Tacacs
This scenario shows how to set up TACACS+ authentication and
per-command authorization. A TACACS+ server configured to deny
the show date command and allow everything else is added to
a TACACS+ group which is added to an AAA list. This list is used
to perform user authentication and authorization of CLI commands.
Local Login And Custom Authorization
Description
In this scenario, login is performed through a serial interface. The user is authenticated in the remote TACACS+ server. Commands are also sent to this remote server in order to be authorized/unauthorized.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set system aaa group tacacs tacgroup1 server serv1 set system aaa list authen_list method 1 group tacacs tacgroup1 set system aaa list authen_list method 2 local set system aaa list author_list method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX18QS4BtUOaxTmfmBaFfUA8/fKWyCoyGZMc= set system cli aaa authorization author_list set system login aaa authentication authen_list set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.121 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.121/0.121/0.121/0.000 ms
Step 3: Run command service cnm restart at DUT0 and expect this output:
Show output
CLI Error: Insufficient privileges
Step 4: Run command show running at DUT0 and expect this output:
Show output
CLI Error: Insufficient privileges
Step 5: Run command show date at DUT0 and expect this output:
Show output
CLI Error: Unauthorized
Step 6: Run command service cnm restart at DUT0 and expect this output:
Show output
service inactive. doing nothing.
Step 7: Run command show running at DUT0 and expect this output:
Show output
# Teldat OSDx VM version v4.2.8.4 # Thu 19 Feb 2026 12:44:09 +00:00 # Warning: Configuration has not been saved set interfaces ethernet eth0 address 10.215.168.64/24 set system aaa group tacacs tacgroup1 server serv1 set system aaa list authen_list method 1 group tacacs tacgroup1 set system aaa list authen_list method 2 local set system aaa list author_list method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX18QS4BtUOaxTmfmBaFfUA8/fKWyCoyGZMc= set system cli aaa authorization author_list set system login aaa authentication authen_list set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 8: Run command show date at DUT0 and expect this output:
Show output
CLI Error: Unauthorized
Telnet Login And Custom Authorization
Description
In this scenario, login is performed through a Telnet session. The user is authenticated in the remote TACACS+ server. Commands are also sent to this remote server in order to be authorized/unauthorized.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set service telnet set system aaa group tacacs tacgroup1 server serv1 set system aaa list authen_list method 1 group tacacs tacgroup1 set system aaa list authen_list method 2 local set system aaa list author_list method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX18CsPS0E3Lo0F4qj8olfvPyfOoRH5nkyAE= set system cli aaa authorization author_list set system login aaa authentication authen_list set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.190 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.190/0.190/0.190/0.000 ms
Step 3: Init a Telnet connection from DUT0 to IP address 127.0.0.1 :
admin@DUT0$ telnet 127.0.0.1Show output
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Linux 6.1.162 (osdx) (pts/1) osdx login: Password: Welcome to Teldat OSDx v4.2.8.4 This system includes free software. Contact Teldat for licenses information and source code. Last login: Thu Feb 19 12:44:06 UTC 2026 on ttyS0 testmonitor@osdx$
Step 4: Run command service cnm restart at DUT0 and expect this output:
Show output
CLI Error: Insufficient privileges
Step 5: Run command show running at DUT0 and expect this output:
Show output
CLI Error: Insufficient privileges
Step 6: Run command show date at DUT0 and expect this output:
Show output
CLI Error: Unauthorized
Step 7: Init a Telnet connection from DUT0 to IP address 127.0.0.1 :
admin@DUT0$ telnet 127.0.0.1Show output
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Linux 6.1.162 (osdx) (pts/1) osdx login: Password: Welcome to Teldat OSDx v4.2.8.4 This system includes free software. Contact Teldat for licenses information and source code. Last login: Thu Feb 19 12:44:08 UTC 2026 on ttyS0 testadmin@osdx$
Step 8: Run command service cnm restart at DUT0 and expect this output:
Show output
service inactive. doing nothing.
Step 9: Run command show running at DUT0 and expect this output:
Show output
# Teldat OSDx VM version v4.2.8.4 # Thu 19 Feb 2026 12:44:20 +00:00 # Warning: Configuration has not been saved set interfaces ethernet eth0 address 10.215.168.64/24 set service telnet set system aaa group tacacs tacgroup1 server serv1 set system aaa list authen_list method 1 group tacacs tacgroup1 set system aaa list authen_list method 2 local set system aaa list author_list method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX18CsPS0E3Lo0F4qj8olfvPyfOoRH5nkyAE= set system cli aaa authorization author_list set system login aaa authentication authen_list set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 10: Run command show date at DUT0 and expect this output:
Show output
CLI Error: Unauthorized
SSH Login And Custom Authorization
Description
In this scenario, login is performed through a SSH session. The user is authenticated in the remote TACACS+ server. Commands are also sent to this remote server in order to be authorized/unauthorized.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set service ssh aaa authentication authen_list set system aaa group tacacs tacgroup1 server serv1 set system aaa list authen_list method 1 group tacacs tacgroup1 set system aaa list authen_list method 2 local set system aaa list author_list method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1/5SlgwHz/aBKAl0JKOSp/Mm3+wkR2o3R0= set system cli aaa authorization author_list set system login aaa authentication authen_list set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.132 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.132/0.132/0.132/0.000 ms
Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testmonitor:
admin@DUT0$ ssh testmonitor@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts. testmonitor@127.0.0.1's password: Welcome to Teldat OSDx v4.2.8.4 This system includes free software. Contact Teldat for licenses information and source code. Last login: Thu Feb 19 12:44:18 2026 from ::ffff:127.0.0.1 testmonitor@osdx$
Step 4: Run command service cnm restart at DUT0 and expect this output:
Show output
CLI Error: Insufficient privileges
Step 5: Run command show running at DUT0 and expect this output:
Show output
CLI Error: Insufficient privileges
Step 6: Run command show date at DUT0 and expect this output:
Show output
CLI Error: Unauthorized
Step 7: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testadmin:
admin@DUT0$ ssh testadmin@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts. testadmin@127.0.0.1's password: Welcome to Teldat OSDx v4.2.8.4 This system includes free software. Contact Teldat for licenses information and source code. Last login: Thu Feb 19 12:44:20 2026 from ::ffff:127.0.0.1 testadmin@osdx$
Step 8: Run command service cnm restart at DUT0 and expect this output:
Show output
service inactive. doing nothing.
Step 9: Run command show running at DUT0 and expect this output:
Show output
# Teldat OSDx VM version v4.2.8.4 # Thu 19 Feb 2026 12:44:30 +00:00 # Warning: Configuration has not been saved set interfaces ethernet eth0 address 10.215.168.64/24 set service ssh aaa authentication authen_list set system aaa group tacacs tacgroup1 server serv1 set system aaa list authen_list method 1 group tacacs tacgroup1 set system aaa list authen_list method 2 local set system aaa list author_list method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1/5SlgwHz/aBKAl0JKOSp/Mm3+wkR2o3R0= set system cli aaa authorization author_list set system login aaa authentication authen_list set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 10: Run command show date at DUT0 and expect this output:
Show output
CLI Error: Unauthorized