Fallbacks

This scenario shows how to set up a fallback mechanism for RADIUS/TACACS+ through Telnet/SSH.

Test Authentication Fallback

Description

This scenario checks all the different combinations of RADIUS/TACACS+ authentication with/without fallback configuration through SSH and Telnet. The user baduser is configured in the local database, but it is not authorized in the remote server. Therefore, if the server is reachable or if local fallback is not specified, login should fail.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 10.215.168.1
set system aaa server tacacs SRV key 1234
set system aaa group tacacs GROUP server SRV
set system aaa list LIST method 2 local

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.402 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.402/0.402/0.402/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect

Example 2

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 10.215.168.1
set system aaa server tacacs SRV key 1234
set system aaa group tacacs GROUP server SRV

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.162 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.162/0.162/0.162/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect

Example 3

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 10.215.168.1
set system aaa server tacacs SRV key 1234
set system aaa group tacacs GROUP server SRV
set system aaa group tacacs GROUP local-vrf test
set interfaces ethernet eth0 vrf test
set system aaa list LIST method 2 local

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than test.
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.299 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.299/0.299/0.299/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect

Example 4

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 10.215.168.1
set system aaa server tacacs SRV key 1234
set system aaa group tacacs GROUP server SRV
set system aaa group tacacs GROUP local-vrf test
set interfaces ethernet eth0 vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than test.
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.174 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.174/0.174/0.174/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect

Example 5

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 10.215.168.1
set system aaa server radius SRV key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
set system aaa group radius GROUP server SRV
set system aaa list LIST method 2 local

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.262 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.262/0.262/0.262/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect

Example 6

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 10.215.168.1
set system aaa server radius SRV key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
set system aaa group radius GROUP server SRV

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.213 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.213/0.213/0.213/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect

Example 7

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 10.215.168.1
set system aaa server radius SRV key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
set system aaa group radius GROUP server SRV
set system aaa group radius GROUP local-vrf test
set interfaces ethernet eth0 vrf test
set system aaa list LIST method 2 local

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than test.
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.342 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.342/0.342/0.342/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect

Example 8

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 10.215.168.1
set system aaa server radius SRV key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
set system aaa group radius GROUP server SRV
set system aaa group radius GROUP local-vrf test
set interfaces ethernet eth0 vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than test.
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.204 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.204/0.204/0.204/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect

Example 9

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 1.2.3.4
set system aaa server tacacs SRV key 1234
set system aaa group tacacs GROUP server SRV
set system aaa list LIST method 2 local

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.279 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.279/0.279/0.279/0.000 ms

Note

In this case, the SSH and Telnet connections will succeed: the TACACS+ server (method 1) is not reachable, so the next method (local) is attempted, and it allows the authentication.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:
Welcome to Teldat OSDx 202312121141.f6f83ac-v3.9.1.1-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

baduser@osdx$

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:
Last login: Wed Dec 13 01:59:49 UTC 2023 from 127.0.0.1 on pts/0

Welcome to Teldat OSDx 202312121141.f6f83ac-v3.9.1.1-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

baduser@osdx$

Example 10

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 1.2.3.4
set system aaa server tacacs SRV key 1234
set system aaa group tacacs GROUP server SRV

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.182 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.182/0.182/0.182/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect

Example 11

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 1.2.3.4
set system aaa server tacacs SRV key 1234
set system aaa group tacacs GROUP server SRV
set system aaa group tacacs GROUP local-vrf test
set interfaces ethernet eth0 vrf test
set system aaa list LIST method 2 local

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than test.
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.351 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.351/0.351/0.351/0.000 ms

Note

In this case, the SSH and Telnet connections will succeed: the TACACS+ server (method 1) is not reachable, so the next method (local) is attempted, and it allows the authentication.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:
Welcome to Teldat OSDx 202312121141.f6f83ac-v3.9.1.1-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Dec 13 01:59:49 2023 from osdx
baduser@osdx$

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:
Last login: Wed Dec 13 02:00:07 UTC 2023 from 127.0.0.1 on pts/0

Welcome to Teldat OSDx 202312121141.f6f83ac-v3.9.1.1-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

baduser@osdx$

Example 12

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 1.2.3.4
set system aaa server tacacs SRV key 1234
set system aaa group tacacs GROUP server SRV
set system aaa group tacacs GROUP local-vrf test
set interfaces ethernet eth0 vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than test.
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.180 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.180/0.180/0.180/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect

Example 13

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 1.2.3.4
set system aaa server radius SRV key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
set system aaa group radius GROUP server SRV
set system aaa list LIST method 2 local

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.361 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.361/0.361/0.361/0.000 ms

Note

In this case, the SSH and Telnet connections will succeed: the RADIUS server (method 1) is not reachable, so the next method (local) is attempted, and it allows the authentication.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:
Welcome to Teldat OSDx 202312121141.f6f83ac-v3.9.1.1-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Dec 13 02:00:08 2023 from osdx
baduser@osdx$

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:
Last login: Wed Dec 13 02:00:26 UTC 2023 from 127.0.0.1 on pts/0

Welcome to Teldat OSDx 202312121141.f6f83ac-v3.9.1.1-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

baduser@osdx$

Example 14

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 1.2.3.4
set system aaa server radius SRV key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
set system aaa group radius GROUP server SRV

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.177 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.177/0.177/0.177/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect

Example 15

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 1.2.3.4
set system aaa server radius SRV key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
set system aaa group radius GROUP server SRV
set system aaa group radius GROUP local-vrf test
set interfaces ethernet eth0 vrf test
set system aaa list LIST method 2 local

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than test.
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.346 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.346/0.346/0.346/0.000 ms

Note

In this case, the SSH and Telnet connections will succeed: the RADIUS server (method 1) is not reachable, so the next method (local) is attempted, and it allows the authentication.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:
Welcome to Teldat OSDx 202312121141.f6f83ac-v3.9.1.1-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Wed Dec 13 02:00:26 2023 from osdx
baduser@osdx$

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:
Last login: Wed Dec 13 02:00:44 UTC 2023 from 127.0.0.1 on pts/0

Welcome to Teldat OSDx 202312121141.f6f83ac-v3.9.1.1-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

baduser@osdx$

Example 16

Step 1: Set the following configuration in DUT0:

del service
del system aaa
del interfaces ethernet eth0 vrf
set service telnet
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 1.2.3.4
set system aaa server radius SRV key enq88RORo0P5x3Wtyxfwerkj45sdLKJdnvdSASDi
set system aaa group radius GROUP server SRV
set system aaa group radius GROUP local-vrf test
set interfaces ethernet eth0 vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than test.
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.158 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.158/0.158/0.158/0.000 ms

Note

In this case, SSH and Telnet connection will fail.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Login incorrect
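
The following Python model is an added example, not part of the OSDx documentation or software. It parses `set system aaa` lines in the form shown in Step 1 and applies the rule stated in the notes (a reachable server's answer is final; only an unreachable server lets the next method run), reproducing the outcomes of the examples above; VRF settings are left out because they do not change the outcome in these examples. The function names, the PLACEHOLDER key and the user sets are assumptions, and lists_with_local_fallback is a hypothetical audit helper for finding lists where local accounts become usable while the server is down.

```python
# Added illustration: models the method-list behaviour the examples demonstrate.
# It parses `set system aaa ...` lines in the form shown on this page; the
# evaluation rule comes from the page's notes, not from OSDx source code.
from collections import defaultdict


def parse_config(text):
    """Extract servers, groups and ordered method lists from `set` lines."""
    cfg = {"servers": {}, "groups": defaultdict(list), "lists": defaultdict(dict)}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 8 or t[:3] != ["set", "system", "aaa"]:
            continue
        if t[3] == "list" and t[5] == "method":
            # Method is ("group", proto, group_name) or ("local",)
            cfg["lists"][t[4]][int(t[6])] = tuple(t[7:])
        elif t[3] == "server" and t[6] == "address":
            cfg["servers"][(t[4], t[5])] = t[7]
        elif t[3] == "group" and t[6] == "server":
            cfg["groups"][(t[4], t[5])].append(t[7])
    return cfg


def authenticate(cfg, list_name, user, reachable, remote_users, local_users):
    """Walk the list in method order; return (decision, deciding method)."""
    methods = cfg["lists"].get(list_name, {})
    for order in sorted(methods):
        method = methods[order]
        if method[0] == "local":
            # Assumption: the local database gives a final answer.
            return ("accept" if user in local_users else "reject", "local")
        _, proto, group = method
        names = cfg["groups"].get((proto, group), [])
        addrs = [cfg["servers"].get((proto, n)) for n in names]
        answering = [a for a in addrs if a in reachable]
        if answering:
            # A server that answers is authoritative: its reject ends the walk.
            decision = "accept" if user in remote_users else "reject"
            return (decision, f"{proto}:{answering[0]}")
        # No server in the group answered: fall through to the next method.
    return ("reject", "no method answered")


def lists_with_local_fallback(cfg):
    """Hypothetical audit helper: lists where local follows a remote group."""
    found = []
    for name, methods in cfg["lists"].items():
        kinds = [methods[o][0] for o in sorted(methods)]
        if "group" in kinds and "local" in kinds[kinds.index("group") + 1:]:
            found.append(name)
    return found


# Constructed inputs mirroring Step 1 of the examples (key is a placeholder).
TEMPLATE = """\
set system login aaa authentication LIST
set service ssh aaa authentication LIST
set system aaa list LIST method 1 group {proto} GROUP
set system aaa server {proto} SRV address {addr}
set system aaa server {proto} SRV key PLACEHOLDER
set system aaa group {proto} GROUP server SRV
"""
LOCAL_METHOD = "set system aaa list LIST method 2 local\n"
REACHABLE = {"10.215.168.1"}  # answers the ping in Step 2; 1.2.3.4 is unreachable
REMOTE_USERS = set()          # baduser is not authorized on the remote server
LOCAL_USERS = {"baduser"}     # but is configured in the local database


def build_config(proto, addr, fallback):
    """Assemble one constructed configuration from the template."""
    return TEMPLATE.format(proto=proto, addr=addr) + (LOCAL_METHOD if fallback else "")


def run_matrix():
    """Outcome for every protocol / server address / fallback combination."""
    results = {}
    for proto in ("tacacs", "radius"):
        for addr in ("10.215.168.1", "1.2.3.4"):
            for fallback in (True, False):
                cfg = parse_config(build_config(proto, addr, fallback))
                results[(proto, addr, fallback)] = authenticate(
                    cfg, "LIST", "baduser", REACHABLE, REMOTE_USERS, LOCAL_USERS)
    return results


if __name__ == "__main__":
    for combo, outcome in run_matrix().items():
        print(combo, "->", outcome)
```

Only the two combinations with an unreachable server and a local method 2 accept baduser, matching Examples 9, 11, 13 and 15.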