Radius
Telnet Privilege Map
Description
A RADIUS server is added to a RADIUS group, which is added to an AAA list. This list is assigned as the system login authentication method. Finally, the RADIUS privilege levels are mapped to locally defined roles. The device then opens a Telnet session to itself to check that the logged-in user can only run the commands that its mapped role is authorized to run.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa authorization privilege-map radius privileged role monitor
set system aaa authorization privilege-map radius standard role admin
set system login aaa authentication list1
set service telnet
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.248 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.248/0.248/0.248/0.000 ms
Step 3: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

osdx login:
Password:
Welcome to Teldat OSDx v3.10.1.5
This system includes free software.
Contact Teldat for licenses information and source code.
testing@osdx$
Step 4: Run command service cnm restart at DUT0 and expect this output:

service inactive. doing nothing.
Step 5: Run command show running at DUT0 and expect this output:

# Teldat OSDx VM version v3.10.1.5
# Thu 20 Jun 2024 19:18:41 UTC +00:00
# Warning: Configuration has not been saved
set interfaces ethernet eth0 address 10.215.168.64/24
set service telnet
set system aaa authorization privilege-map radius privileged role monitor
set system aaa authorization privilege-map radius standard role admin
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX19Sqkcdia0pwn4IQJ2ltvW74ZlYJDY05PXvow7DuVTs9QeoYPrTmti5L5OESslFPM1K2GQUo7qnEg==
set system login aaa authentication list1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command show date at DUT0 and expect this output:

Thu 20 Jun 2024 19:18:42 UTC +00:00
Step 7: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

osdx login:
Password:
Welcome to Teldat OSDx v3.10.1.5
This system includes free software.
Contact Teldat for licenses information and source code.
testadmin@osdx$
Step 8: Run command service cnm restart at DUT0 and expect this output:

CLI Error: Insufficient privileges
Step 9: Run command show running at DUT0 and expect this output:

CLI Error: Insufficient privileges
Step 10: Run command show date at DUT0 and expect this output:

Thu 20 Jun 2024 19:18:42 UTC +00:00
SSH Privilege Map
Description
A RADIUS server is added to a RADIUS group, which is added to an AAA list. This list is assigned as the SSH service's authentication method. Finally, the RADIUS privilege levels are mapped to locally defined roles. The device then opens an SSH session to itself to check that the logged-in user can only run the commands that its mapped role is authorized to run.
Scenario
Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa authorization privilege-map radius privileged role monitor
set system aaa authorization privilege-map radius standard role admin
set service ssh aaa authentication list1
Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.343 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.343/0.343/0.343/0.000 ms
Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testing:

admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
testing@127.0.0.1's password:
Welcome to Teldat OSDx v3.10.1.5
This system includes free software.
Contact Teldat for licenses information and source code.
testing@osdx$
Step 4: Run command service cnm restart at DUT0 and expect this output:

service inactive. doing nothing.
Step 5: Run command show running at DUT0 and expect this output:

# Teldat OSDx VM version v3.10.1.5
# Thu 20 Jun 2024 19:19:02 UTC +00:00
# Warning: Configuration has not been saved
set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication list1
set system aaa authorization privilege-map radius privileged role monitor
set system aaa authorization privilege-map radius standard role admin
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX189uiMPHYvMYdF+4HwhBdYx0mXWXm5jRUztq/h74GlfiIvonHETmlQ8HqjLWdDjtj6NNPL/7C9Srg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run command show date at DUT0 and expect this output:

Thu 20 Jun 2024 19:19:02 UTC +00:00
Step 7: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testadmin:

admin@DUT0$ ssh testadmin@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
testadmin@127.0.0.1's password:
Welcome to Teldat OSDx v3.10.1.5
This system includes free software.
Contact Teldat for licenses information and source code.
Last login: Thu Jun 20 19:19:02 2024 from 127.0.0.1
testadmin@osdx$
Step 8: Run command service cnm restart at DUT0 and expect this output:

CLI Error: Insufficient privileges
Step 9: Run command show running at DUT0 and expect this output:

CLI Error: Insufficient privileges
Step 10: Run command show date at DUT0 and expect this output:

Thu 20 Jun 2024 19:19:03 UTC +00:00
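The following Python model, added here and not part of the Teldat OSDx test page, reproduces the authorization logic exercised by both the Telnet and the SSH scenarios above: it parses the page's own privilege-map lines (privileged maps to monitor, standard to admin) and decides per command whether a user arriving with a given RADIUS level gets the command or the page's "CLI Error: Insufficient privileges". The role permissions are an assumption reconstructed from the observed results (admin ran everything; monitor ran show date but not show running or service cnm restart); the real OSDx role definitions and the RADIUS attribute that yields the level are not described on the page.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed excerpt of the page's DUT0 configuration (authorization lines only).
CONFIG = """
set system aaa list list1 method 1 group radius radgroup1
set system aaa authorization privilege-map radius privileged role monitor
set system aaa authorization privilege-map radius standard role admin
set system login aaa authentication list1
"""

PRIV_MAP_RE = re.compile(
    r"^set system aaa authorization privilege-map radius (?P<level>\S+) role (?P<role>\S+)$"
)
DENIED = "CLI Error: Insufficient privileges"

# Assumed role permissions, reconstructed from the page's observed outputs.
# They are a model for this example, not OSDx's real role definitions.
ROLE_ALLOWS: Dict[str, Callable[[str], bool]] = {
    "admin": lambda cmd: True,
    "monitor": lambda cmd: cmd.startswith("show ") and cmd != "show running",
}


def parse_privilege_map(config: str) -> Dict[str, str]:
    """Return {radius_level: local_role} from the privilege-map lines of a config."""
    mapping: Dict[str, str] = {}
    for line in config.strip().splitlines():
        m = PRIV_MAP_RE.match(line.strip())
        if m:
            mapping[m["level"]] = m["role"]
    return mapping


def authorize(config: str, radius_level: str, command: str) -> Tuple[str, str]:
    """Map the RADIUS level to a role, then decide whether 'command' may run.

    Returns (role, result); result is "allowed" or the page's CLI error.
    A level with no mapping, or a role with no permission table, is denied (fail closed).
    """
    role: Optional[str] = parse_privilege_map(config).get(radius_level)
    check = ROLE_ALLOWS.get(role) if role else None
    if check is None or not check(command):
        return (role or "none", DENIED)
    return (role, "allowed")


if __name__ == "__main__":
    for level in ("privileged", "standard", "unmapped"):
        for cmd in ("service cnm restart", "show running", "show date"):
            print(f"{level:10} {cmd:22} -> {authorize(CONFIG, level, cmd)}")
```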