Enable

These scenarios show how to configure secure mode and which configuration is not allowed while this mode is set.

Toggle Secure Mode

Description

Shows how to toggle secure mode (on and off)

Scenario

Step 1: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$S4Z6RA1qpjP600vX$djpHGCMcyOZwSW5uqxLjYCj2h2uturYA4ZWnQMMT3M2UYc8yOHI07EyciSWnDvooliTTEDvHohwJ6a.ZijrR8/'
set system security medium

Step 2: Execute the commit command. This will log you out of the device

Step 3: Login as admin with password 1!Teldatqqqq

Step 4: Run command show running at DUT0 and check if output contains the following tokens:

system security medium
Output:
# Teldat OSDx VM version v4.2.1.0
# Mon 07 Oct 2024 10:34:04 +00:00
# Warning: Configuration has not been saved
set system login user admin authentication encrypted-password '$6$S4Z6RA1qpjP600vX$djpHGCMcyOZwSW5uqxLjYCj2h2uturYA4ZWnQMMT3M2UYc8yOHI07EyciSWnDvooliTTEDvHohwJ6a.ZijrR8/'
set system security medium

Step 5: Modify the following configuration lines in DUT0:

delete system security

Step 6: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 7: Execute the commit command. This will log you out of the device

Step 8: Login as admin with password admin

Step 9: Run command show running at DUT0 and check if output does not contain the following tokens:

system security medium
Output:
# Teldat OSDx VM version v4.2.1.0
# Mon 07 Oct 2024 10:34:06 +00:00
# Warning: Configuration has not been saved
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Multi-User

Description

Enabling secure mode fails if more than one user is configured

Scenario

Step 1: Set the following configuration in DUT0:

set system login role role_level_10 level 10
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user test authentication encrypted-password '$6$kiAWoEppjoLg2LsW$zGLpWMyrVBsxCE15FV2zYOx8CehQ.znQHwzW5aHX7nMrReTMgUOO8ICspE5RWrwiU9yfGstffS3ZGtTdo6AHW1'
set system login user test role role_level_10

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$BYbtR0aK4UzSouSD$BKUn02/IUw8fKLnvAo/Qdzp/t0kEQduhY4UyDgWbORx1/Slfd2SrCoH6Q/I5bsNq9FD8DYI/8RjyEfaZP3Vio0'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

You must delete all users except yours in the system
Output:
[ system security medium ]
You must delete all users except yours in the system
Commit validation failed
CLI Error: Command error

User Password

Description

Setting a new password for the admin user fails if it does not meet the password criteria or if an encrypted password is manually configured

Scenario

Step 1: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$ifVLvUnmH.jGB83H$H9rLjZcnNfwHRI0Cjb5VPywmNBk59850PLd3GC8.Ewwk2CqhoA/IhmhyHRP7i0AEV82RMOtHj9rWhrXzCilAv0'
set system security medium

Step 2: Run command commit at DUT0 and check if output contains the following tokens:

Password does not meet the criteria for secure mode
Output:
[ system login user admin ]
Password does not meet the criteria for secure mode. The criteria are: Must include uppercase, lowercase, numbers, one of these special characters !, @, #, $, %, ^, &, *, (, ) and must be at least 12 characters long.
Commit validation failed
CLI Error: Command error

Note

Exit configuration mode, discarding all changes, by running “exit discard”

Step 3: Set the following configuration in DUT0 related to secure mode without committing:

set system security medium

Step 4: Run command set system login user admin authentication encrypted-password $6$/eFHGvwPTaHOPSIr$YIFZ4Oi./fbp.67T4y.76q9PRyhIP5.YO0NkPrgiE44JIkEWUs.MxjgXrD/QDHYRnyNQ/m5yf/KcWxQpDoS9a/ at DUT0 and check if output contains the following tokens:

Cannot be set manually in secure mode
Output:
Cannot be set manually in secure mode
CLI Error: Command error

Secure mode only available for admin roles

Description

Secure mode can only be configured or deleted by a user with an admin role

Scenario

Step 1: Set the following configuration in DUT0:

set system login role role_level_10 level 10
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user test authentication encrypted-password '$6$7NOykWSIKcCv2ue0$A71HvXBjB24WaQ.I77yWvK/WoSRbtOx6/Bqq1oEle/BbXq7c1Gjq1.9IEEjO1S.CLdZWgdD1pdFZOPSFPw.rh1'
set system login user test role role_level_10

Step 2: Login as test with password test

Step 3: Enter the configuration menu by typing configure

Step 4: Run command set system security medium at DUT0 and check if output contains the following tokens:

Only max level users can enable this mode
Output:
Only max level users can enable this mode
CLI Error: Command error

Incompatible configuration with secure mode

Description

If any configuration specific to different services is active on a device and an attempt is made to enable secure mode, an incompatibility error is displayed.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set service ssh keepalive-count-max 5
set service ssh keepalive-interval 10
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$aOyrZMTfhzNfTMHU$f.Z/Wft8lUJIJGDswwOOz9OcH4YOg.MZ0v7JEX./u36o0Uwpuofc2vh2x5TqLX7GiaPwVhzVHht2X.3fYyjmt1'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ssh keepalive-interval or keepalive-count-max must be deleted first
Output:
[ system security medium ]
ssh keepalive-interval or keepalive-count-max must be deleted first
Commit validation failed
CLI Error: Command error

Example 2

Step 1: Set the following configuration in DUT0:

set service ssh cipher aes128-cbc
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$I2QLXCLyHqsG7Zwd$IPo3JiTr9be1tFzeVZBD7aJkb2954.5S6USU0sVc82kiW9RhaHSTg4BEJV9rq19G6992/EjVy/GWzEMB78V7d0'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ssh cipher must be deleted first
Output:
[ system security medium ]
ssh cipher must be deleted first
Commit validation failed
CLI Error: Command error

Example 3

Step 1: Set the following configuration in DUT0:

set service ssh mac hmac-md5
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$krxrd3szm5nv8/Sm$TwQr6zaDCatt5FZFpFS/oPcBQM7pEXzed9/wq8HSL/Jqpi7qVWWW6TLtED3iArt/rOXU2rd..Py/FZXK4cpBr1'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ssh mac must be deleted first
Output:
[ system security medium ]
ssh mac must be deleted first
Commit validation failed
CLI Error: Command error

Example 4

Step 1: Set the following configuration in DUT0:

set service ssh key-exchange curve25519-sha256
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$s8BM88MmVLxi4miZ$vQhx7.drmb5okK0pjCt95pTuw8VQCL2zf4F0d1NMePntcKgu.f1g6wBX.XhRUBpbt0mFGAlsEkN2Obm4fI9tE/'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ssh key-exchange must be deleted first
Output:
[ system security medium ]
ssh key-exchange must be deleted first
Commit validation failed
CLI Error: Command error

Example 5

Step 1: Set the following configuration in DUT0:

set service ssh pubkey-accepted-algorithms ecdsa-sha2-nistp256
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$tlPxDfel2XwJF2Qj$dlgxBQsIAULVrUjOo2oFS90iI9LlhHPs31fGY.wWA6sKb1c/MHSdWmuD/YfelKXuNZVwFH7VOiAPof48VpY11.'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ssh pubkey-accepted-algorithms must be deleted first
Output:
[ system security medium ]
ssh pubkey-accepted-algorithms must be deleted first
Commit validation failed
CLI Error: Command error

Example 6

Step 1: Set the following configuration in DUT0:

set service ssh host-key-algorithms ecdsa-sha2-nistp256
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$k42WC35KzwKxIQ1V$3/xL1FNCzOPbgmGIY15UAO9DgzNRDh9uatgXO553jT51wj1VRPtWSYzszZSnM4yklVxrIW/K3GMDtYY24y176.'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ssh host-key-algorithms must be deleted first
Output:
[ system security medium ]
ssh host-key-algorithms must be deleted first
Commit validation failed
CLI Error: Command error

Example 7

Step 1: Set the following configuration in DUT0:

set service ssh host-key 'running://host.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$.8MYNlK938/GxNLz$LPPEQ92dSN.etw.HIp4oxbbJmpKMGTt7CnqpvCBj3iHko8YATirnT9mRmqToGXmiFzSBZE6BaToWJa8wCTEGF0'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ssh host-key must be deleted first
Output:
[ system security medium ]
ssh host-key must be deleted first
Commit validation failed
CLI Error: Command error

Example 8

Step 1: Set the following configuration in DUT0:

set service ssh login-grace-time 10
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$YCxMh6jwplW0PVjK$ZoBNjmecmEa1XopxZ/F/BC2CXwONxmdDDGkOsCtcVmJEHQALr8caFu2ii8TSUC1Vw/emIdul9cMkbjG31VQ8a.'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ssh login-grace-time must be deleted first
Output:
[ system security medium ]
ssh login-grace-time must be deleted first
Commit validation failed
CLI Error: Command error

Example 9

Step 1: Set the following configuration in DUT0:

set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy server-name SERVER
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$4tSjXTJqZ1LE7eYH$n/9e7lzWzlRQzAxk.JPfoHT3d8WtekCwa97pAqEpLNRQ3NDNcQY8.ltDgvP7oFT4i4qD.3K4BKhwJeQMxCTN9.'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

dns cipher must be deleted first
Output:
[ system security medium ]
dns cipher must be deleted first
Commit validation failed
CLI Error: Command error

Example 10

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH local auth encrypted-pre-shared-secret U2FsdGVkX1+QBcI7/9JIyWq7nAKY7fQktUBUi3P1o/M=

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$lWRnQDuxY//pde2r$KiERRE9ZaFLx9P4/.5EhUDgY4HWN1K6Owj.HrP.8zcEc442BodbY/NkXC.SqHuUUlIzechv5DPSZ265qbH7xT.'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ipsec auth-profile must be deleted first
Output:
[ system security medium ]
ipsec auth-profile must be deleted first
Commit validation failed
CLI Error: Command error

Example 11

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec esp-group ESP proposal 1 encryption null
set vpn ipsec esp-group ESP proposal 1 hash md5
set vpn ipsec esp-group ESP proposal 1 pfs dh-group14

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$GgV1gHj4XoO6dGTy$sMqvK.0bfqr1nMEXhMNpRwtnOpY8kZoOzwKITLqBOol8d8.mXfkzBX5zHiGp5SQKcm6HWm5GRmHd10ZqXxqaj.'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ipsec esp-group must be deleted first
Output:
[ system security medium ]
ipsec esp-group must be deleted first
Commit validation failed
CLI Error: Command error

Example 12

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec ike-group IKE proposal 1 dh-group 14
set vpn ipsec ike-group IKE proposal 1 encryption 3des
set vpn ipsec ike-group IKE proposal 1 hash md5

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$NGERNC8fO/5wgZOy$EXA51MnDCwTvdqonBMDuGUR8Tt5DqbS8YfrrcNdzvEtzro/eCGSmUffGYatNHUqMDYdoySZJKdgOnyThOaClW/'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ipsec ike-group must be deleted first
Output:
[ system security medium ]
ipsec ike-group must be deleted first
Commit validation failed
CLI Error: Command error

Example 13

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec logging log-types any

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$EKMaoA1bJyydP67b$Bp2XC3//WHob7k78D8pVF/d53XITsyFabCuXsxNi1sa6BFFroKK0o4Qj2UCHJBXoZpHB0zZ67xmqdiadqoPEJ.'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ipsec logging must be deleted first
Output:
[ system security medium ]
ipsec logging must be deleted first
Commit validation failed
CLI Error: Command error

Example 14

Step 1: Set the following configuration in DUT0:

set system login max-sessions 3
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$ZaIZEaUGyqVs/Yzi$JE8fCU0VY/u9GTsh.165pFuAJhQfhViLn4yJXjkhlhkr1hPpOcQFk6XrnvHF7oy2XzmYYFljUhMDw5FMgLAd6/'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

login max-sessions must be deleted first
Output:
[ system security medium ]
login max-sessions must be deleted first
Commit validation failed
CLI Error: Command error

Example 15

Step 1: Set the following configuration in DUT0:

set system login password-prompt-delay 3
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$3uR.TEp/wL3m9BR1$995qV5aWDu5nxdAQhlMgFvJ34ZbLsw/R/Hdd3vLpnwoPzhw3iaJ7k6RMS.xyw7D1ylVCH3Ndme8DE5TYPvmBO1'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

login password-prompt-delay must be deleted first
Output:
[ system security medium ]
login password-prompt-delay must be deleted first
Commit validation failed
CLI Error: Command error

Example 16

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system syslog host 10.0.0.1 filter def level info

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$vKLSGRMl1GWo6VE8$adTAygJh9gORoiuaEU0JjulsFUz8nLpMXP2znh6ldVdf526d2gk8e79IiEu1ud2mydBJrs24MF1FgBj5YZU3S0'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

syslog host must be deleted first
Output:
[ system security medium ]
syslog host must be deleted first
Commit validation failed
CLI Error: Command error

Example 17

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system ntp authentication-key 1 encrypted-key U2FsdGVkX19/ALnIszM3M1AXFYE1fUn2e1jl+CpBnvg=
set system ntp server address 10.215.168.1

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$yi8JRJUiutuyIXWy$keCX2df5jLeJEltFkcrVsV.FBXxme6MuelN464uMHsR/ECsixB0ytlkLuEep6/mKmThr9i0IN8KBOu4KNhBPQ0'
set system security medium

Step 3: Run command commit at DUT0 and check if output contains the following tokens:

ntp authentication-key must be deleted first
Output:
[ system security medium ]
ntp authentication-key must be deleted first
Commit validation failed
CLI Error: Command error
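
The Multi-User, User Password and Example 1 to 17 scenarios above can be turned into an offline pre-flight check that is run over the "show running" output before secure mode is enabled. This is an added example, not Teldat code: the function names are hypothetical, the blocker table is built only from the error messages on this page (so it may not be the device's complete list), and the password check assumes the criteria message is the whole rule.

```python
# Added example, not Teldat code. Table built from the error messages in the
# scenarios on this page; the device may reject other settings too.
BLOCKERS = {
    "service ssh keepalive-interval": "ssh keepalive-interval or keepalive-count-max",
    "service ssh keepalive-count-max": "ssh keepalive-interval or keepalive-count-max",
    "service ssh cipher": "ssh cipher",
    "service ssh mac": "ssh mac",
    "service ssh key-exchange": "ssh key-exchange",
    "service ssh pubkey-accepted-algorithms": "ssh pubkey-accepted-algorithms",
    "service ssh host-key-algorithms": "ssh host-key-algorithms",
    "service ssh host-key": "ssh host-key",
    "service ssh login-grace-time": "ssh login-grace-time",
    "service dns proxy cipher": "dns cipher",
    "vpn ipsec auth-profile": "ipsec auth-profile",
    "vpn ipsec esp-group": "ipsec esp-group",
    "vpn ipsec ike-group": "ipsec ike-group",
    "vpn ipsec logging": "ipsec logging",
    "system login max-sessions": "login max-sessions",
    "system login password-prompt-delay": "login password-prompt-delay",
    "system syslog host": "syslog host",
    "system ntp authentication-key": "ntp authentication-key",
}
SPECIALS = set("!@#$%^&*()")  # special characters listed in the criteria message

def preflight(config_lines, current_user):
    """Return the commit errors this page shows for the given 'set' lines."""
    findings, users = {}, set()  # dict keeps first-seen order without duplicates
    for line in config_lines:
        tokens = line.split()
        if not tokens or tokens[0] != "set":
            continue  # skip the '#' header lines and blanks from 'show running'
        path = tokens[1:]
        if path[:3] == ["system", "login", "user"] and len(path) > 3:
            users.add(path[3])
        for prefix, label in BLOCKERS.items():
            want = prefix.split()
            # Compare whole tokens so 'host-key' does not match 'host-key-algorithms'.
            if path[:len(want)] == want:
                findings[f"{label} must be deleted first"] = None
    if users - {current_user}:
        findings["You must delete all users except yours in the system"] = None
    return list(findings)

def password_meets_criteria(password):
    """Check a candidate plaintext password against the stated criteria."""
    checks = (str.isupper, str.islower, str.isdigit, SPECIALS.__contains__)
    return len(password) >= 12 and all(any(f(c) for c in password) for f in checks)

# Constructed sample config; '<hash>' is a placeholder, not a real hash.
SAMPLE = [
    "# Warning: Configuration has not been saved",
    "set service ssh host-key-algorithms ecdsa-sha2-nistp256",
    "set system login user admin authentication encrypted-password '<hash>'",
    "set system login user test role role_level_10",
    "set system syslog host 10.0.0.1 filter def level info",
]
if __name__ == "__main__":
    print(preflight(SAMPLE, "admin"))
    print(password_meets_criteria("1!Teldatqqqq"), password_meets_criteria("admin"))
```

An empty list from `preflight` means none of the blockers shown on this page are present; the device's own commit validation remains the authority.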