Authentication
This scenario shows how to set up AAA authentication for login/Telnet using different AAA methods.
Local Method
Description
A AAA list with the local AAA method is created and assigned to the SSH service’s authentication. The device then starts an SSH session with itself to check that access is granted when the correct username and password are used.
Scenario
Step 1: Set the following configuration in DUT0:
    set system aaa list list1 method 1 local
    set service ssh aaa authentication list1
Step 2: Init an SSH connection from DUT0 to IP address 127.0.0.1:
    admin@DUT0$ ssh admin@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
    Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
    admin@127.0.0.1's password:
    Welcome to Teldat OSDx v3.8.1.7-beta3
    This system includes free software.
    Contact Teldat for licenses information and source code.
    Last login: Thu Nov 23 23:15:33 2023 from 127.0.0.1
    admin@osdx$
Radius Method
Description
A RADIUS server is added to a RADIUS group which is added to a AAA list. This list is assigned to the SSH service’s authentication. The device then starts an SSH session with itself to check that access is granted when the correct username and password are used.
Scenario
Step 1: Set the following configuration in DUT0:
    set interfaces ethernet eth0 address 10.215.168.20/24
    set system aaa server radius serv1 address 10.215.168.1
    set system aaa server radius serv1 key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
    set system aaa group radius radgroup1 server serv1
    set system aaa list list1 method 1 group radius radgroup1
    set service ssh aaa authentication list1
Step 2: Ping IP address 10.215.168.1 from DUT0:
    admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
    PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
    64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.257 ms
    --- 10.215.168.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.257/0.257/0.257/0.000 ms
Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1:
    admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
    Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
    testing@127.0.0.1's password:
    Welcome to Teldat OSDx v3.8.1.7-beta3
    This system includes free software.
    Contact Teldat for licenses information and source code.
    testing@osdx$
Tacacs Method
Description
A TACACS+ server is added to a TACACS+ group which is added to a AAA list. This list is assigned to the SSH service’s authentication. The device then starts an SSH session with itself to check that access is granted when the correct username and password are used.
Scenario
Step 1: Set the following configuration in DUT0:
    set interfaces ethernet eth0 address 10.215.168.20/24
    set system aaa server tacacs serv1 address 10.215.168.1
    set system aaa server tacacs serv1 key 1234
    set system aaa group tacacs tacgroup1 server serv1
    set system aaa list list1 method 1 group tacacs tacgroup1
    set service ssh aaa authentication list1
Step 2: Ping IP address 10.215.168.1 from DUT0:
    admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
    PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
    64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.278 ms
    --- 10.215.168.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.278/0.278/0.278/0.000 ms
Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1:
    admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
    Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
    testing@127.0.0.1's password:
    Welcome to Teldat OSDx v3.8.1.7-beta3
    This system includes free software.
    Contact Teldat for licenses information and source code.
    testing@osdx$
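All three scenarios depend on the same chain: the SSH service points at a AAA list, each list method is either local or a server group, and each group member needs an address and a key. The following is an added example, not Teldat code: an offline Python check that resolves that chain from the `set` lines shown on this page and reports dangling references or short shared keys. The names `parse`, `audit` and the `MIN_KEY_LEN` threshold are assumptions made for this example.

```python
MIN_KEY_LEN = 16  # assumed local policy threshold, not an OSDx requirement

# Step 1 configuration of the Tacacs Method scenario, copied from this page.
TACACS_CONFIG = """
set interfaces ethernet eth0 address 10.215.168.20/24
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 key 1234
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set service ssh aaa authentication list1
"""

def parse(config):
    """Collect AAA servers, groups, lists and the SSH binding from 'set' lines."""
    servers, groups, lists, ssh_list = {}, {}, {}, None
    for t in (line.split() for line in config.splitlines()):
        if t[:4] == ["set", "system", "aaa", "server"] and len(t) == 8:
            servers.setdefault((t[4], t[5]), {})[t[6]] = t[7]   # address or key
        elif t[:4] == ["set", "system", "aaa", "group"] and len(t) == 8:
            groups.setdefault((t[4], t[5]), []).append(t[7])    # member server
        elif (t[:4] == ["set", "system", "aaa", "list"] and len(t) >= 8
              and t[5] == "method" and t[6].isdigit()):
            lists.setdefault(t[4], {})[int(t[6])] = t[7:]       # method n
        elif t[:5] == ["set", "service", "ssh", "aaa", "authentication"] and len(t) == 6:
            ssh_list = t[5]
    return servers, groups, lists, ssh_list

def audit(config):
    """Resolve SSH -> list -> group -> server and report dangling or weak links."""
    servers, groups, lists, ssh_list = parse(config)
    if ssh_list not in lists:
        return [f"ssh: authentication list {ssh_list!r} is not defined"]
    findings = []
    for n, method in sorted(lists[ssh_list].items()):
        if method == ["local"]:
            continue
        if len(method) != 3 or method[0] != "group":
            findings.append(f"method {n}: unrecognised method {' '.join(method)!r}")
            continue
        proto, group = method[1], method[2]
        members = groups.get((proto, group), [])
        if not members:
            findings.append(f"method {n}: {proto} group {group!r} has no servers")
        for name in members:
            srv = servers.get((proto, name), {})
            if "address" not in srv:
                findings.append(f"method {n}: {proto} server {name!r} has no address")
            if len(srv.get("key", "")) < MIN_KEY_LEN:
                findings.append(f"method {n}: {proto} server {name!r} key is under {MIN_KEY_LEN} characters")
    return findings
```

Calling `audit(TACACS_CONFIG)` returns one finding for the four-character key, while the RADIUS and local configurations from this page return an empty list.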