Services
These scenarios show the service limitations that apply when secure mode is enabled. They also illustrate how to configure other services that are limited by this feature.
Insecure communication protocols are disabled
Description
Check that insecure protocols (such as http and ftp) are disabled
Scenario
Step 1: Run the command image add http://madrid.storage.id.teldat.com/osdx_images/official_releases//v3.10.1.1/iso/os_iso.iso on DUT0 and check whether the output contains the following tokens:
Secure mode activated. ftp, tftp and http connections not allowed
Output:
using firmware update url: http://madrid.storage.id.teldat.com/osdx_images/official_releases//v3.10.1.1/iso/os_iso.iso
Secure mode activated. ftp, tftp and http connections not allowed
CLI Error: Command error
Step 2: Run the command file copy http://madrid.storage.id.teldat.com/osdx_images/official_releases//v3.10.1.1/iso/os_iso.iso running:// on DUT0 and check whether the output contains the following tokens:
Secure mode activated. ftp, tftp and http connections not allowed
Output:
Secure mode activated. ftp, tftp and http connections not allowed
CLI Error: Command error
Update software
Description
Check that only admin users are allowed to update software
Scenario
Step 1: Set the following configuration in DUT0:
set system login role cfg level 10
set system login user admin authentication encrypted-password '$6$XWxHLwod0lqUr4f6$FUfzAJb7g3wql8Y7tlx0F41yVR22E60A3bcy.KQDc4qlLwgI95RSJFObS9CfKD6i2EQwDDZOtpi1VlAWzPC2Q/'
set system login user test authentication encrypted-password '$6$QsVanjUOICF12mku$M9uod2d1LP.YfTbkWejonmfSkkgrDIoQEH9iIDVqCwkd.IQp5gi4dbLgISvNgDIBROQWAZoBWJoZKeyXSX0r00'
set system login user test role cfg
set system security medium
Step 2: Log in as test with password tEst!2qqqqqq:
test@osdx
Note
After a security level change, the device requires re-authentication with credentials that comply with the new security policy.
Step 3: Run the command image add http://madrid.storage.id.teldat.com/osdx_images/official_releases//v3.10.1.1/iso/os_iso.iso on DUT0 and check whether the output contains the following tokens:
Insufficient privileges
Output:
CLI Error: Insufficient privileges
Disabled Services
Description
Verify that different services are disabled for both configuration and operation commands
Scenario
Example 1
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set service telnet
Note
The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.
Step 2: Run the command commit on DUT0 and check whether the output contains the following tokens:
Secure mode is activated
Output:
[ service telnet ]
Secure mode is activated
Commit validation failed
CLI Error: Command error
Example 2
Step 1: Run the command telnet 127.0.0.1 on DUT0 and check whether the output contains the following tokens:
Insufficient privileges
Output:
CLI Error: Insufficient privileges
Example 3
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set service snmp community 'COMMUNITY2TEST!'
Note
The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.
Step 2: Run the command commit on DUT0 and check whether the output contains the following tokens:
Secure mode is activated
Output:
[ service snmp ]
Secure mode is activated
Commit validation failed
CLI Error: Command error
Example 4
Step 1: Run the command service snmp show mib on DUT0 and check whether the output contains the following tokens:
Insufficient privileges
Output:
CLI Error: Insufficient privileges
Example 5
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set system certificate scep csr CSR distinguished-names TEST
set system certificate scep csr CSR url 127.0.0.1
Note
The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.
Step 2: Run the command commit on DUT0 and check whether the output contains the following tokens:
Secure mode is activated
Output:
[ system certificate scep ]
Secure mode is activated
Commit validation failed
CLI Error: Command error
Example 6
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set system strong-password min-length 10
Note
The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.
Step 2: Run the command commit on DUT0 and check whether the output contains the following tokens:
Secure mode is activated
Output:
[ system strong-password ]
Secure mode is activated
Commit validation failed
CLI Error: Command error
Example 7
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set user-level 5 command 'file copy'
Note
The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.
Step 2: Run the command commit on DUT0 and check whether the output contains the following tokens:
Secure mode is activated
Output:
[ user-level 5 ]
Secure mode is activated
Commit validation failed
CLI Error: Command error
Example 8
Step 1: Run the command show history on DUT0 and check whether the output contains the following tokens:
This command is not available for secure mode
Output:
This command is not available for secure mode
New Users Passwords
Description
New users must meet the password criteria when secure mode is enabled
Scenario
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set system login user invalidUser authentication plaintext-password 1Test! on DUT0 and check whether the output contains the following tokens:
Password does not meet the criteria for secure mode. The criteria are: Must include uppercase, lowercase, numbers, one of these special characters '!, @, #, $, %, ^, &, *, (, )' and must be at least 12 characters long.
Output:
Password does not meet the criteria for secure mode. The criteria are: Must include uppercase, lowercase, numbers, one of these special characters '!, @, #, $, %, ^, &, *, (, )' and must be at least 12 characters long.
Value validation failed
CLI Error: Command error
Step 3: Set the following configuration in DUT0:
set system login role cfg level 10
set system login user admin authentication encrypted-password '$6$2yItq/DaAe4GuwEr$bLRsyniwZ1kTuH7488zvKkS9/h2G2CFAUxMBO1TMwP6huohGfFEOjtVewzko7XJuqMhcnzAwV9vtQpuEi3efb/'
set system login user test authentication encrypted-password '$6$QlyZYUAZowb17Qce$ZtU7jGKCxUCB8V3Jbc1Jly.yJfYyu67.f9.IbHzLAnnXmrLV7a1y1HP4Zda5J1XG41DHbdB5Ys5rkIwN797ww0'
set system login user test role cfg
set system security medium
Step 4: Run the command show running on DUT0 and check whether the output contains the following tokens:
system login user test
Output:
# Teldat OSDx VM version v4.2.10.0
# Tue 19 May 2026 15:34:41 +00:00
# Warning: Configuration has not been saved
set system login role cfg level 10
set system login user admin authentication encrypted-password '$6$2yItq/DaAe4GuwEr$bLRsyniwZ1kTuH7488zvKkS9/h2G2CFAUxMBO1TMwP6huohGfFEOjtVewzko7XJuqMhcnzAwV9vtQpuEi3efb/'
set system login user test authentication encrypted-password '$6$QlyZYUAZowb17Qce$ZtU7jGKCxUCB8V3Jbc1Jly.yJfYyu67.f9.IbHzLAnnXmrLV7a1y1HP4Zda5J1XG41DHbdB5Ys5rkIwN797ww0'
set system login user test role cfg
set system security medium
Syslog Feature
Description
This scenario shows how to configure the syslog utility with secure mode enabled
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set system login user admin authentication encrypted-password '$6$yxMV4qhBtBrfzZ99$x0fNy9d4mDoH9rHUXn6/6jqqUIiujF3xUCfl6.DoHFZAnt9H768Tnk/ASnL3Pv1nulZW18v6DJyZlM8w57bGA.'
set system security medium
set system syslog host 10.215.168.1 filter def app OSDxCLI
set system syslog host 10.215.168.1 filter def level info
set system syslog host 10.215.168.1 port 10514
set system syslog host 10.215.168.1 protocol tcp
set system syslog host 10.215.168.1 x509 ca-certificate 'running://ca.crt'
set system syslog host 10.215.168.1 x509 permitted-peer rsyslog.server.com
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.150 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.150/0.150/0.150/0.000 ms
Step 3: Run the command show host name on DUT0 and expect the following output:
osdx
Note
Check the server /var/log/10.215.168.64/.log file and read the "executed a new command: 'show host name'" log message:
2026-05-19T15:34:56.231361+00:00 10.215.168.64 2026-05-19T15:34:55.754643+00:00 auth-notice osdx OSDxCLI: User 'admin' committed the configuration.
2026-05-19T15:34:56.242709+00:00 10.215.168.64 2026-05-19T15:34:55.769542+00:00 auth-notice osdx OSDxCLI: User 'admin' left the configuration menu.
2026-05-19T15:34:56.242709+00:00 10.215.168.64 2026-05-19T15:34:55.886016+00:00 auth-notice osdx OSDxCLI: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
2026-05-19T15:34:57.129140+00:00 10.215.168.64 2026-05-19T15:34:56.933486+00:00 auth-notice osdx OSDxCLI: User 'admin' executed a new command: 'show host name'.
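The check described in the note can be automated on the syslog server. The following is an added example, not part of the original page or of Teldat's tooling: it parses the relayed OSDxCLI audit lines shown above and lists the commands each user ran. The field layout is inferred from those four lines, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Layout inferred from the server-side lines above: receive time, sender address,
# device time, facility-severity, hostname, application, then the CLI audit text.
LINE = re.compile(
    r"^(?P<received>\S+) (?P<source>\S+) (?P<sent>\S+) "
    r"(?P<facility>[a-z0-9]+)-(?P<severity>[a-z]+) (?P<host>\S+) "
    r"(?P<app>[^:\s]+): User '(?P<user>[^']*)' (?P<action>.*)$"
)
COMMAND = re.compile(r"^executed a new command: '(?P<command>.*)'\.$")

def parse_line(line):
    """Return one audit event as a dict, or None if the line has another layout."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    try:
        event["received"] = datetime.fromisoformat(event["received"])
        event["sent"] = datetime.fromisoformat(event["sent"])
    except ValueError:
        return None
    # Time between the device logging the event and the server storing it.
    event["relay_delay"] = event["received"] - event["sent"]
    cmd = COMMAND.match(event["action"])
    event["command"] = cmd.group("command") if cmd else None
    return event

def audit(lines, expected_source):
    """Split lines into commands per user, foreign-source events and unparsed lines."""
    commands, foreign, unparsed = {}, [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed.append(line)
        elif event["source"] != expected_source:
            foreign.append(event)
        elif event["command"] is not None:
            commands.setdefault(event["user"], []).append(event["command"])
    return commands, foreign, unparsed

# The four log lines shown above, copied from the page.
SAMPLE = [
    "2026-05-19T15:34:56.231361+00:00 10.215.168.64 2026-05-19T15:34:55.754643+00:00 auth-notice osdx OSDxCLI: User 'admin' committed the configuration.",
    "2026-05-19T15:34:56.242709+00:00 10.215.168.64 2026-05-19T15:34:55.769542+00:00 auth-notice osdx OSDxCLI: User 'admin' left the configuration menu.",
    "2026-05-19T15:34:56.242709+00:00 10.215.168.64 2026-05-19T15:34:55.886016+00:00 auth-notice osdx OSDxCLI: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.",
    "2026-05-19T15:34:57.129140+00:00 10.215.168.64 2026-05-19T15:34:56.933486+00:00 auth-notice osdx OSDxCLI: User 'admin' executed a new command: 'show host name'.",
]

if __name__ == "__main__":
    commands, foreign, unparsed = audit(SAMPLE, "10.215.168.64")
    print(commands, len(foreign), len(unparsed))
```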
SSH Algorithms Restrictions
Description
This scenario shows the restrictions that apply when trying to configure ssh ciphers or algorithms that are considered invalid when secure mode is enabled, but not when the device is in normal mode. Although this example covers only ssh server mode, the functionality for an ssh client is the same.
Scenario
Example 1
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set service ssh cipher 3des-cbc on DUT0 and expect the following output:
Unknown cipher "********"
Value validation failed
CLI Error: Command error
Example 2
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set service ssh mac hmac-sha1 on DUT0 and expect the following output:
Unknown MAC "*********"
Value validation failed
CLI Error: Command error
Example 3
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set service ssh key-exchange diffie-hellman-group1-sha1 on DUT0 and expect the following output:
Unknown KEX "**************************"
Value validation failed
CLI Error: Command error
Example 4
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set service ssh host-key-algorithms ssh-ed25519 on DUT0 and expect the following output:
Unknown key "***********"
Value validation failed
CLI Error: Command error
Example 5
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set service ssh pubkey-accepted-algorithms ssh-rsa on DUT0 and expect the following output:
Unknown key "*******"
Value validation failed
CLI Error: Command error
SSH Connections Failures
Description
This scenario illustrates a failed attempt by DUT1 to connect to DUT0 via ssh, because the selected algorithms or ciphers are considered invalid when the latter device (DUT0) has secure mode enabled.
Scenario
Example 1
Step 1: Initiate an SSH connection from DUT1 to IP address 10.0.0.1 using user admin which is expected to fail:
admin@DUT1$ ssh admin@10.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null cipher aes128-cbc
'Unable to negotiate with 10.0.0.1 port 22: no matching cipher found. Their offer: aes256-ctr,aes192-ctr,aes128-ctr
CLI Error: Invalid token [option]
CLI Error: Command error
admin@osdx$' contains 'CLI Error'
Example 2
Step 1: Initiate an SSH connection from DUT1 to IP address 10.0.0.1 using user admin which is expected to fail:
admin@DUT1$ ssh admin@10.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null mac hmac-md5
'Unable to negotiate with 10.0.0.1 port 22: no matching MAC found. Their offer: hmac-sha2-512,hmac-sha2-256
CLI Error: Invalid token [option]
CLI Error: Command error
admin@osdx$' contains 'CLI Error'
Example 3
Step 1: Initiate an SSH connection from DUT1 to IP address 10.0.0.1 using user admin which is expected to fail:
admin@DUT1$ ssh admin@10.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null key-exchange diffie-hellman-group14-sha256
'Unable to negotiate with 10.0.0.1 port 22: no matching key exchange method found. Their offer: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,kex-strict-s-v00@openssh.com
CLI Error: Invalid token [option]
CLI Error: Command error
admin@osdx$' contains 'CLI Error'
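The three failures above follow from the SSH rule that the agreed algorithm is the first entry in the client's list that the server also offers. The following is an added example, not part of the original page or of Teldat's tooling: it parses the "Their offer:" text from each error and shows why the forced algorithm fails and which entry of a client list would be selected instead. The client preference lists in CONSTRUCTED are constructed for illustration, and the function names are hypothetical.

```python
import re

# Message the OpenSSH client prints when the two name-lists do not overlap.
NEGOTIATION_ERROR = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>cipher|MAC|key exchange method|host key type) found\. "
    r"Their offer: (?P<offer>\S+)"
)
# Extension markers carried in the KEX list that are not key exchange methods.
MARKERS = {"kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com",
           "ext-info-s", "ext-info-c"}

def parse_failure(text):
    """Return (kind, server_offer) from a negotiation error, or None."""
    m = NEGOTIATION_ERROR.search(text)
    if m is None:
        return None
    offer = [a for a in m.group("offer").split(",") if a not in MARKERS]
    return m.group("kind"), offer

def negotiate(client_prefs, server_offer):
    """First name in the client's list that the server also offers (simplified
    RFC 4253 rule; real KEX selection has extra host-key conditions)."""
    offered = set(server_offer)
    return next((a for a in client_prefs if a in offered), None)

# Error text copied from Examples 1-3 above.
FAILURES = [
    "Unable to negotiate with 10.0.0.1 port 22: no matching cipher found. "
    "Their offer: aes256-ctr,aes192-ctr,aes128-ctr",
    "Unable to negotiate with 10.0.0.1 port 22: no matching MAC found. "
    "Their offer: hmac-sha2-512,hmac-sha2-256",
    "Unable to negotiate with 10.0.0.1 port 22: no matching key exchange method "
    "found. Their offer: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,"
    "diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,"
    "kex-strict-s-v00@openssh.com",
]
# The single algorithm DUT1 was told to use in each example (from the page).
FORCED = {"cipher": ["aes128-cbc"], "MAC": ["hmac-md5"],
          "key exchange method": ["diffie-hellman-group14-sha256"]}
# Constructed client preference lists that do overlap with DUT0's offers.
CONSTRUCTED = {
    "cipher": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"],
    "MAC": ["hmac-sha1", "hmac-sha2-256"],
    "key exchange method": ["curve25519-sha256", "diffie-hellman-group16-sha512"],
}

def report(failures=FAILURES):
    """(kind, result with forced list, result with constructed list) per failure."""
    rows = []
    for text in failures:
        kind, offer = parse_failure(text)
        rows.append((kind, negotiate(FORCED[kind], offer),
                     negotiate(CONSTRUCTED[kind], offer)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```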
IPSEC Algorithms Restrictions
Description
This scenario shows the restrictions on ipsec ciphers and authentication methods when secure mode is enabled
Scenario
Example 1
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set vpn ipsec esp-group ESP proposal 1 pfs dh-group14 on DUT0 and check whether the output contains the following tokens:
Invalid dh-group
Output:
Invalid dh-group
Value validation failed
CLI Error: Command error
Example 2
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set vpn ipsec esp-group ESP proposal 1 encryption aes128 on DUT0 and check whether the output contains the following tokens:
must be a valid encryption algorithm
Output:
must be a valid encryption algorithm
Value validation failed
CLI Error: Command error
Example 3
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set vpn ipsec esp-group ESP proposal 1 hash sha1 on DUT0 and check whether the output contains the following tokens:
Invalid hash
Output:
Invalid hash
Value validation failed
CLI Error: Command error
Example 4
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set vpn ipsec esp-group ESP mode transport on DUT0 and check whether the output contains the following tokens:
Invalid mode
Output:
Invalid mode
Value validation failed
CLI Error: Command error
Example 5
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set vpn ipsec ike-group IKE proposal 1 dh-group 22 on DUT0 and check whether the output contains the following tokens:
Invalid dh-group
Output:
Invalid dh-group
Value validation failed
CLI Error: Command error
Example 6
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set vpn ipsec ike-group IKE proposal 1 encryption aes192 on DUT0 and check whether the output contains the following tokens:
must be a valid encryption algorithm
Output:
must be a valid encryption algorithm
Value validation failed
CLI Error: Command error
Example 7
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Run the command set vpn ipsec ike-group IKE proposal 1 hash md5 on DUT0 and check whether the output contains the following tokens:
Invalid hash
Output:
Invalid hash
Value validation failed
CLI Error: Command error
IPSEC Invalid Configurations
Description
This scenario shows which vpn ipsec configurations are considered invalid when secure mode is enabled
Scenario
Example 1
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Set the following configuration in DUT0 related to secure mode without committing:
set vpn ipsec auth-profile AUTH local auth eap DUT0 type md5
Note
The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.
Step 3: Run the command commit on DUT0 and check whether the output contains the following tokens:
is/are not found in the following list:
Output:
[ vpn ipsec auth-profile AUTH ]
vpn ipsec auth-profile AUTH local [auth] is/are not found in the following list: [id, pkcs12, crl]
[ vpn ipsec auth-profile AUTH ]
Commit validation failed
CLI Error: Command error
Example 2
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Set the following configuration in DUT0 related to secure mode without committing:
set vpn ipsec auth-profile AUTH local auth eap DUT0 type mschapv2
Note
The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.
Step 3: Run the command commit on DUT0 and check whether the output contains the following tokens:
is/are not found in the following list:
Output:
[ vpn ipsec auth-profile AUTH ]
vpn ipsec auth-profile AUTH local [auth] is/are not found in the following list: [id, pkcs12, crl]
[ vpn ipsec auth-profile AUTH ]
Commit validation failed
CLI Error: Command error
Example 3
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Set the following configuration in DUT0 related to secure mode without committing:
set vpn ipsec auth-profile AUTH local auth radius
Note
The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.
Step 3: Run the command commit on DUT0 and check whether the output contains the following tokens:
is/are not found in the following list:
Output:
[ vpn ipsec auth-profile AUTH ]
vpn ipsec auth-profile AUTH local [auth] is/are not found in the following list: [id, pkcs12, crl]
[ vpn ipsec auth-profile AUTH ]
Commit validation failed
CLI Error: Command error
Example 4
Step 1: Enter the configuration menu on DUT0:
configure
Step 2: Set the following configuration in DUT0 related to secure mode without committing:
set vpn ipsec esp-group ESP proposal 1 encryption aes128gcm128
Note
The configuration is staged but not yet applied. The commit command will validate all pending changes against the security level requirements.
Step 3: Run the command commit on DUT0 and check whether the output contains the following tokens:
pfs and hash must be configured in esp-group ESP proposal 1 when secure mode is enabled
Output:
[ vpn ipsec esp-group ESP proposal 1 ]
pfs and hash must be configured in esp-group ESP proposal 1 when secure mode is enabled
Commit validation failed
CLI Error: Command error