x port-access
authentication as eap-radius cached-
reauth
Exmaple:

switch# configure terminal


switch(config)# interface 1/1/1
switch(config-if)# aaa
authentication port-access dot1x
authenticator cached-reauth
switch(config-if)#
```

Use the CLI to configure the 802.1x


Configure 802.1x cached- authenticator ports cached-reauth-
The DUT should not allow
you to configure the cached-
reauth-period period
reauth-period above max
Test to make sure you are not value, nor below min-value.
allowed to set the tiem above the Once the ports are configure
max value or below the min value.
their correct cached-reauth-
Then configure the value to be 60
seconds. period should show up in the
Also test that using the "?" displays output of show running-
the cached-reauth option were config
appropriate and the
Example:
Configure cached re-auth period on a
port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa
authentication port-access dot1x
authenticator cached-reauth-
period 300
switch(config-if)#

Step Name: Step 3
Description: Repeat the above steps for the following periods
- Configure cached re-authentication period on a port
- Configure maximum authentication attempts on a port
- Configure quiet period on a port
- Configure re-authentication period on a port
- Configure discovery period on a port
- Configure EAPOL timeout on a port
- Configure maximum EAPOL requests on a port

1.1.1.1.1.1.2.15. Test: Test Name :
802.1x_2.82_Cached_Re-Authentication_Persistant_Configuration
Test: Test ID :158590
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test verifies that once a Device Under Test has been configured for cached-reauth 802.1x port-access authentication
and the configuration has been saved, the configuration is persistent across reboot, and can be saved to and recovered
from a tftp server.

Requirements:
DUT - Device Under Test is a switch which supports the cached-reauth configuration for port-access authentication.
SNMP workstation - PC with snmp software which will be used to set/read OIDs on the DUT

Setup:
Topology:
Supplicant--------------DUT----------------Radius Server.

Description:
Test is intended to verify you can configure all the parameters of cached re-authentication for 802.1x port-access via the
CLI. The following commands must be tested:
DUT(config)# aaa authentication port-access eap-radius ?
DUT(config)# aaa authentication port-access eap-radius cached-reauth
DUT(config)# aaa authentication port-access chap-radius ?
DUT(config)# aaa authentication port-access chap-radius cached-reauth
DUT(config)# aaa port-access authenticator <port-list> ?
DUT(config)# aaa port-access authenticator <port-list> cached-reauth-period <MinValue-MaxValue>

Test: Execution Status : No Run

Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69243

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xCachReAuthPersisConfig.tcl
Test: Automation Progress : 4 - Released to Production
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: Automation/Product CR : 228691
Test: BP Filter: HPE
Test: GUID: ALMTP157C158590

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_User_Mode>

Step Name: Call
Description: Call <802.1x Cached_Re-Authentication_Config-CLI>

Step Name: Reload DUT
Description: *WITHOUT* first saving the configuration (no write mem), issue the boot system primary command to reboot the switch. When asked to save configuration reply yes, to save configuration.
Example:
```
DUT(config)# boot system primary
System will be rebooted from primary image. Do you want to continue [y/n]? y
Do you want to save current configuration [y/n/^C]?y
```
Expected Result: In both cases, the switch should reload and the configuration of the DUT should be the same as before reload/boot command. You can use the show running

Step Name: TFTP transfer
Description: Transfer config off switch via tftp. Erase startup config and reboot. Reload config from tftp to switch startup config.
Expected Result: The configuration should be transferred to and from the tftp server successfully. After downloading the configuration from the server the DUT should reboot and the configuration should be the same which was originally uploaded to the tftp server.

Step Name: Call
Description: Call <802.1x Cached_Re-Authentication_Config-SNMP>

1.1.1.1.1.1.2.16. Test: Test Name :
802.1x_2.76_RADIUS_Unique_Session_ID
Test: Test ID :158592
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019

Test: Type : MANUAL
Test: Description :
Objective:
This test verifies that the session-id used by the RADIUS process in the Device Under Test (DUT)
is unique even after the device is rebooted.

Requirements:

DUT Switch which supports 802.1x authentication.


PC with supplicant software or Switch supplicant.
Radius Server.

Test Setup:

Supplicant--------DUT---------Radius Server
The example commands refer to the topology diagram in the file
802_1X_BASIC_TESTTOPOLOGY.jpg. However, only one supplicant and a RADIUS server need
to be connected to the DUT (Device Under Test).

Description:

The test verifies that the RADIUS session IDs for the user change after a DUT reboot. The DUT
sends Access-Request packets to the RADIUS server with a unique session ID. After the DUT
reboots, the Access-Request packets are sent with a different session ID.

References:

Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)
www.procurve.com
www.microsoft.com
www.freeradius.org
Description:
The session ID sent to RADIUS server should be safe against the switch reboot (it should be
unique even after reboot).
Freeradius
radius -Xyz
look for Acct-Unique-session-ID = "##"
Aegis
Acct-session-ID : ##

Attachments:

. Topology Diagram - Step 1 Attachment
. Wiring detail - Attachment Tab

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69246

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadiusUniqSessionID.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158592

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: STEP 1 - Port-Base and unique session-id
Description: Leave the DUT in port-based mode (no client-limit), connect more than one client to a single port (use L1-HUB on port 1 in our example), and after successfully authenticating one of the clients, reauthenticate the same client several times. Verify that the session-ids used each time are unique. You can use a traffic analyzer on the RADIUS server to look at the RADIUS requests.
If using FreeRadius, check the file at:
/var/log/radius/radacct/authenticator ip add/
eg: On the free radius run: #gedit /var/log/radius/radacct/10.10.1.254/detail-2010527
(The Switch needs to be set for accounting: aaa accounting port-access start-stop radius)
I.E.
Acct-Session-Id = "009900000001"
Expected Result: The session-ids used for each one of the hosts (clients) connected to the same port should be unique.

Step Name: STEP 2 - Use-Mode and unique session-id
Description: Configure the switch for Use-Mode authentication (client-limit), connect more than one client to a single port (use L1-HUB on port 1 in our example), and verify that the session-ids for each client are unique. You can use a traffic analyzer on the RADIUS server to look at the RADIUS requests.
Expected Result: The session-ids used for each one of the hosts (clients) connected to the same port should be unique.

Step Name: STEP 3 - Reboot and unique session-id
Description: Configure the switch for Use-Mode authentication (client-limit), connect more than one client to a single port (use L1-HUB on port 1 in our example), and verify that the session-ids for each client are unique. Reboot the switch and when the switch finishes rebooting reauthenticate the clients again. Verify that the session-ids are unique even across reboots. You can use a traffic analyzer on the RADIUS server to look at the RADIUS requests.
Expected Result: The session-ids used for each one of the hosts (clients) connected to the same port should be unique, even after the switch has rebooted.
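
One way to automate the uniqueness check against the FreeRADIUS accounting detail file (an added example, not part of the original test plan or its Tcl script). The sample records, the second MAC address and the function names are constructed; a Start and its matching Stop legitimately share one Acct-Session-Id, so only repeated Start records are treated as reuse.

```python
import re

# Constructed sample in the FreeRADIUS "detail" layout: a timestamp line,
# tab-indented "Attribute = value" lines, and a blank line between records.
# The last record models a DUT whose session counter restarted after a reboot.
SAMPLE_DETAIL = """\
Thu May 27 10:15:01 2010
\tAcct-Session-Id = "009900000001"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "00-1B-78-AB-9F-90"

Thu May 27 10:20:01 2010
\tAcct-Session-Id = "009900000001"
\tAcct-Status-Type = Stop
\tCalling-Station-Id = "00-1B-78-AB-9F-90"

Thu May 27 10:20:05 2010
\tAcct-Session-Id = "009900000002"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "00-1B-78-AB-9F-90"

Thu May 27 10:21:00 2010
\tAcct-Session-Id = "009900000003"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "00-1B-78-AB-9F-91"

Thu May 27 10:40:00 2010
\tAcct-Session-Id = "009900000001"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "00-1B-78-AB-9F-91"
"""

ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')


def parse_detail(text):
    """Split a detail file into records: one dict per accounting packet."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        record = {"_header": lines[0].strip()}  # timestamp line of the record
        for line in lines[1:]:
            match = ATTR_RE.match(line)
            if match:
                record[match.group(1)] = match.group(2).strip('"')
        records.append(record)
    return records


def reused_session_ids(records):
    """Map each Acct-Session-Id seen in more than one Start record to the
    (timestamp, Calling-Station-Id) pairs that used it."""
    starts = {}
    for record in records:
        if record.get("Acct-Status-Type") != "Start":
            continue  # Stop/Interim records repeat the ID of their own session
        session_id = record.get("Acct-Session-Id")
        if session_id is None:
            continue
        starts.setdefault(session_id, []).append(
            (record["_header"], record.get("Calling-Station-Id")))
    return {sid: seen for sid, seen in starts.items() if len(seen) > 1}


if __name__ == "__main__":
    for sid, seen in reused_session_ids(parse_detail(SAMPLE_DETAIL)).items():
        print("FAIL: Acct-Session-Id", sid, "reused by", seen)
```

Run it over the detail file captured before and after the reboot in STEP 3; an empty result means every session started with a fresh ID.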

1.1.1.1.1.1.2.17. Test: Test Name :
802.1x_2.46_Port_Based_Mode_Values_Held_Over_Reboot
Test: Test ID :158593
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:

This test verifies that the configuration after reboot is persistent.

Requirements:

DUT Switch which supports 802.1x authentication.

Test Setup:

Topology:
Supplicant--------------DUT----------------Radius Server

Description:

The test verifies that the configuration, after saving, is persistent after DUT reboot. The test case fails on Lager.

References:

Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)
www.procurve.com

Attachments:

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69247

Test: Automated : Yes

Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xPtBasedMdValHldOvReboot.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158593

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: STEP 1 - DUT reload
Description: Reboot the DUT by using the reload command. (Make sure you have configured the correct default-startup with the default-startup command). Save the configuration when asked to do so.
Example
```
DUT# reload
System will be rebooted from secondary image. Do you want to continue [y/n]? y
Do you want to save current configuration [y/n/^C]? y
```
Expected Result: After the DUT reboots the configuration should remain persistent. This can be verified by the command show running-config

Step Name: STEP 2 - DUT reboot
Description: Reboot the DUT by using the appropriate boot system command.
Example
```
DUT# boot system flash primary config config1
System will be rebooted from secondary image. Do you want to continue [y/n]? y
Do you want to save current configuration [y/n/^C]? y
```
Expected Result: After the DUT reboots the configuration should remain persistent. This can be verified by the command show running-config

1.1.1.1.1.1.2.18. Test: Test Name :
802.1x_2.55_NAS_Attributes_MS-RAS-Vendor_Attribute
Test: Test ID :158602
Test: Subject : Functionality_Testing
Test: Status : Active

Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:

This test verifies that the DUT provides the MS-RAS-Vendor Attribute for all RADIUS Access-Request and Accounting-Request
packets.

Requirements:

DUT Switch which supports 802.1x authentication.


PC with supplicant software or Switch supplicant.
Radius Server.

Test Setup:

Supplicant--------DUT---------Radius Server

The example commands refer to the topology diagram in the file 802_1X_BASIC_TESTTOPOLOGY.jpg. However, only
one supplicant and a RADIUS server need to be connected to the DUT (Device Under Test).

Description:

This test verifies that the DUT provides the MS-RAS-Vendor Attribute for all Access-Request and Accounting-Request
packets. The NAS/DUT will apply the MS-RAS-Vendor Attribute and assign the attribute to vendor id 14823. The purpose
of the MS-RAS-Vendor Attribute is to provide the RADIUS server with an attribute that can uniquely identify the vendor
type of NAS that supplied the request.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69256

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xNASAttrMSRASVendorAttr.tcl
Test: Automation Progress : 4 - Released to Production
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium

Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158602

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: STEP 1 - Supplicant Authentication
Description: Configure a packet analyzer on the port on which the radius server is connected on the DUT. Authenticate the supplicant. The supplicant can be a workstation with supplicant software installed or switch with the supplicant feature. Observe the Access-Request, Access-Challenge and Access-Accept Packets generated from the DUT to the server
Expected Result: MS-RAS-Vendor attribute should only be present in the Access-Request packet with value 14823:
Example:
```
Access-Request packet from host 10.1.1.51 port 1812, id=66, length=358
    Framed-MTU = 1480
    NAS-IP-Address = 10.1.1.51
    NAS-Identifier = "ProCurve Switch 3500yl-24G"
    User-Name = "steve"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 1
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "1"
    Called-Station-Id = "00-1c-2e-96-b9-c0"
    Calling-Station-Id = "00-1b-78-ab-9f-90"
    Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    State = 0x2692ca0a2696ceef91030f47ae0401e4
    EAP-Message = 0x0204001b0410afa64d7e46f034250da7256fb74f4ba97374657665
    Message-Authenticator = 0x06a05d30a6beea6b2c09f85c95fd701b
    MS-RAS-Vendor = 14823
    HP-Attr-255 = 0x011a0000000b28
    HP-Attr-255 = 0x011a0000000b2e
    HP-Attr-255 = 0x011a0000000b3d
    HP-Attr-255 = 0x0138
    HP-Attr-255 = 0x013a
    HP-Attr-255 = 0x0140
    HP-Attr-255 = 0x0141
    HP-Attr-255 = 0x0151

Access-Accept of id 66 to 10.1.1.51 port 1812
    EAP-Message = 0x03040004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "steve"
```

Step Name: STEP 2 - Enable accounting
Description: Enable accounting on the DUT
```
DUT(config) # aaa accounting port-access start-stop radius
```
Expected Result: This should be viewed with following configuration
```
show aaa accounting
show aaa accounting port-access
show running-config
```

Step Name: STEP 3- Reconnect supplicant
Description: Disconnect and reconnect the supplicant and authenticate. Observe the accounting request packets generated from the DUT to the radius server
Expected Result: MS-RAS Vendor Advert Attribute should be present in the Accounting request packets with value 14823
Example:
```
Accounting-Request packet from host 10.1.1.51 port 1813, id=94, length=136
    Acct-Session-Id = "012900000052"
    Acct-Status-Type = Start
    Service-Type = Framed-User
    Acct-Authentic = RADIUS
    NAS-Port = 1
    Calling-Station-Id = "00-1B-78-AB-9F-90"
    NAS-IP-Address = 10.1.1.51
    NAS-Identifier = "ProCurve Switch 3500yl-24G"
    User-Name = "steve"
    MS-RAS-Vendor = 14823
    Acct-Delay-Time = 0
```

1.1.1.1.1.1.2.19. Test: Test Name :
802.1x_2.61_RADIUS_Access-Accept_with_Reply-Message
Test: Test ID :158605
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:

This test verifies that when the reply-message attribute is configured for the user in the radius
server the message is not transmitted to the user in the form of EAP-Notify message.

Requirements:

DUT Switch which supports 802.1x authentication.


PC with supplicant software or Switch supplicant.
Radius Server.

Test Setup:

Supplicant--------DUT---------Radius Server

The example commands refer to the topology diagram in the file
802_1X_BASIC_TESTTOPOLOGY.jpg. However, only one supplicant and a RADIUS server need
to be connected to the DUT (Device Under Test).

Description:

The test verifies that after a successful user authentication, if the reply-message attribute is
included in the access-accept message the message is not transmitted to the user in the form of
EAP-Notify messages.

Test: Execution Status : No Run
Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69259

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadAccessAcceptReplyMsg.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158605

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: SETUP - Configure user in radius
Description: Configure reply-message attribute for the user in the radius server. The configuration would vary based on the flavor of radius which is used.
Example:
```
myuser User-Password =="mypass"
Tunnel-Medium-type=6,
Tunnel-Type =VLAN,
Reply-Message= "hello"
```
Expected Result: The radius server configuration should be saved.

Step Name: STEP 1 - Supplicant Authentication
Description: Configure a packet analyzer on the radius server and the supplicant or mirror the port on the switch on which the radius server and the client is connected. Authenticate the supplicant. The supplicant can be a workstation with the supplicant software or it can be a switch with the supplicant feature.
Expected Result: Radius Access-Accept should be sent with the Reply-Message attribute from the radius server to the DUT. There should be no EAP-Notify messages sent from the DUT to the supplicant.
Example:
```
Access-Accept of id 66 to 10.1.1.51 port 1812
    EAP-Message = 0x03040004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "steve"
    Reply-Message = "hello"
```

1.1.1.1.1.1.2.20. Test: Test Name :
802.1x_2.62_RADIUS_Message_Authenticator_in_packet
Test: Test ID :158606
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019

Test: Type : MANUAL
Test: Description :
Objective:

This test verifies that the RADIUS Access-Request packets contain the Message-Authenticator
attribute.

Requirements:

DUT Switch which supports 802.1x authentication.


PC with supplicant software or Switch supplicant.
Radius Server.

Test Setup:

Supplicant--------DUT---------Radius Server

The example commands refer to the topology diagram in the file
802_1X_BASIC_TESTTOPOLOGY.jpg. However, only one supplicant and a RADIUS server need
to be connected to the DUT (Device Under Test).

Description:

The RADIUS Access-Request from the DUT should contain the Message-Authenticator attribute. In
ProCurve switches, this field is available by default.

References:

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69260

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadMsgAuthInPacket.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4

Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158606

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Step 2 - Supplicant authentication
Description: Configure a packet analyzer on the radius server or mirror the port on the switch on which the radius server is connected. Authenticate the supplicant. Observe the Radius-Access request packets. The supplicant can be a workstation with the supplicant software or it can be a switch with the supplicant feature.
Expected Result: The Radius Access-Request packet should contain the Message-authenticator attribute

Step Name: Step 3 - Enable message authenticator
Description: Enable message authenticator check on the radius server. This would make the radius server mandate the check for message authenticator attribute in the Radius-Access request packet. The configuration will vary dependent on the flavor of radius which is deployed and would be available on the respective websites
Expected Result: The configuration should be saved on the radius server

Step Name: Step 4 - Supplicant authentication
Description: Configure a packet analyzer on the radius server or mirror the port on the switch on which the radius server is connected. Authenticate the supplicant. Observe the Radius-Access request packets. The supplicant can be a workstation with the supplicant software or it can be a switch with the supplicant feature.
Expected Result: The Access-request packet should contain the message authenticator attribute and the radius server should send Access-Accept to the DUT
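
What the server-side check enabled in Step 3 computes, shown as an added example (not code from the test plan or from any RADIUS server). It follows RFC 3579: Message-Authenticator is HMAC-MD5 over the whole Access-Request, keyed with the shared secret, with the attribute's 16-byte value zeroed during the calculation. The shared secret, function names and the minimal packet are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, attrs, authenticator=None):
    """Build an Access-Request whose last attribute is Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = bytearray(header + authenticator + body)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def check_message_authenticator(packet, secret):
    """Return 'valid', 'invalid' or 'missing' for the Message-Authenticator."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    data = bytearray(packet[:length])
    pos, value_at = 20, None
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must carry 16 bytes")
            value_at = pos + 2
        pos += attr_len
    if value_at is None:
        return "missing"
    received = bytes(data[value_at:value_at + 16])
    data[value_at:value_at + 16] = bytes(16)  # zero the field before hashing
    expected = hmac.new(secret, bytes(data), hashlib.md5).digest()
    return "valid" if hmac.compare_digest(received, expected) else "invalid"


def server_accepts(packet, secret, require_message_authenticator):
    """Model of the Step 3 setting: when required, a missing attribute is refused."""
    result = check_message_authenticator(packet, secret)
    if result == "missing":
        return not require_message_authenticator
    return result == "valid"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value
    request = build_access_request(secret, 66, [(ATTR_USER_NAME, b"steve")])
    print(check_message_authenticator(request, secret))
```

A mismatch on a packet captured from the DUT usually means the shared secret configured on the switch and on the server differ.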

1.1.1.1.1.1.2.21. Test: Test Name :
802.1x_2.63_RADIUS_Proxy_Server
Test: Test ID :158607
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Objective:

This test verifies that the DUT works as expected when a radius proxy is configured

Requirements:

DUT Switch which supports 802.1x authentication.


PC with supplicant software or Switch supplicant.
Radius Server.

Test Setup:

Supplicant--------DUT---------Radius Server

The example commands refer to the topology diagram in the file
802_1X_BASIC_TESTTOPOLOGY.jpg. However, only one supplicant and a RADIUS server need
to be connected to the DUT (Device Under Test).

Description:

The DUT should be able to send and receive RADIUS packets in a RADIUS proxy environment.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69261

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadiusProxyServer.tcl
Test: Content Last Modified Date : 7/12/2018

Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158607

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: SETUP - Configure Radius proxy
Description: Configure a radius proxy server and a valid radius server. The proxy configuration would vary based on the flavor of radius deployed and would be available in the respective websites.
Expected Result: The radius proxy configuration should be saved successfully

Step Name: STEP 1 - Supplicant authentication
Description: Configure a packet analyzer on the radius server and radius proxy server or mirror the port on the switch on which the radius server and the radius proxy server is connected. Authenticate the supplicant. Observe the Radius-Access request packets. The supplicant can be a workstation with the supplicant software or it can be a switch with the supplicant feature.
Expected Result: The Radius access-request packets should be forwarded from the radius proxy server to the radius server and after successful authentication the radius Access-Accept packet from the Radius server should be sent to the radius proxy server which will eventually be forwarded to the DUT

Step Name: STEP 2 - Supplicant fail authentication
Description: Authenticate the supplicant with invalid credentials
Expected Result: The Radius Access-Request should be forwarded from the radius proxy server to the radius server. After failed authentication the Radius Access-Reject should be sent from the Radius server to the radius proxy server and this should eventually be forwarded to the DUT

1.1.1.1.1.1.2.22. Test: Test Name :
802.1x_2.64_RADIUS_Server__Redundancy
Test: Test ID :158608
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test verifies that when the switch is configured as an 802.1x NAS using RADIUS authentication,
backup RADIUS servers are used if the primary server is not available. It also tests the
functionality of the dead-time parameter.

Requirements:
- DUT: Device Under Test is a switch capable of acting as an 802.1x NAS (authenticator) with
RADIUS as the port-access authentication method.
- SERVERS: 3 x RADIUS servers to be used as primary and two backup authentication servers.
- PC: host to be used as 802.1x supplicant.

Setup:
Supplicant PC <---->DUT <===> 3x RADIUS servers

The example commands refer to the topology diagram in the file
802_1X_BASIC_TESTTOPOLOGY.jpg. However, only one supplicant and 3 RADIUS servers need
to be connected to the DUT (Device Under Test).

Description:
When more than one RADIUS server is configured in the DUT, and port-access authentication is
set to use RADIUS, the DUT will attempt to authenticate against each server in the order they
were entered (and are displayed by the show radius command). If a server is not reachable it
will time out, and the DUT will move down to the next server to try and authenticate.
The DUT will make its way down the list of servers until there are no more to try. If the last server
is reached and a timeout occurs, authentication should fail.
The radius parameter dead-time is the time the DUT will place a RADIUS server in the "dead"
state. During this period of time the DUT will not try to authenticate using the timed out server
for any authentication requests. After the dead-time has expired the DUT will once again try to
authenticate against the server. If the server times out once again, the cycle will repeat.

*NOTE: the timeout values for 802.1x authenticator and radius server timeouts should be
configured such that the radius server times out *before* the authenticator times out.

This test case is failing on Lager.

Attachments:

Requirements:
Basic authenticator tests do not fail, if there are several RADIUS servers configured and first
server in the list is unreachable (timeouts should be set appropriately).

Setup:
Radius-server dead-time 5
· Ensure authentication from Server 2
· Reconnect server 1
· Wait ~ 5 minutes
· Ensure next authentication is from server 1.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69262

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadiusServerRedundancy.tcl
Test: Automation Progress : 4 - Released to Production
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE

Test: GUID: ALMTP157C158608

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Step 2 - Configure Backup RADIUS Servers
Description: Connect two more RADIUS servers to the DUT and make the appropriate configuration changes so the DUT can reach them.
In our example we connect two more RADIUS servers to ports 46 and 47 of the DUT and assigned them ip addresses in the same range as the primary RADIUS server. The new radius servers will use the global encryption key
Example:
Physically connect the two servers to ports 46 and 47
```
DUT(config)# radius-server host 23.0.0.217
DUT(config)# radius-server host 23.0.0.218
```
Expected Result: The new RADIUS servers should be displayed in the order you entered them with NO encryption key listed.
Example:
```
DUT(config)# show radius
```

Step Name: Step 3 - Test first server backup
Description: Configure the correct timeout settings. Make the primary radius server (first in list) become unavailable. Try to authenticate.
Expected Result: After the timeout time the port should become authenticated by the second server in the list

Step Name: Step 4 - Test second server backup server
Description: Configure the correct timeout settings. Make the primary and secondary radius server (first and second in list) become unavailable. Try to authenticate.
Expected Result: After 2 times the timeout time the port should become authenticated by the third server in the list
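
A small model of the failover and dead-time behaviour this test case describes, useful for working out which server should answer and after how long before running Steps 3 and 4 (an added example, not the switch's implementation and not the project's Tcl script). Server names, the class and its parameters are hypothetical; it assumes one attempt per server with no retransmits, and takes dead-time in minutes as in the "dead-time 5 / wait ~5 minutes" setup above.

```python
class RadiusServerList:
    """Ordered RADIUS server list with a dead-time hold-down (model only)."""

    def __init__(self, hosts, timeout_s, dead_time_min):
        self.hosts = list(hosts)              # order entered = order tried
        self.timeout_s = timeout_s            # per-server response timeout
        self.dead_time_s = dead_time_min * 60
        self.dead_until = {}                  # host -> time it leaves "dead" state

    def authenticate(self, now_s, reachable):
        """Try servers in order at time now_s.

        reachable is the set of hosts that would answer.
        Returns (answering host or None, seconds spent waiting on timeouts).
        """
        waited = 0
        for host in self.hosts:
            if self.dead_until.get(host, 0) > now_s + waited:
                continue                      # still dead: skipped without waiting
            if host in reachable:
                return host, waited
            waited += self.timeout_s          # no answer: wait out the timeout
            self.dead_until[host] = now_s + waited + self.dead_time_s
        return None, waited                   # list exhausted: authentication fails


if __name__ == "__main__":
    servers = ["server1", "server2", "server3"]  # hypothetical names
    dut = RadiusServerList(servers, timeout_s=5, dead_time_min=5)
    # Step 3: primary down, second server answers after one timeout
    print(dut.authenticate(0, {"server2", "server3"}))
    # server1 reconnected, but still inside its dead-time
    print(dut.authenticate(60, set(servers)))
    # dead-time expired: server1 is tried first again
    print(dut.authenticate(400, set(servers)))
```

The waiting time returned for the worst case is the figure the authenticator-side timeout has to exceed, per the NOTE in the description.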

1.1.1.1.1.1.2.23. Test: Test Name :
802.1x_2.69_Authenticator_Port_Hoping_With_NO_Link_Down
Test: Test ID :158609
Test: Subject : Functionality_Testing

Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test case verifies that if an authenticated 802.1x supplicant moves to another port without
bringing the link down it is still required to authenticate on the new port.

Requirements:
- DUT. Device Under Test capable of acting as an 802.1x NAS (authenticator)
- RADIUS Server.
- 2 x L1 HUBs: L1 hubs which will be used to connect/disconnect pcs to DUT without bringing link
down.
- 2 x Hosts with 802.1x supplicant software.

Setup:
2 PCs<------------->(2 x L1 HUB) <----->(DUT)<--------->RADIUS SERVER

The file 802_1X_BASIC_TESTOPOLOGY.jpg contains a diagram referenced by the commands in
the test steps. Not all devices on the diagram are needed for the test. Only the following devices
need to be connected to the DUT: the server attached to port 48, which will be used as a
RADIUS server, and the L1 HUB connected to port 1. A second L1 HUB is needed for this test. This
second L1 HUB will be attached to port 2, which is also configured as an authenticator port. Host
PCs will be attached to the L1 HUB in our example.

This test case is failing on Lager.

Description:
When the DUT is configured as an 802.1x NAS (authenticator), and a device authenticates on one
of its ports using an 802.1x supplicant, the device should not be allowed to physically move to
another port without having to reauthenticate. This is easily accomplished if the device is directly
connected to the DUT because the loss of link will be detected by the DUT and the client will be
"deauthenticated". However, when the link is not lost, as is the case of a device connected to the
DUT through a HUB, the DUT will not detect a link loss and will not be "aware" that the client is
no longer present on the port. It will only know the client has moved to another port because its
MAC address (the device's) will show up on another port. If this is the case (and the DUT is not
configured to allow this), the client should have to reauthenticate, AND the client should
become "unauthenticated" on the original port.

Attachments:

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69265

Test: Automated : Yes
Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xAuthenticatorPortHopping.tcl
Test: Automation Progress : 4 - Released to Production
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158609

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: STEP 1 - Test User mode Authentication
Description:
Configure user-mode and test that PC1 can authenticate on port 1 of the DUT using supplicant software and the correct credentials
Expected Result:
After configuring user-mode and supplying the correct credentials, the mac address used by PC1 should be allowed access to the network. I.e. it is authenticated through 802.1x.
Example:

Step Name: STEP 2 - Test Port Move
Description:
Connect second L1 HUB to port 2 of the DUT and enable the port.
Move the host which is already authenticated on port 1 (PC1) to a port on the newly connected L1 HUB, and reauthenticate
You might have to ping from PC1 after connecting it to the new L1 HUB to force the authentication to take place.
Expected Result:
After PC is authenticated on the new port ( port 2), it should not be listed as authenticated on port 1.

1.1.1.1.1.1.2.24. Test: Test Name : 802.1x_2.65_RADIUS_Server_Interoperability
Test: Test ID :158610
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test verifies that the switch can use RADIUS servers from different vendors to accomplish
802.1x authentication

Requirements:
- 802.1x supplicant pc
- Switch which supports radius and 802.1x
- Multiple RADIUS servers from different vendors

Setup:
Supplicant PC <---->DUT <===> x RADIUS servers

The example commands refer to the topology diagram in the file
802_1X_BASIC_TESTTOPOLOGY.jpg. However, only one supplicant and multiple radius servers
need to be connected to the DUT (Device Under Test).

Description:
Devices under test (DUTs) which support RADIUS as one of the authentication methods for
802.1x port-access should exhibit no dependency on the vendor of the RADIUS server software
used. This should be true as long as such software adheres to the appropriate RFCs. The tester
should attempt to execute this test using as many different RADIUS vendors as deemed
appropriate at the time. The same 802.1x supplicant should be used in all tests to eliminate any
issues which arise due to the supplicant/RADIUS server combination, because the goal of the
test is to verify the DUT/RADIUS interaction, not the supplicant/RADIUS interaction.

The test case fails on Lager build.


Attachments:

Summary

Overview
Devices Under Test (DUTs) which support RADIUS as one of the authentication methods used by
ports configured to act as 802.1x authenticators should exhibit no dependency on the vendor of
the RADIUS server software used. This should be true as long as such software adheres to the
appropriate RFCs. The tester should attempt to execute this test using as many different RADIUS
vendors as deemed appropriate at the time. The same 802.1x supplicant should be used in all
tests to eliminate any issues which arise due to the supplicant/RADIUS server combination,
because the goal of the test is to verify the DUT/RADIUS interaction, not the supplicant/RADIUS
interaction.

References:
RFC 3580 - IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage
Guidelines, http://www.faqs.org/rfcs/rfc3580.html

ProCurve Manual: Access Security Guide , www.procurve.com

Requirements
PC with 802.1x supplicant
DUT which supports 802.1x port-access control and RADIUS authentication
RADIUS server software from different vendors.

Test Setups
PC w/supplicant <----------->DUT<--------------->RADIUS server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69266

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadiusServerInteroperability.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158610

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Step 2 - Test Backup Server
Description:
Configure each one of the different vendor RADIUS servers as primary and backup authentication servers, and verify that each one of them will take over as backup for the primary if the other ones are not available.
For example, we will use three servers of different vendors:
23.0.0.216 CPPM 2003
23.0.0.221 CiscoISE 2008
23.0.0.211 freeradius

DUT

1.1.1.1.1.1.2.25. Test: Test Name : 802.1x_2.70_RADIUS_AVPs_in_Access-Request_during_supplicant_auth
Test: Test ID :158611
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test verifies that all the expected Attribute Value Pairs (AVPs) are present in the Access-
Request Packet sent by the switch when a host tries to access an 802.1x authenticator port with
an 802.1x supplicant.

Requirements:
-Client PC with 802.1x supplicant software
-Device under Test which supports the 802.1x authenticator configuration
-Server: RADIUS and Network Analyzer software

Setup:
PCClient<------>DUT<------>Server(Network Analyzer and RADIUS software)

The file 802_1X_BASIC_TESTOPOLOGY.jpg contains a diagram referenced by the commands in
the test steps. Not all devices on the diagram are needed for the test. Only the following devices
need to be connected to the DUT: the server attached to port 48, which will be used as a
RADIUS server AND as a network analyzer, and the host PC attached to port 2 of the DUT.

Description:
RFC 2865 contains a list of AVPs which might be sent by the device under test when
communicating with a RADIUS server during the 802.1x authentication process. This test
looks in particular at the AVPs which should be included in the Access-Request packet. The tester
should verify that all the mandatory AVPs are present.

This test case is failing in Lager.

Attachments:
RFC 2865 - Remote Authentication Dial In User Service (RADIUS)

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69267

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRdAVPInAccReqDuringSuppAuth.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE

Test: GUID: ALMTP157C158611

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: STEP 1 - Test Port-Based EAP
Description:
Configure switch for port-access authentication through radius using eap
Enable the network analyzer on the RADIUS server so it will capture the appropriate RADIUS packets
Authenticate an 802.1x supplicant connected to port 2 and capture the Access-Request RADIUS packets between the switch (NAS) and the RADIUS server
Expected Result:
The following AVPs should be present in the Access-Request packet from the NAS (DUT). *consult rfc2865 for expected values. Look for missing or incorrect values, like the MTU being too large (not what the switch is configured to), etc.
Consult RFC-2865 section 4.1 for a more detailed description of access-request packets (see attached document)

Framed-MTU(12): 1480
NAS-IP-Address(4): 1.1.1.1
NAS-Identifier(32): NAShostname
User-Name(1): procurve
Service-Type(6): Framed-User(2)
Framed-Protocol(7): PPP(1)
NAS-port(5): 25
NAS-Port-Type(61): Ethernet(15)
NAS-Port-Id(87): B1
Called-Station-Id(30): 00-17-a4-c7-4f-00
Calling-Station-Id(31): 00-0e-7f-08-e9-00
Connect-Info(77): CONNECT Ethernet 100Mbps Full duplex
Tunnel-Type(64) Tag=0x00: VLAN (13)
Tunnel-Medium-Type(65) Tag=0x00: IEEE-802(6)
Tunnel-Private-Group-Id(81): 300
EAP-Message(79) Last Segment[1]
Etc...
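
A checker for the capture step above, as an added example (not part of the test plan or its automation script): it parses a raw RADIUS Access-Request, reports which of the listed AVPs are missing or have the wrong size, and compares Framed-MTU with the value the switch is configured for. The sample packet is constructed from the values in the list; the function names, the zeroed authenticator and the EAP identity payload are assumptions.

```python
import ipaddress
import struct

# Attribute type -> name, taken from the expected-result list above.
EXPECTED_AVPS = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
    7: "Framed-Protocol", 12: "Framed-MTU", 30: "Called-Station-Id",
    31: "Calling-Station-Id", 32: "NAS-Identifier", 61: "NAS-Port-Type",
    64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 77: "Connect-Info",
    79: "EAP-Message", 81: "Tunnel-Private-Group-Id", 87: "NAS-Port-Id",
}
# Attributes whose value is exactly 4 octets on the wire.
FOUR_OCTET_AVPS = {4, 5, 6, 7, 12, 61, 64, 65}


def parse_access_request(pkt):
    """Return [(type, value_bytes), ...] from a raw RADIUS Access-Request."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1:
        raise ValueError(f"code {code} is not Access-Request (1)")
    if length < 20 or length > len(pkt):
        raise ValueError("Length field does not match the captured bytes")
    attrs, off = [], 20
    while off < length:  # octets beyond Length are padding and are ignored
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return attrs


def check_avps(attrs, configured_mtu):
    """Return a list of findings; an empty list means the capture passes."""
    findings = []
    present = {atype for atype, _ in attrs}
    for atype, name in sorted(EXPECTED_AVPS.items()):
        if atype not in present:
            findings.append(f"missing {name}({atype})")
    for atype, value in attrs:
        name = EXPECTED_AVPS.get(atype, "attribute")
        if atype in FOUR_OCTET_AVPS and len(value) != 4:
            findings.append(f"{name}({atype}) value is {len(value)} octets, expected 4")
        elif atype == 12:
            mtu = struct.unpack("!I", value)[0]
            if mtu != configured_mtu:
                findings.append(
                    f"Framed-MTU(12) is {mtu}, switch is configured for {configured_mtu}")
    return findings


def avp(atype, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([atype, len(value) + 2]) + value


def build_sample_request(mtu=1480, drop=()):
    """Constructed Access-Request carrying the values from the list above."""
    items = [
        (1, b"procurve"),
        (4, ipaddress.IPv4Address("1.1.1.1").packed),
        (5, struct.pack("!I", 25)),
        (6, struct.pack("!I", 2)),                      # Framed-User
        (7, struct.pack("!I", 1)),                      # PPP
        (12, struct.pack("!I", mtu)),
        (30, b"00-17-a4-c7-4f-00"),
        (31, b"00-0e-7f-08-e9-00"),
        (32, b"NAShostname"),
        (61, struct.pack("!I", 15)),                    # Ethernet
        (64, b"\x00" + (13).to_bytes(3, "big")),        # Tag 0x00, VLAN
        (65, b"\x00" + (6).to_bytes(3, "big")),         # Tag 0x00, IEEE-802
        (77, b"CONNECT Ethernet 100Mbps Full duplex"),
        (79, bytes([2, 1, 0, 13, 1]) + b"procurve"),    # EAP-Response/Identity
        (81, b"300"),
        (87, b"B1"),
    ]
    body = b"".join(avp(t, v) for t, v in items if t not in drop)
    # Identifier 7 and an all-zero Request Authenticator are placeholders.
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    capture = build_sample_request(mtu=1500, drop=(87,))
    for finding in check_avps(parse_access_request(capture), configured_mtu=1480):
        print(finding)
```
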

1.1.1.1.1.1.2.26. Test: Test Name : 802.1x_6.4
Phone_PC_Hoping_Move
Test: Test ID :158613
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Objective
This test will verify that 802.1x authentication works correctly when a PC connected in tandem to
a phone on the same port is hopping from one phone to another (i.e. PC through phone1 moves to
phone2)
Overview
Different 802.1x supplicants with different host OSes need to be tested to ensure that the DUT
works correctly with all of them. The test should cover as large a variety of supplicant software
as possible, as well as the different OSes this supplicant software runs on. This test does not need to cover
the functions of the RADIUS server (VLAN assignment, and other AVPs). It only covers the
interaction of the supplicant software with the authenticator (DUT).

Requirements
Different PCs with different OS and supplicant software, phone
DUT
RADIUS Server.

Test Setups
The setup for this test is straightforward. The only complexity is the number of PC hosts being
attached to the DUT.

PCHosts<====>DUT<----->RADIUS server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69269

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj

Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158613

Steps :
Step Name: Configure 802.1x port
Description: 1. Configure DUT for 802.1x authentication on 2 ports
Expected Result: Switch should accept configuration and it should be displayed by the appropriate show commands

Step Name: Configure RADIUS server
Description:
3. Configure DUT with radius
4. Configure Radius server accordingly
Expected Result: Switch should accept configuration and it should be displayed by the appropriate show commands

Step Name: Authenticate phone
Description: 5. Authenticate Phone 1 and Phone 2 on different ports (i.e. port 1 and port 2) (verify phones work correctly).
Expected Result: Phones should be authenticated correctly and placed in the correct vlan

Step Name: Authenticate PC
Description: 6. Authenticate PC by itself to make sure it works. (disconnect phone)
Expected Result: PC should be authenticated correctly and placed in the correct vlan

Step Name: Authenticate PC and Phone
Description: 7. Authenticate PC and Phone 1 both together.
Expected Result: Both PC and Phone should be authenticated correctly and placed in the correct vlans

Step Name: Move PC
Description: Move PC from Phone 1 to Phone 2
Expected Result: PC Authentication should fail

Step Name: Enable Move
Description: Enable Client-move on both the phone ports
Expected Result: Verify the configuration using "show run"

Step Name: Move PC
Description: Move PC from Phone 1 to Phone 2
Expected Result: Verify new authentication request is triggered for the PC and it is successful

Step Name: Client-based auth
Description: Repeat test using client-based authentication configured on DUT
Expected Result: Authentication should work properly when PC is hopping between phones

1.1.1.1.1.1.2.27. Test: Test Name : 802.1x_2.14_RADIUS_Assigned_CoS
Test: Test ID :158620
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test verifies that after a successful 802.1x authentication, the DUT correctly applies the Radius assigned CoS
settings to the authenticated port.

Requirements:
DUT Switch which supports 802.1x authentication
Supplicant PC or procurve switch as supplicant
Radius Server

Setup:
The host or the switch (configured as supplicant ) should be connected to the port configured as 802.1x authenticator on
the DUT.
Topology:
Supplicant--------------DUT----------------Radius Server

Description:
The user file in the radius server will contain the COS values. Once a user is successfully authenticated the COS values will
be applied for the port on the DUT.
*The COS in HP switch is an attribute with the following RADIUS definitions.
VENDOR 11
attribute 40
attribute type string
If you are using FREERADIUS you can just include the attached dictionary.hp file in the dictionary files of your freeradius
server.
Use the attached file " AdditionsToRADIUSusersfile.txt " to configure CoS value within the radius users file.
If you are using Microsoft IAS or NPS, please consult the respective manuals on how to add a vendor attribute with the
values listed above.

Also note that the radius attribute HP-CoS is the exact same attribute as HP-port-priority-regeneration-table, so you can use either name when defining its
value in the user file

References:
Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
104458

Test: Automated : Yes
Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1x_RadiusAssignedCoS.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158620

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Step-2 Supplicant authentication
Description:
1)Configure the RADIUS server to send back CoS values in the access-accept packets to set the CoS value to 77777777.
Consult the manual of your RADIUS server on how to do this.
See note below.
2)Successfully authenticate the supplicant on the port configured as authenticator.
Verify the DUT assigns the Radius assigned CoS value correctly on to the authenticated port.
Expected Result:
1)CoS value is set on the Radius server.
2)The supplicant is successfully authenticated and the Radius assigned CoS value is assigned to authenticated port correctly by DUT.
Verify using the CLI
show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: Step 3 Verify CoS
Description:
Connect an IXIA port to DUT as tagged port to receive the traffic sent from the authenticated client.
Monitor the traffic received on IXIA port to verify radius assigned CoS value is present.
Expected Result:
Captured packet displays CoS value same as radius assigned CoS value.

1.1.1.1.1.1.2.28. Test: Test Name : 802.1x_2.15_RADIUS_Assigned_Egress-VLAN-Name
Test: Test ID :158621
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019

Test: Type : MANUAL
Test: Description :
Objective:
This test case will verify that the DUT is able to override the existing VLAN configuration for a port
in which a successful authentication takes place against a RADIUS server and the server sends
back the Egress-VLAN-Name attribute.

Requirements:
Supplicant PC or procurve switch as supplicant
DUT Switch which supports 802.1x authentication
Radius Server

Setup:
The host or the switch (configured as supplicant ) should be connected to the port configured as
802.1x authenticator on the DUT.

Host<-------->DUT<-------------->Radius Server

Description:
This test case will check the functionality of the Egress-VLAN-Name attribute, without and in
conjunction with the Tunnel-Private-Group-ID attribute. Use of the Egress-VLAN-Name should
provide a means for assigning tagged VLAN ids for traffic leaving the port. In cases where the
ingress and egress VLANs are the same, then the Tunnel-Private-Group ID must be used, as the
Egress-VLAN-Name will ONLY configure the egress VLAN.

References:
Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
104459

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1x_RadAsgEgVlanName.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y

Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158621

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Step-2 Configure VLAN name on DUT
Description:
Configure VLAN on the DUT
Example:
(config)# VLAN 200
Configure VLAN Name for the associated VLAN
(vlan-300)# name TESTVLAN
Expected Result:
Verify VLAN name is displayed on DUT using CLI
show running-config
show vlan

Step Name: Step-3 Untagged vlan assignment
Description:
1)Configure the RADIUS server to send back the untagged Egress-VLAN-Name attributes in its access-accept packet.
Egress-VLAN-Name= " 2
TESTVLAN",
# The above configuration is set for untagged vlan with Vlan Name TESTVLAN. The 2 in Egress-VLAN-Name specifies that it is untagged
#
2)Authenticate the client successfully using correct credentials.
Verify DUT assigns Radius assigned untagged Egress-VLAN-Name on authenticated port.
Expected Result:
1)HP-Egress-VLAN-Name is configured correctly on Radius server.
2)Client is successfully authenticated.
The authenticated port should now be an untagged member of the Radius assigned Egress-VLAN-Name.
This is vlan 200 in our example.
This can be verified by the command
show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: Step-4 Tagged vlan assignment
Description:
1)Configure the RADIUS server to send back the tagged Egress-VLAN-Name attributes in its access-accept packet.
Egress-VLAN-Name= "
1TESTVLAN",
# The above configuration is set for tagged vlan with Vlan Name TESTVLAN. The 1 in Egress-VLAN-Name specifies that it is tagged
#
2)Authenticate the client successfully using correct credentials.
Verify DUT assigns Radius assigned tagged Egress-VLAN-Name on authenticated port.
Expected Result:
1)HP-Egress-VLAN-Name is configured correctly on Radius server.
2)Client is successfully authenticated.
The authenticated port should now be a tagged member of the Radius assigned Egress-VLAN-Name.
This is vlan 200 in our example.
This can be verified by the command
show port-access authenticator
show vlan 200

Step Name: Step 5 Radius VLAN not configured on switch
Description:
Configure the RADIUS server to send back the tagged Egress-VLAN-Name to the switch which is not present on DUT
Expected Result:
Authentication fails as vlan is not present in DUT with appropriate error message.
show log -r

Step Name: Step-6 Same vlan configured as tagged and untagged vlan

1.1.1.1.1.1.2.29. Test: Test Name : 802.1x_2.16_RADIUS_Assigned_Egress-VLANID
Test: Test ID :158622
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
This test case will verify that the DUT is able to override the existing VLAN configuration for a port
which is successfully authenticated against a RADIUS server when the server sends back the
Egress-VLANID attribute in the access-accept packet.

Requirements:
Supplicant PC or procurve switch as supplicant
DUT Switch which supports 802.1x authentication
Radius Server

Setup:
The host or the switch (configured as supplicant ) should be connected to the port configured as
802.1x authenticator on the DUT.

Host<-------->DUT<-------------->Radius Server

Description:
This test case will provide instructions for testing the Egress-VLANID attribute, without and in
conjunction with the Tunnel-Private-Group-ID attribute. Use of the Egress-VLANID should provide
a means for assigning tagged VLAN ids for traffic leaving the port. In cases where the ingress
and egress VLANs are the same, then the Tunnel-Private-Group ID must be used, as the Egress-
VLAN-ID will ONLY configure the egress VLAN.

References:
Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
104460

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1x_RadAsgEgVlanId.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158622

Steps :
Step Name: Call
Description: Call <802.1x 1.01 Basic_Port_Based>

Step Name: Step-2 Configure VLAN ID on DUT
Description:
Configure vlans on the DUT
Example
(config)# vlan 100
(config)# vlan 101
Expected Result:
Vlans should be created and this should be displayed on the output of the command
show running-config
show vlan

Step Name: Step-3 Untagged vlan assignment
Description:
1)Configure the RADIUS server to send back the untagged Egress-VLAN-ID attributes in its access-accept packet.
Example
Egress-VLANID= 0x32000064
# The above configuration is set for untagged vlan with Vlan ID 100. The 0x32 in Egress-VLAN-ID specifies that it is untagged
#
2)Authenticate the client successfully using correct credentials.
Verify DUT assigns Radius assigned untagged Egress-VLAN-ID on authenticated port.
Expected Result:
1)HP-Egress-VLAN-ID is configured correctly on Radius server.
2)Client is successfully authenticated.
The authenticated port should now be an untagged member of the Radius assigned Egress-VLAN-ID.
This is vlan 100 in our example.
This can be verified by the command
show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: Step-4 Tagged vlan assignment
Description:
1)Configure the RADIUS server to send back the tagged Egress-VLAN-ID attributes in its access-accept packet.
Example
Egress-VLANID= 0x31000065
# The above configuration is set for tagged vlan with Vlan ID 101. The 0x31 in Egress-VLAN-ID specifies that it is tagged
#
2)Authenticate the client successfully using correct credentials.
Verify DUT assigns Radius assigned tagged Egress-VLAN-ID on authenticated port.
Expected Result:
1)HP-Egress-VLAN-ID is configured correctly on Radius server.
2)Client is successfully authenticated.
The authenticated port should now be a tagged member of the Radius assigned Egress-VLAN-Name.
This is vlan 101 in our example.
This can be verified by the command
show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status
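
A helper for the Egress-VLANID steps above and the Egress-VLAN-Name steps of the preceding test case, added here as an example (not the test plan's or the switch's own code): it decodes both attribute forms and computes the port membership a tester should expect, given the VLANs configured on the DUT. The 12-bit zero pad and 12-bit VLAN ID layout follow RFC 4675, which this page does not cite; the function names and the DUT VLAN table are assumptions.

```python
TAGGED, UNTAGGED = 0x31, 0x32  # ASCII '1' and '2', as in the examples above


def decode_egress_vlanid(value):
    """Split a 32-bit Egress-VLANID into (mode, vlan_id)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Egress-VLANID must fit in 32 bits")
    tag, pad, vid = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"tag octet 0x{tag:02x} is neither 0x31 nor 0x32")
    if pad:
        raise ValueError("bits between the tag octet and the VLAN ID must be zero")
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} is outside 1..4094")
    return ("tagged" if tag == TAGGED else "untagged", vid)


def encode_egress_vlanid(mode, vid):
    """Build the value to place in the RADIUS users file, e.g. 0x31000065."""
    if mode not in ("tagged", "untagged") or not 1 <= vid <= 4094:
        raise ValueError("mode must be tagged/untagged and VLAN ID 1..4094")
    return ((TAGGED if mode == "tagged" else UNTAGGED) << 24) | vid


def decode_egress_vlan_name(value):
    """Split an Egress-VLAN-Name such as '1TESTVLAN' into (mode, name)."""
    if len(value) < 2 or value[0] not in "12":
        raise ValueError("first character must be '1' (tagged) or '2' (untagged)")
    return ("tagged" if value[0] == "1" else "untagged", value[1:])


def expected_membership(accept_avps, dut_vlans):
    """Compute the port membership implied by an Access-Accept.

    accept_avps: [("Egress-VLANID", int) or ("Egress-VLAN-Name", str), ...]
    dut_vlans:   {vlan_id: name} as configured on the DUT (assumed table).
    Returns ({vlan_id: mode}, [vlan ids requested as both tagged and untagged]).
    Raises LookupError when a VLAN is not configured on the DUT, the case in
    which the test plan expects authentication to fail.
    """
    by_name = {name: vid for vid, name in dut_vlans.items() if name}
    membership, conflicts = {}, []
    for attr, value in accept_avps:
        if attr == "Egress-VLANID":
            mode, vid = decode_egress_vlanid(value)
            if vid not in dut_vlans:
                raise LookupError(f"VLAN {vid} is not configured on the DUT")
        elif attr == "Egress-VLAN-Name":
            mode, name = decode_egress_vlan_name(value)
            if name not in by_name:
                raise LookupError(f"VLAN name {name!r} is not configured on the DUT")
            vid = by_name[name]
        else:
            continue  # other attributes do not affect egress membership
        if vid in membership and membership[vid] != mode:
            # Listed in the plan as a step without an expected result;
            # reported here so the tester can record what the DUT does.
            conflicts.append(vid)
        else:
            membership[vid] = mode
    return membership, conflicts


if __name__ == "__main__":
    dut = {100: "", 101: "", 200: "TESTVLAN"}  # constructed DUT VLAN table
    accept = [("Egress-VLANID", 0x32000064), ("Egress-VLANID", 0x31000065),
              ("Egress-VLAN-Name", "1TESTVLAN")]
    print(expected_membership(accept, dut))
```
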

1.1.1.1.1.1.2.30. Test: Test Name : 802.1x_2.81_Cached_Re-Authentication_Basic_Functionality
Test: Test ID :158623
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
Test verifies the basic functionality of the cached-reauthentication method for 802.1x port-based access.

Requirements:
1. DUT
2. Radius Server (IAS or Freeradius)
3. Supplicant PC or procurve switch as supplicant

Setup:
Topology:
Supplicant--------------DUT----------------Radius Server

Description:
Test should verify the basic functionality of the cached-reauth option for the 802.1x port-access method. Cached-reauth allows
ports which are already authenticated to reauthenticate even if the radius server is unavailable. The feature allows
already authenticated supplicants to remain authenticated while blocking new unauthenticated access.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
104467

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1x_cachedReAuthBasicFunc.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x

Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 236328
Test: BP Filter: HPE
Test: GUID: ALMTP157C158623

Steps :
Step Name Description Expected Result
Call <802.1x 1.02
Call Basic_User_Mode>

Call Call <802.1x Cached_Re-


Authentication_Config-CLI>
1)Supplicant is successfully
Step-3 Authenticate the 1)Authenticate the supplicant using authenticated.
valid credentials.
802.1x supplicant Verify using
* show aaa authentication port-
2)Configure the authenticator port to access dot1x authenticator
have reauthenticaton period of 15 interface all port-statistics
seconds, and a cached-reauth period * show aaa authentication port-
of 120 seconds. access dot1x authenticator
Example: interface all client-status
* show aaa authentication port-
access interface all client-status

2)Configuration is accepted without


any error
switch# configure terminal Verify using
switch(config)# interface 1/1/1 * show aaa authentication port-
switch(config-if)# aaa access dot1x authenticator
authentication port-access dot1x interface all port-statistics
authenticator * show aaa authentication port-
switch(config-if-dot1x-auth)# access dot1x authenticator
reauth interface all client-status
switch(config-if-dot1x- * show aaa authentication port-
auth)#reauth-period 15 access interface all client-status
switch(config-if-dot1x- (config)# sh running-config
auth)#cached-reauth
switch(config-if-dot1x- 3)Supplicant is authenticated
auth)#cached-reauth-period 120
3)Disable/Enable the authenticator Verify using show port-access
ports (port a2-a4 ) to force authenticator
authentication
Example:
DUT(config)# interface a2-a4
disable
DUT(config)# interface a2-a4
enable

Step Name: Step-4 Verify Cached-reauth
Description:
1) Disable the RADIUS server by disabling the port or stopping the service.
Monitor the status of the authenticator ports.
Repeat the test with different cached-reauth-periods configured.
Try to authenticate a new client during the cached-reauthentication period and after cached-reauthentication timer expiry.
Expected Result:
1) The DUT will not be able to reach the RADIUS server.
Verify using show log -r
Once the reauthentication period in the authenticator ports expires (15 seconds in our example), the DUT will try to reauthenticate the ports but will not be able to reach the RADIUS server.
Since cached-reauth is enabled, the ports will remain authenticated until the cached-reauth-period configured for the authenticator ports expires (120 seconds in our example).
Once the cached-reauth timer has expired, the supplicant is in un-authenticated state.
You can verify this by using the appropriate show commands.
Example
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status
2) Results should be the same as above.
3) New client authentication is not allowed during the cached-reauth period and the client fails authentication.
New client authentication fails after the cached-reauthentication period since the RADIUS server is unreachable.

Step Name: Step-5 Test cached-reauth with valid credentials
Description:
1) Reconnect the RADIUS server and toggle the ports to force an authentication.
Wait for the ports to be successfully authenticated again.
2) Disable the RADIUS server so that it is unreachable for the DUT.
3) After the cached-reauth timer expires, reconnect the RADIUS server.
4) Repeat the test with different cached-reauth-periods configured.
Expected Result:
1) Supplicant is authenticated successfully again.
Verify using
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status
2) DUT tries to reauthenticate the client once reauth-period expires and puts the client into authenticated state until the cached-reauth timer expires.
3) Client is again authenticated as the RADIUS server is reachable and correct credentials are used.
4) Result is identical to the above steps.

Step Name: Step-6 Test cached-reauth with invalid credentials
Description:
1) Reconnect the RADIUS server and toggle the ports to force an authentication.
Wait for the ports to be successfully authenticated again.
2) Disable the RADIUS server so that it is unreachable for the DUT.
3) After the cached-reauth timer expires, reconnect the RADIUS server.
4) Repeat the test with different cached-reauth-periods configured.
Expected Result:
1) Supplicant is authenticated successfully again.
Verify using
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status
2) DUT tries to reauthenticate the client once reauth-period expires and puts the client into authenticated state until the cached-reauth timer expires.
3) Client is not authenticated as incorrect credentials are used, even though the RADIUS server is reachable.
4) Result is identical to the above steps.

1.1.1.1.1.1.2.31. Test: Test Name : 802.1x_Cached_Reauth_F_09_Reachable_Radius_Cached_Reauth_Period
Test: Test ID :164832
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 9/1/2019
Test: Type : MANUAL
Test: Description : Objective : To verify the functionality of 802.1x cached reauth when the RADIUS server is available during the cached reauth period
Topology:
DUT-----------Radius server
|
|
Hub-----------Win 7 Supplicant
|
|
Ixia Supplicant
Test Case Description:
1. Configure 802.1x authentication in the port connected to hub with user mode
2. Configure cached reauth, reauth period
3. Make the RADIUS server unreachable
5. Try to authenticate both the clients

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
149504

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C164832

Steps :
Step Name Description Expected Result
Step Name: Step1: configure dot1x authentication
Description:
Configure dot1x auth on port with reauth-period and cached-reauth-period
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# enable
switch(config-if-dot1x-auth)# cached-reauth
switch(config-if-dot1x-auth)# cached-reauth-period 300
switch(config-if-dot1x-auth)# reauth
switch(config-if-dot1x-auth)# reauth-period 50
switch(config-if-dot1x-auth)# exit

Step Name: Step 2: Bringup dot1x-client
Description:
Bring up dot1x client on port, configured with valid credentials

Step Name: Step 3: Initiate traffic/Ping from clients
Description:
Trigger bi-directional traffic b/w dot1x win7 supplicant
Expected Result:
Traffic flow will be successful b/w clients

Step Name: Step 4: Disable radius-server
Description:
Disconnect the RADIUS server and check the dot1x client
Expected Result:
Client will continue to be in authenticated state and cached reauth will start after the reauth-period expiry
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: Step 6: Enable radius-server
Description:
Bring up the RADIUS server and check the dot1x client
Expected Result:
Client will be authenticated during the reauth-period since RADIUS is reachable now
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

1.1.1.1.1.1.2.32. Test: Test Name : 802.1x_Cached_Reauth_F_11_Reachable_Radius_Different_Credentials
Test: Test ID :164833
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 9/1/2019
Test: Type : MANUAL
Test: Description : Objective : To verify the functionality of 802.1x cached reauth when the RADIUS server is available during the cached reauth period

Topology:
DUT-----------Radius server
|
|
Hub-----------Win 7 Supplicant
|
|
Ixia Supplicant
Test Case Description:
1. Configure 802.1x authentication in the port connected to hub with user mode
2. Configure cached reauth, reauth period
3. Make the RADIUS server unreachable
5. Try to authenticate both the clients

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
149506

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C164833

Steps :
Step Name Description Expected Result
Step Name: Step1: configure dot1x authentication
Description:
Configure dot1x auth on port with reauth-period and cached-reauth-period
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# enable
switch(config-if-dot1x-auth)# cached-reauth
switch(config-if-dot1x-auth)# cached-reauth-period 300
switch(config-if-dot1x-auth)# reauth
switch(config-if-dot1x-auth)# reauth-period 50
switch(config-if-dot1x-auth)# exit

Step Name: Step 2: Bringup dot1x-client
Description:
Bring up dot1x client on port, configured with valid credentials

Step Name: Step 3: Initiate traffic/Ping from clients
Description:
Trigger bi-directional traffic b/w dot1x win7 supplicant
Expected Result:
Traffic flow will be successful b/w clients

Step Name: Step 4: Disable radius-server
Description:
Disconnect the RADIUS server and check the dot1x client
Expected Result:
Client will continue to be in authenticated state and cached reauth will start after the reauth-period expiry
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: Step 6: Enable radius-server
Description:
Change the credentials in the Supplicant. Credentials shouldn't be present in the RADIUS server. Bring up the RADIUS server and check the dot1x client
Expected Result:
Client will be de-authenticated during the reauth-period since RADIUS is reachable now, with invalid credentials
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

1.1.1.1.1.1.2.33. Test: Test Name : 802.1x_Cached_Reauth_F_16_UnReachable_Radius_Different_User_Credentials
Test: Test ID :164834
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 9/1/2019
Test: Type : MANUAL
Test: Description : Objective : To Verify the configuration of cached-reauth for the authentication of 802.1x clients
Topology:
DUT-----------Radius server
|
|
Hub-----------Win 7 Supplicant
|
|
Ixia Supplicant
Test Case Description:
1. Configure 802.1x authentication in the port connected to hub with user mode
2. Configure cached reauth, reauth period
3. Make the RADIUS server unreachable
5. Try to authenticate both the clients

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
149509

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C164834

Steps :
Step Name Description Expected Result
Step Name: Step1: configure dot1x authentication
Description:
Configure dot1x auth on port with reauth-period and cached-reauth-period
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# enable
switch(config-if-dot1x-auth)# cached-reauth
switch(config-if-dot1x-auth)# cached-reauth-period 300
switch(config-if-dot1x-auth)# reauth
switch(config-if-dot1x-auth)# reauth-period 50
switch(config-if-dot1x-auth)# exit

Step Name: Step 2: Bringup dot1x-client
Description:
Bring up dot1x client on port, configured with valid credentials

Step Name: Step 3: Initiate traffic/Ping from clients
Description:
Trigger bi-directional traffic b/w dot1x win7 supplicant
Expected Result:
Traffic flow will be successful b/w clients

Step Name: Step 4: Disable radius-server
Description:
Disconnect the RADIUS server and check the dot1x client
Expected Result:
Client will continue to be in authenticated state and cached reauth will start after the reauth-period expiry
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: Change Credentials
Description:
Change the credentials in the Supplicant.
Expected Result:
Client will be de-authenticated during the reauth-period since credentials are changed during reauth
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status
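
The expected results of the cached-reauth cases above (the 15 s / 120 s walk-through and F_09, F_11, F_16) written as a small oracle for checking a run; this is an added example, not switch code and not part of the original plan. It assumes reauthentication attempts recur every reauth-period, that the cached-reauth timer starts at the first attempt that cannot reach RADIUS, and that changed credentials do not match the cache; all names and timelines are constructed for illustration.

```python
"""Expected-state oracle for the 802.1X cached-reauth test cases (a model only)."""
from dataclasses import dataclass
from typing import List, Tuple

# Event kinds on a constructed test timeline (names are illustrative).
RADIUS_DOWN, RADIUS_UP, CREDS_CHANGED = "radius_down", "radius_up", "creds_changed"
AUTH, CACHED, UNAUTH = "authenticated", "authenticated (cached)", "unauthenticated"

Event = Tuple[int, str]  # (seconds since first authentication, kind)


@dataclass(frozen=True)
class PortConfig:
    reauth_period: int         # seconds, the `reauth-period` value
    cached_reauth_period: int  # seconds, the `cached-reauth-period` value


def expected_state(cfg: PortConfig, events: List[Event], t: int) -> str:
    """State expected at time t for a client authenticated at t=0 with valid credentials."""
    radius_up, creds_ok = True, True
    state, cached_since = AUTH, None
    pending = sorted(events)
    tick = cfg.reauth_period
    while tick <= t:
        # Apply everything that happened up to this reauthentication attempt.
        while pending and pending[0][0] <= tick:
            _, kind = pending.pop(0)
            if kind == RADIUS_DOWN:
                radius_up = False
            elif kind == RADIUS_UP:
                radius_up = True
            elif kind == CREDS_CHANGED:
                creds_ok = False
            else:
                raise ValueError(f"unknown event kind: {kind}")
        # The cached window may have run out since the previous attempt.
        if state == CACHED and tick - cached_since >= cfg.cached_reauth_period:
            state = UNAUTH
        if radius_up:
            # Normal RADIUS decision; this also re-admits a client after an outage.
            state, cached_since = (AUTH if creds_ok else UNAUTH), None
        elif state == AUTH and creds_ok:
            # First attempt that cannot reach RADIUS: the cached window starts here.
            state, cached_since = CACHED, tick
        elif state == CACHED and creds_ok:
            pass  # still inside the cached window
        else:
            state = UNAUTH  # nothing to fall back on while RADIUS is down
        tick += cfg.reauth_period
    if state == CACHED and t - cached_since >= cfg.cached_reauth_period:
        state = UNAUTH
    return state


def new_client_admitted(events: List[Event], t: int) -> bool:
    """A client with no cached session can only authenticate while RADIUS is reachable."""
    up = True
    for when, kind in sorted(events):
        if when > t:
            break
        if kind == RADIUS_DOWN:
            up = False
        elif kind == RADIUS_UP:
            up = True
    return up


if __name__ == "__main__":
    walkthrough = PortConfig(reauth_period=15, cached_reauth_period=120)
    outage = [(5, RADIUS_DOWN)]  # constructed: RADIUS disabled 5 s after first auth
    for second in (10, 20, 134, 135):
        print(second, expected_state(walkthrough, outage, second))
    print("new client at 60 s admitted:", new_client_admitted(outage, 60))
```

The window between the first failed attempt and the cached-reauth expiry is the time a known client keeps port access without RADIUS confirming it, so the `cached-reauth-period` value is the figure to review when sizing that exposure.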

1.1.1.1.1.1.2.34. Test: Test Name : RFC_4675_on_2510_B_01. VLAN_ID_tagged
Test: Test ID :166740
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 23/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
The purpose of this test is to verify that switch ports can be assigned as tagged members of an egress VLAN via RADIUS
by specifying the VLAN ID in the RADIUS users file.

Requirements:
A PC or a second switch to act as an 802.1X supplicant
A PC or a traffic generator (IXIA or equivalent) to act as a client for MAC authentication
A RADIUS server (Free RADIUS or other)
Note: setup for RADIUS servers other than Free RADIUS is not addressed in this test document.

Setup:
Note: This network setup serves as an example only, and is intended to show one way to accomplish the objectives of the
test,
rather than to limit the test to a particular setup.

Connect 802.1X supplicant and a traffic analyzer (Wireshark or equivalent) to port 1 of the DUT via repeater 1.
Connect mac-auth client and a traffic analyzer (Wireshark or equivalent) to port 2 of the DUT via repeater 2 .
Connect IXIA port 2 to port 4 of the DUT
Connect the RADIUS server to port 20 of the DUT

The 802.1X Supplicant device must be running supplicant software, and be set up to authenticate.
The Free RADIUS server "users" file (/etc/freeradius/users) must contain the following entry for 802.1X authentication:

"tagged11" Auth-Type := CHAP, User-Password := "pass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLANID = 0x3100000b

The Free RADIUS server "users" file (/etc/freeradius/users) must contain the following entry for Mac authentication:

"000000000001" Auth-Type := CHAP, User-Password := "00000000001"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLANID = 0x3100000b

Note: it is assumed that the dictionary files etc. are set up to include entries required for RFC 4675; later versions of Free RADIUS include these by default.

Description:
RFC 4675 requires that compliant authenticators provide the ability to assign a port an egress VLAN either tagged or
untagged based on the VLAN name or VLAN ID.
This test verifies that the switch ports can be assigned as tagged members of an egress VLAN via RADIUS by specifying
the VLAN ID in the RADIUS users file.

Attachments:
Web authentication tips.doc (tips on how to set up web authentication)

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69675

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C166740

Steps :
Step Name Description Expected Result
Step Name: 1) DUT starting configuration
Description:
This test case assumes a starting point of a blank configuration.
Clear the configuration (erase startup config).
Add VLANs :
(vlan 1 ip address 10.1.100.101/24)
(vlan 11 name tag11)
(vlan 11 untagged 4)
(vlan 12 name tag12)
(vlan 13 name untag13)
(vlan 14 name untag14)
(vlan 15 name priority)
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
Enable mac authentication on the port 2
switch# configure terminal
switch(config)# interface 1/1/2
switch(config-if)# aaa authentication port-access mac-auth
switch(config-if-macauth)# enable
Expected Result:
The erase startup config command should prompt the switch to reboot and return the configuration to the default values.
The Show running-config output should indicate that the authentication setup reflects the commands that were run in this step.

Step Name: Step 2
Description:
Connect 802.1X supplicant and a traffic analyzer (Wireshark or equivalent) to port 1 of the DUT via repeater 1.
Connect mac-auth client and a traffic analyzer (Wireshark or equivalent) to port 2 of the DUT via repeater 2.
Connect web-auth client and a traffic analyzer (Wireshark or equivalent) to port 3 of the DUT via repeater 3.
Connect IXIA port 2 to port 4 of the DUT.
Connect the RADIUS server to port 20 of the DUT.
Expected Result:
The link LEDs should correctly indicate connections on DUT ports 1,2,3,4, and 20.

Step Name: 3) RADIUS Server Setup
Description:
Add the following entries to the Free RADIUS users file.
The first entry will be used by 802.1X user.
The second entry will be used by Mac auth users (the mac address of the client is used as the username and password)
Be sure to restart the RADIUS service after making changes to the users file.

"tag11" Auth-Type := CHAP, User-Password := "pass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLANID = 0x3100000b

"000000000001" Auth-Type := CHAP, User-Password := "00000000001"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLANID = 0x3100000b
Expected Result:
The RADIUS server is configured properly to allow 802.1X authentication, and Mac authentication.

Step Name: 4) Authenticate the Supplicant / Clients
Description:
Initiate authentication:
On the 802.1X supplicant by entering the username= tag11, password= pass.
On the Mac Auth client by sending traffic into the port with a mac address of 000000000001.
Check that each was authenticated.
(show port-access authenticator)
(show port-access mac-based)
(show port-access web-based)
Expected Result:
The show command outputs should indicate that each of the users was successfully authenticated.

Step Name: 5) Verify the effects of the authentication
Description:
Verify that each of the clients was set to egress packets to VLAN 11 tagged.
* show aaa authentication port-access interface all client-status
Expected Result:
The show port-access command outputs should show a "yes" under Tagged VLANs for each authentication type.
The show vlan 11 command output should show:
Port 1 is 802.1X authenticated
Port 2 is mac-authenticated
The show vlans ports command output should show the mode for each port as Tagged.

Step Name: 6) Verify that egress packets are tagged on egress VLAN
Description:
Set IXIA port 2 to send untagged packets with an unlearned Source Mac address onto DUT port 4 (port 4 is untagged on VLAN 11).
Check that the 802.1X authenticated port (1) egresses frames with tags as required by the RADIUS applied attributes:
Start the Wireshark capture on DUT port 1.
Check that the packets generated by IXIA exit switch port 1 with tags for VLAN 11.
Check that the Mac authenticated port (2) egresses frames with tags as required by the RADIUS applied attributes:
Start the Wireshark capture on DUT port 2.
Check that the packets generated by IXIA exit switch port 2 with tags for VLAN 11.
Expected Result:
The 802.1X authenticated port should egress frames with tags as required by the RADIUS applied attributes.
The MAC authenticated port should egress frames with tags as required by the RADIUS applied attributes.

1.1.1.1.1.1.2.35. Test: Test Name : RFC_4675_on_2510_B_02. VLAN_Name_tagged
Test: Test ID :166741
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 23/1/2019
Test: Type : MANUAL
Test: Description :

Objective:
The purpose of this test is to verify that switch ports can be assigned as tagged members of an
egress VLAN via RADIUS by specifying the VLAN Name in the RADIUS users file.

Requirements:
A PC or a second switch to act as an 802.1X supplicant
A PC or a traffic generator (IXIA or equivalent) to act as a client for MAC authentication
A PC with an IE or Firefox browser to act as a Web Auth client.
A RADIUS server (Free RADIUS or other)
Note: setup for RADIUS servers other than Free RADIUS is not addressed in this test document.

Setup:
Note: This network setup serves as an example only, and is intended to show one way to
accomplish the objectives of the test,
rather than to limit the test to a particular setup.

Connect 802.1X supplicant and a traffic analyzer (Wireshark or equivalent) to port 1 of the DUT via repeater 1.
Connect mac-auth client and a traffic analyzer (Wireshark or equivalent) to port 2 of the DUT via repeater 2.
Connect web-auth client and a traffic analyzer (Wireshark or equivalent) to port 3 of the DUT via repeater 3.
Connect IXIA port 2 to port 4 of the DUT
Connect the RADIUS server to port 20 of the DUT

The 802.1X Supplicant device must be running supplicant software, and be set up to authenticate.
The Free RADIUS server "users" file (/etc/freeradius/users) must contain the following entry for 802.1X authentication and for Web authentication:

"tag12" Auth-Type := CHAP, User-Password := "pass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLAN-Name = "1tag12"

The Free RADIUS server "users" file (/etc/freeradius/users) must contain the following entry for Mac authentication:

"000000000002" Auth-Type := CHAP, User-Password := "00000000002"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLAN-Name = "1tag12"

Note: it is assumed that the dictionary files etc. are set up to include entries required for RFC 4675; later versions of Free RADIUS include these by default.

Description:
RFC 4675 requires that compliant authenticators provide the ability to assign a port an egress
VLAN either tagged or untagged based on the VLAN name or VLAN ID.
This test verifies that the switch ports can be assigned as tagged members of an egress VLAN
via RADIUS by specifying the VLAN Name in the RADIUS users file.

Attachments:
Web authentication tips.doc (tips on how to set up web authentication)

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69676

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C166741

Steps :
Step Name Description Expected Result
Step Name: 1) DUT starting configuration
Description:
This test case assumes a starting point of a blank configuration.
Clear the configuration (erase startup config).
Add VLANs :
(vlan 1 ip address 10.1.100.101/24)
(vlan 11 name tag11)
(vlan 12 name tag12)
(vlan 12 untagged 4)
(vlan 13 name untag13)
(vlan 14 name untag14)
(vlan 15 name priority)
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
Enable mac authentication on the port 2
switch# configure terminal
switch(config)# interface 1/1/2
switch(config-if)# aaa authentication port-access mac-auth
switch(config-if-macauth)# enable
Expected Result:
The erase startup config command should prompt the switch to reboot and return the configuration to the default values.
The Show running-config output should indicate that the authentication setup reflects the commands that were run in this step.

Step Name: 2) Network Setup
Description:
Connect 802.1X supplicant and a traffic analyzer (Wireshark or equivalent) to port 1 of the DUT via repeater 1.
Connect mac-auth client and a traffic analyzer (Wireshark or equivalent) to port 2 of the DUT via repeater 2.
Connect IXIA port 2 to port 4 of the DUT.
Connect the RADIUS server to port 20 of the DUT.
Expected Result:
The link LEDs should correctly indicate connections on DUT ports 1,2,3,4, and 20

Step Name: 3) RADIUS Server Setup
Description:
Add the following entries to the Free RADIUS users file.
The first entry will be used by 802.1X user.
The second entry will be used by Mac auth users (the mac address of the client is used as the username and password)
Be sure to restart the RADIUS service after making changes to the users file.

"tag12" Auth-Type := CHAP, User-Password := "pass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLAN-Name = "1tag12"

"000000000002" Auth-Type := CHAP, User-Password := "00000000002"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLAN-Name = "1tag12"
Expected Result:
The RADIUS server is configured properly to allow 802.1X authentication, and Mac authentication.

Step Name: 4) Authenticate the Supplicant / Clients
Description:
Initiate authentication:
On the 802.1X supplicant by entering the username= tag12, password= pass.
On the Mac Auth client by sending traffic into the port with a mac address of 000000000002.
Check that each was authenticated.
(show port-access authenticator)
(show port-access mac-based)
(show port-access web-based)
Expected Result:
The show command outputs should indicate that each of the users was successfully authenticated.

Step Name: 5) Verify the effects of the authentication
Description:
Verify that each of the clients was set to egress packets to VLAN 12 (name= tag12) tagged.
* show aaa authentication port-access interface all client-status
Expected Result:
The show port-access command outputs should show a "yes" under Tagged VLANs for each authentication type.
The show vlan 12 command output should show:
Port 1 is 802.1X authenticated
Port 2 is mac-authenticated
The show vlans ports command output should show the mode for each port as Tagged on VLAN 12.

Step Name: 6) Verify that egress packets are tagged on egress VLAN
Description:
Set IXIA port 2 to send untagged packets with an unlearned Source Mac address onto DUT port 4 (port 4 is untagged on VLAN 12).
Check that the 802.1X authenticated port (1) egresses frames with tags as required by the RADIUS applied attributes:
Start the Wireshark capture on DUT port 1.
Check that the packets generated by IXIA exit switch port 1 with tags for VLAN 12.
Check that the MAC authenticated port (2) egresses frames with tags as required by the RADIUS applied attributes.
Start the Wireshark capture on DUT port 2.
Check that the packets generated by IXIA exit switch port 2 with tags for VLAN 12.
Expected Result:
The 802.1X authenticated port should egress frames with tags as required by the RADIUS applied attributes.
The MAC authenticated port should egress frames with tags as required by the RADIUS applied attributes.

1.1.1.1.1.1.2.36. Test: Test Name : RFC_4675_on_2510_B_03. VLAN_ID_untagged
Test: Test ID :166742
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 23/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
The purpose of this test is to verify that switch ports can be assigned as untagged members of an
egress VLAN via RADIUS by specifying the VLAN ID in the RADIUS users file.

Requirements:
A PC or a second switch to act as an 802.1X supplicant
A PC or a traffic generator (IXIA or equivalent) to act as a client for MAC authentication
A PC with an IE or Firefox browser to act as a Web Auth client.
A RADIUS server (Free RADIUS or other)
Note: setup for RADIUS servers other than Free RADIUS is not addressed in this test document.

Setup:
Note: This network setup serves as an example only, and is intended to show one way to
accomplish the objectives of the test,
rather than to limit the test to a particular setup.

Connect 802.1X supplicant and a traffic analyzer (Wireshark or equivalent) to port 1 of the DUT
via repeater 1.
Connect mac-auth client and a traffic analyzer (Wireshark or equivalent) to port 2 of the DUT via
repeater 2 .
Connect web-auth client and a traffic analyzer (Wireshark or equivalent) to port 3 of the DUT via
repeater 3.
Connect IXIA port 2 to port 4 of the DUT
Connect the RADIUS server to port 20 of the DUT

The 802.1X Supplicant device must be running supplicant software, and be set up to authenticate.
The Free RADIUS server "users" file (/etc/freeradius/users) must contain the following entry for 802.1X authentication and for Web authentication:

"untag13" Auth-Type := CHAP, User-Password := "pass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLANID = 0x3200000d

The Free RADIUS server "users" file (/etc/freeradius/users) must contain the following entry for Mac authentication:

"000000000003" Auth-Type := CHAP, User-Password := "00000000003"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLANID = 0x3200000d

Note: it is assumed that the dictionary files etc. are set up to include entries required for RFC 4675; later versions of Free RADIUS include these by default.

Description:
RFC 4675 requires that compliant authenticators provide the ability to assign a port an egress
VLAN either tagged or untagged based on the VLAN name or VLAN ID.
This test verifies that the switch ports can be assigned as untagged members of an egress VLAN
via RADIUS by specifying the VLAN ID in the RADIUS users file.
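
The Egress-VLANID and Egress-VLAN-Name values used in tests B_01, B_02 and B_03 (0x3100000b, "1tag12", 0x3200000d) follow the RFC 4675 layout: a Tag Indication octet (0x31 tagged, 0x32 untagged) followed by either 12 pad bits and a 12-bit VLAN ID, or the VLAN name. The decoder below is an added example, not part of the original plan; the function names are illustrative and the sample reply items are copied from the users-file entries in this document.

```python
"""Decode and build RFC 4675 Egress-VLANID / Egress-VLAN-Name values."""
import re
from dataclasses import dataclass
from typing import Optional

TAGGED, UNTAGGED = 0x31, 0x32  # RFC 4675 Tag Indication octets (ASCII '1' / '2')
_MODES = {TAGGED: "tagged", UNTAGGED: "untagged"}


@dataclass(frozen=True)
class EgressVlan:
    mode: str                      # "tagged" or "untagged"
    vlan_id: Optional[int] = None  # set when decoded from Egress-VLANID
    name: Optional[str] = None     # set when decoded from Egress-VLAN-Name


def decode_egress_vlanid(value: int) -> EgressVlan:
    """Split the 32-bit value into Tag Indication (8), pad (12) and VLAN ID (12)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Egress-VLANID must fit in 32 bits")
    tag, pad, vid = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in _MODES:
        raise ValueError(f"bad Tag Indication 0x{tag:02x} (expected 0x31 or 0x32)")
    if pad:
        raise ValueError("pad bits must be zero")
    if vid in (0, 0xFFF):
        raise ValueError(f"VLAN ID {vid} is reserved by IEEE 802.1Q")
    return EgressVlan(_MODES[tag], vlan_id=vid)


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Build the value to put in the users file for a VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlan_name(value: str) -> EgressVlan:
    """First character is the Tag Indication, the rest is the VLAN name."""
    if len(value) < 2:
        raise ValueError("need a Tag Indication character and a VLAN name")
    tag = ord(value[0])
    if tag not in _MODES:
        raise ValueError(f"bad Tag Indication {value[0]!r} (expected '1' or '2')")
    return EgressVlan(_MODES[tag], name=value[1:])


_ITEM = re.compile(r"^\s*(Egress-VLANID|Egress-VLAN-Name)\s*:?=\s*(.+?)\s*,?\s*$")


def parse_reply_item(line: str) -> EgressVlan:
    """Parse one users-file reply item, tolerating a trailing comma."""
    match = _ITEM.match(line)
    if not match:
        raise ValueError(f"not an RFC 4675 egress VLAN reply item: {line!r}")
    attr, raw = match.groups()
    if attr == "Egress-VLANID":
        return decode_egress_vlanid(int(raw, 0))  # base 0 accepts 0x... and decimal
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError("Egress-VLAN-Name value must be a quoted string")
    return decode_egress_vlan_name(raw[1:-1])


# Reply items taken from the users-file entries in this test plan.
SAMPLE_ITEMS = [
    "Egress-VLANID=0x3100000b ,",     # B_01: expect tagged, VLAN 11
    'Egress-VLAN-Name = "1tag12"',    # B_02: expect tagged, VLAN name tag12
    "Egress-VLANID=0x3200000d,",      # B_03: expect untagged, VLAN 13
]

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(f"{item!r:34} -> {parse_reply_item(item)}")
```

Running the decoder over a users file before a test run catches a value whose tag octet does not match the test's intent, for example an untagged case that was copied with 0x31.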

Attachments:
Web authentication tips.doc (tips on how to set up web authentication)

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69677

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C166742

Steps :
Step Name Description Expected Result
Step Name: 1) DUT starting configuration
Description:
This test case assumes a starting point of a blank configuration.
Clear the configuration (erase startup config).
Add VLANs :
(vlan 1 ip address 10.1.100.101/24)
(vlan 11 name tag11)
(vlan 12 name tag12)
(vlan 13 name untag13)
(vlan 13 untagged 4)
(vlan 14 name untag14)
(vlan 15 name priority)
Authentication setup.
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
Enable mac authentication on the port 2
switch# configure terminal
switch(config)# interface 1/1/2
switch(config-if)# aaa authentication port-access mac-auth
switch(config-if-macauth)# enable
Expected Result:
The erase startup config command should prompt the switch to reboot and return the configuration to the default values.
The Show running-config output should indicate that the authentication setup reflects the commands that were run in this step.

Step Name: 2) Network Setup
Description:
Connect 802.1X supplicant and a traffic analyzer (Wireshark or equivalent) to port 1 of the DUT via repeater 1.
Connect mac-auth client and a traffic analyzer (Wireshark or equivalent) to port 2 of the DUT via repeater 2.
Connect IXIA port 2 to port 4 of the DUT
Connect the RADIUS server to port 20 of the DUT.
Expected Result:
The link LEDs should correctly indicate connections on DUT ports 1,2,3,4,20, and 21

Step Name: 3) RADIUS Server Setup
Description:
Add the following entries to the Free RADIUS users file.
The first entry will be used by 802.1X.
The second entry will be used by Mac auth users (the mac address of the client is used as the username and password)
Be sure to restart the RADIUS service after making changes to the users file.

"untag13" Auth-Type := CHAP, User-Password := "pass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLANID = 0x3200000d

"000000000003" Auth-Type := CHAP, User-Password := "00000000003"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLANID = 0x3200000d
Expected Result:
The RADIUS server is configured properly to allow 802.1X authentication and Mac authentication.

Step Name: 4) Authenticate the Supplicant / Clients
Expected Result:
The show command outputs should indicate that each of the users was successfully authenticated.
Description:
Initiate authentication:
On the 802.1X supplicant by entering the username= untag13, password= pass.
On the Mac Auth client by sending
traffic into the port with a mac
address of 000000000003.
Check that each was authenticated.
(show port-access authenticator)
(show port-access mac-based)
(show port-access web-based)

The show port-access command


5) Verify the effects of the Verify that each of the clients
outputs should show a "no" under
was set to egress packets to
authentication VLAN 13 (name= untag13)
Tagged VLANs for each
authentication type, and show "13"
untagged. under Untagged VLAN.
* show aaa authentication port- The show vlan 13 command output
access interface all client-status should show:
Port 1 is 802.1X authenticated
Port 2 is mac-authenticated
The show vlans ports command
output should show the mode for
each port as untagged on VLAN 13.

Set IXIA port 2 to send untagged


6) Verify that egress packets packets with an unlearned Source
are untagged on egress Mac address onto DUT port 4
(port 4 is untagged on VLAN 13).
VLAN
Check that the X authenticated port
(1) egresses frames without tags as The X authenticated port
required by the RADIUS applied
attributes: should
Start the Wireshark capture on DUT
port 1. egress frames without tags as
Check that the packets generated by
IXIA exit switch port 1 without tags. required by the RADIUS
Check that the MAC authenticated applied
port (2) egresses frames without tags

170 18/2/2019
Step Name Description Expected Result
as required by the RADIUS applied
attributes. attributes.
Start the Wireshark capture on DUT
port 2.
The MAC authenticated port
Check that the packets generated by should egress frames without
IXIA exit switch port 2 without tags.
tags as required by the
RADIUS
applied attributes.

1.1.1.1.1.1.2.37. Test: Test Name : RFC_4675_on_2510_B_04. VLAN_Name_untagged
Test: Test ID :166743
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 23/1/2019
Test: Type : MANUAL
Test: Description :
Objective:
The purpose of this test is to verify that switch ports can be assigned as untagged members of an
egress VLAN via RADIUS by specifying the VLAN Name in the RADIUS users file.

Requirements:
A PC or a second switch to act as an 802.1X supplicant
A PC or a traffic generator (IXIA or equivalent) to act as a client for MAC authentication
A PC with an IE or Firefox browser to act as a Web Auth client.
A RADIUS server (Free RADIUS or other)
Note: setup for RADIUS servers other than Free RADIUS is not addressed in this test document.
3 PCs running Wireshark or equivalent traffic analyzer (one is sufficient but will require rerunning
some test steps multiple times)
3 Multiport repeaters (hubs) (one is sufficient but will require rerunning some test steps multiple
times).

Setup:
Note: This network setup serves as an example only, and is intended to show one way to
accomplish the objectives of the test,
rather than to limit the test to a particular setup.

Connect 802.1X supplicant and a traffic analyzer (Wireshark or equivalent) to port 1 of the DUT
via repeater 1.
Connect mac-auth client and a traffic analyzer (Wireshark or equivalent) to port 2 of the DUT via
repeater 2 .
Connect web-auth client and a traffic analyzer (Wireshark or equivalent) to port 3 of the DUT via
repeater 3.
Connect IXIA port 2 to port 4 of the DUT
Connect the RADIUS server to port 20 of the DUT.

The 802.1X Supplicant device must be running supplicant software, and be set up to
authenticate.
The Free RADIUS server "users" file (/etc/freeradius/users) must contain the following entry for
802.1X authentication and for Web authentication:

"untag14" Auth-Type := CHAP, User-Password := "pass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLAN-Name = "2untag14"

The Free RADIUS server "users" file (/etc/freeradius/users) must contain the following entry for
Mac authentication:

"000000000004" Auth-Type := CHAP, User-Password := "00000000004"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLAN-Name = "2untag14"

Note: it is assumed that the dictionary files etc. are set up to include the entries required for RFC
4675; later versions of Free RADIUS include these by default.

Description:
RFC 4675 requires that compliant authenticators provide the ability to assign a port an egress
VLAN either tagged or untagged based on the VLAN name or VLAN ID.
This test verifies that the switch ports can be assigned as untagged members of an egress VLAN
via RADIUS by specifying the VLAN Name in the RADIUS users file.
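
The users-file values in these RFC 4675 tests carry the tagged/untagged choice inside the value itself: the first octet of Egress-VLANID (0x31 or 0x32) and the first character of Egress-VLAN-Name ('1' or '2') are the Tag Indication, where '1' means tagged and '2' means untagged. The Python below is an added example, not part of the test plan: it decodes both attributes and lints a users-file entry before the RADIUS service is restarted. The function names and the two sample entries are constructed for illustration.

```python
import re

# RFC 4675 Tag Indication octet: 0x31 ('1') = tagged, 0x32 ('2') = untagged.
TAG_MODES = {0x31: "tagged", 0x32: "untagged"}


def decode_egress_vlanid(value):
    """Split a 32-bit Egress-VLANID into (mode, vlan_id)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 4 octets")
    tag, pad, vlan_id = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in TAG_MODES:
        raise ValueError(f"Tag Indication 0x{tag:02x} is neither 0x31 nor 0x32")
    if pad:
        raise ValueError("the 12 pad bits must be zero")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} is outside 1..4094")
    return TAG_MODES[tag], vlan_id


def encode_egress_vlanid(vlan_id, mode):
    """Build the integer written after 'Egress-VLANID =' in the users file."""
    tags = {m: t for t, m in TAG_MODES.items()}
    if mode not in tags:
        raise ValueError("mode must be 'tagged' or 'untagged'")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} is outside 1..4094")
    return (tags[mode] << 24) | vlan_id


def decode_egress_vlan_name(value):
    """Split an Egress-VLAN-Name string into (mode, vlan_name)."""
    if len(value) < 2:
        raise ValueError("need a Tag Indication character plus a VLAN name")
    tag = ord(value[0])
    if tag not in TAG_MODES:
        raise ValueError(f"Tag Indication {value[0]!r} is neither '1' nor '2'")
    return TAG_MODES[tag], value[1:]


# One reply item per line; a trailing comma (more items follow) is tolerated.
REPLY_ITEM = re.compile(
    r'^\s*(Egress-VLANID|Egress-VLAN-Name)\s*=\s*(.+?)\s*,?\s*$')


def lint_users_entry(entry):
    """Return (memberships, problems) for the egress attributes of one entry."""
    memberships, problems = [], []
    for line in entry.splitlines():
        match = REPLY_ITEM.match(line)
        if not match:
            continue
        name, raw = match.groups()
        try:
            if name == "Egress-VLANID":
                memberships.append(decode_egress_vlanid(int(raw, 0)))
            else:
                if not (len(raw) >= 2 and raw[0] == raw[-1] == '"'):
                    raise ValueError("value is not a closed quoted string")
                memberships.append(decode_egress_vlan_name(raw[1:-1]))
        except ValueError as exc:
            problems.append(f"{name} = {raw}: {exc}")
    return memberships, problems


# Constructed sample entries (user names and passwords are placeholders).
GOOD_ENTRY = '''"demo-user" Auth-Type := CHAP, User-Password := "demo-pass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Egress-VLANID = 0x3200000d,
    Egress-VLAN-Name = "2untag14"
'''
BAD_ENTRY = '''"demo-user" Auth-Type := CHAP, User-Password := "demo-pass"
    Egress-VLANID = 0x3300000d,
    Egress-VLAN-Name = "2untag14
'''

if __name__ == "__main__":
    for label, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        memberships, problems = lint_users_entry(entry)
        print(label, "memberships:", memberships)
        for problem in problems:
            print(label, "problem:", problem)
```

A membership the linter reports as "untagged" is what the show vlans ports and Wireshark checks in steps 5 and 6 should confirm on the wire.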

Attachments:
Web authentication tips.doc (tips on how to set up web authentication)

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69678

Test: Automated : Not Feasible
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C166743

Steps :

Step Name: 1) DUT starting configuration
Description:
This test case assumes a starting point of a blank configuration.
Clear the configuration (erase startup config).
Add VLANs :
(vlan 1 ip address 10.1.100.101/24)
(vlan 11 name tag11)
(vlan 12 name tag12)
(vlan 13 name untag13)
(vlan 14 name untag14)
(vlan 14 untagged 4)
(vlan 15 name priority)
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
Enable mac authentication on the port 2
switch# configure terminal
switch(config)# interface 1/1/2
switch(config-if)#aaa authentication port-access mac-auth
switch(config-if-macauth)#enable
Expected Result:
The erase startup config command should prompt the switch to reboot and return the configuration to the default values.
The Show running-config output should indicate that the authentication setup reflects the commands that were run in this step.

Step Name: 2) Network Setup
Description:
Connect 802.1X supplicant and a traffic analyzer (Wireshark or equivalent) to port 1 of the DUT via repeater 1.
Connect mac-auth client and a traffic analyzer (Wireshark or equivalent) to port 2 of the DUT via repeater 2.
Connect IXIA port 2 to port 4 of the DUT
Connect the RADIUS server to port 20 of the DUT.
Expected Result:
The link LEDs should correctly indicate connections on DUT ports 1,2,3,4, and 20.

Step Name: 3) RADIUS Server Setup
Description:
Add the following entries to the Free RADIUS users file.
The first entry will be used by 802.1X.
The second entry will be used by Mac auth users (the mac address of the client is used as the username and password)
Be sure to restart the RADIUS service after making changes to the users file.

"untag14" Auth-Type := CHAP, User-Password := "pass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLAN-Name = "2untag14"

"000000000004" Auth-Type := CHAP, User-Password := "00000000004"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Egress-VLAN-Name = "2untag14"

Expected Result:
The RADIUS server is configured properly to allow 802.1X authentication and Mac authentication.

Step Name: 4) Authenticate the Supplicant / Clients
Description:
Initiate authentication.
On the 802.1X supplicant by entering the username= untag14, password= pass.
On the Mac Auth client by sending traffic into the port with a mac address of 000000000004.
Check that each was authenticated.
* show aaa authentication port-access interface all client-status
Expected Result:
The show command outputs should indicate that each of the users was successfully authenticated.

Step Name: 5) Verify the effects of the authentication
Description:
Verify that each of the clients was set to egress packets to VLAN 14 (name= untag14) untagged.
* show aaa authentication port-access interface all client-status
Expected Result:
The show port-access command outputs should show "14" under untagged VLANs for each authentication type.
The show vlan 14 command output should show:
Port 1 is 802.1X authenticated
Port 2 is mac-authenticated
The show vlans ports command output should show the mode for each port as untagged on VLAN 14.

Step Name: 6) Verify that egress packets are untagged on egress VLAN
Description:
Set IXIA port 2 to send untagged packets with an unlearned Source Mac address onto DUT port 4 (port 4 is untagged on VLAN 13).
Check that the X authenticated port (1) egresses frames without tags as required by the RADIUS applied attributes:
Start the Wireshark capture on DUT port 1.
Check that the packets generated by IXIA exit switch port 1 without tags.
Check that the MAC authenticated port (2) egresses frames without tags as required by the RADIUS applied attributes.
Start the Wireshark capture on DUT port 2.
Check that the packets generated by IXIA exit switch port 2 without tags.
Expected Result:
The X authenticated port should egress frames without tags as required by the RADIUS applied attributes.
The MAC authenticated port should egress frames without tags as required by the RADIUS applied attributes.

1.1.1.1.1.1.2.38. Test: Test Name : Session_Timeout_CoA_F_08_PC_Behind_IP_Phone
Test: Test ID :166803
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 24/1/2019
Test: Type : MANUAL
Test: Description : Objective:

The purpose of this test case is to verify functionality of session timeout VSA to force reauthenticate clients in
1. Mac Client - IP Phone
2. 802.1x Client - PC
PC Behind IP Phone Scenario

Requirements:

Single DUT
Mac Client
802.1x Client
Radius Server

Topology:
Supplicant and Ixia (Phone)------Hub--------DUT----------------Radius Server

Feature Description:
1. The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an
authentication session after it is authenticated.

2. SESSION-TIMEOUT, being an IETF attribute, has been used in RADIUS CoA to trigger reauthentication
after a specified time period.

Advantages:
1. Customers can reauthenticate only suspicious clients by sending Radius CoA with Session Timeout Attribute
without traffic disruption.

2. Because SESSION-TIMEOUT is an IETF attribute, this should work across vendors.

3. It enables a unified interface in a RADIUS server to trigger reauthentication of clients across multi vendor
access switches.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
153409

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 242375
Test: BP Filter: HPE
Test: GUID: ALMTP157C166803

Steps :

Step Name: Step 1
Description:
Configure Vlan with ip-address
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 2
Description:
Configure radius server on the same subnet as the vlan ip address configured on Step1
radius-server host 23.0.0.218 key go4gold18
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 3
Description:
Configure two vlans in the DUT
vlan <id>
exit
vlan <id>
exit
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 4
Description:
Configure 802.1x and mac authentication on the same port connected to PC behind IP Phone
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode client-mode
Enable 802.1X authentication on a port:
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
Enable mac authentication on the port
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)#aaa authentication port-access mac-auth
switch(config-if-macauth)#enable
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 5
Description:
Start supplicant in 802.1x configured windows port and traffic from mac auth configured phone
Expected Result:
Verify the clients are placed in user role using
1. show port-access <port> clients detailed

Step Name: Step 6
Description:
Start sending traffic from 802.1x and mac auth port to a destination ixia ports placed in corresponding data vlans
Vlan <data-vlan-1>
untag <destination-ixia-port1>
Vlan <data-vlan-2>
untag <destination-ixia-port2>
Expected Result:
Verify the traffic is successfully flowing

Step Name: Step 7
Description:
Send a Radius CoA through freeradius radclient app to force reauthenticate mac client, by including Session-Timeout and Termination Action Attributes
# User-Name: Mac address / username of the client
# NAS-Port-Id: Authenticator port in switch
# NAS-IP-Address: Ip address of Authenticator switch
# Calling-Station-Id: Mac address of client
echo "User-Name = 'd4c9efb60180',\
NAS-Port-Id = '1/2',\
NAS-IP-Address = 20.1.1.1,\
Calling-Station-Id = 'd4-c9-ef-b6-01-80',\
Session-Timeout=60,\
Termination-Action=1" | radclient 20.1.1.1:3799 43 procurve

Step Name: Step 8
Description:
Run the debug session in switch to verify the CoA ACK is sent
Expected Result:
Verify the debug logs. When CoA is sent from radius server, switch does the following for the mac client
1. CoA ACK is received
2. * show aaa authentication port-access interface all client-status updates the session timeout as
(When Client receives the Session-Timeout as 60 seconds after it is authenticated for 10 seconds, in the show command Session-Timeout will be displayed as = Actual Session running Time + Session Timeout VSA Time (i.e 10+60=70))
3. Verify the Mac Client is reauthenticated after the session timeout period and traffic flows successfully

Step Name: Step 9
Description:
Repeat Step 7 and 8 for 802.1x Client with different reauth period
1.1.1.1.1.1.2.39. Test: Test Name :
Port_Bounce_Host_PC_Behind_IP_Phone
Test: Test ID :166812
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 24/1/2019
Test: Type : MANUAL
Test: Description : Objective:

The purpose of this test case is to verify functionality of session timeout VSA to force reauthenticate clients in
1. Mac Client - IP Phone
2. 802.1x Client - PC
PC Behind IP Phone Scenario

Requirements:

Single DUT
Mac Client
802.1x Client
Radius Server

Topology:
Supplicant and Ixia (Phone)------Hub--------DUT----------------Radius Server

Feature Description:
1. The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an
authentication session after it is authenticated.

2. SESSION-TIMEOUT, being an IETF attribute, has been used in RADIUS CoA to trigger reauthentication
after a specified time period.

Advantages:
1. Customers can reauthenticate only suspicious clients by sending Radius CoA with Session Timeout Attribute
without traffic disruption.

2. Because SESSION-TIMEOUT is an IETF attribute, this should work across vendors.

3. It enables a unified interface in a RADIUS server to trigger reauthentication of clients across multi vendor
access switches.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
153409

Test: Automated : Dev Funnel
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C166812

Steps :

Step Name: Step 1
Description:
Configure Vlan with ip-address
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 2
Description:
Configure radius server on the same subnet as the vlan ip address configured on Step1
radius-server host 23.0.0.218 key go4gold18
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 3
Description:
Configure two vlans in the DUT
vlan <id>
exit
vlan <id>
exit
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 4
Description:
Configure 802.1x and mac authentication on the same port connected to PC behind IP Phone
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode client-mode
Enable 802.1X authentication on a port:
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
Enable mac authentication on the port
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)#aaa authentication port-access mac-auth
switch(config-if-macauth)#enable
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 5
Description:
Start supplicant in 802.1x configured windows port and traffic from mac auth configured phone
Expected Result:
Verify the clients are placed in user role using
1. show port-access <port> clients detailed

Step Name: Step 6
Description:
Start sending traffic from 802.1x and mac auth port to a destination ixia ports placed in corresponding data vlans
Vlan <data-vlan-1>
untag <destination-ixia-port1>
Vlan <data-vlan-2>
untag <destination-ixia-port2>
Expected Result:
Verify the traffic is successfully flowing

Step Name: Step 7
Description:
Send a Radius Port Bounce Host CoA with timing of 20 seconds through CPPM to force toggle the 802.1x client

Step Name: Step 8
Description:
Run the debug session in switch to verify the CoA ACK is sent
Expected Result:
Verify the debug logs. When CoA is sent from radius server, switch does the following for the mac client
1. CoA ACK is received
2. * show aaa authentication port-access interface all client-status
3. Verify both PC and Phone deauthenticated because of port down event and port came online after 20 seconds

1.1.1.1.1.1.2.40. Test: Test Name : Special_488_02_PortSpeedVSA_with_Different_Port_Speed
Test: Test ID :166916
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 25/1/2019
Test: Type : MANUAL
Test: Description : Objective:
The purpose of this test case is to check different port speed correctly gets applied to a particular port.

Requirements:
Dut: Authenticator
Workstation: Radius server
HUB
Multiple Workstation as Dot1x Supplicant

Topology:
Supplicant and Ixia (Phone)------Hub--------DUT----------------Radius Server

HP-PORT-SPEED vsa values to be set in users file:

10-half       10 Mbps, half duplex.
100-half      100 Mbps, half duplex.
10-full       10 Mbps, full duplex.
100-full      100 Mbps, full duplex.
1000-full     1000 Mbps, full duplex.
auto          Use Auto Negotiation for speed and duplex mode.
auto-10       10 Mbps, use Auto Negotiation for duplex mode.
auto-100      100 Mbps, use Auto Negotiation for duplex mode.
auto-1000     1000 Mbps, use Auto Negotiation for duplex mode.
auto-10-100   10 or 100 Mbps, use Auto Negotiation for duplex mode.
auto-10g      10 Gbps, use Auto Negotiation for duplex mode.

Test: Execution Status : No Run


Test: Change Status : Not Changed

Test: Automated : Dev Funnel


Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Script Library Parameters : 15
Test: Module : Y
Test: Test Sub-Area : System Functional
Test: Automation/Product CR : System
Test: BP Filter: HP
Test: GUID: ALMTP157C166916

Steps :

Step Name: Step 1: Configure Authentication
Description:
Create a setup as attached.
Configure radius server and enable dot1x authentication.
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
Expected Result:
Verify that radius server is reachable and configured correctly
Verify that dot1x authentication is enabled and port speed vsa is also enabled correctly.
(config)#show radius
(config)#show port-access config

Step Name: Step 2: Current port speed
Description:
1. Check the current port speed
(config)#show interface brief
2. Set the Aruba-Port-Speed VSA value in users file to the same speed as current port speed
Expected Result:
Since the port is already at the desired speed, the switch will do nothing to the configuration or to the port.
Verify that there is no accounting START and STOP for this authentication.

Step Name: Step 3: Set new port speed
Description:
Now set the speed which is different than the current speed.
Set the Aruba-Port-Speed VSA value to different speed than the current speed.
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)#aaa authentication port-access reauthenticate
Reauthenticate the client.
Expected Result:
Verify that after the authentication, link flaps again and new port speed is set.
If the port speed set by VSA is different than the current setting, the switch port resets and comes back up with the specific speed setting.

Step Name: Step 4: Unsupported Port Speed
Description:
Now set the port speed which is not supported on the port (i.e. if the port supports only 100/1000T, then try to set port speed to 10/10g)
Reauthenticate the client
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)#aaa authentication port-access reauthenticate
Expected Result:
Verify that a log message is logged: Invalid port-speed VSA with speed %s on port %s

Step Name: Step 5: Different port speed
Description:
Set all the supported port speed on the port. (i.e. if port supports 100/100T, then set 100-half, 100-full, 1000-half, 1000-full, auto, auto-100, auto-1000)
Reauthenticate the client
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)#aaa authentication port-access reauthenticate
Expected Result:
Verify that authentication is successful and also verify that every time speed is set via Port-Speed VSA, link flaps

1.1.1.1.1.1.2.41. Test: Test Name : Radius-Filter-ID_F_04_ipv6_Functionality_8021x
Test: Test ID :166917
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 25/1/2019
Test: Type : MANUAL

Test: Description : Objective:

To Verify the behavior of ipv6 ACLs applied to 802.1x authenticated ports through Radius Filter-Id attribute.

Supported Platforms:

All Platforms

Requirements:

DUT
Radius Server
IXIA Port
Supplicant

Topology:

          Destination ixia
                 |
Supplicant-------DUT----------------Radius Server

Description:

A RADIUS-assigned ACL is configured on a RADIUS server for assignment to a given port when the server authenticates
a specific client on that port. When the server authenticates a client associated with that ACL, the ACL is assigned to the
port the client is using. The ACL then filters the IP traffic received inbound on that port from the authenticated client. If the
RADIUS server supports both IPv4 and IPv6 ACEs, then the ACL assigned by the server can be used to filter both traffic
types, or filter IPv4 traffic and drop IPv6 traffic. When the client session ends, the ACL is removed from the port. The
switch allows as many RADIUS-assigned ACLs on a port as it allows authenticated clients.

In the RADIUS protocol, the IP ACL for an authenticated user can be passed to the access-control devices in two ways:
1. use the Filter-Id attribute - to give the ID of a pre-defined ACL;
2. use the NAS-Filter-Rule attribute to explicitly define (a set of) filter rules.
A Filter-Id is an alphabetic-string identifier, or name, corresponding to an IP ACL that is pre-configured on the
access-control device. Previously there was no support for the Filter-Id attribute in PVOS switches; support for the
Filter-Id attribute has now been added to PVOS switches.

Reference Documents:

http://ent61.sharepoint.hp.com/teams/hpn-lab/essw/_layouts/OSSSearchResults.aspx?k=radius%20filter-
id&cs=This%20Site&u=http%3A%2F%2Fent61.sharepoint.hp.com%2Fteams%2Fhpn-lab%2Fessw

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
115045

Test: Automated : Yes


Test: Automated Test Name :
scripts/testSuite/networkSecurity/RadiusFilterID/featureTesting/Zion_Radius_Filter-ID_F_ipv6_Functionality_8021x_Auth.tcl

Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C166917

Steps :

Step Name: Step 1
Description:
Set up the topology as given in details tab.
Expected Result:
Topology is set up as given

Step Name: Step 2
Description:
Configure IPV6 address on the DUT with the same subnet as Radius Server
vlan 1
ipv6 address 2001::1/64
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 3
Description:
Configure Radius server and secret key
radius-server host <ip-address> key <key>
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 4
Description:
Configure 802.1x authentication on port 1
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 5
Description:
Configure radius server with user-name/password of the client to be authenticated and radius-filterid attribute
username Cleartext-Password := "password"
Filter-ID = 101

Step Name: Step 6
Description:
Configure ACL with multiples ACEs in DUT
ipv6 access-list <acl-name>
permit ipv6 any host 2002::3
deny ipv6 any host 2002::4
Expected Result:
Verify the configuration changes using "show run" and "show access-list <list-name>"

Step Name: Step 7
Description:
Authenticate the client on port1. Verify client is authenticated and ACL is applied to the port through filter-id attribute using
* show aaa authentication port-access interface all client-status
Expected Result:
Check the "Radius Accept" Packet through wireshark. Verify the Filter-ID attribute is present

Step Name: Step 8
Description:
Send traffic that matches the ACEs both ingress and egress. Check ACEs are applied only to the ingress traffic
Expected Result:
* show aaa authentication port-access interface all client-status

Step Name: Step 9
Description:
Send ingress traffic that doesn't match the ACEs.
Expected Result:
Verify the traffic is dropped

1.1.1.1.1.1.2.42. Test: Test Name : Radius-Filter-ID_F_01_ipv4_Functionality_802.1x
Test: Test ID :166918
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 25/1/2019
Test: Type : MANUAL
Test: Description : Objective:

To Verify the behavior of ACLs applied to 802.1x authenticated ports through Radius Filter-Id attribute.

Supported Platforms:

All Platforms

Requirements:

DUT
Radius Server
IXIA Ports

Topology:

          Destination ixia
                 |
Supplicant-------DUT----------------Radius Server

Description:

A RADIUS-assigned ACL is configured on a RADIUS server for assignment to a given port when the server authenticates
a specific client on that port. When the server authenticates a client associated with that ACL, the ACL is assigned to the
port the client is using. The ACL then filters the IP traffic received inbound on that port from the authenticated client. If the
RADIUS server supports both IPv4 and IPv6 ACEs, then the ACL assigned by the server can be used to filter both traffic
types, or filter IPv4 traffic and drop IPv6 traffic. When the client session ends, the ACL is removed from the port. The
switch allows as many RADIUS-assigned ACLs on a port as it allows authenticated clients.

In the RADIUS protocol, the IP ACL for an authenticated user can be passed to the access-control devices in two ways:
1. use the Filter-Id attribute - to give the ID of a pre-defined ACL;
2. use the NAS-Filter-Rule attribute to explicitly define (a set of) filter rules.
A Filter-Id is an alphabetic-string identifier, or name, corresponding to an IP ACL that is pre-configured on the
access-control device. Previously there was no support for the Filter-Id attribute in PVOS switches; support for the
Filter-Id attribute has now been added to PVOS switches.

Reference Documents:

http://ent61.sharepoint.hp.com/teams/hpn-lab/essw/_layouts/OSSSearchResults.aspx?k=radius%20filter-id&cs=This%20Site&u=http%3A%2F%2Fent61.sharepoint.hp.com%2Fteams%2Fhpn-lab%2Fessw

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID: 115047

Test: Automated : Yes


Test: Automated Test Name : scripts/testSuite/networkSecurity/RadiusFilterID/featureTesting/Zion_Radius_Filter-ID_F_ipv4_Functionality_802_1x.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: Automation/Product CR : 228728
Test: BP Filter: HPE
Test: GUID: ALMTP157C166918

Steps :

Step 1
Description: Set up the topology as given in details tab.
Expected Result: Topology is set up as given.

Step 2
Description: Configure IP address on the DUT with the same subnet as Radius Server.
    vlan 1
    ip address 20.1.1.1/24
Expected Result: Verify the configuration changes using "show run".

Step 3
Description: Configure Radius server and secret key.
    radius-server host <ip-address> key <key>
Expected Result: Verify the configuration changes using "show run".

Step 4
Description: Configure authentication on port 1.
    DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
    aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
    DUT(config)# aaa port-access dot1x authenticator enable
Expected Result: Verify the configuration changes using "show run".

Step 5
Description: Configure radius server with user-name/password of the client to be authenticated and radius-filterid attribute.
    username Cleartext-Password := "password"
    Filter-ID = 101

Step 6
Description: Configure ACL with multiple ACEs in DUT.
    ip access-list extended "101"
    permit tcp any any eq 10
    deny udp any any eq 10
    remark "deny udp any any eq 10"
    exit
Expected Result: Verify the configuration changes using "show run".

Step 7
Description: Authenticate the client on port1. Verify client is authenticated and ACL is applied to the port through filter-id attribute using
* show aaa authentication port-access interface all client-status
Expected Result: Check the "Radius Accept" Packet through wireshark. Verify the Filter-ID attribute is present.

Step 8
Description: Send traffic that matches the ACEs both ingress and egress. Check ACEs are applied only to the ingress traffic of ACEs. Verify the remark entry is ignored.

Step 9
Description: Send ingress traffic that doesn't match the ACE.
Expected Result: Verify the traffic is dropped.
1.1.1.1.1.1.2.43. Test: Test Name : Radius-Filter-ID_I_02_Interop_Radius_Assigned_ACL
Test: Test ID :166919
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 25/1/2019
Test: Type : MANUAL
Test: Description : Objective:

To Verify the behavior of ipv4/ipv6 ACLs applied to authenticated ports through Radius Filter-Id attribute along with radius
assigned ACLs

Supported Platforms:

All Platforms

Requirements:

DUT
Radius Server
Ixia
Supplicant

Topology:
Destination ixia
|
Supplicant-------DUT----------------Radius Server

Description:

A RADIUS-assigned ACL is configured on a RADIUS server for assignment to a given port when the server authenticates
a specific client on that port. When the server authenticates a client associated with that ACL, the ACL is assigned to the
port the client is using. The ACL then filters the IP traffic received inbound on that port from the authenticated client. If the
RADIUS server supports both IPv4 and IPv6 ACEs, then the ACL assigned by the server can be used to filter both traffic
types, or filter IPv4 traffic and drop IPv6 traffic. When the client session ends, the ACL is removed from the port. The
switch allows as many RADIUS-assigned ACLs on a port as it allows authenticated clients.

In the RADIUS protocol, the IP ACL for an authenticated user can be passed to the access-control devices in two ways:
1. use the Filter-Id attribute - to give the ID of a pre-defined ACL;
2. use the NAS-Filter-Rule attribute to explicitly define (a set of) filter rules.
A Filter-Id is an alphabetic-string identifier, or name, corresponding to an IP ACL that is pre-configured on the access-control device. PVOS switches previously had no support for the Filter-Id attribute; that support has now been added.

Reference Documents:

http://ent61.sharepoint.hp.com/teams/hpn-lab/essw/_layouts/OSSSearchResults.aspx?k=radius%20filter-id&cs=This%20Site&u=http%3A%2F%2Fent61.sharepoint.hp.com%2Fteams%2Fhpn-lab%2Fessw

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID: 114965

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C166919

Steps :

Step 1
Description: Set up the topology as given in details tab.
Expected Result: Topology is set up as given.

Step 2
Description: Configure IP address on the DUT with the same subnet as Radius Server.
    vlan 1
    ip address 20.1.1.1/24
    ipv6 address 2001::1/64
Expected Result: Verify the configuration changes using "show run".

Step 3
Description: Configure Radius server and secret key.
    radius-server host <ip-address> key <key>
Expected Result: Verify the configuration changes using "show run".

Step 4
Description: Configure 802.1x user-based authentication on port.
    DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
    aaa authentication port-access auth-mode client-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
    DUT(config)# aaa port-access dot1x authenticator enable
Expected Result: Verify the configuration changes using "show run".

Step 5
Description and Expected Result (the same entries appear in both columns):
    user1 Cleartext-Password := "password1"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Filter-Id += "101"
    Framed-Filter-Id = "102"

    "user2" Cleartext-Password := "password2"
    Nas-filter-rule = "permit in 6 from any to 20.1.1.12 1001 cnt",
    Nas-filter-rule += "deny in 6 from any to 20.1.1.13 1002 cnt",

Step 6
Description: Configure ACL with multiple ACEs in DUT.
    ip access-list extended 101
    permit tcp any 20.1.1.10/24
    permit udp any 20.1.1.10/24
    deny tcp any 20.1.1.20/24
    deny udp any 20.1.1.20/24
    exit

    ipv6 access-list 102
    permit tcp any 2001::2/64
    deny tcp any 2001::3/64
    permit udp any 2001::2/64
    deny udp any 2001::3/64
    exit
Expected Result: Verify the configuration changes using "show run" and "show access-list <list-name>".

Step 7
Description: Authenticate the client1 on port1. Verify client is authenticated and ACLs are applied to the port through filter-id attribute using
* show aaa authentication port-access interface all client-status
Expected Result: Check the "Radius Accept" Packet through wireshark. Verify the Filter-ID attribute is present.

Step 8
Description: Send continuous traffic that matches the ACEs both ingress and egress via both the clients. Check ACEs are applied only to the ingress traffic of client1.
Expected Result: Verify the access-list hit count using
show aaa authentication port-access interface all client-status

Step 9
Description: Authenticate the client2 on port1. Verify client is authenticated and ACL is applied to the port through filter rule attribute
show aaa authentication port-access interface all client-status
Expected Result: Check the "Radius Accept" Packet through wireshark. Verify the Filter Rule attribute is present.

Step 10
Description: Send continuous traffic that matches the ACEs both ingress and egress via both the clients. Check ACEs are applied only to ingress traffic of clients.
Expected Result: Verify the access-list hit count using
show aaa authentication port-access interface all client-status

1.1.1.1.1.1.2.44. Test: Test Name : Radius_F_53._RFC_4675_On_User_Priority_Table
Test: Test ID :166920
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 25/1/2019
Test: Type : MANUAL
Test: Description : Objective:
The purpose of this test is to verify that the switch can remap user priorities of incoming packets as required by RFC 4675

Requirements:
A PC or a second switch to act as an 802.1X supplicant
A PC or a traffic generator (IXIA or equivalent) to act as a client for MAC authentication
A RADIUS server (Free RADIUS or other)
3 multiport repeaters (hubs) (one is sufficient but would require running some sections of the test multiple times)
Note: setup for RADIUS servers other than Free RADIUS is not addressed in this test document.

Setup:
Note: This network setup serves as an example only, and is intended to show one way to accomplish the objectives of the test, rather than to limit the test to a particular setup.

Connect 802.1X supplicant and a traffic generator (IXIA or equivalent) to port 1 of the DUT via repeater 1.
Connect mac-auth client and a traffic generator (IXIA or equivalent) to port 2 of the DUT via repeater 2 .
Connect a traffic analyzer (Wireshark or equivalent) to port 4 of the DUT
Connect the RADIUS server to port 20 of the DUT.

The 802.1X Supplicant device must be running supplicant software, and be set up to authenticate.
The Free RADIUS server "users" file (/etc/freeradius/users) must contain the following entry for 802.1X authentication and for Web authentication:

"priority" Auth-Type := CHAP, User-Password := "pass",
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
User-Priority-Table = 00000000,

The Free RADIUS server "users" file (/etc/freeradius/users) must contain the following entry for Mac authentication:

"000000000005" Auth-Type := CHAP, User-Password := "00000000005",
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
User-Priority-Table = 00000000,

Note: it is assumed that the RADIUS dictionary files etc. are set up to include entries required for RFC 4675, later versions
of FreeRADIUS include these by default.

Description:
RFC 4675 requires that compliant authenticators provide the ability to assign a port an egress VLAN either tagged or
untagged based on the VLAN name or VLAN ID.
It also requires the device to be able to remap user priorities of incoming packets.
This test verifies that the switch can remap user priorities of incoming packets as required.
This test is written for switches that remap all incoming values to a single priority.

Attachments:
Web authentication tips.doc (tips on how to set up web authentication)

Test: Execution Status : No Run
Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID: 74344

Test: Automated : Yes


Test: Automated Test Name : scripts/testSuite/networkSecurity/Radius/featureTesting/RADIUS_F_OnUserPriorityTable.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C166920

Steps :

Step 1 - DUT starting configuration
Description: This test case assumes a starting point of a blank configuration.
Clear the configuration (erase startup config).
Add VLANs :
    (vlan 1 ip address 10.1.100.101/24)
    (vlan 11 name tag11)
    (vlan 12 name tag12)
    (vlan 13 name untag13)
    (vlan 14 name untag14)
    (vlan 15 name priority)
    (vlan 15 tagged 1-4)
    (config)# radius-server host 23.0.0.218 key go4gold18
    DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
    aaa authentication port-access auth-mode client-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
    DUT(config)# aaa port-access dot1x authenticator enable
Enable mac authentication on the port
```
switch# configure terminal
switch(config)# interface 1/1/2
switch(config-if)#aaa authentication port-access mac-auth
switch(config-if-macauth)#enable
```
Expected Result: The erase startup config command should prompt the switch to reboot and return the configuration to the default values.
The Show running-config output should indicate that the authentication setup reflects the commands that were run in this step.

Step 2 - Network Setup
Description: Connect an 802.1X supplicant and IXIA port 1 to port 1 of the DUT via repeater 1.
Connect a Mac-auth client and IXIA port 2 to port 2 of the DUT via repeater 2.
Connect a traffic analyzer (IXIA port 4) to port 4 of the DUT.
Connect the RADIUS server to port 20 of the DUT.
Expected Result: The link LEDs should correctly indicate connections on DUT ports 1, 2, 3, 4, and 20.

Step 3 - RADIUS Server Setup
Description: Add the following entries to the Free RADIUS users file.
The first entry will be used by 802.1X user.
The second entry will be used by Mac auth users (the mac address of the client is used as the username and password).
Be sure to restart the RADIUS service after making changes to the users file.

Example configuration

"priority" Auth-Type := CHAP, User-Password := "pass"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
User-Priority-Table = 00000000,

"000000000005" Auth-Type := CHAP, User-Password := "00000000005"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
User-Priority-Table = 00000000,
Expected Result: The RADIUS server is configured properly to allow 802.1X authentication, and Mac authentication.

Step 4 - Authenticate the Supplicant / Clients
Description: Initiate authentication.
Bring the link state down and up on ports 1,2 (disconnect/reconnect).
On the 802.1X supplicant enter the username= priority, password= pass.
On the Mac Auth client by sending traffic into the port with a Mac address of 000000000005.
Check that each was authenticated.
Expected Result: The show command outputs should indicate that each of the users was successfully authenticated.

Step 5 - Verify the effects of the authentication
Description: Verify that each of the clients was authenticated and assigned to remap to User Priority= 00000000.
Port 1 is 802.1X authenticated
Port 2 is mac-authenticated
Expected Result: The show port-access command outputs should show 00000000 under Port COS.
The show qos port-priority command output should show 0 under Radius Override for each of the 3 ports.

Step 6 - Verify that egress packets contain the correct priority information
Description: Set IXIA port 1 to send tagged packets (vlan= 15 priority= other than RADIUS assigned value) with the Source Mac address of the 802.1x authenticated user onto DUT port 1 (ports 1-4 are tagged on VLAN 15).
Check that the X authenticated port (1) remaps the priority to the RADIUS assigned value.
Start the IXIA capture on DUT port 4.
Check that the captured packets contain the correct priority (RADIUS assigned attribute) value in the tag.
Stop the IXIA traffic on port 1.

Set IXIA port 2 to send tagged packets (vlan= 15 priority= other than RADIUS assigned value) with the Source Mac address of the Mac authenticated user onto DUT port 2 (ports 1-4 are tagged on VLAN 15).
Check that the Mac authenticated port (2) remaps the priority to the RADIUS assigned value.
Start the IXIA capture on DUT port 4.
Check that the captured packets contain the correct priority (RADIUS assigned attribute) value in the tag.
Stop the IXIA traffic on port 2.
Expected Result: The X authenticated port should remap the priority of the received packets to the value specified by the RADIUS assigned attribute.
The Mac authenticated port should remap the priority of the received packets to the value specified by the RADIUS assigned attribute.

Step 7 - Rerun the test for each of the valid values
Description: Change the RADIUS user entries to each of the 8 valid values, and rerun the test from step 3.
There are 8 valid values (00000000, 11111111, 22222222, 33333333, 44444444, 55555555, 66666666, 77777777)
See the following example:

"priority" Auth-Type := CHAP, User-Password := "pass",
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
User-Priority-Table = 11111111,

"000000000005" Auth-Type := CHAP, User-Password := "00000000005",
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
User-Priority-Table = 11111111,
Expected Result: As above

Step 8 - Rerun the test for invalid values
Description: Change the RADIUS user entries for the 2 users to invalid values, and rerun the test from step 3.
Invalid values would include (88888888, -11111111, aaaaaaaa etc.)
See the following example:

"priority" Auth-Type := CHAP, User-Password := "pass",
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
User-Priority-Table = 88888888,

"000000000005" Auth-Type := CHAP, User-Password := "00000000005",
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
User-Priority-Table = 88888888,
Expected Result: Authentication should fail for both authentication methods when invalid user priorities are used.
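The valid and invalid User-Priority-Table values in Steps 7 and 8, and the retagging that Step 6 checks in the capture, can be expressed as a small reference model. This is an added example, not the plan's automation script: it assumes the value is carried as eight ASCII digits '0' to '7' (as the users-file entries above suggest), with octet i giving the priority that replaces incoming priority i, and all function names are hypothetical.

```python
def parse_user_priority_table(value):
    """Return the 8 regenerated priorities, or raise ValueError.

    Assumption: the attribute value is exactly 8 octets, each an ASCII
    digit '0'..'7'; octet i replaces incoming priority i.
    """
    if isinstance(value, str):
        # Non-ASCII characters become '?', which fails the range check below.
        value = value.encode("ascii", errors="replace")
    if len(value) != 8:
        raise ValueError(f"expected 8 octets, got {len(value)}")
    table = []
    for i, octet in enumerate(value):
        if not 0x30 <= octet <= 0x37:
            raise ValueError(f"octet {i} is {octet:#04x}, not ASCII '0'..'7'")
        table.append(octet - 0x30)
    return table


def is_single_priority(table):
    """True when every incoming priority maps to the same value, which is
    the only kind of table this test plan exercises."""
    return len(set(table)) == 1


def remap_tci(tci, table):
    """Rewrite the 3 priority bits of a 16-bit 802.1Q TCI.
    The DEI bit and the 12-bit VLAN ID are preserved."""
    if not 0 <= tci <= 0xFFFF:
        raise ValueError("TCI is a 16-bit field")
    pcp = tci >> 13
    return (table[pcp] << 13) | (tci & 0x1FFF)


def expected_outcome(value):
    """Outcome the test plan expects for a given users-file value."""
    try:
        table = parse_user_priority_table(value)
    except ValueError:
        return "reject"              # Step 8: authentication should fail
    if is_single_priority(table):
        return "accept"              # Step 7: one of the 8 valid values
    return "well-formed-not-tested"  # mixed table, outside this plan's scope


# Values quoted in Steps 7 and 8 of the test plan.
VALID = [str(d) * 8 for d in range(8)]
INVALID = ["88888888", "-11111111", "aaaaaaaa"]

if __name__ == "__main__":
    for v in VALID + INVALID + ["01234567"]:
        print(f"{v!r:14} -> {expected_outcome(v)}")
    # Constructed tag: VLAN 15 sent with priority 5, table "33333333".
    tci_in = (5 << 13) | 15
    tci_out = remap_tci(tci_in, parse_user_priority_table("33333333"))
    print(f"TCI {tci_in:#06x} -> {tci_out:#06x} (priority {tci_out >> 13})")
```

Comparing the priority bits of frames captured on DUT port 4 against `remap_tci` for the sent tag gives a pass/fail check for each of the eight valid tables.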

1.1.1.1.1.1.2.45. Test: Test Name : 802.1x_RADIUS Assigned VLAN


Test: Test ID :166921
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 25/1/2019
Test: Type : MANUAL

Test: Description : REQUIREMENTS:


This test case will verify that the DUT is able to override a VLAN configuration for a port in which a successful
authentication has occurred. The DUT will "move" the VLAN for the port, after having received the following RADIUS
attributes:
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=<DESIRED_VLAN_OTHER_THAN_DEFAULT>
Tunnel-Type=VLAN
An example freeRadius configuration would look similar to the following "users" file entry:
myuser User-Password=="mypass"
Tunnel-Medium-Type = 6,
Tunnel-Type = VLAN,
Tunnel-Private-Group-ID = 100

REFERENCES:
RFC 3580 - IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
http://www.faqs.org/rfcs/rfc3580.html

RFC 4675 - RADIUS Attributes for Virtual LAN and Priority Support
http://www.faqs.org/rfcs/rfc4675.html

Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)
www.procurve.com

SETUP:
Single node setup with single 802.1x client connected to single port.

1. Enable 802.1x authentication on applicable ports

2. Configure the 802.1x authentication for radius
example: aaa authentication port-access eap-radius

3. Activate 802.1x authentication on DUT

4. Configure a radius server for authentication and create one user account.

5. Create a VLAN on the DUT that the user can be 'moved' into. In most cases it is best to setup a couple of VLANs e.g.
VLAN 100 and VLAN 101 for example with DHCP scopes that would provide different ranges of IP leases. If the right IP
Address range is received on the client then it is clear that the correct VLAN was applied. Leave the port untagged in the
Default VLAN or some other VLAN until a successful authentication occurs.

Topology:
Supplicant--------------DUT----------------Radius Server

Test: Execution Status : No Run


Test: Comments : Adolfo Duarte <adolfo.duarte_hp.com>, 2/23/2009: Previously under:
8021x Raddius Assigned Attributes

Test: Automated : Dev Funnel


Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : No
Test: Regression : Security
Test: Script Library Parameters : 60
Test: Test Sub-Area : System Functional
Test: Automation/Product CR : System
Test: BP Filter: HP
Test: GUID: ALMTP157C166921

Steps :

Step 1
Description: Authenticate a workstation using the 802.1x supplicant, and verify that the correct VLAN is applied to the port, after a successful authentication.
    (config)# radius-server host 23.0.0.218 key go4gold18
    DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
    aaa authentication port-access auth-mode client-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
    DUT(config)# aaa port-access dot1x authenticator enable
Expected Result: The user is successfully authenticated, and the port is 'moved' to the desired VLAN.
Verify port is moved within 4 sec
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step 2
Description: Change the Tunnel-Private-Group-ID attribute on the RADIUS server, and re-authenticate the client.
Expected Result: The user is successfully authenticated, and the port is 'moved' to the desired VLAN. If you configured DHCP for that vlan you should obtain the correct ip address.
Verify the port is moved within 4 sec

Step 3
Description: Apply a VLAN for Tunnel-Private-Group-ID, that does not exist on the DUT, and re-authenticate the client.
Expected Result: The client fails authentication even though the correct username and password are used.
1.1.1.1.1.1.2.46. Test: Test Name : Disconnect_Message_PC_Behind_IP_Phone
Test: Test ID :166922
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 25/1/2019
Test: Type : MANUAL
Test: Description : Objective:

The purpose of this test case is to verify functionality of session timeout VSA to force reauthenticate clients in
1. Mac Client - IP Phone
2. 802.1x Client - PC
PC Behind IP Phone Scenario
Requirements:

Single DUT
Mac Client
802.1x Client
Radius Server
Topology:
Supplicant and Ixia (Phone)------Hub--------DUT----------------Radius Server
Feature Description:
1. The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication session after it is authenticated
2. SESSION-TIMEOUT being an IETF attribute, it has been used on RADIUS-CoA to trigger reauthentication after a specified time period

Advantages:
1. Customers can reauthenticate only suspicious clients by sending Radius CoA with Session Timeout Attribute without traffic disruption
2. SESSION-TIMEOUT being an IETF attribute, this should work across vendors.
3. It enables a unified interface in a RADIUS server to trigger reauthentication of clients across multi vendor access switches

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID: 153409

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C166922

Steps :

Step 1
Description: Configure Vlan with ip-address.
Expected Result: Verify the configuration changes using "show run".

Step 2
Description: Configure radius server on the same subnet as the vlan ip address configured on Step 1.
    radius-server host 23.0.0.218 key go4gold18
Expected Result: Verify the configuration changes using "show run".

Step 3
Description: Configure two vlans in the DUT.
    vlan <id>
    exit
    vlan <id>
    exit
Expected Result: Verify the configuration changes using "show run".

Step 4
Description: Configure 802.1x and mac authentication on the same port connected to PC behind IP Phone.
    DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
    aaa authentication port-access auth-mode client-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
    DUT(config)# aaa port-access dot1x authenticator enable
Enable mac authentication on the port
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)#aaa authentication port-access mac-auth
switch(config-if-macauth)#enable
```
Expected Result: Verify the configuration changes using "show run".

Step 5
Description: Start supplicant in 802.1x configured windows port and traffic from mac auth configured phone.
Expected Result: Verify the clients are placed in user role using
1. show port-access <port> clients detailed

Step 6
Description: Start sending traffic from 802.1x and mac auth port to a destination ixia ports placed in corresponding data vlans.
    Vlan <data-vlan-1>
    untag <destination-ixia-port1>
    Vlan <data-vlan-2>
    untag <destination-ixia-port2>
Expected Result: Verify the traffic is successfully flowing.

Step 7
Description: Send a Radius Disconnect Message to deauthenticate the 802.1x Client.

Step 8
Description: Run the debug session in switch to verify the DM ACK is sent.
Expected Result: Verify the debug logs. When DM is sent from radius server, switch does the following for the 802.1x client
1. DM ACK is received
2. * show aaa authentication port-access interface all client-status
3. Verify only PC is deauthenticated when port-bounce is received and Phone remains in authenticated state

1.1.1.1.1.1.2.47. Test: Test Name : 802.1x_01_CLI_Help_Text_Verification
Test: Test ID :166923
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 25/1/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the help text and Tab options of the 802.1x CLIs
Requirement:
Switch
Reference:
https://code-nos.rose.rdlabs.hpecorp.net:8443/c/halon/+/51552/34/halon-src/hpe-docs/Functionality_Guide_PortAccess_WIP.md

Test: Execution Status : No Run

Test: Automated : Dev Funnel


Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 244909
Test: BP Filter: HPE
Test: GUID: ALMTP157C166923

Steps :
Step Name Description Expected Result
Step 1
Verify the help text and CLI tab option of the below configuration CLIs
### Enable or disable 802.1X authentication on switch
#### Syntax
`aaa authentication port-access dot1x authenticator (enable | disable)`
#### Help
| Token | Help string |
|----------------|--------------------------------------------------|
| aaa | Authentication, Authorization and Accounting. |
| authentication | Configure the authentication feature. |
| port-access | Configure the port access authentication method. |
| dot1x | Configure the switch for 802.1X feature. |
| authenticator | Configure the switch as an 802.1X authenticator. |
| enable | Enable 802.1X authentication on switch. |
| disable | Disable 802.1X authentication on switch. |
#### Description
Enable or disable 802.1X authenticator feature globally.
Default: *disabled*
#### Authority
Admin
#### Parameters
No parameters.
#### Examples
Enable 802.1X authentication on the switch:
```
switch# configure terminal
switch(config)# aaa authentication port-access dot1x authenticator enable
switch(config)#
```
OR
```
switch# configure terminal
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# enable
switch(config-dot1x-auth)#
```
Disable 802.1X authentication on the switch:
```
switch# configure terminal
switch(config)# aaa authentication port-access dot1x authenticator disable
switch(config)#
```
OR
```
switch# configure terminal
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# disable
switch(config-dot1x-auth)#
```
### Delete global 802.1X authenticator configuration
#### Syntax
`no aaa authentication port-access dot1x authenticator`
#### Help
#### Description
Delete global 802.1X authenticator configuration.
This also disables 802.1X authentication on the switch if enabled.
#### Authority
Admin
#### Parameters
No parameters.
#### Examples
Delete global 802.1X authenticator configuration:
```
switch# configure terminal
switch(config)# no aaa authentication port-access dot1x authenticator
switch(config)#
```
### Configure 802.1X authentication method
#### Syntax
`[no] aaa authentication port-access dot1x authenticator auth-method <chap-radius|eap-radius>`
#### Help
| Token          | Help string                                                                   |
|----------------|-------------------------------------------------------------------------------|
| auth-method    | Configure the type of authentication method on switch. Default is eap-radius. |
| *chap-radius*  | Use CHAP (MD5) capable RADIUS server.                                         |
| *eap-radius*   | Use EAP capable RADIUS server.                                                |
#### Description
Configure the authentication mechanism used to control access to the
network.
The configured authentication method will be used to authenticate 802.1X
clients.
The no form of the command resets it to default.
Default: *eap-radius*
#### Authority
Admin
#### Parameters
Choose one of the parameters from the following table to configure the
authentication method to use.
| Parameter      | Status   | Syntax      | Description                          |
|----------------|----------|-------------|--------------------------------------|
| *chap-radius*  | Required | chap-radius | Use CHAP (MD5) capable RADIUS server |
| *eap-radius*   | Required | eap-radius  | Use EAP capable RADIUS server        |
#### Examples
Configure 802.1X authentication method as chap-radius:
```
switch# configure terminal
switch(config)# aaa authentication port-access dot1x authenticator auth-method chap-radius
switch(config)#
```
OR
```
switch# configure terminal
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# auth-method chap-radius
switch(config-dot1x-auth)#
```
Reset 802.1X authentication method to default:
```
switch# configure terminal
switch(config)# no aaa authentication port-access dot1x authenticator auth-method
switch(config)#
```
OR
```
switch# configure terminal
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# no auth-method
switch(config-dot1x-auth)#
```
### Configure RADIUS server group for 802.1X
#### Syntax
`[no] aaa authentication port-access dot1x authenticator radius server-group <group-name>`
#### Help
| Token          | Help string                                |
|----------------|--------------------------------------------|
| radius         | Configure the RADIUS specific information. |
| server-group   | Specify the server group to use.           |
| *group-name*   | Enter an ASCII string.                     |
#### Description
Configure an existing RADIUS server group to be used for 802.1X
authentication.
The no form of the command resets it to default.
Default: *radius*
#### Authority
Admin
#### Parameters
| Parameter      | Status   | Syntax      | Description                                                                  |
|----------------|----------|-------------|------------------------------------------------------------------------------|
| *group-name*   | Required | group-name  | The name of the RADIUS server group to associate with 802.1X authentication. |
#### Examples
Configure 802.1X to use RADIUS server group 'employee':
```
switch# configure terminal
switch(config)# aaa authentication port-access dot1x authenticator radius server-group employee
switch(config)#
```
OR
```
switch# configure terminal
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# radius server-group employee
switch(config-dot1x-auth)#
```
Reset 802.1X RADIUS server group configuration to default:
```
switch# configure terminal
switch(config)# no aaa authentication port-access dot1x authenticator radius server-group
switch(config)#
```
OR
```
switch# configure terminal
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# no radius server-group
switch(config-dot1x-auth)#
```
### Enable 802.1X authentication on a port
#### Syntax
`aaa authentication port-access dot1x authenticator enable`
#### Help
| Token | Help string |
|----------------|-----------------------------------------|
| enable | Enable 802.1X authentication on a port. |
#### Description
Enable 802.1X authentication on a port.
#### Authority
Admin
#### Parameters
No parameters.
#### Examples

Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# enable
switch(config-if-dot1x-auth)#
```
### Disable 802.1X authentication on a port
#### Syntax
`aaa authentication port-access dot1x authenticator disable`
#### Help
| Token | Help string |
|----------------|------------------------------------------|
| disable | Disable 802.1X authentication on a port. |
#### Description
Disable 802.1X authentication on a port.
#### Authority
Admin
#### Parameters
No parameters.
#### Examples
Disable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator disable
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# disable
switch(config-if-dot1x-auth)#
```
### Delete 802.1X authentication configuration on a port
#### Syntax
`no aaa authentication port-access dot1x authenticator`
#### Help
#### Description
Delete 802.1X authentication configuration on a port.
This also disables 802.1X authentication on the port if enabled.
#### Authority
Admin
#### Parameters
No parameters.
#### Examples
Delete 802.1X authentication configuration on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# no aaa authentication port-access dot1x authenticator
switch(config-if)#
```
### Enable cached re-authentication on a port

#### Syntax
`[no] aaa authentication port-access dot1x authenticator cached-reauth`
#### Help
| Token | Help string |
|----------------|------------------------------------------------|
| cached-reauth | Configure cached re-authentication of clients. |
#### Description
Enable cached re-authentication of clients.
The no form of the command disables cached re-authentication.
Default: *disabled*
#### Authority
Admin
#### Parameters
No parameters.
#### Examples
Enable cached re-authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator cached-reauth
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# cached-reauth
switch(config-if-dot1x-auth)#
```
Disable cached re-authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# no aaa authentication port-access dot1x authenticator cached-reauth
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# no cached-reauth
switch(config-if-dot1x-auth)#
```
### Configure cached re-authentication period on a port
#### Syntax
`[no] aaa authentication port-access dot1x authenticator cached-reauth-period <cached-reauth-period>`
#### Help
| Token                  | Help string                                                                                            |
|------------------------|--------------------------------------------------------------------------------------------------------|
| cached-reauth-period   | Time in seconds, during which cached re-authentication is allowed on the port. Default is 30 seconds. |
| *cached-reauth-period* | Specify the cached-reauth-period in seconds.                                                           |
#### Description
Configure the period of time during which an authenticated client that fails
re-authentication due to RADIUS server being unreachable will continue in
authenticated state.
The no form of the command resets it to default.
Default: *30 seconds*

#### Authority
Admin
#### Parameters
| Parameter | Status | Syntax | Description |
|------------------------|----------|-----------|---------------------|
| *cached-reauth-period* | Required | Integer | A value in seconds. |
#### Examples
Configure cached re-auth period on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator cached-reauth-period 300
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# cached-reauth-period 300
switch(config-if-dot1x-auth)#
```
Reset cached re-auth period to default on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# no aaa authentication port-access dot1x authenticator cached-reauth-period
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x
switch(config-if-dot1x)# no authenticator cached-reauth-period
switch(config-if-dot1x)#
```
### Configure maximum authentication attempts on a port
#### Syntax
`[no] aaa authentication port-access dot1x authenticator max-retries <max-retries>`
#### Help
| Token          | Help string                                                                                                     |
|----------------|-----------------------------------------------------------------------------------------------------------------|
| max-retries    | Configure the number of attempts to authenticate a client before failing authentication. Default is 2 retries. |
| *max-retries*  | Maximum number of retries.                                                                                      |
#### Description
Configure the number of authentication attempts that must time-out before
authentication fails and the authentication session ends.
The no form of the command resets it to default.
Default: *2*
#### Authority
Admin
#### Parameters
| Parameter       | Status   | Syntax    | Description                                              |
|-----------------|----------|-----------|----------------------------------------------------------|
| *max-retries*   | Required | Integer   | A value indicating the number of authentication attempts. |

#### Examples
Configure maximum authentication attempts on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator max-retries 5
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# max-retries 5
switch(config-if-dot1x-auth)#
```
Reset the maximum authentication attempts on a port to default:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# no aaa authentication port-access dot1x authenticator max-retries
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# no max-retries
switch(config-if-dot1x-auth)#
```
### Configure quiet period on a port
#### Syntax
`[no] aaa authentication port-access dot1x authenticator quiet-period <quiet-period>`
#### Help
| Token          | Help string                                                                                              |
|----------------|----------------------------------------------------------------------------------------------------------|
| quiet-period   | Configure the period during which the port does not try to acquire a supplicant. Default is 60 seconds. |
| *quiet-period* | Specify the quiet-period in seconds.                                                                     |
#### Description
Configure the period during which the port does not try to acquire a
supplicant.
The period begins after the last attempt authorized by the max-requests
parameter fails.
The no form of the command resets it to default.
Default: *60 seconds*
#### Authority
Admin
#### Parameters
| Parameter | Status | Syntax | Description |
|-----------------|----------|-----------|--------------------------------|
| *quiet-period* | Required | Integer | A value in seconds. |
#### Examples
Configure quiet period on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator quiet-period 100
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# quiet-period 100
switch(config-if-dot1x-auth)#
```
Reset the quiet period on a port to default:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# no aaa authentication port-access dot1x authenticator quiet-period
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# no quiet-period
switch(config-if-dot1x-auth)#
```
### Enable periodic re-authentication on a port
#### Syntax
`[no] aaa authentication port-access dot1x authenticator reauth`
#### Help
| Token | Help string |
|----------------|------------------------------------------------|
| reauth | Enable periodic re-authentication on the port. |
#### Description
Enable periodic re-authentication of clients.
The no form of the command disables periodic re-authentication.
Default: *disabled*
#### Authority
Admin
#### Parameters
No parameters.
#### Examples
Enable periodic re-authentication on the port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator reauth
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# reauth
switch(config-if-dot1x-auth)#
```
Disable periodic re-authentication on the port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# no aaa authentication port-access dot1x authenticator reauth
switch(config-if)#
```

OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# no reauth
switch(config-if-dot1x-auth)#
```
### Configure re-authentication period on a port
#### Syntax
`[no] aaa authentication port-access dot1x authenticator reauth-period <reauth-period>`
#### Help
| Token           | Help string                                                                 |
|-----------------|-----------------------------------------------------------------------------|
| reauth-period   | Configure the re-authentication timeout in seconds. Default is 30 seconds. |
| *reauth-period* | Specify reauth-period in seconds.                                           |
#### Description
Configure the period of time after which connected clients must be
re-authenticated. Re-authentication must also be enabled on the interface.
The no form of the command resets it to default.
Default: *30*
#### Authority
Admin
#### Parameters
| Parameter | Status | Syntax | Description |
|-----------------|----------|-----------|----------------------|
| *reauth-period* | Required | Integer | A value in seconds. |
#### Examples
Configure re-authentication period on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator reauth-period 100
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# reauth-period 100
switch(config-if-dot1x-auth)#
```
Reset re-authentication period on a port to default:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# no aaa authentication port-access dot1x authenticator reauth-period
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# no reauth-period
switch(config-if-dot1x-auth)#
```
### Configure discovery period on a port
#### Syntax
`[no] aaa authentication port-access dot1x authenticator discovery-period <discovery-period>`
#### Help
| Token               | Help string                                                                                 |
|---------------------|---------------------------------------------------------------------------------------------|
| discovery-period    | Configure the EAPOL Request Identity packet re-transmission period. Default is 30 seconds. |
| *discovery-period*  | Specify discovery-period in seconds.                                                        |
#### Description
Configure the period the port waits to retransmit the next EAPOL request
identity frame on an 802.1X enabled port with no authenticated client.
The no form of the command resets it to default.
Default: *30 seconds*
#### Authority
Admin
#### Parameters
| Parameter | Status | Syntax | Description |
|------------------------|----------|-----------|--------------------------------|
| *discovery-period* | Required | Integer | A value in seconds. |
#### Examples
Configure discovery period on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator discovery-period 120
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# discovery-period 140
switch(config-if-dot1x-auth)#
```
Reset discovery period on a port to default:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# no aaa authentication port-access dot1x authenticator discovery-period
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# no discovery-period
switch(config-if-dot1x-auth)#
```
### Configure EAPOL timeout on a port
#### Syntax
`[no] aaa authentication port-access dot1x authenticator eapol-timeout <eapol-timeout>`
#### Help
| Token               | Help string                                                                                  |
|---------------------|----------------------------------------------------------------------------------------------|
| eapol-timeout       | Configure the time period to wait for client's response before retransmitting an EAPOL PDU. |
| *eapol-timeout*     | Specify eapol-timeout in seconds.                                                            |
#### Description
Configure the period of time the switch waits for a response from a client
before retransmitting an EAPOL PDU.
If the value is 0, the time period is calculated as per RFC 2988.
```
RFC 2988 2.1: Before RTT measurement, set RTO to 3 seconds for initial
retransmission and then double the RTO to provide back off per 5.5.
Limit the maximum RTO to 20 seconds per RFC 3748, 4.3 modified
RTOmax.
```
Default: *0*
#### Authority
Admin.
#### Parameters
| Parameter | Status | Syntax | Description |
|----------------------|----------|-----------|---------------------|
| *eapol-timeout* | Required | Integer | A value in seconds. |
#### Examples
Configure EAPOL timeout on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator eapol-timeout 120
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# eapol-timeout 140
switch(config-if-dot1x-auth)#
```
Reset EAPOL timeout on a port to default:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# no aaa authentication port-access dot1x authenticator eapol-timeout
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# no eapol-timeout
switch(config-if-dot1x-auth)#
```
### Configure maximum EAPOL requests on a port
#### Syntax
`[no] aaa authentication port-access dot1x authenticator max-eapol-requests <max-eapol-requests>`
#### Help
| Token                 | Help string                                                                                                                     |
|-----------------------|---------------------------------------------------------------------------------------------------------------------------------|
| max-eapol-requests    | Configure the maximum number of EAPOL requests to send to a supplicant before authentication fails. Default is 5 requests.     |
| *max-eapol-requests*  | Specify the maximum number of EAPOL requests.                                                                                   |

#### Description
Configure the number of EAPOL requests to send to a supplicant that must
time-out before authentication fails and the authentication session ends.
The no form of the command resets it to default.
Default: *5*
#### Authority
Admin
#### Parameters
| Parameter             | Status   | Syntax    | Description                                      |
|-----------------------|----------|-----------|--------------------------------------------------|
| *max-eapol-requests*  | Required | Integer   | A value indicating the number of EAPOL requests. |
#### Examples
Configure maximum EAPOL requests on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator max-eapol-requests 3
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# max-eapol-requests 3
switch(config-if-dot1x-auth)#
```
Reset the maximum EAPOL requests on a port to default:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# no aaa authentication port-access dot1x authenticator max-eapol-requests
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# no max-eapol-requests
switch(config-if-dot1x-auth)#
```
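The `eapol-timeout`, `max-eapol-requests` and `quiet-period` settings together determine how long a silent supplicant occupies a port before authentication fails and before the port tries again. The Python model below is an added example, not code from the original guide; it applies the quoted RFC 2988 backoff (3 seconds, doubling, capped at 20 seconds) and assumes that every request waits its full timeout and that the quiet period starts immediately after the last one.

```python
from typing import List

RTO_INITIAL = 3   # seconds: initial RTO quoted above from RFC 2988, 2.1
RTO_MAX = 20      # seconds: cap quoted above from RFC 3748, 4.3


def eapol_wait_schedule(eapol_timeout: int, max_eapol_requests: int) -> List[int]:
    """Seconds the authenticator waits after each EAPOL request it sends."""
    if eapol_timeout < 0 or max_eapol_requests < 1:
        raise ValueError("eapol-timeout must be >= 0 and max-eapol-requests >= 1")
    if eapol_timeout > 0:
        # Assumption: a non-zero eapol-timeout is a fixed wait per request.
        return [eapol_timeout] * max_eapol_requests
    # eapol-timeout 0: start at 3 s, double after each timeout, cap at 20 s.
    schedule, rto = [], RTO_INITIAL
    for _ in range(max_eapol_requests):
        schedule.append(min(rto, RTO_MAX))
        rto *= 2
    return schedule


def seconds_until_failure(eapol_timeout: int = 0, max_eapol_requests: int = 5) -> int:
    """Worst-case time before the session is failed for a silent client."""
    return sum(eapol_wait_schedule(eapol_timeout, max_eapol_requests))


def seconds_until_next_attempt(eapol_timeout: int = 0,
                               max_eapol_requests: int = 5,
                               quiet_period: int = 60) -> int:
    """Failure time plus the quiet period during which no supplicant is acquired."""
    if quiet_period < 0:
        raise ValueError("quiet-period must be >= 0")
    return seconds_until_failure(eapol_timeout, max_eapol_requests) + quiet_period


if __name__ == "__main__":
    cases = [
        ("defaults (timeout 0, 5 requests)", 0, 5, 60),
        ("eapol-timeout 140, max-eapol-requests 5", 140, 5, 60),
        ("eapol-timeout 120, max-eapol-requests 3, quiet-period 100", 120, 3, 100),
    ]
    for label, timeout, requests, quiet in cases:
        print(label)
        print("  waits:", eapol_wait_schedule(timeout, requests))
        print("  fails after:", seconds_until_failure(timeout, requests), "s")
        print("  next attempt after:",
              seconds_until_next_attempt(timeout, requests, quiet), "s")
```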
### Configure force authorized on a port
#### Syntax
`[no] aaa authentication port-access dot1x authenticator authorized`
#### Help
| Token           | Help string                                                                                                     |
|-----------------|-----------------------------------------------------------------------------------------------------------------|
| authorized      | Enable an authenticated client to stay in the same state if server reachability fails during re-authentication. |
#### Description
Configure authenticated clients to continue in authenticated state if the
re-authentication of the client fails due to RADIUS server being
unreachable.
#### Authority
Admin
#### Parameters
No parameters.
#### Examples

Enable force authorized on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator authorized
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# authorized
switch(config-if-dot1x-auth)#
```
Disable force authorized on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# no aaa authentication port-access dot1x authenticator authorized
switch(config-if)#
```
OR
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# no authorized
switch(config-if-dot1x-auth)#
```
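Several of the settings documented above keep a client authorized while the RADIUS server is unreachable (`cached-reauth`, `authorized`), select the MD5-based CHAP method, or have no effect unless a second command is present (`reauth-period` without `reauth`). The Python check below is an added example, not part of the original guide; the sample configuration is constructed, it assumes the running-config shows the one-line command form indented under each `interface` stanza, and the 300-second limit is a hypothetical local policy value.

```python
import re
from typing import Dict, List, Tuple

PREFIX = "aaa authentication port-access dot1x authenticator"

# Constructed sample, not captured from a switch.
SAMPLE_CONFIG = """\
aaa authentication port-access dot1x authenticator auth-method chap-radius
interface 1/1/1
    aaa authentication port-access dot1x authenticator enable
    aaa authentication port-access dot1x authenticator cached-reauth
    aaa authentication port-access dot1x authenticator cached-reauth-period 86400
    aaa authentication port-access dot1x authenticator reauth-period 100
interface 1/1/2
    aaa authentication port-access dot1x authenticator enable
    aaa authentication port-access dot1x authenticator authorized
    aaa authentication port-access dot1x authenticator reauth
interface 1/1/3
    aaa authentication port-access dot1x authenticator enable
    aaa authentication port-access dot1x authenticator reauth
    aaa authentication port-access dot1x authenticator reauth-period 3600
"""

FINDINGS = {
    "CHAP_MD5": "auth-method chap-radius relies on CHAP (MD5); default is eap-radius",
    "FORCE_AUTHORIZED": "authorized keeps clients authenticated while RADIUS is unreachable",
    "LONG_CACHED_REAUTH": "cached-reauth-period exceeds the local policy limit",
    "REAUTH_PERIOD_UNUSED": "reauth-period is set but reauth is not enabled",
}


def parse_dot1x(config: str) -> Dict[str, Dict[str, str]]:
    """Collect dot1x authenticator settings per scope ('global' or interface)."""
    scopes: Dict[str, Dict[str, str]] = {"global": {}}
    scope = "global"
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(\S+)$", line)
        if match:
            scope = match.group(1)
            scopes.setdefault(scope, {})
            continue
        if raw and not raw[0].isspace():
            scope = "global"  # any other unindented line ends the interface stanza
        if not line.startswith(PREFIX):
            continue
        tokens = line[len(PREFIX):].split()
        if not tokens:
            continue  # bare context-entry command, carries no setting
        if tokens[:2] == ["radius", "server-group"]:
            key, value = "radius server-group", " ".join(tokens[2:])
        else:
            key = tokens[0]
            value = tokens[1] if len(tokens) > 1 else "true"
        scopes[scope][key] = value
    return scopes


def audit(scopes: Dict[str, Dict[str, str]],
          max_cached_period: int = 300) -> List[Tuple[str, str]]:
    """Return (scope, finding-code) pairs in configuration order."""
    results: List[Tuple[str, str]] = []
    for scope, cfg in scopes.items():
        if cfg.get("auth-method") == "chap-radius":
            results.append((scope, "CHAP_MD5"))
        if "authorized" in cfg:
            results.append((scope, "FORCE_AUTHORIZED"))
        period = cfg.get("cached-reauth-period", "30")  # documented default: 30 s
        if "cached-reauth" in cfg and period.isdigit() and int(period) > max_cached_period:
            results.append((scope, "LONG_CACHED_REAUTH"))
        if "reauth-period" in cfg and "reauth" not in cfg:
            results.append((scope, "REAUTH_PERIOD_UNUSED"))
    return results


if __name__ == "__main__":
    for scope, code in audit(parse_dot1x(SAMPLE_CONFIG)):
        print(f"{scope}: {code}: {FINDINGS[code]}")
```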

Step 2: Verify the help text and tab options of show commands
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step 3: Verify the help text and tab options of clear commands / diag-dump commands
* clear dot1x authenticator statistics
* diag-dump dot1x-authenticator basic [local-file] [timeout]
* debug port-access dot1x authenticator

1.1.1.1.1.1.2.48. Test: Test Name : 802.1x_02_SNMP_Read


Test: Test ID :167092
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 28/1/2019

Test: Type : MANUAL
Test: Description : Objective :
To Verify readability of 802.1x parameters through SNMP
Requirement:
Switch---------Work station
Reference:
https://code-nos.rose.rdlabs.hpecorp.net:8443/c/halon/+/51552/34/halon-src/hpe-
docs/Functionality_Guide_PortAccess_WIP.md

Test: Execution Status : No Run

Test: Automated : Dev Funnel


Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Test Area : SW Dev Feature
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C167092

Steps :

Step 1
Description: Connect the DUT to the workstation with SNMP Packages installed. Configure the DUT and SNMP Workstation to have reachability via management interface.
Expected Result: Verify the configuration using "show run"
```
switch# show running-config
Current configuration:
!
!Version ArubaOS-CX as5712.01.01.000X
session-timeout 0
user admin group administrators password ciphertext AQBapQNxLspI0FrTCUG3+w/RgE2+FEXWsYW+35LzZkb4ZLGlagAAADunzoexRUazV8oF5LWAXQEwRpmXa
!
!
!
snmp-server vrf default
snmp-server community public
snmp-server community vrf_default_community
snmpv3 user test1 auth md5 auth-pass ciphertext AQBapVuqYeTJuT8/BoIlC2z4MxtBXG0p1+fa1R7oFTgPrbYH
snmpv3 context vrf_default_context vrf default community vrf_default_community
snmpv3 user test1 context vrf_default_context
ssh server vrf default
```

Step 2
Description: Do the following SNMP walks of the 802.1x parameter values from the workstation.

1. Only Auth:
```
switch(config)# snmpv3 user password222 auth md5 auth-pass plaintext password
[root@Ubuntu.44.250 ~]# snmpwalk -v3 -u password222 -l authNoPriv -a md5 -A password 10.0.0.1 .1.
```

2. authpriv:
```
snmpv3 user password3 auth md5 auth-pass plai password priv des priv-pass pla password
[root@Ubuntu.44.250 ~]# snmpwalk -v3 -u password3 -l authpriv -a md5 -A password -x des -X password 10.0.0.1 .1.3
```

3. NoauthNopriv:
```
snmpwalk -v3 -u password333 -l NoAuthNoPriv 10.0.0.1 .1.3
```
Expected Result: Verify the 802.1x parameters value is displayed correctly

1.1.1.1.1.1.2.49. Test: Test Name : 802.1x_03_REST_Read
Test: Test ID :167093
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 28/1/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the readability of 802.1x parameters through REST Curl request
Requirement:
Switch-------Workstation
Reference:
https://code-nos.rose.rdlabs.hpecorp.net:8443/c/halon/+/51552/34/halon-src/hpe-
docs/Functionality_Guide_PortAccess_WIP.md

Test: Execution Status : No Run

Test: Automated : Dev Funnel


Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Test Area : SW Dev Feature
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C167093

Steps :

Step 1
Description: Connect the DUT to the workstation with CURL Packages installed. Configure the DUT and Workstation to have reachability via management interface.
Expected Result: Verify the configuration using "show run"

Step 2
Description: Try to read the values of the following 802.1x Parameters through REST
- Read [Enable or disable 802.1X authentication on switch](#enable-or-disable-8021x-authentication-on-switch)
- [Read global 802.1X authenticator enabled configuration](#delete-global-8021x-authenticator-configuration)
- [Read 802.1X authentication method](#configure-8021x-authentication-method)
- [Read RADIUS server group for 802.1X](#configure-radius-server-group-for-8021x)
- [Read 802.1X authentication on a port](#enable-8021x-authentication-on-a-port)
- [Read cached re-authentication on a port](#enable-cached-re-authentication-on-a-port)
- [Read cached re-authentication period on a port](#configure-cached-re-authentication-period-on-a-port)
- [Read maximum authentication attempts on a port](#configure-maximum-authentication-attempts-on-a-port)
- [Read quiet period on a port](#configure-quiet-period-on-a-port)
- [Read periodic re-authentication on a port](#enable-periodic-re-authentication-on-a-port)
- [Read re-authentication period on a port](#configure-re-authentication-period-on-a-port)
- [Read discovery period on a port](#configure-discovery-period-on-a-port)
- [Read EAPOL timeout on a port](#configure-eapol-timeout-on-a-port)
- [Read maximum EAPOL requests on a port](#configure-maximum-eapol-requests-on-a-port)
- [Read force authorized on a port](#configure-force-authorized-on-a-port)

1.1.1.1.1.1.2.50. Test: Test Name : 802.1x_04_REST_Write
Test: Test ID :167148
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 28/1/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the configurability of 802.1x parameters through REST Curl request
Requirement:
Switch-------Workstation
Reference:
https://code-nos.rose.rdlabs.hpecorp.net:8443/c/halon/+/51552/34/halon-src/hpe-
docs/Functionality_Guide_PortAccess_WIP.md

Test: Execution Status : No Run

Test: Automated : Dev Funnel


Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Test Area : SW Dev Feature
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C167148

Steps :

Step 1
Description: Connect the DUT to the workstation with CURL Packages installed. Configure the DUT and Workstation to have reachability via management interface.
Expected Result: Verify the configuration using "show run"

Step 2
Description: Try to configure the values of the following 802.1x Parameters through REST
- [Enable or disable 802.1X authentication on switch](#enable-or-disable-8021x-authentication-on-switch)
- [Delete global 802.1X authenticator configuration](#delete-global-8021x-authenticator-configuration)
- [Configure 802.1X authentication method](#configure-8021x-authentication-method)
- [Configure RADIUS server group for 802.1X](#configure-radius-server-group-for-8021x)
- [Enable 802.1X authentication on a port](#enable-8021x-authentication-on-a-port)
- [Disable 802.1X authentication on a port](#disable-8021x-authentication-on-a-port)
- [Delete 802.1X authentication configuration on a port](#delete-8021x-authentication-configuration-on-a-port)
- [Enable cached re-authentication on a port](#enable-cached-re-authentication-on-a-port)
- [Configure cached re-authentication period on a port](#configure-cached-re-authentication-period-on-a-port)
- [Configure maximum authentication attempts on a port](#configure-maximum-authentication-attempts-on-a-port)
- [Configure quiet period on a port](#configure-quiet-period-on-a-port)
- [Enable periodic re-authentication on a port](#enable-periodic-re-authentication-on-a-port)
- [Configure re-authentication period on a port](#configure-re-authentication-period-on-a-port)
- [Configure discovery period on a port](#configure-discovery-period-on-a-port)
- [Configure EAPOL timeout on a port](#configure-eapol-timeout-on-a-port)
- [Configure maximum EAPOL requests on a port](#configure-maximum-eapol-requests-on-a-port)
- [Configure force authorized on a port](#configure-force-authorized-on-a-port)
Expected Result: Verify the configuration changes using "show run"

1.1.1.1.1.1.2.51. Test: Test Name : 802.1x_EAP_Retries_Timeout


Test: Test ID :167149
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 28/1/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the eap retries/timeout in both the precedence
Topology:
ixia Port2
|
DUT----Ixia port 1
Attachment : Steps to configure supplicant in ubuntu is attached in "Auth_Order_Feature_Testing" folder
Description:
Existing authentication feature does not allow the prioritization of Authentication methods (8021x and mac-auth). This
feature enhancement is to support prioritization concept, where a user can specify the preference of authentication
methods.
‘none’ is the default option, and preference is not provided.
A new CLI will be introduced for prioritization of the authentication methods. This new feature provides a configuration
command to add an authentication prioritization per port.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/01/2019: Test Case migrated from PVOS Test ID:
155516

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4

Test: Platform Independent : Y
Test: Plan Priority : 4 - Urgent
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 9/1/2019
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 177268
Test: BP Filter: HPE
Test: GUID: ALMTP157C167149

Steps :
Step Name Description Expected Result
Step 1
Description: Verify the DUT is in the default configuration
Expected Result: Verify using "show run"

Step 2
Description: Configure IP in the vlan having radius server connectivity
vlan 1
ip address 20.1.1.1/24
exit
Expected Result: Verify the configuration using "show run"

Step 3
Description: Configure the radius-server
radius-server host <ip-address> key <key>
Expected Result: Verify the configuration using "show run" and "show radius"

Step 4
Description: Configure the following in the ixia connected ports
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
Enable 802.1X and Mac authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)# aaa authentication port-access mac-auth
```
DUT(config)# aaa port-access dot1x authenticator enable
Expected Result: Verify the configuration changes using
1. Show run

Step 5
Description: Configure following order in the ixia connected ports
Ixia port 1
aaa authentication port-access auth-precedence dot1x mac-auth
Ixia port 2
aaa authentication port-access auth-precedence dot1x mac-auth
Expected Result: Verify the configuration changes using "show run"

Step 6
Start sending mac traffic from both the ixia ports

Step 7
Description: Configure EAP Retries and Timeout using the below CLIs
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator
switch(config-if-dot1x-auth)# eapol-timeout 140
switch(config-if-dot1x-auth)# max-eapol-requests 5
Expected Result: Verify the configuration using "show run"

Step 8
Verify the following for ixia port 1
1. After 5 eap-retries the switch starts mac authentication for the ixia port 1 mac-address, with each eapol timeout as 140 seconds

Step 9
Verify the following for ixia port 2
1. Mac authentication of the mac will fail since no radius servers are configured, so it will fall back to 802.1x
2. Switch tries 5 eap-retries with a 140 seconds timeout each for the ixia mac traffic

1.1.1.1.1.1.2.52. Test: Test Name : 802.1x_Quiet_Discovery_Authentication_Attempts
Test: Test ID :167368
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 29/1/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the behaviour of the following 802.1x parameters
1. Quiet-Period
2. Discovery-Period
3. Authentication Attempts
Topology:
DUT-----Radius Server
|
Supplicant

Quiet-period parameter sets the amount of time that the switch will refrain from attempting to authenticate a client, after a
failed attempt, with the client constantly attempting to access the network.
The purpose of this test is to verify:
a) The Quiet Period feature of the switch correctly performs its intended function.
b) The Quiet Period can be set within the range of values specified in the CLI options
### Configure maximum authentication attempts on a port
#### Syntax
`[no] aaa authentication port-access dot1x authenticator max-retries <max-retries>`
#### Help
| Token | Help string |
|---|---|
| max-retries | Configure the number of attempts to authenticate a client before failing authentication. Default is 2 retries. |
| *max-retries* | Maximum number of retries. |
#### Syntax
`[no] aaa authentication port-access dot1x authenticator discovery-period <discovery-period>`
#### Help
| Token | Help string |
|---|---|
| discovery-period | Configure the EAPOL Request Identity packet re-transmission period. Default is 30 seconds. |
| *discovery-period* | Specify discovery-period in seconds. |
#### Description
Configure the period the port waits to retransmit the next EAPOL request
identity frame on an 802.1X enabled port with no authenticated client.
The no form of the command resets it to default.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
36649

Test: Automated : Yes


Test: Automated Test Name : scripts\testSuite\networkSecurity\Mac Authentication\Timing\macAuthQuietPeriod.tcl
Test: Automation Progress : 4 - Released to Production
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0

Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C167368

Steps :
Step Name Description Expected Result
Step 1 Configuration
Description: 1. Configure the DUT as follows:
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
DUT(config)# aaa port-access dot1x authenticator enable
Expected Result:
1. Dut is configured without errors
2. Configuration remains constant - see Stepnotes

Step 2
Description: Configure the following timers and authentication attempts
interface 1/1/1
aaa authentication port-access dot1x authenticator discovery-period 120
aaa authentication port-access dot1x authenticator quiet-period 100
aaa authentication port-access dot1x authenticator max-retries 4
Expected Result: Verify the configuration changes using "show run"

Step 3
Description: Verify the discovery period functionality before connecting a supplicant
Expected Result: Verify Switch sends eap request messages only after 120 seconds once

Step 4
Description: Do not configure the supplicant credentials in the radius server and start the supplicant service
Expected Result: Verify switch retries the authentication attempts for the client 4 retries and stops the retries for 100 seconds of quiet period before starting the authentication process again

1.1.1.1.1.1.2.53. Test: Test Name : 802.1x_4.01_HA_-_Redundancy_Switchover
Test: Test ID :167823
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 31/1/2019
Test: Type : MANUAL
Test: Description : Objective:
Verify 802.1x authentication port states are maintained across a failover.

Requirements:
DUT Switch which supports 802.1x authentication and supports HA.
PC with supplicant software or Switch supplicant.
Radius Server.
Client PC

Setup:
Topology:
Supplicant--------------DUT----------------Radius Server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
104482

Test: Automated : Yes


Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1x_HA_redundancySwitchover.tcl
Test: Automation Progress : 4 - Released to Production
Test: Content Last Modified Date : 7/12/2018

Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 247188
Test: BP Filter: HPE
Test: GUID: ALMTP157C167823

Steps :
Step Name Description Expected Result
Call
Call <802.1x 1.01 Basic_Port_Based>

Step-2 Enable non-stop forwarding
Description: Enable nonstop forwarding (chassis based) or configure for stacking (stack based).
redundancy management-module nonstop-switching
Expected Result: DUT configured for nonstop-switching or stack is fully formed and all members joined.
verify using
show running-config
show stacking

Step-3 Authenticate supplicant
Description: Authenticate supplicant using correct credentials.
Verify using show port-access authenticator.
Start sending continuous traffic from client PC to supplicant.
Verify ping is successful
Expected Result: Supplicant is authenticated successfully.
Verify using "show port-access authenticator"
Traffic from client PC reaches supplicant.

Step-4 Redundancy switch over failover
Description: Ensure the ping from client PC is continuously running and reaches supplicant.
Do Fail-over using the command
redundancy switchover
Expected Result: Standby MM takes over as Active MM.
Verify there is no traffic loss during failover on client.
No re-authentication required for supplicant.

Step-5 Redundancy switch over failback
Description: Once the active MM boots as standby MM do a fail-back by running
redundancy switchover
Expected Result: Former active MM will be active again
Verify there is no traffic loss during failback on client.
No re-authentication required for supplicant.

Step-6-Stacking Switches
For stacking switches repeat the above steps by connecting the supplicant to standby

1.1.1.1.1.1.2.54. Test: Test Name : 802.1x_Force_Authorized_Reauthentication
Test: Test ID :168523
Test: Subject : Functionality_Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/2/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the functionality of force authorized in PC
Topology:
Radius Server 2
|
|
DUT-----------Radius Server 1
|
|
PC

Feature Description:
Existing authentication feature does not differentiate between an authentication failure due to a “radius-reject” and
“radius-not-being-reachable”. This feature enhancement is to support a “Critical VLAN” concept, wherein when a remote
authentication (mac-auth or 802.1x) starts for a client but the authentication server is not reachable, the client will be
placed in “Critical VLAN” instead of blocking the client.
Critical VLAN can be configured as tagged (voice) or untagged (data) VLAN. It can also be configured within a user-role,
in which case, we call that user-role as “Critical Role”. Therefore, when Critical-Role is configured, any client which fails
authentication due to authentication server not being reachable, will be applied with the Critical-Role.
This feature is configurable per-port and only applies to mac-based and 802.1x authentication.
Platforms being supported are 3810, 5400R, 2930F and 2930M

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
149894

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4

Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C168523

Steps :
Step Name Description Expected Result
Step 1
Description: Configure Vlan with ip-address
Aruba-Stack-3810M(config)# vlan 1
Aruba-Stack-3810M(vlan-1)# ip address 20.1.1.1/24
Aruba-Stack-3810M(vlan-1)# exit
Expected Result: Verify the configuration changes using "show run"

Step 2
Description: Configure two radius servers on the same subnet as the vlan ip address configured on Step1
radius-server host <ip-address> key <key> tracking
radius-server host <ip-address> key <key> tracking
radius-server tracking interval 60
Expected Result: Verify the configuration changes using "show run" and "show radius"

Step 3
Description: Configure two vlans in the DUT
vlan <id>
exit
vlan <id>
exit
Configure user-role
switch(config)# port-access role auth
switch(config-pa-role)# vlan access <vid>
switch(config-pa-role)# vlan trunk allowed <vid>
switch(config-pa-role)# exit
switch(config)#
Expected Result: Verify the configuration changes using "show run"

Step 4
Description: Configure 802.1x authentication on the port where pc is connected
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
DUT(config)# aaa port-access dot1x authenticator enable
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator authorized
switch(config-if)#
Expected Result: Verify the configuration changes using "show run"

Step 5
Description: Configure auth user-role with data-vlans on the port configured for 802.1x
switch# configure terminal
switch(config-if)# aaa authentication port-access auth-role auth
Expected Result: Verify the configuration changes using "show run"

Step 6
Description: Make both the radius server unreachable before starting the authentication and radius tracking should have learnt the servers are unreachable also
Expected Result: Verify using "show radius"

Step 7
Description: Start supplicant in 802.1x configured PC
Expected Result: Verify the clients are placed in auth role with force authorized state using
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

1.1.1.1.1.1.3. Subject\Production\SW Development\Feature Test Plans - Dev Handoff\802.1x\IFD_Analysis

Test List :

1.1.1.1.1.1.3.1. Test: Test Name : 802.1x_Trunk_Port


Test: Test ID :168389
Test: Subject : IFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 1/2/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the 802.1x feature is mutually exclusive with trunk ports
Requirement:
DUT---PC
|
Radius server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/01/2019: Test Case migrated from PVOS Test ID:
154465

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0

Test: Scripted Date : 9/1/2019
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 173699
Test: BP Filter: HPE
Test: GUID: ALMTP157C168389

Steps :
Step Name Description Expected Result
Step 1
Description: Reserve Switch from POD manager. Install required build using "Install build" option.
Expected Result: Build should be installed successfully without any errors.

Step 2
Description: Configure IP in the vlan having radius server connectivity
vlan 1
ip address 20.1.1.1/24
exit
Expected Result: Verify the configuration using "show run"

Step 3
Description: Configure radius-server using
radius-server host <ip-address> key <key>
Ensure 8021x credentials of PC are available in radius server
Expected Result: Verify the configuration using "show run" and "show radius"

Step 4
Description: Configure following CLIs on switch from configuration mode,
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
DUT(config)# aaa port-access dot1x authenticator enable
HP-Switch(config)# interface 1/1/1
Expected Result: Configuration should be applied properly. Validate the same using "show run" CLI.

Step 5
Description: Configure all type of trunk on the interface configured with 802.1x.
Expected Result: Verify switch throws error

Step 6
Description: Disable 802.1x authentication on the port and enable trunk on the port
Expected Result: Verify the trunk port configuration using "show run"

Step 7
Description: Repeat Step 4
Expected Result: Verify the switch throws error

1.1.1.1.1.1.3.2. Test: Test Name : Radius_F_35._Attributes_Dynamic_Xauthmode
Test: Test ID :168404
Test: Subject : IFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 1/2/2019
Test: Type : MANUAL
Test: Description : Objective:
The purpose of this test is to verify that RADIUS assigned VSAs effectively set the 802.1x mode to either client mode or
port mode, and that the related show command outputs are correct.

Requirements:
DUT switch that supports Dynamic RADIUS Attributes.
A RADIUS server with user accounts configured with the necessary VSAs.
A hub (multiport repeater) with at least 5 ports.
DUT switch that supports Dynamic Port Access Auth via RADIUS.
4 PCs with 802.1x supplicant software (for 802.1X authentication)

Setup:
Connect a hub (multiport repeater) to port 1 of the DUT, and a RADIUS server to port 20 of the DUT
Connect 4 pcs with 802.1x supplicant software to the hub.

Attachments:
VSA 4clients 1port.jpg (network diagram)

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
74337

Test: Automated : Yes


Test: Automated Test Name : scripts/testSuite/networkSecurity/Radius/featureTesting/RADIUS_F_AttributesDynamicXauthMode.tcl
Test: Automation Progress : 4 - Released to Production
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y

Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 192610
Test: BP Filter: HPE
Test: GUID: ALMTP157C168404

Steps :
Step Name Description Expected Result
Step 1 - Configure and connect the network
Description: Note: the setup commands shown here serve as examples only, the addresses, port numbers, etc. should be adjusted to conform to the specific test environment.
Connect 3 client PCs to port 1 of the DUT via a multiport repeater (hub)
Connect a RADIUS server to the DUT.
Connect a DHCP server to the DUT.
Start config from default values (erase startup).
Set an ip address on VLAN 1 (e.g. vlan 1 ip address 10.1.100.106/24)
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
DUT(config)# aaa port-access dot1x authenticator enable
Expected Result: The DUT should accept the configuration and reflect this in the output of the appropriate show commands

Step 2 - Port to User mode
Description: Set X to Port-based via CLI
aaa authentication port-access auth-mode device-mode
X auth with VSA that sets X to Client-based
aruba-port-authentication-mode = 0 (if 1 is used to enable client mode and 0 is used to enable port-mode)
Run the command:
show aaa authentication port-access interface all client-status
X authenticate a second user without a VSA.
Expected Result: The first (vsa) client should authenticate successfully.
The show command should indicate that the VSA values are in place.
The second (non vsa) client should successfully X authenticate.

Step 3 - Port to Port mode
Description: Set X to Port-based via CLI
aaa authentication port-access auth-mode device-mode
X auth with VSA that sets X to Port-based.
aruba-port-authentication-mode = 0 (if 1 is used to enable client mode and 0 is used to enable port-mode)
Run the command:
show aaa authentication port-access interface all client-status
Ping the DUT from the authenticated user.
Ping the DUT from a second user connected to port 1.
Expected Result: The first (vsa) client should authenticate successfully.
The show command should indicate that the VSA values are in place.
Both clients should have network access.

Step 4 - User to User mode
Description: Set X to Client-based via CLI
aaa authentication port-access auth-mode client-mode
X auth with VSA that sets X to Client-based
aruba-port-authentication-mode = 1 (if 1 is used to enable client mode and 0 is used to enable port-mode)
Run the command:
show aaa authentication port-access interface all client-status
X authenticate a second user without a VSA.
Ping the DUT with each of the clients
Expected Result: The first client should authenticate successfully.
The show command should indicate that the VSA values are in place.
The second client should successfully X authenticate.
Both of the clients should have network access

Step 5 - User to Port mode
Description: Set X to Client-based via CLI
aaa authentication port-access auth-mode client-mode
X auth with VSA that sets X to Port-based
aruba-port-authentication-mode = 0 (if 1 is used to enable client mode and 0 is used to enable port-mode)
Run the command:
show aaa authentication port-access interface all client-status
Ping the DUT from a second user connected to port 1.
Expected Result: The first client should authenticate successfully.
The show command should indicate that the VSA values are in place.
The second client should have network access without authenticating.

1.1.1.1.1.1.3.3. Test: Test Name : 802.1x_Subsequent_Users_Radius_Assigned_Attributes
Test: Test ID :168412
Test: Subject : IFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 1/2/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the 802.1x feature in device-mode with radius applied attributes/user-role
Requirement:
DUT---Hub---Two PCs
|
Radius server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/01/2019: Test Case migrated from PVOS Test ID:
154465

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 9/1/2019
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 199523,200603

Test: BP Filter: HPE
Test: GUID: ALMTP157C168412

Steps :
Step Name Description Expected Result
Step 1
Description: Reserve Switch from POD manager. Install required build using "Install build" option.
Expected Result: Build should be installed successfully without any errors.

Step 2
Description: Configure IP in the vlan having radius server connectivity
vlan 1
ip address 20.1.1.1/24
exit
Expected Result: Verify the configuration using "show run"

Step 3
Description: Configure radius-server using
radius-server host <ip-address> key <key>
Ensure 8021x credentials of PC1 are available in radius server with following radius attributes
1. Tunnel-Private-Group Id
2. NAS-Filter-Rule
3. CoS
4. Rate Limit Ingress and Egress
Expected Result: Verify the configuration using "show run" and "show radius"

Step 4
Description: Configure following CLIs on switch from configuration mode,
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
DUT(config)# aaa port-access dot1x authenticator enable
HP-Switch(config)# interface 1/1/1
Expected Result: Configuration should be applied properly. Validate the same using "show run" CLI.

Step 5
Verify if PC2 mac is learnt in the switch port and PC2 follows the same attributes as PC1

Step 6
Repeat Step 3 and 5 with Radius Assigned User-role containing Vlan and Access Policy

1.1.1.1.1.1.3.4. Test: Test Name : 802.1x_Idle_Session_Timeout
Test: Test ID :168433
Test: Subject : IFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 1/2/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the 802.1x feature with idle and session timeout
Requirement:
DUT---Hub---Two PCs
|
Radius server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/01/2019: Test Case migrated from PVOS Test ID:
154465

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 9/1/2019
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 219026,171215,200198
Test: BP Filter: HPE

Test: GUID: ALMTP157C168433

Steps :
Step Name Description Expected Result
Step 1
Description: Reserve Switch from POD manager. Install required build using "Install build" option.
Expected Result: Build should be installed successfully without any errors.

Step 2
Description: Configure IP in the vlan having radius server connectivity
vlan 1
ip address 20.1.1.1/24
exit
Expected Result: Verify the configuration using "show run"

Step 3
Description: Configure radius-server using
radius-server host <ip-address> key <key>
Ensure 8021x credentials of PC1 and PC2 are available in radius server with following radius attributes
PC1: User-Role - role1
PC2: User-Role - role2
Expected Result: Verify the configuration using "show run" and "show radius"

Step 4
Description: Configure following CLIs on switch from configuration mode,
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode client-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
DUT(config)# aaa port-access dot1x authenticator enable
HP-Switch(config)# interface 1/1/1
switch(config)# port-access role role1
switch(config-pa-role)# vlan access <vid>
switch(config-pa-role)# vlan trunk allowed <vid>
switch(config-pa-role)# idle-timeout 60
switch(config-pa-role)# session-timeout 120
switch(config-pa-role)# exit
switch(config)#
switch(config)# port-access role role2
switch(config-pa-role)# vlan access <vid>
switch(config-pa-role)# vlan trunk allowed <vid>
switch(config-pa-role)# idle-timeout 90
switch(config-pa-role)# session-timeout 180
switch(config-pa-role)# exit
switch(config)#
Expected Result: Configuration should be applied properly. Validate the same using "show run" CLI.

Step 5
Configure following CLIs on switch from configuration mode,
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode client-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
DUT(config)# aaa port-access dot1x authenticator enable
HP-Switch(config)# interface 1/1/1
switch(config)# port-access role role1
switch(config-pa-role)# vlan access <vid>
switch(config-pa-role)# vlan trunk allowed <vid>
switch(config-pa-role)# idle-timeout 60
switch(config-pa-role)# session-timeout 120
switch(config-pa-role)# exit
switch(config)#
switch(config)# port-access role role2
switch(config-pa-role)# vlan access <vid>
switch(config-pa-role)# vlan trunk allowed <vid>
switch(config-pa-role)# idle-timeout 90
switch(config-pa-role)# session-timeout 180
switch(config-pa-role)# exit
switch(config)#

Step 6
Description: Repeat the same steps with idle timeout as none
Expected Result: Verify the clients never log off even if there is no traffic from them

1.1.1.1.1.1.3.5. Test: Test Name : 802.1x_EAP-ID-Compliance

Test: Test ID :168448
Test: Subject : IFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 1/2/2019
Test: Type : MANUAL
Test: Description : Objective:
Verify that 802.1x authentication is successful when radius server sends decremental EAP-ID and wrong sequence of
EAP-ID

Setup:
Supplicant<==========>DUT<=========>Radius Server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
152510

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 240682,247261

Test: BP Filter: HPE
Test: GUID: ALMTP157C168448

Steps :
Step Name Description Expected Result
Step 1 - Topology Setup
Description: Connect the devices according to the topology shown. PC should be EAP-TLS Setup
Expected Result: Topology is setup.

Step 2 - Setup Radius and Dot1x
Description:
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
```
DUT(config)# aaa port-access dot1x authenticator enable
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)# aaa authentication port-access client-limit 2
Expected Result: Use the command "Show running-config" to verify the configuration is present in switch.

Step 3
Verify during authentication when the server sends decremental EAP ID the client authentication is successful

1.1.1.1.1.1.3.6. Test: Test Name : 802.1x_Machine_User_Auth_Mac_Auth
Test: Test ID :168449
Test: Subject : IFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 1/2/2019
Test: Type : MANUAL
Test: Description : Objective:
Verify that 802.1x authentication is successful when radius server sends decremental EAP-ID and wrong sequence of
EAP-ID

Setup:
Supplicant<==========>DUT<=========>Radius Server

Description:

The Customer uses Windows 7 and Windows 10 PCs using 802.1x with PEAP/MSCHAPv2. They have User and Machine
Auth configured and are using Identity Privacy to obscure the username in the Outer PEAP request.
When a PC is booted up, it will first authenticate with Machine Auth, then when the user logs on, it will re-authenticate with
User Auth. If the PC is logged off or shut down, the reverse happens. The User is logged off and the PC re-attempts
Machine Auth.
On almost all iterations, the first attempted auth will fail. Most of the time, the next auth will succeed and the User will
simply see a slightly longer login time. In some circumstances though, it will fail 3 times in a row, at which point the Client
gives up. Then after 20-30 minutes it will try again and succeed.
This doesn't just happen with User + Machine Auth, but also on ports where both Mac Auth and 802.1X are configured.
In the case where MAC Auth occurs first, the 802.1x will regularly fail on the first attempt, and sometimes all 3 attempts as
noted above.
Customer has Machine Auth + User Auth + Mac Auth and all of them fail open. In some cases, where the 802.1x fails all 3
times, the client will be stuck in Mac Auth. This is how the Customer noticed the failure.

Test: Execution Status : No Run
Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
152510

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 244651
Test: BP Filter: HPE
Test: GUID: ALMTP157C168449

Steps :

Step Name : Step 1 - Topology Setup
Description : Connect the devices according to the topology shown. PC should be EAP-TLS Setup
Expected Result : Topology is setup.

Step Name : Step 2 - Setup Radius and Dot1x
Description :
(config)# radius-server host 23.0.0.218 key go4gold18
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
DUT(config)# aaa port-access mac-auth enable
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)# aaa authentication port-access client-limit 2
```
Expected Result : Use the command "Show running-config" to verify the configuration is present in switch.

Step Name : Step 3
Description : Verify the machine and user authentication of 802.1x enabled PC is successful, even though mac-auth kicks in between
Expected Result :
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

1.1.1.1.1.1.3.7. Test: Test Name : 802.1x_Deauthentication_of_Guest_Clients

Test: Test ID :173414
Test: Subject : IFD_Analysis
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 8/2/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the 802.1x feature with idle and session timeout with Guest clients
Requirement:
DUT---Hub---Two PCs
|
Radius server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/01/2019: Test Case migrated from PVOS Test ID:
154465

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High
Test: Test Suited for OSTL? : Y
Test: Automation Release Cycle : 169157
Test: Estimated Run Time : 0
Test: Scripted Date : 9/1/2019
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 219026,240140,242943
Test: BP Filter: HPE
Test: GUID: ALMTP157C173414

Steps :

Step Name : Step 1
Description : Reserve Switch from POD manager. Install required build using "Install build" option.
Expected Result : Build should be installed successfully without any errors.

Step Name : Step 2
Description : Configure IP in the vlan having radius server connectivity
vlan 1
ip address 20.1.1.1/24
exit
Expected Result : Verify the configuration using "show run"

Step Name : Step 3
Description : Configure radius-server using
radius-server host <ip-address> key <key>
Ensure 8021x credentials of PC1 and PC2 are not available in radius server
Expected Result : Verify the configuration using "show run" and "show radius"

Step Name : Step 4
Description : Configure following CLIs on switch from configuration mode,
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode client-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
HP-Switch(config)# interface 1/1/1
switch(config)# port-access role role1
switch(config-pa-role)# vlan access <vid>
switch(config-pa-role)# vlan trunk allowed <vid>
switch(config-pa-role)#idle-timeout 60
switch(config-pa-role)#session-timeout 120
switch(config-pa-role)# exit
switch(config)#
```
Assign the following role as reject role in port 1/1/1
Expected Result : Configuration should be applied properly. Validate the same using "show run" CLI.

Step Name : Step 5
Description : Verify PCs are deauthenticated in their respective idle-timeout if there is no traffic from the PCs and if not deauthenticated by default session-timeout

1.1.1.1.1.1.4. Subject\Production\SW Development\Feature Test Plans - Dev Handoff\802.1x\Interop Testing

Test List :

1.1.1.1.1.1.4.1. Test: Test Name : 802.1x_3.02_Loopback_BPDU_protection
Test: Test ID :158542
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Summary
Test case to verify interoperability with BPDU protection and 802.1x authentication

Overview
A Switch (Device Under Test) can be configured to use 802.1x/WMA* to authenticate clients on its ports, with Loop
protection and BPDU protection enabled.
This test only verifies the correct functionality when using 802.1x port-access.

REFERENCES:

RFC 3580 - IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
http://www.faqs.org/rfcs/rfc3580.html

Requirements
PC w/supplicant software
DUT
RADIUS server

Test Setups
Radius Server
|
Switch1----------Switch2
|
Supplicant

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69192

Test: Automated : Yes
Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xInteroperability/802dot1xLoopbackBpduProtection.tcl
Test: Automation Progress : 3 - Released for AT
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: Automation/Product CR : 227157
Test: BP Filter: HPE
Test: GUID: ALMTP157C158542

Steps :

Step Name : Enable authenticator ports
Description : On switch 1 enable two ports as 802.1x authenticators.
Expected Result : The switch should accept configuration and the show commands should show the correct results.

Step Name : Connect single link
Description : 2.) Connect Switch2 to Switch1 on one port only
Expected Result : port is blocked due to non-authenticated client/user

Step Name : Enable spanning tree
Description : 3.) Enable Spanning tree on Switch1
Expected Result : Spanning Tree should start no problem.

Step Name : Enable Loop Protection
Description : 4.) Enable Loop Protection on ports on Switch1
Expected Result : Loop Protection should start with no problem

Step Name : Connect second link
Description : 5.) Connect 2nd link between Switch1 and Switch2
Note: may have to disable Spanning Tree on Switch2 to create loop
Expected Result : Port on Switch1 is receiving BPDUs and one port is blocking

Step Name : Repeat with BPDU protection
Description : Repeat steps above with BPDU protection

1.1.1.1.1.1.4.2. Test: Test Name : 802.1x_2.47_RADIUS_Accounting_Enable_Disable
Test: Test ID :158594
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:

This test verifies the accounting request packet is generated when accounting is enabled on the
DUT and not generated when disabled.

Requirements:

DUT Switch which supports 802.1x authentication.
PC with supplicant software or Switch supplicant.
Radius Server.

Test Setup:

Supplicant--------DUT---------Radius Server

The example commands refer to the topology diagram in the file 802_1X_BASIC_TESTTOPOLOGY.jpg. However, only one
supplicant and a radius server need to be connected to the DUT (Device Under Test).

Description:

The test verifies that accounting records are generated for ports which are enabled for 802.1x
authentication and not generated when accounting is disabled.

References:

Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)
www.procurve.com

www.microsoft.com

www.freeradius.org

Attachments:

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69248

Test: Automated : Yes


Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadiusAccEnableDisable.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y

Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158594

Steps :

Step Name : Call
Description : Call <802.1x 1.01 Basic_Port_Based>

Step Name : STEP 1 - Enable accounting
Description : Configure accounting on the switch

Example:

DUT(config)# aaa accounting port-access start-stop radius

Configure accounting on Radius server
This would typically depend on the flavor of radius which is being deployed. The configuration details would be available in the respective websites.
Expected Result : This configuration should be visible with the following commands

show running-config
show aaa accounting
show aaa accounting port-access

Accounting should be successfully configured on the radius server

Step Name : STEP 2 - Supplicant Authentication
Description : Configure a packet analyzer on the radius server or mirror the port on the DUT on which the radius server is connected.

Authenticate the supplicant on the port configured for 802.1x authentication. The supplicant can be a workstation with supplicant software or it can be a switch with the supplicant feature available
Expected Result : The supplicant should successfully authenticate and accounting-request with start record packets should be generated from the DUT to the radius server. The start value is observed in the Acct-Status-Type in the accounting request AVP.

Example:

Accounting-Request packet from host 10.1.1.51 port 1813, id=94, length=136

Acct-Session-Id = "012900000052"
Acct-Status-Type = Start
Service-Type = Framed-User
Acct-Authentic = RADIUS
NAS-Port = 1
Calling-Station-Id = "00-1B-78-AB-9F-90"
NAS-IP-Address = 10.1.1.51
NAS-Identifier = "ProCurve Switch 3500yl-24G"
User-Name = "steve"
MS-RAS-Vendor = 11

Step Name : STEP 3 - Disable accounting
Description : Disable accounting on the switch

Example:

DUT(config) # no aaa accounting port-access
Expected Result : Accounting information should be removed from the DUT configuration. This can be verified by the following commands

show running-config
show aaa accounting
show aaa accounting port-access

Example:

ProCurve Switch 3500yl-24G(config)# show accounting

Status and Counters - Accounting Information

Interval(min) : 0
Suppress Empty User : No

Type     | Method Mode       Server Group
-------- + ------ ---------- ------------
Network  | None
Exec     | None
System   | None
Commands | None

Step Name : STEP 4 - Disconnect supplicant
Description : Disconnect and reconnect the supplicant and authenticate
Expected Result : The supplicant should successfully authenticate but no accounting packets should be generated from the DUT to the radius server

1.1.1.1.1.1.4.3. Test: Test Name : 802.1x_2.48_RADIUS_Accounting_Interim_Update_Record
Test: Test ID :158595
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:

This test verifies the accounting interim_update_records are generated for the DUT.

Requirements:

DUT Switch which supports 802.1x authentication.


PC with supplicant software or Switch supplicant.
Radius Server.

Test Setup:

Supplicant--------DUT---------Radius Server

The example commands refer to the topology diagram in the file 802_1X_BASIC_TESTTOPOLOGY.jpg. However, only one
supplicant and a radius server need to be connected to the DUT (Device Under Test).

Description:

The test verifies that accounting interim_update_records are generated by the DUT. It also
verifies the functionality when the update interval is assigned via radius attribute.

References:

Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)
www.procurve.com

www.microsoft.com

www.freeradius.org

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69249

Test: Automated : Yes


Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadiusAccIntUpdateRec.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018

Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158595

Steps :

Step Name : Call
Description : Call <802.1x 1.01 Basic_Port_Based>

Step Name : STEP 1 - Configure accounting on DUT
Description : Configure accounting on DUT

Example:

DUT(config) # aaa accounting port-access start-stop radius

Configure accounting on Radius server
This would typically depend on the flavor of radius which is being deployed. The configuration details would be available in the respective websites.
Expected Result : The configuration should be visible with the following commands

show aaa accounting
show aaa accounting port-access
show running-config

Accounting should be successfully configured on the radius server

Step Name : STEP 2 - Configure interim-update
Description : Configure interim update on the DUT.

Example:

aaa accounting port-access start-stop interim 60 group radius <radius-server-group>
Expected Result : The value should be visible with the following command

show running-config
show aaa accounting

Step Name : STEP 3 - Supplicant authentication
Description : Configure a packet analyzer on the radius server or mirror the port on the DUT on which the radius server is connected. Authenticate the supplicant. The supplicant can be a workstation with supplicant software installed or switch with the supplicant feature
Expected Result : Supplicant should successfully authenticate and accounting request packets with start records should be generated. The start value should be observed in Acct-Status-Type attribute in accounting request packet.

Example:

Accounting-Request packet from host 10.1.1.51 port 1813, id=94, length=136

Acct-Session-Id = "01290000005E"
Acct-Status-Type = Start
Service-Type = Framed-User
Acct-Authentic = RADIUS
NAS-Port = 1
Calling-Station-Id = "00-1B-78-AB-9F-90"
NAS-IP-Address = 10.1.1.51
NAS-Identifier = "ProCurve Switch 3500yl-24G"
User-Name = "steve"
MS-RAS-Vendor = 11

Step Name : STEP 4 - Interim update expires
Description : After successful supplicant authentication wait for a period till the interim-update timer expires.
Expected Result : After the expiry, accounting request packets for Interim_Update_Records for the existing session should be generated. This can be observed in the Acct-Status-Type attribute in the accounting request packet AVP.

Example:

Accounting-Request packet from host 10.1.1.51 port 1813, id=137, length=166

Acct-Session-Id = "01290000005E"
Acct-Status-Type = Interim-Update
Service-Type = Framed-User
Acct-Authentic = RADIUS
NAS-Port = 1
Calling-Station-Id = "00-1B-78-AB-9F-90"
NAS-IP-Address = 10.1.1.51
NAS-Identifier = "ProCurve Switch 3500yl-24G"
User-Name = "steve"
Acct-Session-Time = 60
Acct-Input-Octets = 1408
Acct-Output-Octets = 73704958
Acct-Input-Packets = 4
Acct-Output-Packets = 323485
MS-RAS-Vendor = 11
Acct-Delay-Time = 0

1.1.1.1.1.1.4.4. Test: Test Name : 802.1x_2.49_RADIUS_Accounting_Requests_Retransmitted
Test: Test ID :158596
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Objective:

This test verifies that accounting request packet is retransmitted when there is no response from
the radius server.

Requirements:

DUT Switch which supports 802.1x authentication.


PC with supplicant software or Switch supplicant.
Radius Server.

Test Setup:

Supplicant--------DUT---------Radius Server

The example commands refer to the topology diagram in the file 802_1X_BASIC_TESTTOPOLOGY.jpg. However, only one
supplicant and a radius server need to be connected to the DUT (Device Under Test).

The test case is failing on Lager.

Description:

The test verifies that accounting packets are retransmitted when there is no response from the
radius server. The retransmission halts when the radius server resumes and a response is
received.

References:

Procurve Manual: Access Security Guide (ProCurve 8200zl, 6200yl, 5400zl, 3500yl)
www.procurve.com
www.microsoft.com
www.freeradius.org

Attachments:

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69250

Test: Automated : Yes


Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadiusAccReqRetransmitted.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158596

Steps :

Step Name : Call
Description : Call <802.1x 1.01 Basic_Port_Based>

Step Name : STEP 1 - Enable accounting
Description : Enable accounting on the switch

Example:

DUT(config) #aaa accounting port-access start-stop radius

Configure accounting on the radius server

This would typically be dependent on the flavor of radius which is being deployed. The configuration details would be available in the respective websites
Expected Result : This should be visible with the following commands

show running-config
show aaa accounting

Accounting should be successfully configured on the radius servers.

Step Name : STEP 2 - Supplicant authentication
Description : Stop the radius service on the radius server system. Configure a packet analyzer on the radius server or mirror the port on the switch on which the radius server is connected. Authenticate the supplicant. The supplicant can be a workstation with the supplicant software or it can be a switch with the supplicant feature
Expected Result : Once the supplicant is authenticated, the DUT transmits radius-accounting request packets to the server. Since the server does not respond, the DUT should retransmit accounting request packets to the server and this should be observed in the packet analyzer.

Step Name : STEP 3 - Resume Radius Service
Description : Restart the radius service on the radius server system
Expected Result : The switch should now get an accounting response packet from the radius server and this should be observed in the packet analyzer. After the response is received, the DUT should stop retransmitting the accounting packets to the server

1.1.1.1.1.1.4.5. Test: Test Name : 802.1x_2.50_RADIUS_Accounting_Start_Stop_Record
Test: Test ID :158597

Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description :
Objective:

This test verifies that accounting start-stop records are generated for the associated type of
events.

Requirements:

DUT Switch which supports 802.1x authentication.


PC with supplicant software or Switch supplicant.
Radius Server.

Test Setup:

Supplicant--------DUT---------Radius Server

The example commands refer to the topology diagram in the file 802_1X_BASIC_TESTTOPOLOGY.jpg. However, only one
supplicant and a radius server need to be connected to the DUT (Device Under Test).

Description:

The test verifies that accounting start and stop records are generated for the events which
trigger on the port configured for 802.1x. The events include different control modes for the
port, disconnect/reconnect of the supplicant, and disable/enable of the port. The test also confirms that the
records are generated when a new user is authenticated on the port.

References:

www.procurve.com
www.microsoft.com
www.freeradius.org

Attachments:

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69251

Test: Automated : Yes

Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadiusAccStartStopRec.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158597

Steps :

Step Name : Call
Description : Call <802.1x 1.01 Basic_Port_Based>

Step Name : Step 2 - Configure accounting on the DUT
Description : Configure accounting on the DUT

Example:

DUT(config)# aaa accounting port-access start-stop radius

Configure accounting on the radius server
This would typically be dependent on the flavor of radius which is being deployed. The configuration details would be available on the respective websites.
Expected Result : The configuration should be visible with the following commands.

show running-config
show aaa accounting

Accounting should be successfully configured on the radius servers

Step Name : Step 3 - Supplicant Authentication
Description : Configure a packet analyzer on the radius server or mirror the port on the switch on which the radius server is connected. Authenticate the supplicant. The supplicant can be a workstation with the supplicant software or it can be a switch with the supplicant feature
Expected Result : Accounting request packets for start record should be generated from the switch to the radius server with a unique session ID. The start and session id value would be associated respectively with the Acct-Status-Type and the Acct-Session-ID attributes.

Example:

Accounting-Request packet from host 10.1.1.51 port 1813, id=94, length=136

Acct-Session-Id = "012900000052"
Acct-Status-Type = Start
Service-Type = Framed-User
Acct-Authentic = RADIUS
NAS-Port = 1
Calling-Station-Id = "00-1B-78-AB-9F-90"
NAS-IP-Address = 10.1.1.51
NAS-Identifier = "ProCurve Switch 3500yl-24G"
User-Name = "steve"
MS-RAS-Vendor = 11
Acct-Delay-Time = 0

Step Name : Step 4 - Disconnect Supplicant
Description : Disconnect the supplicant
Expected Result : Accounting request packets for stop record should be generated from the DUT to the radius server. The session ID should be the same as the one observed in the previous step. The stop record and session id value would be associated respectively with the Acct-Status-Type and Acct-Session-ID attribute.

Example:

Accounting-Request packet from host 10.1.1.51 port 1813, id=95, length=172

Acct-Session-Id = "012900000052"
Acct-Status-Type = Stop
Service-Type = Framed-User
Acct-Authentic = RADIUS
NAS-Port = 1
Calling-Station-Id = "00-1B-78-AB-9F-90"
NAS-IP-Address = 10.1.1.51
NAS-Identifier = "ProCurve Switch 3500yl-24G"
User-Name = "steve"
Acct-Terminate-Cause = Port-Disabled
Acct-Session-Time = 263
Acct-Input-Octets = 1670
Acct-Output-Octets = 359802590
Acct-Input-Packets = 5
Acct-Output-Packets = 1158172
MS-RAS-Vendor = 11
Acct-Delay-Time = 0

Step Name : Step 5 - Supplicant reconnect
Description : Reconnect the supplicant and authenticate.
Expected Result : Accounting request packets for the start record should be generated with a different session ID. The start and session ID values would be associated respectively with the Acct-Status-Type and Acct-Session-ID attributes.

Example:

Accounting-Request packet from host 10.1.1.51 port 1813, id=94, length=136

Acct-Session-Id = "012900000053"
Acct-Status-Type = Start
Service-Type = Framed-User
Acct-Authentic = RADIUS
NAS-Port = 1
Calling-Station-Id = "00-1B-78-AB-9F-90"
NAS-IP-Address = 10.1.1.51
NAS-Identifier = "ProCurve Switch 3500yl-24G"
User-Name = "steve"
MS-RAS-Vendor = 11

Step Name : Step 6 - Disable interface
Description : Disable the interface on which the supplicant is connected.

Example:

DUT(config) # interface 1 disable
Expected Result : Accounting request packets for the stop record should be generated for the existing session. The stop and session ID values would be associated respectively with Acct-Status-Type and Acct-Session-ID attributes.

Example:

Accounting-Request packet from host 10.1.1.51 port 1813, id=95, length=172

Acct-Session-Id = "012900000053"
Acct-Status-Type = Stop
Service-Type = Framed-User
Acct-Authentic = RADIUS
NAS-Port = 1
Calling-Station-Id = "00-1B-78-AB-9F-90"
NAS-IP-Address = 10.1.1.51
NAS-Identifier = "ProCurve Switch 3500yl-24G"
User-Name = "steve"
Acct-Terminate-Cause = Port-Disabled
Acct-Session-Time = 263
Acct-Input-Octets = 1670
Acct-Output-Octets = 359802590
Acct-Input-Packets = 5
Acct-Output-Packets = 1158172
MS-RAS-Vendor = 11

Step Name : Step 7 - Control Mode to Force Authorized
Description : Disconnect the supplicant and enable the interface

Example:

DUT(config) # interface 1 enable

Reconnect and authenticate the supplicant. Change the control mode to Force Authorized

Example:

DUT(config) # aaa port-access authenticator 1 control authorized
Expected Result : After the supplicant is authenticated the accounting request packet will contain a new session id. When the control mode is changed to authorized the accounting request packet would contain the stop records for the existing session further to which an accounting request packet with start record with a new session ID will be generated

Step Name : Step 8 - Supplicant reauthenticate for new user
Description : Reauthenticate the supplicant with a different username.

The reauthentication should be triggered from the supplicant
Expected Result : Accounting request packets with stop records for the existing session should be generated and accounting request packets with start records for a new session with the user name info should be generated.

Example:

rad_recv: Accounting-Request packet from host 10.1.1.51 port 1813, id=131, length=173

Acct-Session-Id = "01290000005C"
Acct-Status-Type = Stop
Service-Type = Framed-User
Acct-Authentic = RADIUS
NAS-Port = 1
Calling-Station-Id = "00-1B-78-AB-9F-90"
NAS-IP-Address = 10.1.1.51
NAS-Identifier = "ProCurve Switch 3500yl-24G"
User-Name = "steve2"
Acct-Terminate-Cause = Supplicant-Restart
Acct-Session-Time = 70
Acct-Input-Octets = 1600
Acct-Output-Octets = 93538638
Acct-Input-Packets = 7
Acct-Output-Packets = 363199
MS-RAS-Vendor = 11

Accounting-Request packet from host 10.1.1.51 port 1813, id=132, length=137

Acct-Session-Id = "01290000005D"
Acct-Status-Type = Start
Service-Type = Framed-User
Acct-Authentic = RADIUS
NAS-Port = 1
Calling-Station-Id = "00-1B-78-AB-9F-90"
NAS-IP-Address = 10.1.1.51
NAS-Identifier = "ProCurve Switch 3500yl-24G"
User-Name = "steve2"
MS-RAS-Vendor = 11
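
An added example, not part of the test plan or its Tcl automation: a Python check over RADIUS server debug output in the format quoted in the steps above, flagging Stop records with no Start, session IDs reused after a Stop, and Stop records lacking the termination attributes. The sample log is constructed, the function names are hypothetical, and counting a repeated Start for a still-open session as a retransmission is an assumption.

```python
import re

HEADER = re.compile(
    r"Accounting-Request packet from host (?P<host>\S+) port \d+, id=(?P<id>\d+)"
)
ATTR = re.compile(r"^\s*(?P<name>[A-Za-z][\w-]*)\s*=\s*(?P<value>.+?)\s*$")
# Attributes every Stop example in the test plan carries. Expecting them is this
# example's policy (an assumption), not an RFC 2866 requirement.
STOP_EXPECTED = ("Acct-Terminate-Cause", "Acct-Session-Time")

# Constructed sample, one attribute per line, modelled on the quoted packets.
SAMPLE_LOG = """\
Accounting-Request packet from host 10.1.1.51 port 1813, id=94, length=136
    Acct-Session-Id = "012900000052"
    Acct-Status-Type = Start
Accounting-Request packet from host 10.1.1.51 port 1813, id=94, length=136
    Acct-Session-Id = "012900000052"
    Acct-Status-Type = Start
Accounting-Request packet from host 10.1.1.51 port 1813, id=137, length=166
    Acct-Session-Id = "012900000052"
    Acct-Status-Type = Interim-Update
    Acct-Session-Time = 60
Accounting-Request packet from host 10.1.1.51 port 1813, id=138, length=172
    Acct-Session-Id = "012900000052"
    Acct-Status-Type = Stop
    Acct-Terminate-Cause = Port-Disabled
    Acct-Session-Time = 263
Accounting-Request packet from host 10.1.1.51 port 1813, id=139, length=136
    Acct-Session-Id = "012900000053"
    Acct-Status-Type = Start
Accounting-Request packet from host 10.1.1.51 port 1813, id=140, length=150
    Acct-Session-Id = "012900000053"
    Acct-Status-Type = Stop
    Acct-Session-Time = 70
Accounting-Request packet from host 10.1.1.51 port 1813, id=141, length=136
    Acct-Session-Id = "012900000052"
    Acct-Status-Type = Start
rad_recv: Accounting-Request packet from host 10.1.1.51 port 1813, id=142, length=173
    Acct-Session-Id = "01290000005C"
    Acct-Status-Type = Stop
    Acct-Terminate-Cause = Supplicant-Restart
    Acct-Session-Time = 70
"""


def parse_accounting_log(text):
    """Split a server debug log into one dict per Accounting-Request."""
    records, current = [], None
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            current = {"host": header["host"], "packet_id": int(header["id"]), "attrs": {}}
            records.append(current)
            continue
        attr = ATTR.match(line)
        if attr and current is not None:
            current["attrs"][attr["name"]] = attr["value"].strip('"')
    return records


def audit_sessions(records):
    """Check the Start / Interim-Update / Stop sequence of every session."""
    findings, open_sessions, closed, retransmissions = [], set(), set(), 0
    for rec in records:
        attrs = rec["attrs"]
        sid = attrs.get("Acct-Session-Id")
        status = attrs.get("Acct-Status-Type")
        key = (rec["host"], sid)  # session IDs are scoped to the sending NAS
        if status == "Start":
            if key in open_sessions:
                retransmissions += 1  # assumption: repeat Start of an open session
                continue
            if key in closed:
                # The ID of a finished session came back, e.g. after a reboot.
                findings.append(("session-id-reused", sid))
                closed.discard(key)
            open_sessions.add(key)
        elif status == "Interim-Update":
            if key not in open_sessions:
                findings.append(("interim-without-start", sid))
        elif status == "Stop":
            if key in closed:
                retransmissions += 1  # repeat Stop of an already closed session
                continue
            if key in open_sessions:
                open_sessions.remove(key)
            else:
                findings.append(("stop-without-start", sid))
            closed.add(key)
            if any(name not in attrs for name in STOP_EXPECTED):
                findings.append(("stop-missing-attribute", sid))
    return {
        "findings": findings,
        "open": sorted(sid for _, sid in open_sessions),
        "retransmissions": retransmissions,
    }


if __name__ == "__main__":
    print(audit_sessions(parse_accounting_log(SAMPLE_LOG)))
```

The same check applies to the retransmission and unique-session-ID tests: repeated requests are counted rather than reported, while an ID that reappears after its Stop is reported as reuse.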

1.1.1.1.1.1.4.6. Test: Test Name : 802.1x_2.51_RADIUS_Accouting_Unique_Session_ID
Test: Test ID :158598
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 3/1/2019
Test: Type : MANUAL
Test: Description : Objective:

This test verifies that accounting session ID's are unique after DUT reboot.

Requirements:

DUT Switch which supports 802.1x authentication.
PC with supplicant software or Switch supplicant.
Radius Server.

Test Setup:

Supplicant--------DUT---------Radius Server
The example commands refer to the topology diagram in the file
802_1X_BASIC_TESTTOPOLOGY.jpg. However, only one supplicant and a radius server need
to be connected to the DUT (Device Under Test).

Description:

The test verifies that the accounting session IDs for the user change after DUT reboot. The DUT
configured for accounting sends accounting request packets to the radius server with a unique
session ID. After DUT reboot, the accounting request packets are sent with a different session
ID.

References:

www.procurve.com
www.microsoft.com
www.freeradius.org

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 08/12/2018: Test Case migrated from PVOS Test ID:
69252

Test: Automated : Yes


Test: Automated Test Name : scripts/testSuite/networkSecurity/802dot1x/802dot1xBasicFunctionality/802dot1xRadiusAccUniqueSessId.tcl
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0

Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C158598

Steps :

Step Name: Call
Description:
    Call <802.1x 1.01 Basic_Port_Based>

Step Name: STEP 1 - Configure accounting
Description:
    Configure accounting on the DUT
    Example:
        DUT(config) # aaa accounting port-access start-stop radius
Expected Result:
    The above configuration can be viewed by the following commands
        show running-config
        show aaa accounting

Step Name: STEP - 2 Supplicant authentication
Description:
    Configure a packet analyzer on the radius server or mirror the port on the
    switch on which the radius server is connected. Authenticate the supplicant.
    The supplicant can be a workstation with the supplicant software or it can be
    a switch with the supplicant feature.
Expected Result:
    Accounting request packets for start record should be generated from the
    switch to the radius server with a unique session ID. The start and session id
    value would be associated respectively with the Acct-Status-Type and the
    Acct-Session-Id attributes.
    Example:
        Accounting-Request packet from host 10.1.1.51 port 1813, id=94, length=136

        Acct-Session-Id = "012900000052"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Acct-Authentic = RADIUS
        NAS-Port = 1
        Calling-Station-Id = "00-1B-78-AB-9F-90"
        NAS-IP-Address = 10.1.1.51
        NAS-Identifier = "ProCurve Switch 3500yl-24G"
        User-Name = "steve"
        MS-RAS-Vendor = 11
        Acct-Delay-Time = 0

Step Name: STEP 3 - DUT Reload
Description:
    Save the configuration to the flash with the command write memory
    Reboot the DUT using reload command
    Example
        DUT(config)# reload
        Device will be rebooted, do you want to continue [y/n]? y
    Save the configuration to the flash with the command write memory
Expected Result:
    The configuration should be persistent after reboot. This should be verified
    by the following command
        show running-config

Step Name: STEP 4 - Supplicant reauthentication
Description:
    After the DUT reloads reauthenticate the supplicant
Expected Result:
    Accounting request packets for start record should be generated from the
    switch to the radius server with a unique session ID which should be different
    from the one observed before the reload. The start and session id value would
    be associated respectively with the Acct-Status-Type and the Acct-Session-Id
    attributes.
    Example:
        Accounting-Request packet from host 10.1.1.51 port 1813, id=94, length=136

        Acct-Session-Id = "012900000053"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Acct-Authentic = RADIUS
        NAS-Port = 1
        Calling-Station-Id = "00-1B-78-AB-9F-90"
        NAS-IP-Address = 10.1.1.51
        NAS-Identifier = "ProCurve Switch 3500yl-24G"
        User-Name = "steve"
        MS-RAS-Vendor = 11
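
The comparison that STEP 2 and STEP 4 ask the tester to make by eye can be scripted. The following is an added example, not part of the test plan or of the automated Tcl script it names: it parses Accounting-Request dumps in the wrapped layout shown above and reports any Acct-Session-Id that a Start record reuses across the reload. The function names are hypothetical, the captures are constructed from the values in the steps, and AFTER_REUSED is a made-up failing case.

```python
"""Check Acct-Session-Id uniqueness across a DUT reload (added example)."""
import re

# Constructed capture using the values shown in STEP 2, wrapped the same way.
BEFORE = '''
Accounting-Request packet
from host 10.1.1.51 port
1813, id=94, length=136

Acct-Session-Id =
"012900000052"
Acct-Status-Type = Start
NAS-Port = 1
Calling-Station-Id = "00-1B-
78-AB-9F-90"
NAS-IP-Address = 10.1.1.51
NAS-Identifier = "ProCurve
Switch 3500yl-24G"
User-Name = "steve"
Acct-Delay-Time = 0
'''
AFTER = BEFORE.replace("012900000052", "012900000053")  # value shown in STEP 4
AFTER_REUSED = BEFORE  # hypothetical DUT that restarts its counter after reload

ATTR = re.compile(r"^([A-Za-z][\w-]*)\s=\s?(.*)$")
HEADER = re.compile(r"from host (\S+) port (\d+), id=(\d+), length=(\d+)")


def parse_packets(text):
    """Parse a wrapped attribute dump into one dict per Accounting-Request."""
    packets, current, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Accounting-Request packet"):
            current, last = {"header": line}, "header"
            packets.append(current)
            continue
        if current is None:
            continue  # ignore text before the first packet
        match = ATTR.match(line)
        if match:
            last = match.group(1)
            current[last] = match.group(2)
        else:
            # Continuation of a wrapped header or value. An empty value or a
            # fragment ending in "-" (split MAC address) joins without a space.
            prev = current[last]
            glue = "" if prev == "" or prev.endswith("-") else " "
            current[last] = prev + glue + line
    parsed = []
    for pkt in packets:
        record = {k: v.strip('"') for k, v in pkt.items() if k != "header"}
        head = HEADER.search(pkt["header"])
        if head:
            record["nas_host"] = head.group(1)
            record["radius_id"] = int(head.group(3))
        parsed.append(record)
    return parsed


def start_records(capture):
    """Start records of one capture, with retransmissions collapsed."""
    seen, records = set(), []
    for pkt in parse_packets(capture):
        if pkt.get("Acct-Status-Type") != "Start" or "Acct-Session-Id" not in pkt:
            continue
        # A retransmitted request repeats both the RADIUS id and the session ID.
        key = (pkt.get("NAS-IP-Address"), pkt.get("radius_id"), pkt["Acct-Session-Id"])
        if key not in seen:
            seen.add(key)
            records.append(pkt)
    return records


def reused_session_ids(before_reload, after_reload):
    """(NAS, Acct-Session-Id) pairs used by Start records on both sides of the reload."""
    def ids(capture):
        return {(p.get("NAS-IP-Address"), p["Acct-Session-Id"]) for p in start_records(capture)}
    return sorted(ids(before_reload) & ids(after_reload))


if __name__ == "__main__":
    print("pass case :", reused_session_ids(BEFORE, AFTER))
    print("fail case :", reused_session_ids(BEFORE, AFTER_REUSED))
```

An empty list means the test passes; any pair returned is a session ID that the RADIUS server would see for two different sessions.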

1.1.1.1.1.1.4.7. Test: Test Name : Radius_Tracking_I_01_Radius_Server_Groups
Test: Test ID :167154
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 28/1/2019
Test: Type : MANUAL
Test: Description : Objective:
To Verify the tracking of radius tracker with radius server groups
Topology:
         Radius Server 3
                |
Supplicant-----DUT---------Radius Server1
                |
                |
         Radius Server 2
Feature Description:
RADIUS Server Dead Time Processed based on RADIUS Tracking

The RADIUS tracking feature already provides periodic information on whether each RADIUS server is reachable.
This information can be used to decide which of the configured RADIUS servers to contact. If RADIUS tracking
reports that none of the servers is reachable, the retry mechanism can be bypassed completely and the back-up
authentication method applied, if one is configured. This saves the client time in getting access to the network.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
149919

Test: Automated : Dev Funnel


Test: Automation Progress : 1 - Coding
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y

Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 239875
Test: BP Filter: HPE
Test: GUID: ALMTP157C167154

Steps :

Step Name: Step 1
Description:
    Setup the topology as present in details tab

Step Name: Step 2
Description:
    Configure ip address to the DUT
        vlan 1
        ip address <ip-address>
        exit
Expected Result:
    Verify the configuration using "show run"

Step Name: Step 3
Description:
    Configure 3 radius-server in the same vlan 1 network in DUT
        radius-server host <ip-address> key <key>
        radius-server host <ip-address> key <key>
        radius-server host <ip-address> key <key>
    Add them to three different server groups
        aaa server-group radius r1 host 20.1.1.100
        aaa server-group radius r2 host 20.1.1.129
        aaa server-group radius r3 host 20.1.1.130
Expected Result:
    Verify the configuration using "show run" and "show radius"

Step Name: Step 4
Description:
    Configure radius-server tracking interval as 60 seconds, enable tracking
        radius-server tracking interval 60
        radius-server host <ip-address> tracking enable
        radius-server host <ip-address> tracking enable
        radius-server host <ip-address> tracking enable
Expected Result:
    Verify the configuration changes using "show run" and "show radius"

Step Name: Step 5
Description:
    Verify DUT send 60 seconds periodic radius request with username as
    'radius-tracking-user' to all the configured radius servers

Step Name: Step 6
Description:
    Make all the radius servers service unavailable
Expected Result:
    Verify the "show radius" shows all the radius servers as dead

Step Name: Step 10
Description:
        DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
        aaa authentication port-access auth-mode device-mode
    Enable 802.1X authentication on a port:
        switch# configure terminal
        switch(config)# interface 1/1/1
        switch(config-if)# aaa authentication port-access dot1x authenticator enable
        switch(config-if)#
        DUT(config)# aaa port-access dot1x authenticator enable
    configure 802.1x on any other port
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 11
Description:
    Make all the radius servers unavailable

Step Name: Step 12
Description:
    Configure 802.1x in supplicant and start the supplicant service
Expected Result:
    Verify the radius access-request is not triggered for any radius server and
    client will be placed in reject role.
    Verify using
    * show aaa authentication port-access dot1x authenticator interface all port-statistics
    * show aaa authentication port-access dot1x authenticator interface all client-status
    * show aaa authentication port-access interface all client-status

Step Name: Step 13
Description:
    Make the second radius server available
Expected Result:
    Verify radius service tracking learns the server as up using "show radius"
    Verify only 802.1x client is reauthenticated and access request is triggered
    to second radius server

Step Name: Step 1
Description:
    Make the first radius service available
Expected Result:
    Verify radius service tracking learns the server as up using "show radius"
    Verify none of the clients are deauthenticated using
    * show aaa authentication port-access dot1x authenticator interface all port-statistics
    * show aaa authentication port-access dot1x authenticator interface all client-status
    * show aaa authentication port-access interface all client-status

1.1.1.1.1.1.4.8. Test: Test Name : Critical_VLAN_F_22_PC_Critical_Role
Test: Test ID :167777
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 30/1/2019

Test: Type : MANUAL
Test: Description : Objective :
To Verify the functionality of Critical Role in PC
Topology:
Radius Server 2
|
|
DUT-----------Radius Server 1
|
|
PC (EAP-TLS)

Feature Description:
The existing authentication feature does not differentiate between an authentication failure due to a “radius-reject” and
one due to “radius-not-being-reachable”. This feature enhancement supports a “Critical VLAN” concept: when a remote
authentication (mac-auth or 802.1x) starts for a client but the authentication server is not reachable, the client is
placed in the “Critical VLAN” instead of being blocked.
A Critical VLAN can be configured as a tagged (voice) or untagged (data) VLAN. It can also be configured within a user-role,
in which case that user-role is called the “Critical Role”. Therefore, when a Critical-Role is configured, any client that
fails authentication because the authentication server is not reachable has the Critical-Role applied.
This feature is configurable per port and applies only to mac-based and 802.1x authentication.
Platforms supported are 3810, 5400R, 2930F and 2930M.
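
The RADIUS tracking description in the previous test case and the Critical VLAN description above combine into one decision: which server gets the Access-Request, and which role the client lands in when none can. The following model is an added example, not switch code: the class and function names are hypothetical, the cost of a dead server (timeout × attempts) and the fallback order critical-role, then reject-role, then blocked are assumptions chosen to match the expected results in these test cases. Because the critical role grants access without any authentication decision, the model also makes visible how long a stale tracker state keeps clients in it.

```python
"""Model of tracking-driven RADIUS server selection and fallback roles (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RadiusServer:
    name: str
    reachable: bool            # real state of the RADIUS service
    tracked_up: bool = True    # state the tracker learned at its last probe
    accepts: bool = True       # answer it would give: Access-Accept or Access-Reject


@dataclass
class PortConfig:
    critical_role: Optional[str] = None   # applied when no server can be reached
    reject_role: Optional[str] = None     # applied on Access-Reject
    timeout: int = 5                      # seconds per attempt (illustrative)
    retries: int = 2                      # extra attempts per server (illustrative)


def run_tracking(servers):
    """One tracking interval: probe every server and store what was learned."""
    for server in servers:
        server.tracked_up = server.reachable


def authenticate(servers, port, use_tracking=True):
    """Return (role, seconds spent waiting on dead servers, servers contacted)."""
    waited, contacted = 0, []
    for server in servers:
        if use_tracking and not server.tracked_up:
            continue  # tracker says dead: no Access-Request is sent at all
        contacted.append(server.name)
        if server.reachable:
            if server.accepts:
                return "authenticated", waited, contacted
            return port.reject_role or "blocked", waited, contacted
        # Without tracking, a dead server costs the full retry cycle.
        waited += port.timeout * (1 + port.retries)
    # No server answered: assumed fallback order (not stated on the page).
    fallback = port.critical_role or port.reject_role or "blocked"
    return fallback, waited, contacted


def demo():
    """Walk through the situations the test steps describe."""
    servers = [RadiusServer(n, reachable=False) for n in ("r1", "r2", "r3")]
    run_tracking(servers)
    reject_only = PortConfig(reject_role="reject")
    with_critical = PortConfig(critical_role="critical", reject_role="reject")
    results = {
        "all dead, tracking": authenticate(servers, reject_only),
        "all dead, no tracking": authenticate(servers, reject_only, use_tracking=False),
        "all dead, critical role": authenticate(servers, with_critical),
    }
    servers[1].reachable = True           # second server comes back
    results["r2 back, tracker stale"] = authenticate(servers, with_critical)
    run_tracking(servers)                 # next tracking interval
    results["r2 back, tracker fresh"] = authenticate(servers, with_critical)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26} -> {outcome}")
```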

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
149894

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 238255,239680,239916

Test: BP Filter: HPE
Test: GUID: ALMTP157C167777

Steps :

Step Name: Step 1
Description:
    Configure Vlan with ip-address
        Aruba-Stack-3810M(config)# vlan 1
        Aruba-Stack-3810M(vlan-1)# ip address 20.1.1.1/24
        Aruba-Stack-3810M(vlan-1)# exit
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 2
Description:
    Configure two radius servers on the same subnet as the vlan ip address
    configured on Step1
        radius-server host <ip-address> key <key> tracking
        radius-server host <ip-address> key <key> tracking
        radius-server tracking interval 60
Expected Result:
    Verify the configuration changes using "show run" and "show radius"

Step Name: Step 3
Description:
    Configure two vlans in the DUT
        vlan <id>
        exit
        vlan <id>
        exit
    Configure user-role
        switch(config)# port-access role critical
        switch(config-pa-role)# vlan access <vid>
        switch(config-pa-role)# vlan trunk allowed <vid>
        switch(config-pa-role)# reauth-period 120
        switch(config)#
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 4
Description:
    Configure 802.1x authentication on the port where pc is connected
        DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
        aaa authentication port-access auth-mode device-mode
    Enable 802.1X authentication on a port:
        switch# configure terminal
        switch(config)# interface 1/1/1
        switch(config-if)# aaa authentication port-access dot1x authenticator enable
        switch(config-if)#reauth
        DUT(config)# aaa port-access dot1x authenticator enable
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 5
Description:
    Configure Critical auth user-role with data-vlans and reauth-period as 120
    seconds on the port configured for 802.1x
        switch# configure terminal
        switch(config-if)#aaa authentication port-access critical-role critical
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 6
Description:
    Make both the radius server unreachable before starting the authentication
    and radius tracking should have learnt the servers are unreachable also
Expected Result:
    Verify using "show radius"

Step Name: Step 7
Description:
    Start supplicant in 802.1x configured PC
Expected Result:
    Verify the clients are placed in critical role and reauthenticating every 120
    seconds
    * show aaa authentication port-access dot1x authenticator interface all port-statistics
    * show aaa authentication port-access dot1x authenticator interface all client-status
    * show aaa authentication port-access interface all client-status

1.1.1.1.1.1.4.9. Test: Test Name : 802.1x_Preauth_Role


Test: Test ID :167778
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 30/1/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the functionality of Preauth-Role
Topology:
Radius Server 2
|
|
DUT-----------Radius Server 1
|
|
|
PC

Test Case Description:


1. Configure MAC authentication for the port connected to IP Phone 1.
2. Configure 802.1x authentication for the port connected to IP Phone 2.
3. Configure two VLANs without voice.
4. Configure the VLANs as critical voice VLANs for the ports connected to IP Phone 1 and IP Phone 2 respectively. Verify
that the switch throws a warning message.
5. Make both RADIUS servers unreachable.
6. Verify that the critical VLANs are not assigned to the port, since they are not voice VLANs.
7. Make both VLANs voice VLANs.
8. Verify that the critical VLANs are applied to the IP Phones.
9. Verify the VLAN that the switch is advertising in LLDP/CDP packets.
10. Verify the VLAN that the IP Phones are advertising.

Feature Description:
The existing authentication feature does not differentiate between an authentication failure due to a “radius-reject” and
one due to “radius-not-being-reachable”. This feature enhancement supports a “Critical VLAN” concept: when a remote
authentication (mac-auth or 802.1x) starts for a client but the authentication server is not reachable, the client is
placed in the “Critical VLAN” instead of being blocked.
A Critical VLAN can be configured as a tagged (voice) or untagged (data) VLAN. It can also be configured within a user-role,
in which case that user-role is called the “Critical Role”. Therefore, when a Critical-Role is configured, any client that
fails authentication because the authentication server is not reachable has the Critical-Role applied.
This feature is configurable per port and applies only to mac-based and 802.1x authentication.
Platforms supported are 3810, 5400R, 2930F and 2930M.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
149894

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 238195,238235,240136
Test: BP Filter: HPE
Test: GUID: ALMTP157C167778

Steps :

Step Name: Step 1
Description:
    Configure Vlan with ip-address
        Aruba-Stack-3810M(config)# vlan 1
        Aruba-Stack-3810M(vlan-1)# ip address 20.1.1.1/24
        Aruba-Stack-3810M(vlan-1)# exit
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 2
Description:
    Configure two radius servers on the same subnet as the vlan ip address
    configured on Step1
        radius-server host <ip-address> key <key> tracking
        radius-server host <ip-address> key <key> tracking
        radius-server tracking interval 60
Expected Result:
    Verify the configuration changes using "show run" and "show radius"

Step Name: Step 3
Description:
    Configure two vlans in the DUT
        vlan <id>
        exit
        vlan <id>
        exit
    Configure user-role
        switch(config)# port-access role preauth
        switch(config-pa-role)# vlan access <vid>
        switch(config-pa-role)# vlan trunk allowed <vid>
        switch(config-pa-role)# exit
        switch(config)#
        switch(config)# port-access role reject
        switch(config-pa-role)# vlan access <vid>
        switch(config-pa-role)# vlan trunk allowed <vid>
        switch(config-pa-role)# exit
        switch(config)#
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 4
Description:
    Configure 802.1x authentication on the port where pc is connected
        DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
        aaa authentication port-access auth-mode device-mode
    Enable 802.1X authentication on a port:
        switch# configure terminal
        switch(config)# interface 1/1/1
        switch(config-if)# aaa authentication port-access dot1x authenticator enable
        switch(config-if)#
        DUT(config)# aaa port-access dot1x authenticator enable
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 5
Description:
    Configure PreAuth and Reject user-role with data-vlans on the port
    configured for 802.1x
        switch# configure terminal
        switch(config-if)#aaa authentication port-access preauth-role preauth
        switch# configure terminal
        switch(config-if)#aaa authentication port-access reject-role reject
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 6
Description:
    Make both the radius server unreachable before starting the authentication
    and radius tracking should have learnt the servers are unreachable also
Expected Result:
    Verify using "show radius"

Step Name: Step 7
Description:
    Start supplicant in 802.1x configured PC
Expected Result:
    Verify the clients are placed in reject role directly instead of preauth-role
    using
    * show aaa authentication port-access dot1x authenticator interface all port-statistics
    * show aaa authentication port-access dot1x authenticator interface all client-status
    * show aaa authentication port-access interface all client-status

1.1.1.1.1.1.4.10. Test: Test Name : 802.1x_Reject_Role


Test: Test ID :167805
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 31/1/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the functionality of Reject Role in PC
Topology:
Radius Server 2
|
|
DUT-----------Radius Server 1
|
|
|
PC

Test Case Description:


1. Configure MAC authentication for the port connected to IP Phone 1.
2. Configure 802.1x authentication for the port connected to IP Phone 2.
3. Configure two VLANs without voice.
4. Configure the VLANs as critical voice VLANs for the ports connected to IP Phone 1 and IP Phone 2 respectively. Verify
that the switch throws a warning message.
5. Make both RADIUS servers unreachable.
6. Verify that the critical VLANs are not assigned to the port, since they are not voice VLANs.
7. Make both VLANs voice VLANs.
8. Verify that the critical VLANs are applied to the IP Phones.
9. Verify the VLAN that the switch is advertising in LLDP/CDP packets.
10. Verify the VLAN that the IP Phones are advertising.
Feature Description:
The existing authentication feature does not differentiate between an authentication failure due to a “radius-reject” and
one due to “radius-not-being-reachable”. This feature enhancement supports a “Critical VLAN” concept: when a remote
authentication (mac-auth or 802.1x) starts for a client but the authentication server is not reachable, the client is
placed in the “Critical VLAN” instead of being blocked.
A Critical VLAN can be configured as a tagged (voice) or untagged (data) VLAN. It can also be configured within a user-role,
in which case that user-role is called the “Critical Role”. Therefore, when a Critical-Role is configured, any client that
fails authentication because the authentication server is not reachable has the Critical-Role applied.
This feature is configurable per port and applies only to mac-based and 802.1x authentication.
Platforms supported are 3810, 5400R, 2930F and 2930M.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
149894

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 244450
Test: BP Filter: HPE
Test: GUID: ALMTP157C167805

Steps :

Step Name: Step 1
Description:
    Configure Vlan with ip-address
        Aruba-Stack-3810M(config)# vlan 1
        Aruba-Stack-3810M(vlan-1)# ip address 20.1.1.1/24
        Aruba-Stack-3810M(vlan-1)# exit
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 2
Description:
    Configure two radius servers on the same subnet as the vlan ip address
    configured on Step1
        radius-server host <ip-address> key <key> tracking
        radius-server host <ip-address> key <key> tracking
        radius-server tracking interval 60
Expected Result:
    Verify the configuration changes using "show run" and "show radius"

Step Name: Step 3
Description:
    Configure two vlans in the DUT
        vlan <id>
        exit
        vlan <id>
        exit
    Configure user-role
        switch(config)# port-access role reject
        switch(config-pa-role)# vlan access <vid>
        switch(config-pa-role)# vlan trunk allowed <vid>
        switch(config-pa-role)# exit
        switch(config)#
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 4
Description:
    Configure 802.1x authentication on the port where pc is connected
        DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
        aaa authentication port-access auth-mode device-mode
    Enable 802.1X authentication on a port:
        switch# configure terminal
        switch(config)# interface 1/1/1
        switch(config-if)# aaa authentication port-access dot1x authenticator enable
        switch(config-if)#
        DUT(config)# aaa port-access dot1x authenticator enable
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 5
Description:
    Configure Reject user-role with data-vlans on the port configured for 802.1x
        switch# configure terminal
        switch(config-if)#aaa authentication port-access reject-role reject
Expected Result:
    Verify the configuration changes using "show run"

Step Name: Step 6
Description:
    Make both the radius server unreachable before starting the authentication
    and radius tracking should have learnt the servers are unreachable also
Expected Result:
    Verify using "show radius"

Step Name: Step 7
Description:
    Start supplicant in 802.1x configured PC
Expected Result:
    Verify the clients are placed in reject role using
    * show aaa authentication port-access dot1x authenticator interface all port-statistics
    * show aaa authentication port-access dot1x authenticator interface all client-status
    * show aaa authentication port-access interface all client-status

1.1.1.1.1.1.4.11. Test: Test Name : 802.1x_cdp_lldp_bypass


Test: Test ID :167806
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 31/1/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the 802.1x feature in interop with CDP/LLDP bypass functionality.
Requirement:
DUT---PC Behind IP Phone (Cisco)
|
Radius server
When CDP Bypass is successful, 802.1x authentication should not be triggered for the phone.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/01/2019: Test Case migrated from PVOS Test ID:
154465

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj

Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 9/1/2019
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS;Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 213799
Test: BP Filter: HPE
Test: GUID: ALMTP157C167806

Steps :

Step Name: Step 1
Description:
    Reserve Switch from POD manager. Install required build using "Install build"
    option.
Expected Result:
    Build should be installed successfully without any errors.

Step Name: Step 2
Description:
    Configure IP in the vlan having radius server connectivity
        vlan 1
        ip address 20.1.1.1/24
        exit
Expected Result:
    Verify the configuration using "show run"

Step Name: Step 3
Description:
    Configure radius-server using
        radius-server host <ip-address> key <key>
    Ensure 8021x credentials of PC is available in radius server
Expected Result:
    Verify the configuration using "show run" and "show radius"

Step Name: Step 4
Description:
    Configure following CLIs on switch from configuration mode,
        DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
        aaa authentication port-access auth-mode device-mode
    Enable 802.1X authentication on a port:
        switch# configure terminal
        switch(config)# interface 1/1/1
        switch(config-if)# aaa authentication port-access dot1x authenticator enable
        switch(config-if)#
        DUT(config)# aaa port-access dot1x authenticator enable
        HP-Switch(config)# interface 1/1/1
        HP-Switch(config-if)# aaa authentication port-access lldp-bypass
        HP-Switch(config-if)# aaa authentication port-access cdp-bypass
Expected Result:
    Configuration should be applied properly. Validate the same using "show run"
    CLI.

Step Name: Step 5
Description:
    Verify the CDP/LLDP bypass in two cases
    1. When 802.1x Authentication of the phone is successful first and later
       special TLV Packet comes from Phone
    2. When first Special TLV packet comes from the phone as first packet before
       802.1x authentication is triggered
Expected Result:
    Verify using
    * show aaa authentication port-access interface all client-status

1.1.1.1.1.1.4.12. Test: Test Name : 802.1x_Port_Security_Mac_Lockdown_Lockout
Test: Test ID :167817
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 31/1/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the 802.1x feature in interop with port-security/mac lockdown/lockout
Requirement:
DUT---PC
|
Radius server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/01/2019: Test Case migrated from PVOS Test ID:
154465

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y

Test: Estimated Run Time : 0
Test: Scripted Date : 9/1/2019
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C167817

Steps :

Step Name: Step 1
Description:
    Reserve Switch from POD manager. Install required build using "Install build"
    option.
Expected Result:
    Build should be installed successfully without any errors.

Step Name: Step 2
Description:
    Configure IP in the vlan having radius server connectivity
        vlan 1
        ip address 20.1.1.1/24
        exit
Expected Result:
    Verify the configuration using "show run"

Step Name: Step 3
Description:
    Configure radius-server using
        radius-server host <ip-address> key <key>
    Ensure 8021x credentials of PC is available in radius server
Expected Result:
    Verify the configuration using "show run" and "show radius"

Step Name: Step 4
Description:
    Configure following CLIs on switch from configuration mode,
        DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
        aaa authentication port-access auth-mode device-mode
    Enable 802.1X authentication on a port:
        switch# configure terminal
        switch(config)# interface 1/1/1
        switch(config-if)# aaa authentication port-access dot1x authenticator enable
        switch(config-if)#
        DUT(config)# aaa port-access dot1x authenticator enable
        HP-Switch(config)# interface 1/1/1
        HP-Switch(config-if)# aaa authentication port-access lldp-bypass
        HP-Switch(config-if)# aaa authentication port-access cdp-bypass
Expected Result:
    Configuration should be applied properly. Validate the same using "show run"
    CLI.

Step Name: Step 5
Description:
    Configure port-security and mac lockdown on the port configured with 802.1x
Expected Result:
    Verify mac lockdown and port-security features are mutually exclusive

Step Name: Step 6
Description:
    Configure mac lock out to deny the traffic from 802.1x authenticated client
Expected Result:
    Verify the client is deauthenticated immediately

1.1.1.1.1.1.4.13. Test: Test Name : 802.1x_Radius_Over_IPSec


Test: Test ID :169196
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 7/2/2019
Test: Type : MANUAL
Test: Description : Objective:
Verify that 802.1x authentication is successful with radius over IPSec

Setup:
Supplicant<==========>DUT<=========>Radius Server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/12/2018: Test Case migrated from PVOS Test ID:
152510

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 3 - High

Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C169196

Steps :

Step Name: Step 1 - Topology Setup
Description:
    Topology
    Connect the devices according the topology shown.

Step Name: Step 2 - Setup Radius and Dot1x
Description:
        radius-server host 40.1.1.2 port 1900 timeout 5 key ciphertext AQBapUwNK5Uf+r1vmhBIncQPw1YPVH0V1nYr7Yjm/bPn3bBVCgAAAHFKt8mcSv/A/g8= auth-type chap retries 2 secure ipsec encryption spi 256 sha1 ciphertext AQBapUwNK5Uf+r1vmhBIncQPw1YPVH0V1nYr7Yjm/bPn3bBVCgAAAHFKt8mcSv/A/g8= 3des ciphertext AQBapa+LPzRXmXHLce/Ouu5nmMeTYmsSvrdVwGXgVjpgsA+cGAAAAOi9D+jgnahil7myFa2YYDwatJl2cl0+iQ==
        DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
        aaa authentication port-access auth-mode device-mode
    Enable 802.1X authentication on a port:
        switch# configure terminal
        switch(config)# interface 1/1/1
        switch(config-if)# aaa authentication port-access dot1x authenticator enable
        switch(config-if)#
        DUT(config)# aaa port-access dot1x authenticator enable
        HP-Switch(config)# interface 1/1/1
        HP-Switch(config-if)# aaa authentication port-access client-limit 2
Expected Result:
    Use the c
    "Show ru
    config" to
    command
    is presen

Step Name: Step 3
Description:
    Register certificate used for EAP-TLS authentication with more than 5000
    bytes and ensure the same is used while authenticating clients.
Expected Result:
    Clients an
    should us
    configure
    certificate

Step Name: Step 4
Description:
    Authentication shouldn't succeed as radius access request it will be more
    than 1512 bytes

Step Name: Step 5
Description:
    Enabled jumbo in the VRF used for radius requests

Step Name: Step 6
Description:
    Trigger Authentication of the client again with certificate size more than
    5000 bytes
Expected Result:
    Verify the
    authentica
    be succes
    with EAP
    being frag
    since the
    certificate
    shouldnt b
    than 4096

1.1.1.1.1.1.4.14. Test: Test Name : 802.1x_Non_Default_VRF
Test: Test ID :176375
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 10/2/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the functionality of 802.1x when ports/radius-servers are from different VRF
Topology:
Radius Server 2 (VRF1)
|
|
PC2(Default)---- DUT-----------Radius Server 1 (Default)
|
|
|
PC 1 - VRF1

Test Case Description:

1. Configure MAC Authentication for the port connected to IP Phone 1.
2. Configure 802.1x authentication for the port connected to IP Phone 2.
3. Configure two VLANs without voice.
4. Configure the VLANs as critical voice VLANs for the ports connected to IP Phone 1 and IP Phone 2 respectively. Verify the switch throws a warning message.
5. Make both RADIUS servers unreachable.
6. Verify that critical VLANs will not be assigned to the port, since they are not voice VLANs.
7. Make both VLANs voice VLANs.
8. Verify that critical VLANs will be applied to the IP Phones.
9. Verify the VLAN the switch is advertising for LLDP/CDP packets.
10. Verify the VLAN the IP Phones are advertising.

Feature Description:
The existing authentication feature does not differentiate between an authentication failure due to a “radius-reject” and one due to “radius-not-being-reachable”. This feature enhancement supports a “Critical VLAN” concept: when a remote authentication (mac-auth or 802.1x) starts for a client but the authentication server is not reachable, the client is placed in the “Critical VLAN” instead of being blocked.
Critical VLAN can be configured as a tagged (voice) or untagged (data) VLAN. It can also be configured within a user-role, in which case that user-role is called the “Critical Role”. Therefore, when a Critical Role is configured, any client that fails authentication because the authentication server is not reachable has the Critical Role applied.
This feature is configurable per port and only applies to mac-based and 802.1x authentication.
Platforms being supported are 3810, 5400R, 2930F and 2930M
Platforms being supported are 3810, 5400R, 2930F and 2930M

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
149894

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018

Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 238195,238235,240136
Test: BP Filter: HPE
Test: GUID: ALMTP157C176375

Steps :

Step Name: Step 1
Description:
Configure VLAN with ip-address
Aruba-Stack-3810M(config)# vlan 1
Aruba-Stack-3810M(vlan-1)# ip address 20.1.1.1/24
Aruba-Stack-3810M(vlan-1)# exit
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 2
Description:
Configure two RADIUS servers on the same subnet as the VLAN IP address configured in Step 1. Radius 1 should be part of the default VRF and Radius 2 should be part of VRF1
radius-server host <ip-address> key <key> vrf default
radius-server host <ip-address> key <key> vrf vrf1
Expected Result:
Verify the configuration changes using "show run" and "show radius"

Step Name: Step 3
Description:
Configure two VLANs in the DUT
vlan <id>
exit
vlan <id>
exit
Configure user-role
switch(config)# port-access role auth
switch(config-pa-role)# vlan access <vid>
switch(config-pa-role)# vlan trunk allowed <vid>
switch(config-pa-role)# exit
switch(config)#
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 4
Description:
Add the PC ports to different VRFs
PC1 in VRF1
PC2 in Default VRF
Expected Result:
Verify the configuration using "show run"

Step Name: Step 5
Description:
Configure 802.1x authentication on the ports where PCs are connected
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
```
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 6
Description:
Configure Auth user-role with data-vlans on the ports configured for 802.1x
switch# configure terminal
switch(config-if)# aaa authentication port-access auth-role auth
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 7
Description:
Make both RADIUS servers reachable before starting the authentication
Expected Result:
Verify using "show radius"

Step Name: Step 8
Description:
Start supplicant in 802.1x configured PCs
Expected Result:
Verify the following
1. PC1's RADIUS request, even though it is from a different VRF, will go to the default VRF - server 1
2. PC2's RADIUS request will go to the default VRF RADIUS server - server 1
* show aaa authentication port-access dot1x authenticator interface all port-statistics
* show aaa authentication port-access dot1x authenticator interface all client-status
* show aaa authentication port-access interface all client-status

Step Name: Step 9
Description:
Verify traffic from PC1 will not reach PC2 since both are in different VRFs

1.1.1.1.1.1.4.15. Test: Test Name : 802.1x_DSNOOP


Test: Test ID :176381
Test: Subject : Interop Testing
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 11/2/2019
Test: Type : MANUAL
Test: Description : Objective :
To Verify the 802.1x feature in interop with DHCP V4 Snooping
Requirement:
DHCP Server
|
DUT---PC
|
Radius server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 10/01/2019: Test Case migrated from PVOS Test ID:
154465

Test: Automated : Not Feasible


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 2 - Medium
Test: Test Suited for OSTL? : N
Test: Estimated Run Time : 0
Test: Scripted Date : 9/1/2019
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : Leveraged from PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C176381

Steps :

Step Name: Step 1
Description:
Reserve Switch from POD manager. Install required build using "Install build" option.
Expected Result:
Build should be installed successfully without any errors.

Step Name: Step 2
Description:
Configure IP in the VLAN having RADIUS server connectivity
vlan 1
ip address 20.1.1.1/24
exit
Expected Result:
Verify the configuration using "show run"

Step Name: Step 3
Description:
Configure radius-server using
radius-server host <ip-address> key <key>
Ensure the 802.1x credentials of the PC are available in the RADIUS server
Expected Result:
Verify the configuration using "show run" and "show radius"

Step Name: Step 4
Description:
Configure following CLIs on switch from configuration mode,
DUT(config)# aaa authentication port-access dot1x authenticator auth-method eap-radius
aaa authentication port-access auth-mode device-mode
Enable 802.1X authentication on a port:
```
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
switch(config-if)#
DUT(config)# aaa port-access dot1x authenticator enable
HP-Switch(config)# interface 1/1/1
HP-Switch(config-if)# aaa authentication port-access lldp-bypass
HP-Switch(config-if)# aaa authentication port-access cdp-bypass
```
Expected Result:
Configuration should be applied properly. Validate the same using "show run" CLI.

Step Name: Step 5
Description:
Configure DHCPv4 Snooping in the Switch
switch# configure terminal
switch(config)# dhcpv4-snooping
Configure an authorized server:
switch# configure terminal
switch(config)# dhcpv4-snooping authorized-server 192.168.10.1
Expected Result:
Verify using "show run"

Step Name: Step 6
Description:
Enable DHCP Snooping trusted on the port connected to DHCP Server
switch# configure terminal
switch(config)# interface 1/1/1
switch(config-if)# dhcpv4-snooping trust
Expected Result:
Verify using "show run"

Step Name: Step 7
Description:
Start the supplicant and DHCP Request from the PC
Expected Result:
Verify the supplicant authentication is successful and the DHCP Request succeeds using
show aaa authentication port-access interface all client-status
show dhcpv4-snooping binding

1.1.1.1.1.1.5. Subject\Production\SW Development\Feature Test Plans - Dev Handoff\802.1x\Supportability

Test List :

1.1.1.1.1.1.5.1. Test: Test Name : 802.1x_S_01._CopySupportFiles


Test: Test ID :168588
Test: Subject : Supportability
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 4/2/2019
Test: Type : MANUAL

Test: Description : OBJECTIVE:


The objective of the testcase is to verify supportability logs are captured properly using 'copy support-files.....' CLI

Requirements:
1. Switch (DUT) - Device under Test
2. Console/Telnet/SSH connection to the Switch (DUT)
3. Supplicant
4. Radius Server

SETUP:
Supplicant<---->DUT<------>Radius Server

Description:

Copy supportability files should capture required output.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
106764

Test: Automated : Dev Funnel
Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C168588

Steps :

Step Name: Prepare DUT
Description:
1. Erase the DUT configuration to start with a clean configuration
(config)# erase startup-config
Expected Result:
1. DUTs will boot to a default config.

Step Name: Enable base Configuration
Description:
(config)# interface 1/1/1 (connect radius server to this port)
(config-if)# VRF attach <default_vrf>
(config-if)# ip address 1.1.1.1/24
config# radius-server host <ip-address> key <shared-key>
Enable 802.1x authenticator on the interface connected to supplicant
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
Enable auth method to eap radius
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# auth-method eap-radius
Enable 802.1x globally
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# enable
Expected Result:
1. Verify show running-config shows the radius, mac auth CLIs configured in this step.
show run
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]
Check above CLI output to verify mac-based configurations and mac-password.

Step Name: Trigger Supplicant
Description:
Start 802.1x supplicant on VM
Expected Result:
On DUT verify that the client is authenticated
Verify using below CLIs,
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]

Step Name: Copy support-files
Description:
Copy support-files using 'copy support-files feature <dot1x> tftp .......
Expected Result:
Support-files specific to mac authentication feature should be copied properly without any errors.

Step Name: Repeat the step for SFTP and Checkpoint
Description:
Validate support-files with sftp backup and checkpoint.
Expected Result:
Support-files specific to mac authentication feature should be copied properly without any errors.

1.1.1.1.1.1.5.2. Test: Test Name : 802.1x_S_02._DiagDump


Test: Test ID :168589
Test: Subject : Supportability
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 4/2/2019

Test: Type : MANUAL

Test: Description : OBJECTIVE:


The objective of the testcase is to verify supportability logs are captured properly using 'diag-dump' CLI

Requirements:
1. Switch (DUT) - Device under Test
2. Console/Telnet/SSH connection to the Switch (DUT)
3. Supplicant
4. Radius Server

SETUP:
Supplicant<---->DUT<------>Radius Server

Description:

Purpose: The primary goal of the diagnostic module is to capture internal diagnostic information about features from related daemons. The diagnostic infrastructure is responsible for capturing information from one or more daemons for a feature.
Check that diag-dump has captured sufficient DB-level and daemon internal state for the particular feature, and that the captured info will be helpful for troubleshooting.

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
106764

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional

Test: BP Filter: HPE
Test: GUID: ALMTP157C168589

Steps :

Step Name: Prepare DUT
Description:
1. Erase the DUT configuration to start with a clean configuration
(config)# erase startup-config
Expected Result:
1. DUTs will boot to a default config.

Step Name: Enable base Configuration
Description:
(config)# interface 1/1/1 (connect radius server to this port)
(config-if)# VRF attach <default_vrf>
(config-if)# ip address 1.1.1.1/24
config# radius-server host <ip-address> key <shared-key>
Enable 802.1x authenticator on the interface connected to supplicant
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
Enable auth method to eap radius
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# auth-method eap-radius
Enable 802.1x globally
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# enable
Expected Result:
1. Verify show running-config shows the radius, mac auth CLIs configured in this step.
show run
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]
Check above CLI output to verify mac-based configurations and mac-password.

Step Name: Trigger Supplicant
Description:
Start 802.1x supplicant on VM
Expected Result:
On DUT verify that the client is authenticated
Verify using below CLIs,
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]

Step Name: Execute 'diag-dump' command
Description:
Purpose of this CLI - the diagnostic module is to capture internal diagnostic information about features from related daemons
switch# diagnostics
switch# diag-dump <CLI TBD> basic
Expected Result:
Check the diag-dump output to see if it has captured sufficient DB-level and daemon internal state for the particular feature, and that the captured info will be helpful for troubleshooting.

1.1.1.1.1.1.5.3. Test: Test Name : 802.1x_S_03._EventLogs


Test: Test ID :168590
Test: Subject : Supportability
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 4/2/2019
Test: Type : MANUAL

Test: Description : OBJECTIVE:


The objective of the testcase is to verify supportability logs are captured properly using 'show events' CLI

Requirements:
1. Switch (DUT) - Device under Test
2. Console/Telnet/SSH connection to the Switch (DUT)
3. Supplicant
4. Radius Server

SETUP:
Supplicant<---->DUT<------>Radius Server

Description:

Purpose: This facility lets the user easily obtain information on problems that occur and provides an appropriate solution to the problem. The Event logging Infrastructure is responsible for generating and capturing event logs from different Features/Daemons.
The system should capture only system-related events (like daemon/feature enable/disable, interface up/down, feature/daemon restart, etc.) in the events infra.
Logs are persistent over boot and HA sync. Each event log has a fixed format containing time stamp, daemon name, unique event ID, severity and message

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
106764

Test: Automated : Dev Funnel

Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Test Case Attributes : IFD - PVOS
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: PVOS CR-ID : 180366
Test: BP Filter: HPE
Test: GUID: ALMTP157C168590

Steps :

Step Name: Prepare DUT
Description:
1. Erase the DUT configuration to start with a clean configuration
(config)# erase startup-config
Expected Result:
1. DUTs will boot to a default config.

Step Name: Enable base Configuration
Description:
(config)# interface 1/1/1 (connect radius server to this port)
(config-if)# VRF attach <default_vrf>
(config-if)# ip address 1.1.1.1/24
config# radius-server host <ip-address> key <shared-key>
Enable 802.1x authenticator on the interface connected to supplicant
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
Enable auth method to eap radius
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# auth-method eap-radius
Enable 802.1x globally
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# enable
Expected Result:
1. Verify show running-config shows the radius, mac auth CLIs configured in this step.
show run
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]
Check above CLI output to verify mac-based configurations and mac-password.

Step Name: Trigger Supplicant
Description:
Start 802.1x supplicant on VM
Expected Result:
On DUT verify that the client is authenticated
Verify using below CLIs,
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]

Step Name: Execute 'show events' command
Description:
This facility lets the user easily obtain information on problems that occur and provides an appropriate solution to the problem. The Event logging Infrastructure is responsible for generating and capturing event logs from different Features/Daemons.
switch# show events
Expected Result:
The system should capture only system-related events (like daemon/feature enable/disable, interface up/down, feature/daemon restart, etc.) in the events infra.
Logs are persistent over boot and HA sync. Each event log has a fixed format containing time stamp, daemon name, unique event ID, severity and message

1.1.1.1.1.1.5.4. Test: Test Name : 802.1x_S_04._ShowTech


Test: Test ID :168591
Test: Subject : Supportability
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 4/2/2019
Test: Type : MANUAL

Test: Description : OBJECTIVE:


The objective of the testcase is to verify supportability logs are captured properly using 'show tech <802.1x>' CLI

Requirements:
1. Switch (DUT) - Device under Test
2. Console/Telnet/SSH connection to the Switch (DUT)
3. Supplicant
4. Radius Server

SETUP:
Supplicant<---->DUT<------>Radius Server

Description:

Purpose: Show Tech Infrastructure helps to execute multiple show commands grouped under various features and produce the output of those commands. This lets the user analyse the system behavior remotely.
As tester, please check that only required CLIs are added into the show tech infra. After the required CLIs are added into the tech infra, execute “show tech” CLIs and validate the displayed output.

Validate below
Show tech <feature> - Check output is displayed properly and sufficient info is available in the output
show tech <feature> localfile <file name> - Check show tech output is copied into the file and it has sufficient info

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
106764

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C168591

Steps :

Step Name: Prepare DUT
Description:
1. Erase the DUT configuration to start with a clean configuration
(config)# erase startup-config
Expected Result:
1. DUTs will boot to a default config.

Step Name: Enable base Configuration
Description:
(config)# interface 1/1/1 (connect radius server to this port)
(config-if)# VRF attach <default_vrf>
(config-if)# ip address 1.1.1.1/24
config# radius-server host <ip-address> key <shared-key>
Enable 802.1x authenticator on the interface connected to supplicant
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
Enable auth method to eap radius
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# auth-method eap-radius
Enable 802.1x globally
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# enable
Expected Result:
1. Verify show running-config shows the radius, mac auth CLIs configured in this step.
show run
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]
Check above CLI output to verify mac-based configurations and mac-password.

Step Name: Trigger Supplicant
Description:
Start 802.1x supplicant on VM
Expected Result:
On DUT verify that the client is authenticated
Verify using below CLIs,
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]

Step Name: Execute 'show tech' command
Description:
Show Tech Infrastructure helps to execute multiple show commands grouped under various features and produce the output of those commands. This lets the user analyse the system behavior remotely.
Show tech <feature>
show tech <feature> localfile <file name>
Expected Result:
Show tech <feature> - Check output is displayed properly and sufficient info is available in the output
show tech <feature> localfile <file name> - Check show tech output is copied into the file and it has sufficient info

1.1.1.1.1.1.5.5. Test: Test Name : 802.1x_S_05._Checkpoint


Test: Test ID :168592

Test: Subject : Supportability
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 4/2/2019
Test: Type : MANUAL

Test: Description : OBJECTIVE:


The objective of the testcase is to verify migration of config using checkpoints

Requirements:
1. Switch (DUT) - Device under Test
2. Console/Telnet/SSH connection to the Switch (DUT)
3. Supplicant
4. Radius Server

SETUP:
Supplicant<---->DUT<------>Radius Server

Description:

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
106764

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional

Test: BP Filter: HPE
Test: GUID: ALMTP157C168592

Steps :

Step Name: Prepare DUT
Description:
1. Erase the DUT configuration to start with a clean configuration
(config)# erase startup-config
Expected Result:
1. DUTs will boot to a default config.

Step Name: Enable base Configuration
Description:
(config)# interface 1/1/1 (connect radius server to this port)
(config-if)# VRF attach <default_vrf>
(config-if)# ip address 1.1.1.1/24
config# radius-server host <ip-address> key <shared-key>
Enable 802.1x authenticator on the interface connected to supplicant
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
Enable auth method to eap radius
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# auth-method eap-radius
Enable 802.1x globally
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# enable
Expected Result:
1. Verify show running-config shows the radius, mac auth CLIs configured in this step.
show run
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]
Check above CLI output to verify mac-based configurations and mac-password.

Step Name: Trigger Supplicant
Description:
Start 802.1x supplicant on VM
Expected Result:
On DUT verify that the client is authenticated
Verify using below CLIs,
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]

Step Name: Copy Checkpoint
Description:
Copy the running config to checkpoint using below CLIs
copy running-config checkpoint <checkpoint-name>
Expected Result:
Verify the configuration is saved correctly in checkpoint

Step Name: Step 5
Description:
Disable the authenticator on the switch
aaa port-access authenticator disable
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 6
Description:
Restore the running-config back from checkpoint
copy checkpoint <checkpoint-name> running-config
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 7
Description:
Repeat the supplicant client authentication - Step 3

1.1.1.1.1.1.5.6. Test: Test Name : 802.1x_S_06_Config_Migration_CLI
Test: Test ID :168593
Test: Subject : Supportability
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 4/2/2019
Test: Type : MANUAL
Test: Description : OBJECTIVE:
The objective of the testcase is to verify migration of config CLI using TFTP/SFTP

Requirements:
1. Switch (DUT) - Device under Test
2. Console/Telnet/SSH connection to the Switch (DUT)
3. Supplicant
4. Radius Server

SETUP:
Supplicant<---->DUT<------>Radius Server

Test: Execution Status : No Run
Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
106764

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C168593

Steps :

Step Name: Prepare DUT
Description:
1. Erase the DUT configuration to start with a clean configuration
(config)# erase startup-config
Expected Result:
1. DUTs will boot to a default config.

Step Name: Enable base Configuration
Description:
(config)# interface 1/1/1 (connect radius server to this port)
(config-if)# VRF attach <default_vrf>
(config-if)# ip address 1.1.1.1/24
config# radius-server host <ip-address> key <shared-key>
Enable 802.1x authenticator on the interface connected to supplicant
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
Enable auth method to eap radius
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# auth-method eap-radius
Enable 802.1x globally
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# enable
Expected Result:
1. Verify show running-config shows the radius, mac auth CLIs configured in this step.
show run
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]
Check above CLI output to verify mac-based configurations and mac-password.

Step Name: Trigger Supplicant
Description:
Start 802.1x supplicant on VM
Expected Result:
On DUT verify that the client is authenticated
Verify using below CLIs,
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]

Step Name: Copy TFTP
Description:
Copy the running config to checkpoint using below CLIs
copy running-config tftp://15.212.178.133/file cli
Expected Result:
Verify the configuration is saved correctly in TFTP

Step Name: Step 5
Description:
Disable the authenticator on the switch
aaa port-access authenticator disable
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 6
Description:
Restore the running-config back from TFTP
copy <tft-URL> running-config
Expected Result:
Verify the configuration changes using "show run"

Step Name: Step 7
Description:
Repeat the supplicant client authentication - Step 3

Step Name: Step 4
Description:
Repeat Steps 4 to 6 with SFTP

1.1.1.1.1.1.5.7. Test: Test Name : 802.1x_S_07_Config_Migration_JSON
Test: Test ID :168594
Test: Subject : Supportability
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 4/2/2019
Test: Type : MANUAL
Test: Description : OBJECTIVE:
The objective of the testcase is to verify migration of config JSON using TFTP/SFTP
Requirements:
1. Switch (DUT) - Device under Test
2. Console/Telnet/SSH connection to the Switch (DUT)
3. Supplicant
4. Radius Server

SETUP:
Supplicant<---->DUT<------>Radius Server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID:
106764

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C168594

Steps :

Step Name : Prepare DUT
Description :
1. Erase the DUT configuration to start with a clean configuration
(config)# erase startup-config
Expected Result :
1. DUTs will boot to a default config.

Step Name : Enable base Configuration
Description :
(config)# interface 1/1/1 (connect radius server to this port)
(config-if)# VRF attach <default_vrf>
(config-if)# ip address 1.1.1.1/24
(config)# radius-server host <ip-address> key <shared-key>
Enable 802.1x authenticator on the interface connected to supplicant
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
Enable auth method to eap radius
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# auth-method eap-radius
Enable 802.1x globally
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# enable
Expected Result :
1. Verify show running-config shows the radius, mac auth CLIs configured in this step.
show run
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]
Check above CLI output to verify mac-based configurations and mac-password.

Step Name : Trigger Supplicant
Description :
Start 802.1x supplicant on VM
Expected Result :
On DUT verify that the client is authenticated
Verify using below CLIs,
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]

Step Name : Copy TFTP
Description :
Copy the running config to checkpoint using below CLIs
copy running-config tftp://15.212.178.133/file JSON
Expected Result :
Verify the configuration is saved correctly in TFTP

Step Name : Step 5
Description :
Disable the authenticator and MAC auth on the switch
aaa port-access authenticator disable
Expected Result :
Verify the configuration changes using "show run"

Step Name : Step 6
Description :
Restore the running-config back from TFTP
copy <tftp-URL> running-config
Expected Result :
Verify the configuration changes using "show run"

Step Name : Step 7
Description :
Repeat the supplicant client authentication - Step 3

Step Name : Step 4
Description :
Repeat Steps 4 to 6 with SFTP
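
Added example, not part of the original test plan: the "show run" checks around the copy, disable and restore steps above can be scripted by comparing three captured running-configs. The sample captures are constructed; the indented running-config layout, the address 192.0.2.10 and all function names are assumptions.

```python
# Added example (not from the test plan): automate the "verify using show run"
# checks around the copy / disable / restore steps.

# Lines the plan's "Enable base Configuration" step configures: (context, line).
REQUIRED = [
    ("aaa authentication port-access dot1x authenticator", "auth-method eap-radius"),
    ("aaa authentication port-access dot1x authenticator", "enable"),
    ("interface 1/1/1", "aaa authentication port-access dot1x authenticator enable"),
]

def parse_contexts(config_text):
    """Map each unindented context line to the set of indented lines under it."""
    contexts, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and comment lines
        if raw[0].isspace() and current is not None:
            contexts[current].add(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            contexts.setdefault(current, set())
    return contexts

def missing_dot1x(config_text):
    """Return the REQUIRED (context, line) pairs absent from a captured config."""
    contexts = parse_contexts(config_text)
    return [(c, l) for c, l in REQUIRED if l not in contexts.get(c, set())]

def round_trip_report(before, after_disable, after_restore):
    """Summarise the three 'show run' captures taken during the test."""
    return {
        "configured": not missing_dot1x(before),
        "disable_took_effect": bool(missing_dot1x(after_disable)),
        "restored": not missing_dot1x(after_restore),
        # A line present in only one capture is drift introduced by the round trip.
        "drift": sorted(set(before.splitlines()) ^ set(after_restore.splitlines())),
    }

# Constructed sample captures; the indentation layout is an assumption.
BEFORE = """\
radius-server host 192.0.2.10 key <shared-key>
aaa authentication port-access dot1x authenticator
    auth-method eap-radius
    enable
interface 1/1/1
    aaa authentication port-access dot1x authenticator enable
"""
AFTER_DISABLE = BEFORE.replace("    enable\n", "", 1)  # global enable removed
AFTER_RESTORE = BEFORE                                  # a clean restore

if __name__ == "__main__":
    print(round_trip_report(BEFORE, AFTER_DISABLE, AFTER_RESTORE))
```

A non-empty "drift" list with "restored" still true means the 802.1x lines came back but something else in the configuration changed during the round trip.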

1.1.1.1.1.1.5.8. Test: Test Name : 802.1x_S_08_Core_Dump


Test: Test ID :168595
Test: Subject : Supportability
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 4/2/2019
Test: Type : MANUAL

Test: Description : OBJECTIVE:
The objective of the testcase is to verify core dump generation is correct

Requirements:
1. Switch (DUT) - Device under Test
2. Console/Telnet/SSH connection to the Switch (DUT)
3. Supplicant
4. Radius Server

SETUP:
Supplicant<---->DUT<------>Radius Server

Test: Execution Status : No Run


Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID: 106764

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C168595

Steps :

Step Name : Prepare DUT
Description :
1. Erase the DUT configuration to start with a clean configuration
(config)# erase startup-config
Expected Result :
1. DUTs will boot to a default config.

Step Name : Enable base Configuration
Description :
(config)# interface 1/1/1 (connect radius server to this port)
(config-if)# VRF attach <default_vrf>
(config-if)# ip address 1.1.1.1/24
(config)# radius-server host <ip-address> key <shared-key>
Enable 802.1x authenticator on the interface connected to supplicant
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
Enable auth method to eap radius
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# auth-method eap-radius
Enable 802.1x globally
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# enable
Expected Result :
1. Verify show running-config shows the radius, mac auth CLIs configured in this step.
show run
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]
Check above CLI output to verify mac-based configurations and mac-password.

Step Name : Trigger Supplicant
Description :
Start 802.1x supplicant on VM
Expected Result :
On DUT verify that the client is authenticated
Verify using below CLIs,
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]

Step Name : Step 4
Description :
Abruptly stop the 802.1x daemon process
Expected Result :
Verify the core dump is generated correctly
show core-dump all

1.1.1.1.1.1.5.9. Test: Test Name : 802.1x_S_09_Memory_leak


Test: Test ID :168596
Test: Subject : Supportability
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 4/2/2019
Test: Type : MANUAL

Test: Description : OBJECTIVE:


The objective of the testcase is to verify if there is any memory leak observed with tools like valgrind

Requirements:
1. Switch (DUT) - Device under Test
2. Console/Telnet/SSH connection to the Switch (DUT)
3. Supplicant
4. Radius Server

SETUP:
Supplicant<---->DUT<------>Radius Server

Valgrind

Test: Execution Status : No Run
Test: Comments :

_______________________________________
HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID: 106764

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C168596

Steps :

Step Name : Prepare DUT
Description :
1. Erase the DUT configuration to start with a clean configuration
(config)# erase startup-config
Expected Result :
1. DUTs will boot to a default config.

Step Name : Enable base Configuration
Description :
(config)# interface 1/1/1 (connect radius server to this port)
(config-if)# VRF attach <default_vrf>
(config-if)# ip address 1.1.1.1/24
(config)# radius-server host <ip-address> key <shared-key>
Enable 802.1x authenticator on the interface connected to supplicant
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
Enable auth method to eap radius
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# auth-method eap-radius
Enable 802.1x globally
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# enable
Expected Result :
1. Verify show running-config shows the radius, mac auth CLIs configured in this step.
show run
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]
Check above CLI output to verify mac-based configurations and mac-password.

Step Name : Trigger Supplicant
Description :
Start 802.1x supplicant on VM
Expected Result :
On DUT verify that the client is authenticated
Verify using below CLIs,
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]

Step Name : Step 4
Description :
Perform memory leak testing with tools like valgrind
Expected Result :
Verify no memory leak observed

1.1.1.1.1.1.5.10. Test: Test Name : 802.1x_S_10_Debug_Logs


Test: Test ID :169197
Test: Subject : Supportability
Test: Status : Active
Test: Designer : shobana.nandakumar
Test: Creation Date : 7/2/2019
Test: Type : MANUAL

Test: Description : OBJECTIVE:


The objective of the testcase is to verify debug logs associated with 802.1x Authentication

Requirements:
1. Switch (DUT) - Device under Test
2. Console/Telnet/SSH connection to the Switch (DUT)
3. Supplicant
4. Radius Server

SETUP:
Supplicant<---->DUT<------>Radius Server

Test: Execution Status : No Run


Test: Comments :

_______________________________________

HPN RnD Tools and BI Team <cr.tools@hpe.com>, 09/12/2018: Test Case migrated from PVOS Test ID: 106764

Test: Automated : Dev Funnel


Test: Content Last Modified Date : 7/12/2018
Test: Content Last Modified Owner : ramesh.muthuraj
Test: Supported Platforms : 6300;6400
Test: Feature : 802.1x
Test: NPI Program : Halon 10.4
Test: Platform Independent : Y
Test: Plan Priority : 1 - Low
Test: Test Suited for OSTL? : Y
Test: Estimated Run Time : 0
Test: Scripted Date : 7/12/2018
Test: Test Area : SW Dev Feature
Test: Topology Name : None
Test: Test Sub-Area : System Functional
Test: BP Filter: HPE
Test: GUID: ALMTP157C169197

Steps :

Step Name : Prepare DUT
Description :
1. Erase the DUT configuration to start with a clean configuration
(config)# erase startup-config
Expected Result :
1. DUTs will boot to a default config.

Step Name : Enable base Configuration
Description :
(config)# interface 1/1/1 (connect radius server to this port)
(config-if)# VRF attach <default_vrf>
(config-if)# ip address 1.1.1.1/24
(config)# radius-server host <ip-address> key <shared-key>
Enable 802.1x authenticator on the interface connected to supplicant
switch(config)# interface 1/1/1
switch(config-if)# aaa authentication port-access dot1x authenticator enable
Enable auth method to eap radius
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# auth-method eap-radius
Enable 802.1x globally
switch(config)# aaa authentication port-access dot1x authenticator
switch(config-dot1x-auth)# enable
Expected Result :
1. Verify show running-config shows the radius, mac auth CLIs configured in this step.
show run
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]
Check above CLI output to verify mac-based configurations and mac-password.

Step Name : Enable Debug Logs
Description :
Enable Debug Logs
debug port-access dot1x authenticator

Step Name : Trigger Supplicant
Description :
Start 802.1x supplicant on VM
Expected Result :
On DUT verify that the client is authenticated
Verify using below CLIs,
show aaa authentication port-access dot1x interface <all|interface> client-status [mac <mac-address>]

Step Name : Verify Debug Logs
Description :
Verify debug logs are correct
Expected Result :
Verify debug logs
