802.1X Tests

This document is intended to test the 802.1X based security feature for Terragraph. It is used to test the 802.1X based authentication. The intent of this test plan is to evaluate:

• Correctness of 802.1X authentication for max number of peers (either: 16 CNs, 15 CNs and 1 DN, or 14 CNs and 2 DNs).
• For Puma, correctness of 802.1X authentication for max number (4) of baseband cards.
• Robustness of initial association and re-association with 802.1X authentication enabled.
• Robustness of 802.1X authentication in the presence of link flaps.
• 802.1X authentication when igniting butterfly topology.
• Performance of P2P / P2MP links with different iPerf packet sizes and packet rates, for UDP and TCP traffic (the 802.1X authentication should not affect throughput on a link, and the throughput should match the throughput with WPA-PSK).

Preparation Notes

• Provision the EAP-TLS certificates on the nodes. This has to be done once per the lifetime of the node. Verify that these certificate files (ca.pem, client.csr, client.key, client.pem) exist at /data/secure/keys on each node.
• Configure the IP addresses and passphrases for the test CA and RADIUS server.
• To enable 802.1X based authentication, set wsecEnable to 2 in the config file. Note that firmware uses /etc/e2e_config/fw_cfg.json, but the E2E controller and other security scripts use /data/cfg/node_config.json. For now, do make the wsecEnable config change in both the config files.
• All tests assume that the certificates are already provisioned on each Terragraph radio, DN or CN, and the config files, node_config.json have been updated with the settings for the RADIUS server IP and the wsecParams.eapolParams.secrets.

Ignition Test Cases

PUMA_RF_8021x-1-2 1DN+16 CN Association with E2E Controller

Description: This test assumes that the certificates are already provisioned on each Terragraph radio, DN or CN, and the config files, node_config.json have been updated with the settings for the RADIUS server IP and the wsecParams.eapolParams.secrets. We assume that each DN-CN link is capable of supporting MCS 12.

Procedure:

• Enable security using the approach described in the Preparation Notes section.
• Sequentially associate 16 CNs.
• Ping on link using link local.
• Send 50Mbps bidirectional iPerf UDP traffic simultaneously on all interfaces from traffic generators.
• Dissociate each link from DN Initiator.

Validation:

• All Associations succeed.
• Ping success
• No packet loss.
• iPerf throughput of 50Mbps is achieved on each link.
• Disassociation success.

PUMA_RF_8021x-1-4 1DN+14CN+2DN Association

Procedure:

• Same as 8021x-1-2, but configure as DN responder two of the 16 peers.

PUMA_RF_8021x-1-6 Reassoc Stress Test

Procedure:

• Randomly select a peer
• Break the link using attenuator between initiator and peer.
• Set attenuation to 0, and allow the link to come back up.
• After linkup, ping the peer.

Validation:

• No crashes.
• All pings succeed.

Feature Verification

The following negative tests are to be added to verify the protocol functionality. These tests can be run with either the E2E controller or r2d2 or both.

PUMA_RF_8021x-2-0 Positive test

For a P2P scenario (DN-DN and DN-CN link) do the following:

1. Make sure nodes have the security credentials described in the runbook.
2. Associate the nodes with 802.1X auth enabled (wsecEnable set to 2).
3. Verify that association succeeds.

PUMA_RF_8021x-2-1 Missing CA certificate

For a P2P scenario (DN-DN and DN-CN link) do the following:

1. Delete the file /data/secure/keys/ca.pem file from the responder node.
2. Associate the nodes with 802.1X auth enabled (wsecEnable set to 2).
3. Verify that association fails.

PUMA_RF_8021x-2-2 Missing client key

For a P2P scenario (DN-DN and DN-CN link) do the following:

1. Delete the file /data/secure/keys/client.key file from the responder node.
2. Associate the nodes with 802.1X auth enabled (wsecEnable set to 2).
3. Verify that association fails.

PUMA_RF_8021x-2-3 Missing client certificate

For a P2P scenario (DN-DN and DN-CN link) do the following:

1. Delete the file /data/secure/keys/client.pem file from the responder node.
2. Associate the nodes with 802.1X auth enabled (wsecEnable set to 2).
3. Verify that association fails.

PUMA_RF_8021x-2-4 Invalid radius_server_shared_secret

For a P2P scenario (DN-DN and DN-CN link) do the following:

1. On the DN initiator node, change the value of radioParamsBase.wsecParams.eapolParams.secrets.radius_server_shared_secret in /data/cfg/node_config.json to "tgInvalidSercret".
2. Associate the nodes with 802.1X auth enabled (wsecEnable set to 2).
3. Verify that association fails.

PUMA_RF_8021x-2-5 Invalid radius_user_password

For a P2P scenario (DN-DN and DN-CN link) do the following:

1. On the CN responder node, change the value of radioParamsBase.wsecParams.eapolParams.secrets.radius_user_password in /data/cfg/node_config.json to "tgInvalidPasswd".
2. Associate the nodes with 802.1X auth enabled (wsecEnable set to 2).
3. Verify that association fails.

PUMA_RF_8021x-2-6 Invalid private_key_password

For a P2P scenario (DN-DN and DN-CN link) do the following:

1. On the CN responder node, change the value of radioParamsBase.wsecParams.eapolParams.secrets.private_key_password in /data/cfg/node_config.json to "tgInvalidkey".
2. Associate the nodes with 802.1X auth enabled (wsecEnable set to 2).
3. Verify that association fails.

