Services
These scenarios show the service limitations that apply when secure mode is enabled (in these tests it is enabled with set system security medium), and illustrate how to configure other services that are restricted by this feature.
Insecure communication protocols are disabled
Description
Check that insecure transfer protocols (http, ftp and tftp) are rejected when secure mode is enabled
Scenario
Step 1: Run command image add http://madrid.storage.id.teldat.com/osdx_images/official_releases//v3.10.1.1/iso/os_iso.iso at DUT0 and check if output contains the following tokens:
Secure mode activated. ftp, tftp and http connections not allowed
Output:
using firmware update url: http://madrid.storage.id.teldat.com/osdx_images/official_releases//v3.10.1.1/iso/os_iso.iso
Secure mode activated. ftp, tftp and http connections not allowed
CLI Error: Command error
Step 2: Run command file copy http://madrid.storage.id.teldat.com/osdx_images/official_releases//v3.10.1.1/iso/os_iso.iso running:// at DUT0 and check if output contains the following tokens:
Secure mode activated. ftp, tftp and http connections not allowed
Output:
Secure mode activated. ftp, tftp and http connections not allowed
CLI Error: Command error
Update software
Description
Check that only admin users are allowed to update the software image
Scenario
Step 1: Set the following configuration in DUT0:
set system login role cfg level 10
set system login user admin authentication encrypted-password '$6$bqkrmN.RjW1aTHUJ$k5YkXaDa4aBm.s3HC5l.TBbcq.ypAxmQ1pYeFkZ3xnxqih5jBGdRB2clwK7zm7qcUV6Gu413brdaguw7O192g/'
set system login user test authentication encrypted-password '$6$K4jhWMcCp3ieejbK$yD/F7fL.BUXgWB9eCFAuveSgv8rc9P7zd1sw2zFZRjpzSLZDdhH0LCRyBkqjvByTnm96wYNGDK4VawKOl8eH./'
set system login user test role cfg
set system security medium
Step 2: Login as test with password tEst!2qqqqqq
Step 3: Run command image add http://madrid.storage.id.teldat.com/osdx_images/official_releases//v3.10.1.1/iso/os_iso.iso at DUT0 and check if output contains the following tokens:
Insufficient privileges
Output:
CLI Error: Insufficient privileges
Disabled Services
Description
Verify that the affected services are disabled for both configuration and operational commands
Scenario
Example 1
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set service telnet
Step 2: Run command commit at DUT0 and check if output contains the following tokens:
Secure mode is activated
Output:
[ service telnet ] Secure mode is activated
Commit validation failed
CLI Error: Command error
Example 2
Step 1: Run command telnet 127.0.0.1 at DUT0 and check if output contains the following tokens:
Insufficient privileges
Output:
CLI Error: Insufficient privileges
Example 3
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set service snmp community PUBLIC
Step 2: Run command commit at DUT0 and check if output contains the following tokens:
Secure mode is activated
Output:
[ service snmp ] Secure mode is activated
Commit validation failed
CLI Error: Command error
Example 4
Step 1: Run command service snmp show mib at DUT0 and check if output contains the following tokens:
Insufficient privileges
Output:
CLI Error: Insufficient privileges
Example 5
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set system certificate scep csr CSR distinguished-names TEST
set system certificate scep csr CSR url 127.0.0.1
Step 2: Run command commit at DUT0 and check if output contains the following tokens:
Secure mode is activated
Output:
[ system certificate scep ] Secure mode is activated
Commit validation failed
CLI Error: Command error
Example 6
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set system strong-password min-length 10
Step 2: Run command commit at DUT0 and check if output contains the following tokens:
Secure mode is activated
Output:
[ system strong-password ] Secure mode is activated
Commit validation failed
CLI Error: Command error
Example 7
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set user-level 5 command 'file copy'
Step 2: Run command commit at DUT0 and check if output contains the following tokens:
Secure mode is activated
Output:
[ user-level 5 ] Secure mode is activated
Commit validation failed
CLI Error: Command error
Example 8
Step 1: Run command show history at DUT0 and check if output contains the following tokens:
This command is not available for secure mode
Output:
This command is not available for secure mode
New Users Passwords
Description
New users must meet the password criteria when secure mode is enabled
Scenario
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set system login user invalidUser authentication plaintext-password 1Test! at DUT0 and check if output contains the following tokens:
Password does not meet the criteria for secure mode. The criteria are: Must include uppercase, lowercase, numbers, one of these special characters '!, @, #, $, %, ^, &, *, (, )' and must be at least 12 characters long.
Output:
Password does not meet the criteria for secure mode. The criteria are: Must include uppercase, lowercase, numbers, one of these special characters '!, @, #, $, %, ^, &, *, (, )' and must be at least 12 characters long.
Value validation failed
CLI Error: Command error
Step 3: Set the following configuration in DUT0:
set system login role cfg level 10
set system login user admin authentication encrypted-password '$6$0hChIdWyYBuIYTPd$OQMPo5zPg/v7Ijd6aNDGE8DplgDlJSpNP4qG.szhrOSATqP8BeudCkW.r46DMNEw0Vpvco0UdyGUBaxmoWtDY.'
set system login user test authentication encrypted-password '$6$MS7c5WbIJetD9xTH$5MwZyGyt1fa/thBTNgY5G07MIODo3unb6VXLM3ewATb34z5u4VsK8macT/SsSrXxd2qY8L0prV9TM/etYhg.f.'
set system login user test role cfg
set system security medium
Step 4: Run command show running at DUT0 and check if output contains the following tokens:
system login user test
Output:
# Teldat OSDx VM version v4.2.2.1
# Fri 10 Jan 2025 13:59:56 +00:00
# Warning: Configuration has not been saved
set system login role cfg level 10
set system login user admin authentication encrypted-password '$6$0hChIdWyYBuIYTPd$OQMPo5zPg/v7Ijd6aNDGE8DplgDlJSpNP4qG.szhrOSATqP8BeudCkW.r46DMNEw0Vpvco0UdyGUBaxmoWtDY.'
set system login user test authentication encrypted-password '$6$MS7c5WbIJetD9xTH$5MwZyGyt1fa/thBTNgY5G07MIODo3unb6VXLM3ewATb34z5u4VsK8macT/SsSrXxd2qY8L0prV9TM/etYhg.f.'
set system login user test role cfg
set system security medium
Invalid Passwords
Description
This scenario shows the error message produced for each invalid secret (here a tacacs server key) that is configured; the commit validator applies the secure-mode password criteria to the secret behind the encrypted-key value
Scenario
Example 1
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set system aaa server tacacs SERVER address 127.0.0.1
set system aaa server tacacs SERVER encrypted-key U2FsdGVkX1/Zwp1nEMKd8BJMBuZEWyiTAjT8b8yMoU8=
Step 2: Run command commit at DUT0 and expect this output:
[ system aaa server tacacs SERVER encrypted-key ] "U2FsdGVkX1/Zwp1nEMKd8BJMBuZEWyiTAjT8b8yMoU8=" strong-password: not long enough
Commit validation failed
CLI Error: Command error
Example 2
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set system aaa server tacacs SERVER address 127.0.0.1
set system aaa server tacacs SERVER encrypted-key U2FsdGVkX1/0XbuZ1m7BcTGg1FdbLtmZEyDu/69e9JI=
Step 2: Run command commit at DUT0 and expect this output:
[ system aaa server tacacs SERVER encrypted-key ] "U2FsdGVkX1/0XbuZ1m7BcTGg1FdbLtmZEyDu/69e9JI=" strong-password: doesnt have uppercase, lowercase, numbers and special characters
Commit validation failed
CLI Error: Command error
Example 3
Step 1: Set the following configuration in DUT0 related to secure mode without committing:
set system aaa server tacacs SERVER address 127.0.0.1
set system aaa server tacacs SERVER encrypted-key U2FsdGVkX18XMKtK4rTl3ZefFATi5e0Hgk9xhR8kG3U=
Step 2: Run command commit at DUT0 and expect this output:
[ system aaa server tacacs SERVER encrypted-key ] "U2FsdGVkX18XMKtK4rTl3ZefFATi5e0Hgk9xhR8kG3U=" strong-password: must contain at least one of these special characters: !, @, #, $, %, ^, &, *, (, )
Commit validation failed
CLI Error: Command error
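The password criteria quoted in the New Users Passwords scenario and the three strong-password messages in the Invalid Passwords examples above can be checked before anything is typed into the device. The script below is an added example and not OSDx code: it re-implements those criteria so that a plaintext-password in a candidate configuration is screened offline. How the device decides between the second message (character classes) and the third (special-character set) is not documented on this page; the split used here is an assumption, as is the choice to report every violation instead of only the first. Encrypted values (encrypted-password, encrypted-key) cannot be screened this way because the secret is not visible.

```python
"""Screen secrets against the secure-mode password policy before committing.

Added example, not part of OSDx. The criteria are the ones the CLI prints:
uppercase, lowercase, digits, one of '!@#$%^&*()', at least 12 characters.
The split between MSG_CLASSES and MSG_SPECIAL is an assumption.
"""
import shlex
import string

MIN_LENGTH = 12
SPECIAL_CHARS = set("!@#$%^&*()")  # exactly the set quoted in the CLI error

MSG_LENGTH = "not long enough"
MSG_CLASSES = "doesnt have uppercase, lowercase, numbers and special characters"
MSG_SPECIAL = "must contain at least one of these special characters: !, @, #, $, %, ^, &, *, (, )"


def check_password(password):
    """Return the list of policy violations (an empty list means the secret passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(MSG_LENGTH)
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_digit = any(c in string.digits for c in password)
    has_special = any(c in SPECIAL_CHARS for c in password)
    # Characters outside these four classes (space, '-', '_', ...) count for nothing.
    if not (has_upper and has_lower and has_digit):
        problems.append(MSG_CLASSES)
    if not has_special:
        problems.append(MSG_SPECIAL)
    return problems


def screen_set_lines(lines):
    """Find plaintext-password leaves in 'set ...' lines and report violations.

    Returns a list of (config path without the value, violations) for every
    failing secret. encrypted-password / encrypted-key values are skipped
    because the secret behind them is not available offline.
    """
    findings = []
    for line in lines:
        tokens = shlex.split(line)  # keeps quoted values as one token
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        leaf, value = tokens[-2], tokens[-1]
        if leaf == "plaintext-password":
            problems = check_password(value)
            if problems:
                findings.append((" ".join(tokens[1:-1]), problems))
    return findings


# Constructed candidate configuration: the first line is the one the page rejects,
# the second uses the password the page logs in with.
CANDIDATE_CONFIG = [
    "set system login user invalidUser authentication plaintext-password 1Test!",
    "set system login user test authentication plaintext-password tEst!2qqqqqq",
    "set system security medium",
]

if __name__ == "__main__":
    for path, problems in screen_set_lines(CANDIDATE_CONFIG):
        print("[ %s ] strong-password: %s" % (path, "; ".join(problems)))
```

Run it over a saved set-command file before pasting the configuration; anything it reports would be refused by the device at set or commit time, though a clean result does not prove the device will accept it.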
Syslog Feature
Description
This scenario shows how to configure the syslog utility with secure mode enabled
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set system login user admin authentication encrypted-password '$6$1jv3W3BFkRSYVPPY$2OlrLCQUQ8XGJXy1jruAyyyG1/sb4pFlRo2prMCin.iuRcCrMGQQioOZoYgCzTGkMVEdutqjKu7mx3JA3THp..'
set system security medium
set system syslog host 10.215.168.1 filter def app OSDxCLI
set system syslog host 10.215.168.1 filter def level info
set system syslog host 10.215.168.1 port 10514
set system syslog host 10.215.168.1 protocol tcp
set system syslog host 10.215.168.1 tls ca 'running://ca.crt'
set system syslog host 10.215.168.1 tls permitted-peer rsyslog.server.com
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
Output:
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.136 ms
--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.136/0.136/0.136/0.000 ms
Step 3: Run command show host name at DUT0 and expect this output:
osdx
Note
Check the server /var/log/10.215.168.64/.log file and read the executed a new command: 'show host name' log message:
2025-01-10T12:34:37.658243+00:00 10.215.168.64 2025-01-10T12:34:36.785444+00:00 user-notice osdx nsmd: Notice: Starting NSM daemon
2025-01-10T12:34:37.704339+00:00 10.215.168.64 2025-01-10T12:34:36.786947+00:00 user-warning osdx nsmd: Warning: "A": Buffer size (0) is less than minimum buffer size (16)
2025-01-10T12:34:37.704339+00:00 10.215.168.64 2025-01-10T12:34:36.787210+00:00 user-info osdx nsmd: {"DstIP":"10.215.168.128","Jitter":0.0,"PacketLoss":0.0,"RTT":0.0,"SrcIP":"10.215.168.64","SrcIface":"eth0","Timestamp":1736512476}
2025-01-10T12:34:37.704339+00:00 10.215.168.64 2025-01-10T12:34:37.287279+00:00 user-info osdx nsmd: {"DstIP":"10.215.168.128","Jitter":0.0052784899999999994,"PacketLoss":0.0,"RTT":0.023272380000000002,"SrcIP":"10.215.168.64","SrcIface":"eth0","Timestamp":1736512477}
2025-01-10T12:34:37.841037+00:00 10.215.168.64 2025-01-10T12:34:37.787457+00:00 user-info osdx nsmd: {"DstIP":"10.215.168.128","Jitter":0.011831699999999999,"PacketLoss":0.0,"RTT":0.046172069999999996,"SrcIP":"10.215.168.64","SrcIface":"eth0","Timestamp":1736512477}
2025-01-10T12:34:38.341160+00:00 10.215.168.64 2025-01-10T12:34:38.287484+00:00 user-info osdx nsmd: {"DstIP":"10.215.168.128","Jitter":0.017760649999999996,"PacketLoss":0.0,"RTT":0.07080429000000002,"SrcIP":"10.215.168.64","SrcIface":"eth0","Timestamp":1736512478}
2025-01-10T12:34:38.841178+00:00 10.215.168.64 2025-01-10T12:34:38.787564+00:00 user-info osdx nsmd: {"DstIP":"10.215.168.128","Jitter":0.030951050000000004,"PacketLoss":0.0,"RTT":0.10045344000000002,"SrcIP":"10.215.168.64","SrcIface":"eth0","Timestamp":1736512478}
2025-01-10T12:34:39.159938+00:00 10.215.168.64 2025-01-10T12:34:39.106270+00:00 user-notice osdx nsmd: Notice: Stopping NSM daemon
2025-01-10T14:00:21.584531+00:00 10.215.168.64 2025-01-10T14:00:21.150621+00:00 auth-notice osdx OSDxCLI: User 'admin' committed the configuration.
2025-01-10T14:00:21.584574+00:00 10.215.168.64 2025-01-10T14:00:21.167372+00:00 auth-notice osdx OSDxCLI: User 'admin' left the configuration menu.
2025-01-10T14:00:21.584574+00:00 10.215.168.64 2025-01-10T14:00:21.287002+00:00 auth-notice osdx OSDxCLI: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
2025-01-10T14:00:22.512268+00:00 10.215.168.64 2025-01-10T14:00:22.344482+00:00 auth-notice osdx OSDxCLI: User 'admin' executed a new command: 'show host name'.
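The forwarded OSDxCLI entries above are an audit trail: every command, commit and configuration-menu exit is attributed to a user with the device's own timestamp. The script below is an added example, not code from OSDx or rsyslog. It parses the collector-side line format shown in this capture (receive timestamp, source IP, device timestamp, facility-severity, hostname, app, message) and turns the OSDxCLI entries into a timeline, then flags watched commands issued by a user who is not expected to run them. The watchlist (image add, file copy, the admin-only commands in the Update software scenario) and the allowed-user list are assumptions chosen for illustration; the first four sample lines are taken from the capture above and the fifth is constructed.

```python
"""Extract the OSDxCLI audit trail from syslog lines forwarded by the device.

Added example, not part of OSDx or rsyslog. SENSITIVE_PREFIXES and the
allowed_users default are assumptions; the last SAMPLE_LOG line is constructed.
"""
import re

LINE_RE = re.compile(
    r"^(?P<received>\S+) (?P<src_ip>\S+) (?P<device_ts>\S+) "
    r"(?P<facility>[a-z0-9]+)-(?P<severity>[a-z]+) (?P<host>\S+) (?P<app>[^:\s]+): (?P<msg>.*)$"
)
# "User 'admin' executed a new command: 'show host name'." / "User 'admin' committed the configuration."
USER_RE = re.compile(r"^User '(?P<user>[^']+)' (?P<rest>.*?)\.?$")
CMD_RE = re.compile(r"^executed a new command: '(?P<command>.*)'$")

# Assumption: software updates and file copies are admin-only on this page,
# so seeing them under any other user is worth an alert.
SENSITIVE_PREFIXES = ("image add", "file copy")

SAMPLE_LOG = [  # lines 1-4 from the page's capture; line 5 is constructed
    '2025-01-10T12:34:37.704339+00:00 10.215.168.64 2025-01-10T12:34:36.787210+00:00 user-info osdx nsmd: {"DstIP":"10.215.168.128","Jitter":0.0,"PacketLoss":0.0,"RTT":0.0,"SrcIP":"10.215.168.64","SrcIface":"eth0","Timestamp":1736512476}',
    "2025-01-10T14:00:21.584531+00:00 10.215.168.64 2025-01-10T14:00:21.150621+00:00 auth-notice osdx OSDxCLI: User 'admin' committed the configuration.",
    "2025-01-10T14:00:21.584574+00:00 10.215.168.64 2025-01-10T14:00:21.287002+00:00 auth-notice osdx OSDxCLI: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.",
    "2025-01-10T14:00:22.512268+00:00 10.215.168.64 2025-01-10T14:00:22.344482+00:00 auth-notice osdx OSDxCLI: User 'admin' executed a new command: 'show host name'.",
    "2025-01-10T14:01:05.100000+00:00 10.215.168.64 2025-01-10T14:01:04.900000+00:00 auth-notice osdx OSDxCLI: User 'test' executed a new command: 'image add https://example.invalid/os_iso.iso'.",
]


def parse_line(line):
    """Split one forwarded line into its fields; None if it is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["command"] = rec["event"] = None
    if rec["app"] == "OSDxCLI":
        u = USER_RE.match(rec["msg"])
        if u:
            rec["user"] = u.group("user")
            c = CMD_RE.match(u.group("rest"))
            if c:
                rec["command"] = c.group("command")  # the exact CLI line the user ran
            else:
                rec["event"] = u.group("rest")  # commit, menu exit, ...
    return rec


def cli_timeline(lines):
    """(device timestamp, user, command or event) for every OSDxCLI audit entry, in input order."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["user"]:
            action = rec["command"] if rec["command"] is not None else rec["event"]
            events.append((rec["device_ts"], rec["user"], action))
    return events


def flag_sensitive(lines, allowed_users=("admin",)):
    """Audit entries where a watched command was issued by a user outside allowed_users."""
    return [
        ev for ev in cli_timeline(lines)
        if ev[2] and ev[2].startswith(SENSITIVE_PREFIXES) and ev[1] not in allowed_users
    ]


if __name__ == "__main__":
    for ev in cli_timeline(SAMPLE_LOG):
        print("%s  %-6s %s" % ev)
    print("flagged:", flag_sensitive(SAMPLE_LOG))
```

Keying the timeline on the device timestamp rather than the collector's receive time keeps the order the device saw, which matters when TCP delivery batches several entries into the same second, as the three 14:00:21 entries in the capture show.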
SSH Algorithms Restrictions
Description
This scenario shows the restrictions that apply when trying to configure ssh ciphers or algorithms that are considered invalid in secure mode but accepted in normal mode. Although the example only covers the ssh server, the same restrictions apply to the ssh client.
Scenario
Example 1
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set service ssh cipher 3des-cbc at DUT0 and expect this output:
Unknown cipher "********"
Value validation failed
CLI Error: Command error
Example 2
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set service ssh mac hmac-sha1 at DUT0 and expect this output:
Unknown MAC "*********"
Value validation failed
CLI Error: Command error
Example 3
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set service ssh key-exchange diffie-hellman-group1-sha1 at DUT0 and expect this output:
Unknown KEX "**************************"
Value validation failed
CLI Error: Command error
Example 4
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set service ssh host-key-algorithms ssh-ed25519 at DUT0 and expect this output:
Unknown key "***********"
Value validation failed
CLI Error: Command error
Example 5
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set service ssh pubkey-accepted-algorithms ssh-rsa at DUT0 and expect this output:
Unknown key "*******"
Value validation failed
CLI Error: Command error
SSH Connections Failures
Description
This scenario illustrates failed attempts by DUT1 to connect to DUT0 via ssh, because the selected algorithms or ciphers are considered invalid while DUT0 has secure mode enabled.
Scenario
Example 1
Step 1: Init an SSH connection from DUT1 to IP address 10.0.0.1 with the user admin:
admin@DUT1$ ssh admin@10.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null cipher aes128-cbc
Example 2
Step 1: Init an SSH connection from DUT1 to IP address 10.0.0.1 with the user admin:
admin@DUT1$ ssh admin@10.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null mac hmac-md5
Example 3
Step 1: Init an SSH connection from DUT1 to IP address 10.0.0.1 with the user admin:
admin@DUT1$ ssh admin@10.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null key-exchange diffie-hellman-group14-sha256
IPSEC Algorithms Restrictions
Description
This scenario shows the restrictions on ipsec ciphers and authentication methods when secure mode is enabled
Scenario
Example 1
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set vpn ipsec esp-group ESP proposal 1 pfs dh-group14 at DUT0 and check if output contains the following tokens:
Invalid dh-group
Output:
Invalid dh-group
Value validation failed
CLI Error: Command error
Example 2
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set vpn ipsec esp-group ESP proposal 1 encryption aes128 at DUT0 and check if output contains the following tokens:
must be a valid encryption algorithm
Output:
must be a valid encryption algorithm
Value validation failed
CLI Error: Command error
Example 3
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set vpn ipsec esp-group ESP proposal 1 hash sha1 at DUT0 and check if output contains the following tokens:
Invalid hash
Output:
Invalid hash
Value validation failed
CLI Error: Command error
Example 4
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set vpn ipsec esp-group ESP mode transport at DUT0 and check if output contains the following tokens:
Invalid mode
Output:
Invalid mode
Value validation failed
CLI Error: Command error
Example 5
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set vpn ipsec ike-group IKE proposal 1 dh-group 22 at DUT0 and check if output contains the following tokens:
Invalid dh-group
Output:
Invalid dh-group
Value validation failed
CLI Error: Command error
Example 6
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set vpn ipsec ike-group IKE proposal 1 encryption aes192 at DUT0 and check if output contains the following tokens:
must be a valid encryption algorithm
Output:
must be a valid encryption algorithm
Value validation failed
CLI Error: Command error
Example 7
Step 1: Enter the configuration menu by typing configure
Step 2: Run command set vpn ipsec ike-group IKE proposal 1 hash md5 at DUT0 and check if output contains the following tokens:
Invalid hash
Output:
Invalid hash
Value validation failed
CLI Error: Command error
IPSEC Invalid Configurations
Description
This scenario shows which vpn ipsec configurations are considered invalid when secure mode is enabled
Scenario
Example 1
Step 1: Enter the configuration menu by typing configure
Step 2: Set the following configuration in DUT0 related to secure mode without committing:
set vpn ipsec auth-profile AUTH local auth eap DUT0 type md5
Step 3: Run command commit at DUT0 and check if output contains the following tokens:
PSK, RADIUS, MD5 and MSCHAPV2 methods are not available in secure mode
Output:
[ vpn ipsec ] PSK, RADIUS, MD5 and MSCHAPV2 methods are not available in secure mode
Commit failed
CLI Error: Command error
Example 2
Step 1: Enter the configuration menu by typing configure
Step 2: Set the following configuration in DUT0 related to secure mode without committing:
set vpn ipsec auth-profile AUTH local auth eap DUT0 type mschapv2
Step 3: Run command commit at DUT0 and check if output contains the following tokens:
PSK, RADIUS, MD5 and MSCHAPV2 methods are not available in secure mode
Output:
[ vpn ipsec ] PSK, RADIUS, MD5 and MSCHAPV2 methods are not available in secure mode
Commit failed
CLI Error: Command error
Example 3
Step 1: Enter the configuration menu by typing configure
Step 2: Set the following configuration in DUT0 related to secure mode without committing:
set vpn ipsec auth-profile AUTH local auth radius
Step 3: Run command commit at DUT0 and check if output contains the following tokens:
PSK, RADIUS, MD5 and MSCHAPV2 methods are not available in secure mode
Output:
[ vpn ipsec ] PSK, RADIUS, MD5 and MSCHAPV2 methods are not available in secure mode
Commit failed
CLI Error: Command error
Example 4
Step 1: Enter the configuration menu by typing configure
Step 2: Set the following configuration in DUT0 related to secure mode without committing:
set vpn ipsec esp-group ESP proposal 1 encryption aes128gcm128
Step 3: Run command commit at DUT0 and check if output contains the following tokens:
pfs and hash must be configured in esp-group ESP proposal 1 when secure mode is enabled
Output:
[ vpn ipsec esp-group ESP proposal 1 ] pfs and hash must be configured in esp-group ESP proposal 1 when secure mode is enabled
Commit validation failed
CLI Error: Command error
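The refusals demonstrated in the Disabled Services, SSH Algorithms Restrictions, IPSEC Algorithms Restrictions and IPSEC Invalid Configurations scenarios can be turned into a pre-commit lint, so that a configuration prepared offline is checked before it is pasted into a device running with set system security medium. The script below is an added example and not OSDx code: it parses set lines into paths, refuses the subtrees and leaf values this page shows being rejected, and applies the cross-field rule from Example 4 above (an ESP proposal with anything configured must also carry pfs and hash). Only rejections shown on this page are encoded, so a configuration that passes the lint can still be refused by the device; the path patterns with '*' for user-chosen names and the wording of the value findings are assumptions.

```python
"""Pre-commit lint for OSDx 'set' lines against the secure-mode rejections on this page.

Added example, not part of OSDx. The tables below list only what the page
demonstrates; '*' stands for a user-chosen name or index.
"""
import shlex

# Subtrees the commit validator refuses while 'system security medium' is set.
DENIED_SUBTREES = [
    ("service", "telnet"),
    ("service", "snmp"),
    ("system", "certificate", "scep"),
    ("system", "strong-password"),
    ("user-level", "*"),
    ("vpn", "ipsec", "auth-profile", "*", "local", "auth", "radius"),
]

# Leaf values rejected at 'set' time (ssh, ipsec algorithms) or at commit time (eap type).
DENIED_VALUES = [
    (("vpn", "ipsec", "auth-profile", "*", "local", "auth", "eap", "*", "type"), {"md5", "mschapv2"}),
    (("vpn", "ipsec", "esp-group", "*", "proposal", "*", "pfs"), {"dh-group14"}),
    (("vpn", "ipsec", "esp-group", "*", "proposal", "*", "encryption"), {"aes128"}),
    (("vpn", "ipsec", "esp-group", "*", "proposal", "*", "hash"), {"sha1"}),
    (("vpn", "ipsec", "esp-group", "*", "mode"), {"transport"}),
    (("vpn", "ipsec", "ike-group", "*", "proposal", "*", "dh-group"), {"22"}),
    (("vpn", "ipsec", "ike-group", "*", "proposal", "*", "encryption"), {"aes192"}),
    (("vpn", "ipsec", "ike-group", "*", "proposal", "*", "hash"), {"md5"}),
    (("service", "ssh", "cipher"), {"3des-cbc"}),
    (("service", "ssh", "mac"), {"hmac-sha1"}),
    (("service", "ssh", "key-exchange"), {"diffie-hellman-group1-sha1"}),
    (("service", "ssh", "host-key-algorithms"), {"ssh-ed25519"}),
    (("service", "ssh", "pubkey-accepted-algorithms"), {"ssh-rsa"}),
]


def _matches(pattern, path):
    """True when path has the pattern's length and every token matches ('*' = any token)."""
    return len(pattern) == len(path) and all(p in ("*", t) for p, t in zip(pattern, path))


def parse_set_lines(lines):
    """Turn 'set a b c' lines into token tuples; quoted values stay one token."""
    paths = []
    for line in lines:
        tokens = shlex.split(line)
        if tokens[:1] == ["set"]:
            paths.append(tuple(tokens[1:]))
    return paths


def lint(lines):
    """Return human-readable findings for a candidate configuration (empty list = nothing known to fail)."""
    paths = parse_set_lines(lines)
    findings = []
    for path in paths:
        for subtree in DENIED_SUBTREES:
            if _matches(subtree, path[:len(subtree)]):
                findings.append("[ %s ] Secure mode is activated" % " ".join(path[:len(subtree)]))
                break
        for pattern, rejected in DENIED_VALUES:
            if _matches(pattern, path[:-1]) and path[-1] in rejected:
                findings.append("[ %s ] value '%s' is not accepted in secure mode"
                                % (" ".join(path[:-1]), path[-1]))
    # Cross-field rule: once anything is set in an ESP proposal, pfs and hash are mandatory.
    proposals = {}
    for path in paths:
        if len(path) > 6 and path[:3] == ("vpn", "ipsec", "esp-group") and path[4] == "proposal":
            proposals.setdefault(path[:6], set()).add(path[6])
    for prop, leaves in proposals.items():
        if not {"pfs", "hash"} <= leaves:
            findings.append("[ %s ] pfs and hash must be configured in esp-group %s proposal %s when secure mode is enabled"
                            % (" ".join(prop), prop[3], prop[5]))
    return findings


if __name__ == "__main__":
    # Constructed candidate: every line here is one the page shows being refused.
    candidate = [
        "set service telnet",
        "set user-level 5 command 'file copy'",
        "set vpn ipsec esp-group ESP proposal 1 encryption aes128gcm128",
        "set vpn ipsec auth-profile AUTH local auth eap DUT0 type md5",
    ]
    for finding in lint(candidate):
        print(finding)
```

The subtree check stops at the first match per line and the value check keys on the final token, so a line such as set user-level 5 command 'file copy' is reported once under its subtree rather than once per rule; extend the two tables as further rejections are observed on a device.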