Authentication
This scenario shows how to set up AAA authentication for login/Telnet using different AAA methods.
Local Method
Description
An AAA list with the local AAA method is created and assigned to the SSH service’s authentication. The device then starts an SSH session with itself to check that access is granted when the correct username and password are used.
Scenario
Step 1: Set the following configuration in DUT0:
set system aaa list list1 method 1 local set service ssh aaa authentication list1
Step 2: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user admin:
admin@DUT0$ ssh admin@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts. admin@127.0.0.1's password: Welcome to Teldat OSDx v3.10.1.5 This system includes free software. Contact Teldat for licenses information and source code. Last login: Thu Jun 20 18:28:21 2024 from 10.215.168.21 admin@osdx$
Radius Method
Description
A RADIUS server is added to a RADIUS group which is added to an AAA list. This list is assigned to the SSH service’s authentication. The device then starts an SSH session with itself to check that access is granted when the correct username and password are used.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set service ssh aaa authentication list1
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.302 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.302/0.302/0.302/0.000 ms
Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testing:
admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts. testing@127.0.0.1's password: Welcome to Teldat OSDx v3.10.1.5 This system includes free software. Contact Teldat for licenses information and source code. testing@osdx$
Tacacs Method
Description
A TACACS+ server is added to a TACACS+ group which is added to an AAA list. This list is assigned to the SSH service’s authentication. The device then starts an SSH session with itself to check that access is granted when the correct username and password are used.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 key 1234 set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set service ssh aaa authentication list1
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.319 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.319/0.319/0.319/0.000 ms
Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testing:
admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts. testing@127.0.0.1's password: Welcome to Teldat OSDx v3.10.1.5 This system includes free software. Contact Teldat for licenses information and source code. testing@osdx$