Authentication Dummy

These scenarios show how to set up AAA authentication for login/Telnet using a dummy interface address as the source IP of the authentication traffic.

Radius Method With Dummy Local Address

Description

In this scenario, the dum0 address is used as the source IP for the RADIUS packets sent during Telnet authentication. The dummy interface belongs to VRF LOC; the LOC_OUT local-out policy leaks the packets into VRF AP (which holds the route towards the server) and caches the connection mark, so that the WAN_IN ingress policy can move the server's replies back into VRF LOC.

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth1 address 10.215.168.65/24
set interfaces ethernet eth1 traffic nat source rule 1 address masquerade
set protocols static route 172.23.0.1/32 next-hop 10.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0:

set interfaces dummy dum0 address 172.23.0.1/32
set interfaces dummy dum0 traffic policy local-out LOC_OUT
set interfaces dummy dum0 vrf LOC
set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth0 traffic policy in WAN_IN
set interfaces ethernet eth0 vrf WAN
set protocols vrf AP static route 0.0.0.0/0 next-hop 10.0.0.1 interface eth0
set protocols vrf LOC static route 0.0.0.0/0 interface dum0
set protocols vrf WAN static route 0.0.0.0/0 next-hop 10.0.0.1
set service telnet
set system aaa group radius radgroup1 local-vrf LOC
set system aaa group radius radgroup1 server serv1
set system aaa list list1 method 1 group radius radgroup1
set system aaa server radius serv1 address 10.215.168.1
set system aaa server radius serv1 encrypted-key U2FsdGVkX1+ZiJm8NUwovxa3yHLgo09T4P7rRFlAeQ9obiXX+OpvDPuSNeDzr/KPN7Ux52k9T6U6tq6mcP3czA==
set system login aaa authentication list1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf AP
set system vrf LOC
set system vrf WAN
set traffic policy LOC_OUT rule 1 set vrf AP connmark-cache
set traffic policy WAN_IN rule 1 selector SEL_AP
set traffic policy WAN_IN rule 1 set vrf LOC
set traffic selector SEL_AP rule 1 vrf-connmark AP

Step 3: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf LOC count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LOC
PING 10.215.168.1 (10.215.168.1) from 172.23.0.1 LOC: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=20.3 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 20.295/20.295/20.295/0.000 ms

Step 4: Initiate a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Linux 6.1.119 (osdx) (pts/1)

osdx login:
Password:

Welcome to Teldat OSDx v4.2.2.2

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

Step 5: Initiate a Telnet connection from DUT1 to IP address 10.0.0.2:

admin@DUT1$ telnet 10.0.0.2
Trying 10.0.0.2...
Connected to 10.0.0.2.
Escape character is '^]'.

Linux 6.1.119 (osdx) (pts/0)

osdx login:
Password:
Last login: Wed Feb 19 16:48:50 UTC 2025 from ::ffff:127.0.0.1 on pts/1

Welcome to Teldat OSDx v4.2.2.2

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

Tacacs Method With Dummy Local Address

Description

In this scenario, the dum0 address is used as the source IP for the TACACS+ packets sent during Telnet authentication. The VRF leak path is the same as in the RADIUS scenario: dum0 belongs to VRF LOC, the LOC_OUT local-out policy leaks the packets into VRF AP with a cached connection mark, and the WAN_IN ingress policy returns the server's replies to VRF LOC.

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.1/24
set interfaces ethernet eth1 address 10.215.168.65/24
set interfaces ethernet eth1 traffic nat source rule 1 address masquerade
set protocols static route 172.23.0.1/32 next-hop 10.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0:

set interfaces dummy dum0 address 172.23.0.1/32
set interfaces dummy dum0 traffic policy local-out LOC_OUT
set interfaces dummy dum0 vrf LOC
set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth0 traffic policy in WAN_IN
set interfaces ethernet eth0 vrf WAN
set protocols vrf AP static route 0.0.0.0/0 next-hop 10.0.0.1 interface eth0
set protocols vrf LOC static route 0.0.0.0/0 interface dum0
set protocols vrf WAN static route 0.0.0.0/0 next-hop 10.0.0.1
set service telnet
set system aaa group tacacs tacgroup1 local-vrf LOC
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX18u9X1YLLwe5p6pddEFPOJgM7+NB0hjpe0=
set system login aaa authentication list1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf AP
set system vrf LOC
set system vrf WAN
set traffic policy LOC_OUT rule 1 set vrf AP connmark-cache
set traffic policy WAN_IN rule 1 selector SEL_AP
set traffic policy WAN_IN rule 1 set vrf LOC
set traffic selector SEL_AP rule 1 vrf-connmark AP

Step 3: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf LOC count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: LOC
PING 10.215.168.1 (10.215.168.1) from 172.23.0.1 LOC: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=63 time=7.13 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 7.128/7.128/7.128/0.000 ms

Step 4: Initiate a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Linux 6.1.119 (osdx) (pts/1)

osdx login:
Password:

Welcome to Teldat OSDx v4.2.2.2

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

Step 5: Initiate a Telnet connection from DUT1 to IP address 10.0.0.2:

admin@DUT1$ telnet 10.0.0.2
Trying 10.0.0.2...
Connected to 10.0.0.2.
Escape character is '^]'.

Linux 6.1.119 (osdx) (pts/0)

osdx login:
Password:
Last login: Wed Feb 19 16:49:11 UTC 2025 from ::ffff:127.0.0.1 on pts/1

Welcome to Teldat OSDx v4.2.2.2

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$
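
Both scenarios depend on the same chain of DUT0 settings: the AAA group's local-vrf, a dummy interface with an address in that VRF, a default route over the dummy, a local-out policy that leaks into the forwarding VRF with connmark-cache, and an ingress policy on the WAN interface that matches that connmark and sets the VRF back. The following added example (not part of the original page or of OSDx) parses the Step 2 lines and walks that chain, reporting the first missing link; the sample configuration is constructed from the lines shown above, and the function and key names are this example's own.

```python
# Constructed sample: the DUT0 lines from Step 2 that form the VRF leak path.
DUT0 = """
set interfaces dummy dum0 address 172.23.0.1/32
set interfaces dummy dum0 traffic policy local-out LOC_OUT
set interfaces dummy dum0 vrf LOC
set interfaces ethernet eth0 traffic policy in WAN_IN
set protocols vrf LOC static route 0.0.0.0/0 interface dum0
set system aaa group radius radgroup1 local-vrf LOC
set traffic policy LOC_OUT rule 1 set vrf AP connmark-cache
set traffic policy WAN_IN rule 1 selector SEL_AP
set traffic policy WAN_IN rule 1 set vrf LOC
set traffic selector SEL_AP rule 1 vrf-connmark AP
"""

def parse(text):
    """Turn each 'set a b c' line into a token tuple (leading 'set' dropped)."""
    return [tuple(l.split()[1:]) for l in text.splitlines() if l.startswith("set ")]

def find(cfg, what, *prefix, key=None):
    """Tail of the first line starting with prefix (tokens after `key` if given); raise if absent."""
    for t in cfg:
        if t[:len(prefix)] == prefix and (key is None or key in t):
            return t[t.index(key) + 1:] if key else t[len(prefix):]
    raise ValueError(f"{what}: no 'set {' '.join(prefix)}' line" + (f" with '{key}'" if key else ""))

def trace_leak_path(cfg, kind, group, wan_if):
    """Follow the chain that lets AAA packets for `group` leave from the dummy
    address and lets the server's replies come back into the same VRF."""
    loc = find(cfg, "AAA local VRF", "system", "aaa", "group", kind, group, "local-vrf")[0]
    dum = next((t[2] for t in cfg if t[:2] == ("interfaces", "dummy") and t[3:] == ("vrf", loc)), None)
    if dum is None:
        raise ValueError(f"no dummy interface in VRF {loc}")
    src = find(cfg, "source IP", "interfaces", "dummy", dum, "address")[0].split("/")[0]
    # with no route in the local VRF the packet is dropped before local-out can leak it
    find(cfg, "route over dummy", "protocols", "vrf", loc, "static", "route", "0.0.0.0/0", "interface", dum)
    out_pol = find(cfg, "local-out policy", "interfaces", "dummy", dum, "traffic", "policy", "local-out")[0]
    leak = find(cfg, "leak rule", "traffic", "policy", out_pol, key="set")
    if leak[:1] != ("vrf",):
        raise ValueError(f"{out_pol}: rule must 'set vrf <name> connmark-cache'")
    # return path: WAN ingress matches the cached mark and moves replies back into the local VRF
    in_pol = find(cfg, "ingress policy", "interfaces", "ethernet", wan_if, "traffic", "policy", "in")[0]
    sel = find(cfg, "return selector", "traffic", "policy", in_pol, key="selector")[0]
    mark = find(cfg, "connmark match", "traffic", "selector", sel, key="vrf-connmark")[0]
    back = find(cfg, "return rule", "traffic", "policy", in_pol, key="set")
    return {"source_ip": src, "local_vrf": loc, "leaked_vrf": leak[1],
            "connmark_cached": "connmark-cache" in leak,
            "reply_mark_matches": mark == leak[1], "reply_vrf_ok": back[:2] == ("vrf", loc)}
```

Running the same check with kind "tacacs" and group "tacgroup1" on the TACACS+ Step 2 configuration yields the same path, since only the AAA group lines differ between the two scenarios.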