PUMA_RF_8021x-2-7 Invalid radius_user_identity

For a P2P scenario (DN-DN and DN-CN link) do the following:

1. On the CN responder node, change the value of radioParamsBase.wsecParams.eapolParams.radius_user_identity in /data/cfg/node_config.json to "tgInvaliduser".
2. Associate the nodes with 802.1X auth enabled (wsecEnable set to 2).
3. Verify that association fails.

PUMA_RF_8021x-2-8 Invalid NAS_IDENTIFIER

For a P2P scenario (DN-DN and DN-CN link) do the following:

1. On the DN initiator node, change the value of nas_identifier in /etc/hostapd-8021x.template to "invalidnas".
2. Associate the nodes with 802.1X auth enabled (wsecEnable set to 2).
3. Verify that association fails.

WSEC Settings Mismatch Test Cases

PUMA_RF_8021x-3-1 wsecEnable 2 and 1

For a P2P scenario (DN-DN and DN-CN link) do the following:

1. On the DN initiator node, set the value of wsecEnable to 2.
2. On the CN responder node, set the value of wsecEnable to 1.
3. Associate the nodes.
4. Verify that association fails.

PUMA_RF_8021x-3-3 wsecEnable 0 and 2

For a P2P scenario (DN-DN and DN-CN link) do the following:

1. On the DN initiator node, set the value of wsecEnable to 0.
2. On the CN responder node, set the value of wsecEnable to 2.
3. Associate the nodes.
4. Verify that association succeeds.
5. Ping on link using link local, and verify that ping succeeds.
6. Send 50Mbps bidirectional iPerf UDP traffic simultaneously on all interfaces from traffic generators.

PUMA_RF_8021x-3-5 wsecEnable 0 and 2 for P2MP

For a P2MP scenario ( DN-CN1 and DN-CN2 link) do the following:

1. On the DN initiator node, set the value of wsecEnable to 0.
2. On the CN1 responder node, set the value of wsecEnable to 2.
3. On the CN2 responder node, set the value of wsecEnable to 2.
4. Associate the nodes.
5. Verify that association succeeds.
6. Ping on link using link local, and verify that ping succeeds.

Multiple Baseband Card Test Cases

The multiple baseband card test cases are only applicable to Puma with multiple baseband cards inserted.

PUMA_RF_8021x-4-2 DN-DN Ignition with 2,3,4 basebands with E2E Controller

This test is the same as 8021x-1-2, with the topology file including a single DN-DN P2P link for each baseband card. This test is to be repeated with 2, 3, and 4 baseband cards attached to the Puma digital board.

Validation:

• Verify that link comes up for all the basebands.

PUMA_RF_8021x-4-4 P2MP DN-DN and DN-CN Ignition with 2,3,4 basebands with E2E Controller

This test is the same as 8021x-1-2, with the topology file including a P2MP DN-DN and a DN-CN link for each baseband card. This test is to be repeated with 2, 3, and 4 baseband cards attached to the Puma digital board.

Validation:

• Verify that link comes up for all the basebands.

Throughput Test cases

The throughput test cases will be the same as the one's from Over-The-Air Security Test Plan for WPA-PSK. Do refer to the Throughput Test cases in this test plan. The only difference will be that wsecEnable is set to 2 to enable 802.1X authentication. There should be no degradation of throughput due to 802.1X authentication.

Description: These test cases are purposed to evaluate the performance impact of enabling OTA security in topological scenarios.

Test ID	Topology	Packet Size (bytes)	UDP Push Rate (Mbps) - laMaxMcs = 9	UDP Expected Throughput (Mbps)	UDP Push Rate (Mbps) - laMaxMcs = 12	UDP Expected Throughput (Mbps)
PUMA_RF_8021x-5	P2P (DN-DN, DN-CN)	1500	720	720*	720	720*
PUMA_RF_8021x-6	P2MP (2DN, 3CNs)	5602(MCS9)/ 5469(MCS12)	850(serial)/ 250(parallel)	832.44(serial)/ 225.67(parallel)	1400(serial)/ 390(parallel)	1381.67(serial)/ 374.57(parallel)
PUMA_RF_8021x-7	Butterfly (2DNs, 2 CNs per DN)	5602(MCS9)/ 5469(MCS12)	900(serial)/ 320(parallel)	891.90(serial)/ 302.59(parallel)	900(serial)/ 320(parallel)	891.90(serial)/ 302.59(parallel)
PUMA_RF_8021x-8	Y-street (3 DNs only)	5602(MCS9)/ 5469(MCS12)	900(serial)/ 450(parallel)	891.90(serial)/ 441(parallel)	1420(serial)/ 770(parallel)	1405.84(serial)/ 765.16(parallel)
PUMA_RF_8021x-9	Figure of U	5602(MCS9)/ 5469(MCS12)	1050	1000	1650	1610

* These throughput numbers don't have to be adjusted to account for additional overhead from CCMP security headers, etc.

Procedure:

• Ignite topology for the test ID shown in the table above.
• Ping each link using link local.
• Send iPerf UDP traffic serially on each link from traffic generators, using the push rate provided in the table above.
• Send iPerf UDP traffic simultaneously on all links from traffic generators (if applicable), using the push rate provided in the table above.

Validation:

• All associations succeed for the ignited topology.
• Ping success on all links.
• iPerf throughput is within 95% expected throughput, as shown in the table above.