Authentication
This scenario shows how to set up AAA authentication for login/Telnet using different AAA methods.
Local Method
Description
An AAA list with the local AAA method is created and assigned to the login system’s authentication. The device then starts a Telnet session with itself to check that access is granted when the correct username and password are used.
Scenario
Step 1: Set the following configuration in DUT0 :
set service telnet set system aaa list list1 method 1 local set system login aaa authentication list1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Init a Telnet connection from DUT0 to IP address 127.0.0.1 :
admin@DUT0$ telnet 127.0.0.1Show output
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Linux 6.12.73 (osdx) (pts/1) osdx login: Password: Welcome to Teldat OSDx v4.2.9.2 This system includes free software. Contact Teldat for licenses information and source code. Last login: Thu Apr 16 16:40:38 UTC 2026 on ttyS0 admin@osdx$
Radius Method
Description
A RADIUS server is added to a RADIUS group, which is added to an AAA list. This list is assigned to the login system’s authentication. The device then starts a Telnet session with itself to check that access is granted when the correct username and password are used.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set service telnet set system aaa group radius radgroup1 server serv1 set system aaa list list1 method 1 group radius radgroup1 set system aaa server radius serv1 address 10.215.168.1 set system aaa server radius serv1 encrypted-key U2FsdGVkX1/4eg3+dkUWlY2/WdlpKKe0QYBVqRolSvjPXiyS0jJDRhVn0o9OoNRGT5lDU3X2zlt67ZMxbSkF0A== set system login aaa authentication list1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.299 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.299/0.299/0.299/0.000 ms
Step 3: Init a Telnet connection from DUT0 to IP address 127.0.0.1 :
admin@DUT0$ telnet 127.0.0.1Show output
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Linux 6.12.73 (osdx) (pts/1) osdx login: Password: Welcome to Teldat OSDx v4.2.9.2 This system includes free software. Contact Teldat for licenses information and source code. Last login: Thu Apr 16 16:40:48 UTC 2026 from ::ffff:10.0.0.1 on pts/0 testing@osdx$
Tacacs Method
Description
A TACACS+ server is added to a TACACS+ group, which is added to an AAA list. This list is assigned to the login system’s authentication. The device then starts a Telnet session with itself to check that access is granted when the correct username and password are used.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set service telnet set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX18Q8/20P49dGiYJgvHnZK/A41O832ARUEI= set system login aaa authentication list1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.291 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.291/0.291/0.291/0.000 ms
Step 3: Init a Telnet connection from DUT0 to IP address 127.0.0.1 :
admin@DUT0$ telnet 127.0.0.1Show output
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Linux 6.12.73 (osdx) (pts/1) osdx login: Password: Welcome to Teldat OSDx v4.2.9.2 This system includes free software. Contact Teldat for licenses information and source code. Last login: Thu Apr 16 16:41:00 UTC 2026 from ::ffff:10.0.0.1 on pts/0 testing@osdx$
Tacacs Method With Wrong Secret
Description
A TACACS+ server is added to a TACACS+ group, but said server is configured with a wrong secret key. The TACACS+ group is added to an AAA list, with local method as fallback. After assigning this list to the login system’s authentication, the device starts a Telnet session with itself to check that access is granted using the local method.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set service telnet set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set system aaa list list1 method 2 local set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1/vj5AZZ6yfPcU1XXvkuZW0zxlN1kBo/Qc= set system cli aaa authorization list1 set system login aaa authentication list1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system login user localuser authentication encrypted-password '$6$Bs2g9VkkD6pe..b6$LpjiwEGdluZXqs0MoydMaHOEkqIaBxdqAKrFmZF54vwa/C4yjo20TPd3lDhPJ3w7nfqGzm57lMNIh2ptrz42E1'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.136 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.136/0.136/0.136/0.000 ms
Step 3: Init a Telnet connection from DUT0 to IP address 127.0.0.1 which is going to fail:
admin@DUT0$ telnet 127.0.0.1Show output
' Login incorrect' contains 'Login incorrect'
Step 4: Modify the following configuration lines in DUT0 :
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1+q3pkNFbdBmNVTqYfpNWyWlOzNKNCvq48=
Step 5: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.230 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.230/0.230/0.230/0.000 ms
Step 6: Init a Telnet connection from DUT0 to IP address 127.0.0.1 :
admin@DUT0$ telnet 127.0.0.1Show output
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Linux 6.12.73 (osdx) (pts/1) osdx login: Password: Welcome to Teldat OSDx v4.2.9.2 This system includes free software. Contact Teldat for licenses information and source code. localuser@osdx$
Step 7: Run command show version at DUT0 and expect this output:
Show output
OS vendor: Teldat OS name: OSDx OS version: v4.2.9.2 OS Linux kernel: 6.12.73 OS built by: jenkins@diana OS build date: Thu Apr 16 14:07:02 UTC 2026 OS installation: physical OS boot mode: user License: VM_BASE Firewall eth-Rate-Permit-Full Hardware vendor: QEMU Hardware model: VM Hardware OEM model: Standard PC (i440FX + PIIX, 1996) Hardware version: pc-i440fx-7.2 Hardware UUID: 26ca32bf-75db-51c5-9ab7-fc6bb330c2f3 Hardware architecture: amd64 Hardware fwid: iso Hardware base MAC: de:ad:be:ef:6c:00 Hardware cpu: 1 x QEMU Virtual CPU version 2.5+ (4 cores) Last reboot reason: Panic Date: Thu 16 Apr 2026 16:42:35 +00:00 Uptime: 1:58:05 CPU load (1m, 5m, 15m): 0.19 0.17 0.14 CPU usage % (1m): 5.53 Storage usage (kB): 418672/8144384 Memory usage (kB): 403740/1572696 Users logged in: 1 Mode (current/next boot): user/user Hostname: osdx