Authentication

This scenario shows how to set up AAA authentication for login/Telnet using different AAA methods (local, RADIUS and TACACS+); the steps below exercise the SSH service, since SSH is the login service the device tests against itself.

Local Method

Description

An AAA list with the local AAA method is created and assigned to SSH’s service authentication. The device then starts an SSH session with itself to check that access is granted when the correct username and password are used.

Scenario

Step 1: Set the following configuration in DUT0:

set service ssh aaa authentication list1
set system aaa list list1 method 1 local
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Initiate an SSH connection from DUT0 to IP address 127.0.0.1 with the user admin:

admin@DUT0$ ssh admin@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
admin@127.0.0.1's password:
Welcome to Teldat OSDx v4.2.1.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Oct  7 12:13:01 2024
admin@osdx$

RADIUS Method

Description

A RADIUS server is added to a RADIUS group, which is added to an AAA list. This list is assigned to SSH’s service authentication. The device then starts an SSH session with itself to check that access is granted when the correct username and password are used.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication list1
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/mIulkQxEQ0/zpAXXH2C0Xptx+0aotu0deMfJKtHGrMhVIcUrOfo8huOjjW+z27fnJNDdm0kivgQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.234 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.234/0.234/0.234/0.000 ms

Step 3: Initiate an SSH connection from DUT0 to IP address 127.0.0.1 with the user testing:

admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
testing@127.0.0.1's password:
Welcome to Teldat OSDx v4.2.1.0

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

TACACS+ Method

Description

A TACACS+ server is added to a TACACS+ group, which is added to an AAA list. This list is assigned to SSH’s service authentication. The device then starts an SSH session with itself to check that access is granted when the correct username and password are used.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication list1
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX19vDrp+Ffynpy/iniNoFY+QQ12NQlwhxJE=
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.213 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.213/0.213/0.213/0.000 ms

Step 3: Initiate an SSH connection from DUT0 to IP address 127.0.0.1 with the user testing:

admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
testing@127.0.0.1's password:
Welcome to Teldat OSDx v4.2.1.0

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$
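All three scenarios follow the same reference chain: the SSH service points at an AAA list, the list's numbered methods point at either the local user database or a RADIUS/TACACS+ group, and the group points at servers that need an address and a key. A dangling reference anywhere in that chain, or a list whose only method is a remote server, is the kind of mistake that silently locks administrators out. The script below is an added example, not Teldat code and not part of this page: it parses the `set` lines from the scenarios above (secrets replaced by placeholders) and checks the chain offline. The function names, the severity labels and the "no local method" warning are this example's own conventions.

```python
"""Offline consistency checks for an OSDx AAA configuration.

Added example, not Teldat code: it parses `set ...` lines of the form used in
the scenarios above and checks that every reference resolves
(service ssh -> aaa list -> group -> server) and that remote servers carry an
address and an encrypted-key. It also flags a list with no local method,
because such a list depends entirely on the remote server being reachable.
"""
import shlex
from collections import defaultdict

# Constructed input: the page's local-method scenario, hash replaced by a placeholder.
LOCAL_CONFIG = """
set service ssh aaa authentication list1
set system aaa list list1 method 1 local
set system login user admin authentication encrypted-password '$6$PLACEHOLDER_HASH'
"""

# Constructed input: the page's TACACS+ scenario, secrets replaced by placeholders.
TACACS_CONFIG = """
set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication list1
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key PLACEHOLDER_KEY
set system login user admin authentication encrypted-password '$6$PLACEHOLDER_HASH'
"""

# Constructed input: a typo in the group's server name, so the reference dangles.
BROKEN_CONFIG = TACACS_CONFIG.replace("tacgroup1 server serv1", "tacgroup1 server serv2")


def parse_set_lines(text):
    """Return one token tuple per `set` line, with shell-style quoting honoured."""
    entries = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "set":
            entries.append(tuple(tokens[1:]))
    return entries


def check_aaa(text):
    """Return a list of (severity, message); an empty list means the config is consistent."""
    lists = defaultdict(dict)    # list name -> {method index: method tokens}
    groups = defaultdict(set)    # (protocol, group) -> server names
    servers = defaultdict(dict)  # (protocol, server) -> {attribute: value}
    users = set()
    ssh_list = None
    for e in parse_set_lines(text):
        if e[:4] == ("service", "ssh", "aaa", "authentication") and len(e) == 5:
            ssh_list = e[4]
        elif e[:2] == ("system", "aaa") and len(e) >= 7:
            if e[2] == "list" and e[4] == "method":
                lists[e[3]][int(e[5])] = e[6:]          # ("local",) or ("group", proto, name)
            elif e[2] == "group" and e[5] == "server":
                groups[(e[3], e[4])].add(e[6])
            elif e[2] == "server":
                servers[(e[3], e[4])][e[5]] = e[6]
        elif e[:3] == ("system", "login", "user") and len(e) >= 4:
            users.add(e[3])

    if ssh_list is None:
        return [("error", "service ssh has no aaa authentication list assigned")]
    if ssh_list not in lists:
        return [("error", f"aaa list {ssh_list!r} is referenced by ssh but never defined")]

    findings = []
    has_local = False
    for idx in sorted(lists[ssh_list]):          # methods are tried in index order
        method = lists[ssh_list][idx]
        if method == ("local",):
            has_local = True
            if not users:
                findings.append(("warning", f"method {idx} is local but no login user is configured"))
        elif method[0] == "group" and len(method) == 3:
            proto, grp = method[1], method[2]
            if (proto, grp) not in groups:
                findings.append(("error", f"group {proto} {grp!r} used by method {idx} is not defined"))
                continue
            for srv in sorted(groups[(proto, grp)]):
                attrs = servers.get((proto, srv))
                if attrs is None:
                    findings.append(("error", f"server {proto} {srv!r} in group {grp!r} is not defined"))
                    continue
                for required in ("address", "encrypted-key"):
                    if required not in attrs:
                        findings.append(("error", f"server {proto} {srv!r} lacks {required}"))
        else:
            findings.append(("error", f"method {idx} of list {ssh_list!r} is not understood: {' '.join(method)}"))
    if not has_local:
        findings.append(("warning", f"list {ssh_list!r} has no local method; management access depends on the remote server being reachable"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("local", LOCAL_CONFIG), ("tacacs", TACACS_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, check_aaa(cfg) or "OK")
```

Run as-is, the local scenario passes cleanly, the TACACS+ scenario passes with a warning that `list1` has no local method, and the constructed broken configuration reports the undefined server `serv2`. The warning reflects what the RADIUS and TACACS+ scenarios actually configure: one remote method and nothing else, so the ping step is the only reassurance that logins will work. The checker only understands the `set` forms shown on this page; any other OSDx syntax is ignored rather than validated.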