Authentication

These scenarios show how to configure OpenVPN tunnel authentication using the different methods supported by the AAA system.

Local

Description

This scenario shows how to set up authentication using the local user database.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29
set interfaces openvpn ovpn1 mode server tls-profile TLS
set vpn openvpn tls-profile TLS ca running://ca.crt
set vpn openvpn tls-profile TLS certificate running://server.crt
set vpn openvpn tls-profile TLS private-key running://server.priv.pem
set vpn openvpn tls-profile TLS dhparam running://dh.pem
set interfaces openvpn ovpn1 mode server server-profile SRV
set vpn openvpn server-profile SRV authentication auth
set system aaa list auth method 1 local

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.100.2/24
set interfaces openvpn ovpn1 peer 1 address 192.168.100.1
set interfaces openvpn ovpn1 mode client tls-profile TLS
set vpn openvpn tls-profile TLS ca running://ca.crt
set vpn openvpn tls-profile TLS certificate running://client.crt
set vpn openvpn tls-profile TLS private-key running://client.priv.pem
set interfaces openvpn ovpn1 mode client client-profile CNT
set vpn openvpn client-profile CNT authentication username admin
set vpn openvpn client-profile CNT authentication password admin

Step 3: Ping IP address 192.168.100.2 from DUT0:

admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.303 ms

--- 192.168.100.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.303/0.303/0.303/0.000 ms

Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check that the output contains the following tokens:

CONNECTED
OpenVPN interface ovpn1
State: CONNECTED (SUCCESS)
Local endpoint: 10.0.0.6:1194
Remote: 192.168.100.1

Step 5: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.546 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.546/0.546/0.546/0.000 ms

Radius

Description

This scenario shows how to set up authentication using a remote RADIUS server.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29
set interfaces openvpn ovpn1 mode server tls-profile TLS
set vpn openvpn tls-profile TLS ca running://ca.crt
set vpn openvpn tls-profile TLS certificate running://server.crt
set vpn openvpn tls-profile TLS private-key running://server.priv.pem
set vpn openvpn tls-profile TLS dhparam running://dh.pem
set interfaces openvpn ovpn1 mode server server-profile SRV
set vpn openvpn server-profile SRV authentication auth
set interfaces ethernet eth1 address 10.215.168.64/24
set system aaa list auth method 1 group radius radgroup
set system aaa group radius radgroup server radserver
set system aaa server radius radserver address 10.215.168.1
set system aaa server radius radserver key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.100.2/24
set interfaces openvpn ovpn1 peer 1 address 192.168.100.1
set interfaces openvpn ovpn1 mode client tls-profile TLS
set vpn openvpn tls-profile TLS ca running://ca.crt
set vpn openvpn tls-profile TLS certificate running://client.crt
set vpn openvpn tls-profile TLS private-key running://client.priv.pem
set interfaces openvpn ovpn1 mode client client-profile CNT
set vpn openvpn client-profile CNT authentication username testing
set vpn openvpn client-profile CNT authentication password password

Step 3: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.214 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.214/0.214/0.214/0.000 ms

Step 4: Ping IP address 192.168.100.2 from DUT0:

admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.318 ms

--- 192.168.100.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.318/0.318/0.318/0.000 ms

Step 5: Run command interfaces openvpn ovpn1 status at DUT1 and check that the output contains the following tokens:

CONNECTED
OpenVPN interface ovpn1
State: CONNECTED (SUCCESS)
Local endpoint: 10.0.0.6:1194
Remote: 192.168.100.1

Step 6: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.539 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.539/0.539/0.539/0.000 ms

Tacacs

Description

This scenario shows how to set up authentication using a remote TACACS+ server.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29
set interfaces openvpn ovpn1 mode server tls-profile TLS
set vpn openvpn tls-profile TLS ca running://ca.crt
set vpn openvpn tls-profile TLS certificate running://server.crt
set vpn openvpn tls-profile TLS private-key running://server.priv.pem
set vpn openvpn tls-profile TLS dhparam running://dh.pem
set interfaces openvpn ovpn1 mode server server-profile SRV
set vpn openvpn server-profile SRV authentication auth
set interfaces ethernet eth1 address 10.215.168.64/24
set system aaa list auth method 1 group tacacs tacgroup
set system aaa group tacacs tacgroup server tacserver
set system aaa server tacacs tacserver address 10.215.168.1
set system aaa server tacacs tacserver key 1234

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.100.2/24
set interfaces openvpn ovpn1 peer 1 address 192.168.100.1
set interfaces openvpn ovpn1 mode client tls-profile TLS
set vpn openvpn tls-profile TLS ca running://ca.crt
set vpn openvpn tls-profile TLS certificate running://client.crt
set vpn openvpn tls-profile TLS private-key running://client.priv.pem
set interfaces openvpn ovpn1 mode client client-profile CNT
set vpn openvpn client-profile CNT authentication username testing
set vpn openvpn client-profile CNT authentication password password

Step 3: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.212 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.212/0.212/0.212/0.000 ms

Step 4: Ping IP address 192.168.100.2 from DUT0:

admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.279 ms

--- 192.168.100.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.279/0.279/0.279/0.000 ms

Step 5: Run command interfaces openvpn ovpn1 status at DUT1 and check that the output contains the following tokens:

CONNECTED
OpenVPN interface ovpn1
State: CONNECTED (SUCCESS)
Local endpoint: 10.0.0.6:1194
Remote: 192.168.100.1

Step 6: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.475 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.475/0.475/0.475/0.000 ms
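The three scenarios above all hang off the same reference chain (OpenVPN interface, server-profile, AAA list, method, group, server), and a dangling link anywhere in it leaves clients unauthenticated or unable to connect. The following checker, an added example that is not code from this page or from the OSDx/OpenVPN projects, walks that chain over a set of "set ..." lines before they are committed; the command syntax is the page's own, while the minimum shared-secret length is an assumed local policy.

```python
# Constructed sample: the RADIUS scenario's DUT0 configuration from this page.
SAMPLE_CONFIG = """
set interfaces openvpn ovpn1 mode server server-profile SRV
set vpn openvpn server-profile SRV authentication auth
set system aaa list auth method 1 group radius radgroup
set system aaa group radius radgroup server radserver
set system aaa server radius radserver address 10.215.168.1
set system aaa server radius radserver key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
"""

def parse_set_lines(text):
    """Token list of every 'set' command, without the leading 'set'."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.startswith("set ")]

def after(cmds, *prefix):
    """Tokens that follow `prefix` in each command that starts with it."""
    n = len(prefix)
    return [c[n:] for c in cmds if tuple(c[:n]) == prefix]

def check_openvpn_auth(text, iface="ovpn1", min_key_len=16):
    """Walk interface -> server-profile -> AAA list -> method -> group -> server
    and return a list of findings (empty means every reference resolves).
    min_key_len is an assumed local policy for shared secrets, not an OSDx rule."""
    cmds, findings = parse_set_lines(text), []
    prof = after(cmds, "interfaces", "openvpn", iface, "mode", "server", "server-profile")
    if not prof:
        return [f"{iface}: no server-profile bound"]
    lst = after(cmds, "vpn", "openvpn", "server-profile", prof[0][0], "authentication")
    if not lst:
        return [f"server-profile {prof[0][0]}: no authentication list, clients are not authenticated"]
    methods = after(cmds, "system", "aaa", "list", lst[0][0], "method")
    if not methods:
        return [f"aaa list {lst[0][0]}: referenced but defines no method"]
    for _, kind, *grp in methods:  # e.g. ['1', 'local'] or ['1', 'group', 'radius', 'radgroup']
        if kind != "group" or len(grp) != 2:
            continue  # 'local' (the on-box user database) needs no server to resolve
        proto, group = grp
        servers = after(cmds, "system", "aaa", "group", proto, group, "server")
        if not servers:
            findings.append(f"aaa group {proto} {group}: referenced but has no server")
        for srv in sorted({s[0] for s in servers}):
            if not after(cmds, "system", "aaa", "server", proto, srv, "address"):
                findings.append(f"{proto} server {srv}: no address")
            keys = after(cmds, "system", "aaa", "server", proto, srv, "key")
            if not keys:
                findings.append(f"{proto} server {srv}: no shared key")
            elif len(keys[0][0]) < min_key_len:
                findings.append(f"{proto} server {srv}: shared key shorter than {min_key_len} characters")
    return findings
```

Running it over the TACACS+ scenario's DUT0 lines flags the four-character shared key, and dropping the group or server lines from any scenario reports the dangling reference instead of silently passing.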