Enable

These scenarios show how to configure secure mode and which configuration is not allowed while this mode is set.

Toggle Secure Mode

Description

Shows how to toggle secure mode (on and off)

Scenario

Step 1: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$VVB.FnIu71jdN8t5$GD5V5Ofcnvy5ZSadk7r5OvMoZJL530pLYMjRl029z9.U6vq8TO/57KPnpFhtnSnXofAPK2eQevLdAtji/61f21'
set system security medium

Note

The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.

Step 2: Execute the commit command. This will log you out of the device:

commit

Note

Changing the security level forces the device to log out all sessions. You must re-authenticate with credentials that meet the new security requirements.

Step 3: Log in as admin with password 1!Teldatqqqq:

admin@osdx

Note

After a security level change, the device requires re-authentication with credentials that comply with the new security policy.

Step 4: Run the command show running on DUT0 and check whether the output contains the following tokens:

system security medium
Show output
# Teldat OSDx VM version v4.2.10.0
# Tue 19 May 2026 15:33:01 +00:00
# Warning: Configuration has not been saved
set system login user admin authentication encrypted-password '$6$VVB.FnIu71jdN8t5$GD5V5Ofcnvy5ZSadk7r5OvMoZJL530pLYMjRl029z9.U6vq8TO/57KPnpFhtnSnXofAPK2eQevLdAtji/61f21'
set system security medium

Step 5: Modify the following configuration lines in DUT0:

delete system security

Step 6: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.

Step 7: Execute the commit command. This will log you out of the device:

commit

Note

Changing the security level forces the device to log out all sessions. You must re-authenticate with credentials that meet the new security requirements.

Step 8: Log in as admin with password admin:

admin@osdx

Note

After a security level change, the device requires re-authentication with credentials that comply with the new security policy.

Step 9: Run the command show running on DUT0 and check whether the output does not contain the following tokens:

system security medium
Show output
# Teldat OSDx VM version v4.2.10.0
# Tue 19 May 2026 15:33:04 +00:00
# Warning: Configuration has not been saved
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Multi-User

Description

Secure mode fails if there is more than one user configured

Scenario

Step 1: Set the following configuration in DUT0:

set system login role role_level_10 level 10
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user test authentication encrypted-password '$6$w7LBAdSJ40jpbUKy$UG6CRAhpdPVIySr3cFAfle9t5tjoz24FTWQc0WYjUWpVRaQQpOUMOYKcXUb2jDE61sEPD6yihHa0V4lG90ZE50'
set system login user test role role_level_10

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$3niQyNu/TCmSkjJo$ZvEhkgtuwI6i5hT9Y8.m4jth09juMOKf1br1UGSR4Cif3Lgv5l3hB2QIX5AzeRHvydOxWDX9ru10nxmQC4ELr1'
set system security medium

Note

The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.

Step 3: Run the command commit on DUT0 and check whether the output contains the following tokens:

You must delete all users except yours in the system
Show output
[ system security medium ]
You must delete all users except yours in the system.                   If your user belongs to a tacacs or radius system, you must keep only local admin user
Commit validation failed
CLI Error: Command error

User Password

Description

Setting a new password for the admin user fails if it does not meet the password criteria or if an encrypted password is manually configured.

Scenario

Step 1: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$R5dxyxGcSmuImcTw$Q7yiO9NDeLtKHGWsgWYrM2xgyyv7hOta6x1xGlYSowwpjV1Yf11m2zLM7vMifL/yj2cjLuP2kwlL0CmFHTIm..'
set system security medium

Note

The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.

Step 2: Run the command commit on DUT0 and check whether the output contains the following tokens:

Password does not meet the criteria for secure mode
Show output
[ system login user admin ]
Password does not meet the criteria for secure mode. The criteria are: Must include uppercase, lowercase, numbers, one of these special characters !, @, #, $, %, ^, &, *, (, ) and must be at least 12 characters long.
Commit validation failed
CLI Error: Command error

Note

Exit configuration mode, discarding all changes, by running "exit discard".

Step 3: Set the following configuration in DUT0 related to secure mode without committing:

set system security medium

Note

The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.

Step 4: Run the command set system login user admin authentication encrypted-password $6$/eFHGvwPTaHOPSIr$YIFZ4Oi./fbp.67T4y.76q9PRyhIP5.YO0NkPrgiE44JIkEWUs.MxjgXrD/QDHYRnyNQ/m5yf/KcWxQpDoS9a/ on DUT0 and check whether the output contains the following tokens:

Cannot be set manually in secure mode
Show output
Cannot be set manually in secure mode
CLI Error: Command error

Secure mode only available for admin roles

Description

Secure mode can only be configured or deleted by a user with an admin role.

Scenario

Step 1: Set the following configuration in DUT0:

set system login role role_level_10 level 10
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user test authentication encrypted-password '$6$Pf2E0jtLMP/dxP7C$/PDi9O3XWDNKVFsyi/bfxWZf78Vw1VJA4jj2TrP/R20PO/MuBZ4zAA8EJ8Sk82hiPoeACy26IwyFxm4H1low30'
set system login user test role role_level_10

Step 2: Log in as test with password test:

test@osdx

Note

After a security level change, the device requires re-authentication with credentials that comply with the new security policy.

Step 3: Enter the configuration menu on DUT0:

configure

Step 4: Run the command set system security medium on DUT0 and check whether the output contains the following tokens:

Only max level users can enable this mode
Show output
Only max level users can enable this mode
CLI Error: Command error

Incompatible configuration with secure mode

Description

If any active service-specific configuration on the device is incompatible with secure mode, an attempt to enable secure mode fails and an incompatibility error is displayed.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set service ssh cipher aes128-cbc
set service ssh host-key 'running://host.key'
set service ssh host-key-algorithms ssh-rsa
set service ssh keepalive-count-max 3
set service ssh keepalive-interval 59
set service ssh key-exchange curve25519-sha256
set service ssh login-grace-time 31
set service ssh mac hmac-md5
set service ssh pubkey-accepted-algorithms ssh-rsa
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$RcHheqhGs5pZVRCa$t.EB4rXxvVs217Nr44kj5FU0bjjfqPJt7Wub7qKkZt/f7cqNZ4eUAGpRWWlTiuQ7w22uWw75PU6ine/u/JIvV.'
set system security medium

Note

The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.

Step 3: Run the command commit on DUT0 and check whether the output contains the following tokens:

is/are not found in the following list:
must be greater than or equal to
must be less than or equal to
must correspond to one of the following elliptic curves (ECDSA):
Show output
[ system security medium ]
service ssh cipher [aes128-cbc] is/are not found in the following list: [aes128-ctr, aes192-ctr, aes256-ctr]
[ system security medium ]
service ssh mac [hmac-md5] is/are not found in the following list: [hmac-sha2-256, hmac-sha2-512]
[ system security medium ]
service ssh key-exchange [curve25519-sha256] is/are not found in the following list: [diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521]
[ system security medium ]
service ssh host-key [running://host.key] must correspond to one of the following elliptic curves (ECDSA): [ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521].
[ system security medium ]
service ssh pubkey-accepted-algorithms [ssh-rsa] is/are not found in the following list: [ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521]
[ system security medium ]
service ssh host-key-algorithms [ssh-rsa] is/are not found in the following list: [ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521]
[ system security medium ]
service ssh login-grace-time [31] must be less than or equal to 30
[ system security medium ]
service ssh keepalive-interval [59] must be greater than or equal to 60
[ system security medium ]
service ssh keepalive-count-max [3] must be greater than or equal to 5
[ system security medium ]
Commit validation failed
CLI Error: Command error

Example 2

Step 1: Set the following configuration in DUT0:

set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy server-name SERVER
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$O9TMogWmyluRgWon$Drvdgfcr3oEBzLAoZCGXfzh1PVm4VcQEv2XevMZ.6OBjZPE67Ca1heAx1LLtIAwxZ.2sS1XM4FTPyjO9Ogcx4/'
set system security medium

Note

The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.

Step 3: Run the command commit on DUT0 and check whether the output contains the following tokens:

is/are not found in the following list:
Show output
[ system security medium ]
service dns proxy cipher 1 algorithm [TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA] is/are not found in the following list: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256]
[ system security medium ]
Commit validation failed
CLI Error: Command error

Example 3

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set vpn ipsec auth-profile AUTH global-secrets ike-psk test encrypted-secret U2FsdGVkX1/XEm9wnGNp7fH3p6EAX98QqNd/HbaW8rw=
set vpn ipsec auth-profile AUTH local auth ike-psk id test
set vpn ipsec esp-group ESP proposal 1 encryption null
set vpn ipsec esp-group ESP proposal 1 hash md5
set vpn ipsec esp-group ESP proposal 1 pfs dh-group14
set vpn ipsec ike-group IKE proposal 1 dh-group 14
set vpn ipsec ike-group IKE proposal 1 encryption 3des
set vpn ipsec ike-group IKE proposal 1 hash md5

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$HFW.nNqzvV9j1lI/$sM.Vl0YaSaIGp6hJ8Jgl6oroOFBB8za4fyV0pdMabuIL2zdBuJlOPTkDK999ASaJ0z8TbrdHHh6ucHCSjzHEI.'
set system security medium

Note

The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.

Step 3: Run the command commit on DUT0 and check whether the output contains the following tokens:

is/are not found in the following list:
Show output
[ system security medium ]
vpn ipsec auth-profile AUTH local [auth] is/are not found in the following list: [id, pkcs12, crl]
[ system security medium ]
vpn ipsec esp-group ESP proposal 1 pfs [dh-group14] is/are not found in the following list: [dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21]
[ system security medium ]
vpn ipsec esp-group ESP proposal 1 encryption [null] is/are not found in the following list: [aes128gcm128, aes192gcm128, aes256gcm128, chacha20poly1305]
[ system security medium ]
vpn ipsec esp-group ESP proposal 1 hash [md5] is/are not found in the following list: [sha256, sha384, sha512]
[ system security medium ]
vpn ipsec ike-group IKE key-exchange [ikev1] is/are not found in the following list: [ikev2]
[ system security medium ]
vpn ipsec ike-group IKE proposal 1 dh-group [14] is/are not found in the following list: [15, 16, 17, 18, 19, 20, 21]
[ system security medium ]
vpn ipsec ike-group IKE proposal 1 encryption [3des] is/are not found in the following list: [aes128gcm128, aes192gcm128, aes256gcm128, chacha20poly1305]
[ system security medium ]
vpn ipsec ike-group IKE proposal 1 hash [md5] is/are not found in the following list: [sha256, sha384, sha512]
[ system security medium ]
Commit validation failed
CLI Error: Command error

Example 4

Step 1: Set the following configuration in DUT0:

set system login parameters max-sessions 6
set system login parameters password-prompt-delay 9
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$C3IVKgGJMocdAlfv$V5RMNKUm1lyoFiF56ehN4DI1sMc77EX4/DOb0cTZFtcMtvuEggiulpxT2k56lDphKHbFtjJcol8n2n.YDHVwU0'
set system security medium

Note

The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.

Step 3: Run the command commit on DUT0 and check whether the output contains the following tokens:

must be greater than or equal to
must be less than or equal to
Show output
[ system security medium ]
system login parameters max-sessions [6] must be less than or equal to 5
[ system security medium ]
system login parameters password-prompt-delay [9] must be greater than or equal to 10
[ system security medium ]
Commit validation failed
CLI Error: Command error

Example 5

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system ntp authentication-key 1 algorithm md5
set system ntp authentication-key 1 encrypted-key U2FsdGVkX1/mW8fApAh42sLxZUfbuAH+2Cb+TRWWsq4=
set system ntp server address 10.215.168.1

Step 2: Set the following configuration in DUT0 related to secure mode without committing:

set system login user admin authentication encrypted-password '$6$QAcXALtshpovG63W$sYDpYkgZ2NgkzwJJjtmh0uLkjdJG/GxSXky/D333.yKpqbca5gOTTaVPuBfzfqekSbs9Cqlxli582J8W0vnnk/'
set system security medium

Note

The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.

Step 3: Run the command commit on DUT0 and check whether the output contains the following tokens:

is/are not found in the following list:
Show output
[ system security medium ]
system ntp authentication-key 1 algorithm [md5] is/are not found in the following list: [sha256, sha384, sha512]
[ system security medium ]
Commit validation failed
CLI Error: Command error
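
The commit errors in Examples 1 to 5 follow two fixed shapes, a permitted-value list and a numeric bound, so they can be parsed into a remediation worklist before retrying the commit. The following Python sketch is an added example, not Teldat code; the function names parse_commit_errors and worklist are hypothetical, and the sample input is constructed from output lines shown in Examples 1 and 4.

```python
import re

# Constructed sample: commit output lines copied from Examples 1 and 4 on this page.
SAMPLE = """\
[ system security medium ]
service ssh cipher [aes128-cbc] is/are not found in the following list: [aes128-ctr, aes192-ctr, aes256-ctr]
[ system security medium ]
service ssh host-key [running://host.key] must correspond to one of the following elliptic curves (ECDSA): [ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521].
[ system security medium ]
service ssh login-grace-time [31] must be less than or equal to 30
[ system security medium ]
system login parameters password-prompt-delay [9] must be greater than or equal to 10
[ system security medium ]
Commit validation failed
CLI Error: Command error
"""

# "<path> [<value>] <list message>: [<allowed, ...>]" (the host-key line ends with a period)
LIST_RE = re.compile(
    r"^(?P<path>.+?) \[(?P<value>[^\]]*)\] "
    r"(?:is/are not found in the following list"
    r"|must correspond to one of the following elliptic curves \(ECDSA\))"
    r": \[(?P<allowed>[^\]]*)\]\.?$")
# "<path> [<number>] must be greater|less than or equal to <limit>"
BOUND_RE = re.compile(
    r"^(?P<path>.+?) \[(?P<value>\d+)\] must be (?P<op>greater|less) "
    r"than or equal to (?P<limit>\d+)$")

def parse_commit_errors(output):
    """Return one finding per rejected setting; status lines are skipped."""
    findings = []
    for line in map(str.strip, output.splitlines()):
        if m := LIST_RE.match(line):
            allowed = [a.strip() for a in m["allowed"].split(",")]
            findings.append({"path": m["path"], "value": m["value"],
                             "rule": "allowed", "allowed": allowed})
        elif m := BOUND_RE.match(line):
            findings.append({"path": m["path"], "value": int(m["value"]),
                             "rule": "min" if m["op"] == "greater" else "max",
                             "limit": int(m["limit"])})
    return findings

def worklist(findings):
    """One line per rejected setting with what the medium level permits."""
    return [f"{f['path']} [{f['value']}] permitted: " +
            (", ".join(f["allowed"]) if f["rule"] == "allowed"
             else f"{'>=' if f['rule'] == 'min' else '<='} {f['limit']}")
            for f in findings]
```

Lines that match neither shape, such as the multi-user and password-criteria messages, are skipped and still need to be read by hand.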