Authentication Dummy
These scenarios show how to set up AAA authentication for SSH using a dummy interface address as the source IP of the AAA traffic.
Radius Method With Dummy Local Address
Description
In this scenario, the dum0 address is used as the source IP for RADIUS packets in SSH authentication.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth1 address 10.215.168.65/24
set interfaces ethernet eth1 traffic nat source rule 1 address masquerade
set protocols static route 172.23.0.1/32 next-hop 10.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0:
set interfaces dummy dum0 address 172.23.0.1/32
set interfaces dummy dum0 traffic policy local-out LOC_OUT
set interfaces dummy dum0 vrf LOC
set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth0 traffic policy in WAN_IN
set interfaces ethernet eth0 vrf WAN
set protocols vrf AP static route 0.0.0.0/0 next-hop 10.0.0.1 interface eth0
set protocols vrf LOC static route 0.0.0.0/0 interface dum0
set protocols vrf WAN static route 0.0.0.0/0 next-hop 10.0.0.1
set service ssh aaa authentication list1
set system aaa group radius radgroup1 local-vrf LOC
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1/oOvPeAszC2tCltRAjJp2gUyRnXK1IwZ7cloYeBekGM8Jz3PpcCr7YG0P6AXTLaVfqurxg9uYpsA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf AP
set system vrf LOC
set system vrf WAN
set traffic policy LOC_OUT rule 1 set vrf AP connmark-cache
set traffic policy WAN_IN rule 1 selector SEL_AP
set traffic policy WAN_IN rule 1 set vrf LOC
set traffic selector SEL_AP rule 1 vrf-connmark AP
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 vrf LOC count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LOC
PING 10.215.168.1 (10.215.168.1) from 172.23.0.1 LOC: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=1.11 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.109/1.109/1.109/0.000 ms
Step 4: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testing:
admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
testing@127.0.0.1's password:
Welcome to Teldat OSDx v4.2.2.2
This system includes free software. Contact Teldat for licenses information and source code.
testing@osdx$
Step 5: Init an SSH connection from DUT1 to IP address 10.0.0.2 with the user testing:
admin@DUT1$ ssh testing@10.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.0.0.2' (ECDSA) to the list of known hosts.
testing@10.0.0.2's password:
Welcome to Teldat OSDx v4.2.2.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Wed Feb 19 20:56:17 2025 from 127.0.0.1
testing@osdx$
Tacacs Method With Dummy Local Address
Description
In this scenario, the dum0 address is used as the source IP for TACACS+ packets in SSH authentication.
Scenario
Step 1: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth1 address 10.215.168.65/24
set interfaces ethernet eth1 traffic nat source rule 1 address masquerade
set protocols static route 172.23.0.1/32 next-hop 10.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT0:
set interfaces dummy dum0 address 172.23.0.1/32
set interfaces dummy dum0 traffic policy local-out LOC_OUT
set interfaces dummy dum0 vrf LOC
set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth0 traffic policy in WAN_IN
set interfaces ethernet eth0 vrf WAN
set protocols vrf AP static route 0.0.0.0/0 next-hop 10.0.0.1 interface eth0
set protocols vrf LOC static route 0.0.0.0/0 interface dum0
set protocols vrf WAN static route 0.0.0.0/0 next-hop 10.0.0.1
set service ssh aaa authentication list1
set system aaa group tacacs tacgroup1 local-vrf LOC
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX19KxfxIuKrzqojHqi2OqwupS2IdR/B/Gow=
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf AP
set system vrf LOC
set system vrf WAN
set traffic policy LOC_OUT rule 1 set vrf AP connmark-cache
set traffic policy WAN_IN rule 1 selector SEL_AP
set traffic policy WAN_IN rule 1 set vrf LOC
set traffic selector SEL_AP rule 1 vrf-connmark AP
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 vrf LOC count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LOC
PING 10.215.168.1 (10.215.168.1) from 172.23.0.1 LOC: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=0.660 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.660/0.660/0.660/0.000 ms
Step 4: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testing:
admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
testing@127.0.0.1's password:
Welcome to Teldat OSDx v4.2.2.2
This system includes free software. Contact Teldat for licenses information and source code.
testing@osdx$
Step 5: Init an SSH connection from DUT1 to IP address 10.0.0.2 with the user testing:
admin@DUT1$ ssh testing@10.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.0.0.2' (ECDSA) to the list of known hosts.
testing@10.0.0.2's password:
Welcome to Teldat OSDx v4.2.2.2
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Wed Feb 19 20:56:38 2025 from 127.0.0.1
testing@osdx$
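Both the RADIUS and the TACACS+ scenarios depend on the same two facts: the AAA group's local-vrf must be the VRF that owns the addressed dummy interface, and the peer (DUT1) must have a return route for that dummy address, otherwise the server's reply never comes back. The checker below is an added example, not part of the OSDx page or product; it parses flattened "set ..." lines (a constructed subset of the DUT0 and DUT1 configuration above) and reports either mismatch before the configuration is committed.

```python
# Added example (not from the Teldat OSDx page): verifies the "dummy local
# address" pattern for both radius and tacacs groups by checking that the
# group's local-vrf owns an addressed dummy interface and the peer routes to it.

def parse_set_lines(text):
    """Token lists (without the leading 'set') for every 'set ...' command."""
    return [l.split()[1:] for l in text.splitlines() if l.startswith("set ")]

def dummy_sources(cmds):
    """Map dummy interface name -> {'address': ..., 'vrf': ...}."""
    ifaces = {}
    for t in cmds:
        if t[:2] == ["interfaces", "dummy"] and len(t) >= 5 and t[3] in ("address", "vrf"):
            ifaces.setdefault(t[2], {})[t[3]] = t[4]
    return ifaces

def aaa_group_vrfs(cmds):
    """Map (method, group) -> local-vrf for 'system aaa group radius|tacacs'."""
    return {(t[3], t[4]): t[6] for t in cmds
            if t[:3] == ["system", "aaa", "group"] and len(t) >= 7 and t[5] == "local-vrf"}

def peer_return_routes(cmds):
    """Destination prefixes that have a static route in the peer's default VRF."""
    return {t[3] for t in cmds if t[:3] == ["protocols", "static", "route"] and len(t) >= 4}

def check_dummy_source(local_cfg, peer_cfg):
    """Return a list of problems; an empty list means the pattern is consistent."""
    dummies = dummy_sources(parse_set_lines(local_cfg))
    groups = aaa_group_vrfs(parse_set_lines(local_cfg))
    routes = peer_return_routes(parse_set_lines(peer_cfg))
    problems = []
    for (method, name), vrf in groups.items():
        owners = [d for d, v in dummies.items() if v.get("vrf") == vrf and "address" in v]
        if not owners:
            problems.append(f"{method} group {name}: no addressed dummy interface in vrf {vrf}")
        for d in owners:
            if dummies[d]["address"] not in routes:
                problems.append(f"peer lacks a return route for {dummies[d]['address']} ({d})")
    return problems

# Constructed subset of the DUT0 and DUT1 configurations from the RADIUS scenario.
DUT0 = """\
set interfaces dummy dum0 address 172.23.0.1/32
set interfaces dummy dum0 vrf LOC
set system aaa group radius radgroup1 local-vrf LOC
set system aaa group radius radgroup1 server serv1
"""
DUT1 = """\
set interfaces ethernet eth0 address 10.0.0.1/24
set protocols static route 172.23.0.1/32 next-hop 10.0.0.2
"""
```

Swapping radius for tacacs in DUT0 exercises the TACACS+ scenario with the same checks.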