Fallbacks

This scenario shows how to set up a fallback mechanism for RADIUS/TACACS+ authentication over Telnet/SSH.

Test Authentication Fallback

Description

This scenario checks every combination of RADIUS/TACACS+ authentication, with and without fallback configured, over SSH and Telnet. The user baduser is configured in the local database but is not authorized on the remote server. Therefore, login should fail if the server is reachable or if local fallback is not specified.
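
The outcome rule in this description, written out as a small Python model (an added example, not part of the OSDx documentation or Teldat's code). It parses the `set system aaa` lines used in the examples and evaluates baduser against the method list; the function names, the `reachable` set standing in for server reachability, and treating a local verdict as final are assumptions of this sketch.

```python
import re
from typing import NamedTuple

# Constructed sample: the AAA lines of this page's Example 1 (TACACS+ server at
# 10.215.168.1, local as method 2) and the same list without the local method.
CONFIG_FALLBACK = """\
set service ssh aaa authentication LIST
set system aaa group tacacs GROUP server SRV
set system aaa list LIST method 1 group tacacs GROUP
set system aaa list LIST method 2 local
set system aaa server tacacs SRV address 10.215.168.1
set system login aaa authentication LIST
"""
CONFIG_NO_FALLBACK = CONFIG_FALLBACK.replace(
    "set system aaa list LIST method 2 local\n", "")

LIST_RE = re.compile(
    r"^set system aaa list (\S+) method (\d+) (?:(local)|group (\S+) (\S+))$")
GROUP_RE = re.compile(r"^set system aaa group (\S+) (\S+) server (\S+)$")
SERVER_RE = re.compile(r"^set system aaa server (\S+) (\S+) address (\S+)$")


class Method(NamedTuple):
    order: int
    kind: str        # "local", "tacacs" or "radius"
    servers: tuple   # server addresses behind the group; empty for "local"


def parse_method_lists(config):
    """Return {list name: [Method, ...]} ordered by method number."""
    groups, servers, raw = {}, {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := GROUP_RE.match(line):
            groups.setdefault((m[1], m[2]), []).append(m[3])
        elif m := SERVER_RE.match(line):
            servers[(m[1], m[2])] = m[3]
        elif m := LIST_RE.match(line):
            raw.setdefault(m[1], []).append((int(m[2]), m[3], m[4], m[5]))
    lists = {}
    for name, entries in raw.items():
        methods = []
        for order, local, proto, group in sorted(entries, key=lambda e: e[0]):
            if local:
                methods.append(Method(order, "local", ()))
                continue
            addrs = tuple(servers[(proto, srv)]
                          for srv in groups.get((proto, group), [])
                          if (proto, srv) in servers)
            methods.append(Method(order, proto, addrs))
        lists[name] = methods
    return lists


def authenticate(methods, user, remote_users, local_users, reachable):
    """Walk the list and return (allowed, kind of the method that decided).

    Rule taken from the scenario description: a remote server that answers is
    final, accept or reject; only an unreachable one hands over to the next
    method. Assumption of this sketch: a local verdict is final as well.
    """
    for method in methods:
        if method.kind == "local":
            return (user in local_users, "local")
        if any(addr in reachable for addr in method.servers):
            return (user in remote_users, method.kind)
        # No server of this group answered: try the next method, if any.
    return (False, None)


def lists_with_local_fallback(lists):
    """Names of lists where 'local' follows a remote method, i.e. where local
    accounts become valid logins once the remote servers stop answering."""
    flagged = []
    for name, methods in lists.items():
        kinds = [m.kind for m in methods]
        if "local" in kinds and any(k != "local" for k in kinds[:kinds.index("local")]):
            flagged.append(name)
    return sorted(flagged)


def outcome_matrix():
    """baduser against both configs, server reachable and not (as on the page:
    baduser exists locally and is not authorized on the remote server)."""
    results = {}
    for label, cfg in (("fallback", CONFIG_FALLBACK),
                       ("no-fallback", CONFIG_NO_FALLBACK)):
        methods = parse_method_lists(cfg)["LIST"]
        for state, reachable in (("reachable", {"10.215.168.1"}),
                                 ("unreachable", set())):
            results[(label, state)] = authenticate(
                methods, "baduser", remote_users=set(),
                local_users={"admin", "baduser"}, reachable=reachable)
    return results


if __name__ == "__main__":
    for key, verdict in outcome_matrix().items():
        print(key, verdict)
```

Only the combination of local fallback and an unreachable server admits baduser. Every list reported by `lists_with_local_fallback` therefore depends on the strength of its local passwords whenever the remote server stops answering.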

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication LIST
set service telnet
set system aaa group tacacs GROUP server SRV
set system aaa list LIST method 1 group tacacs GROUP
set system aaa list LIST method 2 local
set system aaa server tacacs SRV address 10.215.168.1
set system aaa server tacacs SRV encrypted-key U2FsdGVkX1/W2Fq03x8yEBJVYg7vXNo+LxbbX3BhD+o=
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.497 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.497/0.497/0.497/0.000 ms

Note

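In this case, the SSH and Telnet connections will fail: the TACACS+ server is reachable and does not authorize baduser, so the local method is not attempted.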

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1 which is going to fail:

admin@DUT0$ telnet 127.0.0.1
'
Login incorrect' contains 'Login incorrect'

Step 5: Run command system journal clear at DUT0 and expect this output:

Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001b1e-0006536b54e82be6.journal (132.0K).
Vacuuming done, freed 132.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Vacuuming done, freed 0B of archived journals from /run/log/journal.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication LIST
set service telnet
set system aaa group tacacs GROUP server SRV
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 10.215.168.1
set system aaa server tacacs SRV encrypted-key U2FsdGVkX19y0JNHVuaUCwBJnPOIphYTcYfb20fn8Hs=
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.200 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.200/0.200/0.200/0.000 ms

Note

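In this case, the SSH and Telnet connections will fail: the TACACS+ server is reachable and does not authorize baduser, and no local fallback is configured.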

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1 which is going to fail:

admin@DUT0$ telnet 127.0.0.1
'
Login incorrect' contains 'Login incorrect'

Step 5: Run command system journal clear at DUT0 and expect this output:

Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001b6c-0006536b568a36d1.journal (100.0K).
Vacuuming done, freed 100.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Vacuuming done, freed 0B of archived journals from /run/log/journal.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf test
set service ssh aaa authentication LIST
set service telnet
set system aaa group tacacs GROUP local-vrf test
set system aaa group tacacs GROUP server SRV
set system aaa list LIST method 1 group tacacs GROUP
set system aaa list LIST method 2 local
set system aaa server tacacs SRV address 10.215.168.1
set system aaa server tacacs SRV encrypted-key U2FsdGVkX18QiAQWo3ZWwwtFkc7VfgklDDbq6kp3OKg=
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: test
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.306 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.306/0.306/0.306/0.000 ms

Note

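In this case, the SSH and Telnet connections will fail: the TACACS+ server is reachable and does not authorize baduser, so the local method is not attempted.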

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1 which is going to fail:

admin@DUT0$ telnet 127.0.0.1
'
Login incorrect' contains 'Login incorrect'

Step 5: Run command system journal clear at DUT0 and expect this output:

Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001b90-0006536b58011efc.journal (96.0K).
Vacuuming done, freed 96.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Vacuuming done, freed 0B of archived journals from /run/log/journal.

Example 4

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf test
set service ssh aaa authentication LIST
set service telnet
set system aaa group tacacs GROUP local-vrf test
set system aaa group tacacs GROUP server SRV
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 10.215.168.1
set system aaa server tacacs SRV encrypted-key U2FsdGVkX1/jXT93zaXKNJunTC7AKc0jwTePRNPqTU8=
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: test
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.153 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.153/0.153/0.153/0.000 ms

Note

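In this case, the SSH and Telnet connections will fail: the TACACS+ server is reachable and does not authorize baduser, and no local fallback is configured.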

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1 which is going to fail:

admin@DUT0$ telnet 127.0.0.1
'
Login incorrect' contains 'Login incorrect'

Step 5: Run command system journal clear at DUT0 and expect this output:

Vacuuming done, freed 0B of archived journals from /var/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001bb2-0006536b59888697.journal (96.0K).
Vacuuming done, freed 96.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /run/log/journal.

Example 5

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication LIST
set service telnet
set system aaa group radius GROUP server SRV
set system aaa list LIST method 1 group radius GROUP
set system aaa list LIST method 2 local
set system aaa server radius SRV address 10.215.168.1
set system aaa server radius SRV encrypted-key U2FsdGVkX19qlDoVIQFsR2INxpZsMCpbftr/qGLM46eoV3VC2AHjn0PbaCRVhoGTWPFb5y5StupYR8pL+Iig8w==
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.263 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.263/0.263/0.263/0.000 ms

Note

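In this case, the SSH and Telnet connections will fail: the RADIUS server is reachable and does not authorize baduser, so the local method is not attempted.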

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1 which is going to fail:

admin@DUT0$ telnet 127.0.0.1
'
Login incorrect' contains 'Login incorrect'

Step 5: Run command system journal clear at DUT0 and expect this output:

Vacuuming done, freed 0B of archived journals from /run/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001bd3-0006536b5b118acf.journal (92.0K).
Vacuuming done, freed 92.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /var/log/journal.

Example 6

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication LIST
set service telnet
set system aaa group radius GROUP server SRV
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 10.215.168.1
set system aaa server radius SRV encrypted-key U2FsdGVkX18Ckp2xNa5XTlTjjhK4/X4c8iH4RaDoyvqy6O0NpzFLbmmo3fZlDKkT5254sjF9bF1Usz0YlYiBpQ==
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.201 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.201/0.201/0.201/0.000 ms

Note

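In this case, the SSH and Telnet connections will fail: the RADIUS server is reachable and does not authorize baduser, and no local fallback is configured.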

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1 which is going to fail:

admin@DUT0$ telnet 127.0.0.1
'
Login incorrect' contains 'Login incorrect'

Step 5: Run command system journal clear at DUT0 and expect this output:

Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001bf1-0006536b5cadfdb6.journal (92.0K).
Vacuuming done, freed 92.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal.

Example 7

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf test
set service ssh aaa authentication LIST
set service telnet
set system aaa group radius GROUP local-vrf test
set system aaa group radius GROUP server SRV
set system aaa list LIST method 1 group radius GROUP
set system aaa list LIST method 2 local
set system aaa server radius SRV address 10.215.168.1
set system aaa server radius SRV encrypted-key U2FsdGVkX19HB0eMNGDAQ+Iks8FMbRn8EcXwxdeKiuOR/N88aByymTrkwcdI/H1ufWeDppRmySPGmwfPFqaC0Q==
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: test
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.401 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.401/0.401/0.401/0.000 ms

Note

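In this case, the SSH and Telnet connections will fail: the RADIUS server is reachable and does not authorize baduser, so the local method is not attempted.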

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1 which is going to fail:

admin@DUT0$ telnet 127.0.0.1
'
Login incorrect' contains 'Login incorrect'

Step 5: Run command system journal clear at DUT0 and expect this output:

Vacuuming done, freed 0B of archived journals from /run/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001c0e-0006536b5e388ab6.journal (96.0K).
Vacuuming done, freed 96.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.

Example 8

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf test
set service ssh aaa authentication LIST
set service telnet
set system aaa group radius GROUP local-vrf test
set system aaa group radius GROUP server SRV
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 10.215.168.1
set system aaa server radius SRV encrypted-key U2FsdGVkX1+gVa86qaMmEiJ6suRNGBWbCepwC+8CuEmh5Kz6NPPsqwTk/cT3J0lJ72AkRN2Zrt5ASG9yMuB3hA==
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: test
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.922 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.922/0.922/0.922/0.000 ms

Note

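In this case, the SSH and Telnet connections will fail: the RADIUS server is reachable and does not authorize baduser, and no local fallback is configured.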

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1 which is going to fail:

admin@DUT0$ telnet 127.0.0.1
'
Login incorrect' contains 'Login incorrect'

Step 5: Run command system journal clear at DUT0 and expect this output:

Vacuuming done, freed 0B of archived journals from /var/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001c2e-0006536b5fd27487.journal (96.0K).
Vacuuming done, freed 96.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /run/log/journal.

Example 9

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication LIST
set service telnet
set system aaa group tacacs GROUP server SRV
set system aaa list LIST method 1 group tacacs GROUP
set system aaa list LIST method 2 local
set system aaa server tacacs SRV address 1.2.3.4
set system aaa server tacacs SRV encrypted-key U2FsdGVkX18ZKDgIhc+DYb/opok3k9F1/azAkKyymGI=
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.408 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.408/0.408/0.408/0.000 ms

Note

In this case, the SSH and Telnet connections will succeed: the TACACS+ server (method 1) is not reachable, so the next method (local) is attempted, and it allows the authentication.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
baduser@127.0.0.1's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

baduser@osdx$

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Linux 6.12.90 (osdx) (pts/1)

osdx login:
Password:

Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 10:55:24 UTC 2026 from 127.0.0.1 on pts/1
baduser@osdx$

Step 5: Run command system journal clear at DUT0 and expect this output:

Vacuuming done, freed 0B of archived journals from /run/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001c4d-0006536b61747ee9.journal (104.0K).
Vacuuming done, freed 104.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /var/log/journal.

Example 10

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication LIST
set service telnet
set system aaa group tacacs GROUP server SRV
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 1.2.3.4
set system aaa server tacacs SRV encrypted-key U2FsdGVkX18VaFY/BdsvWfQDnHU5KsL9iXGZmiSPIVQ=
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.202 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.202/0.202/0.202/0.000 ms

Note

In this case, the SSH and Telnet connections will fail: the TACACS+ server is not reachable and no local fallback is configured.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1 which is going to fail:

admin@DUT0$ telnet 127.0.0.1
'
Login incorrect' contains 'Login incorrect'

Step 5: Run command system journal clear at DUT0 and expect this output:

Vacuuming done, freed 0B of archived journals from /run/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001c7b-0006536b619fb4a0.journal (96.0K).
Vacuuming done, freed 96.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /var/log/journal.

Example 11

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf test
set service ssh aaa authentication LIST
set service telnet
set system aaa group tacacs GROUP local-vrf test
set system aaa group tacacs GROUP server SRV
set system aaa list LIST method 1 group tacacs GROUP
set system aaa list LIST method 2 local
set system aaa server tacacs SRV address 1.2.3.4
set system aaa server tacacs SRV encrypted-key U2FsdGVkX1+SumPCAm/VZaGiSNlPih8+RpSw6cWvbck=
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: test
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.441 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.441/0.441/0.441/0.000 ms

Note

In this case, the SSH and Telnet connections will succeed: the TACACS+ server (method 1) is not reachable, so the next method (local) is attempted, and it allows the authentication.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
baduser@127.0.0.1's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 10:55:24 2026 from ::ffff:127.0.0.1
baduser@osdx$

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Linux 6.12.90 (osdx) (pts/1)

osdx login:
Password:

Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 10:55:52 UTC 2026 from 127.0.0.1 on pts/1
baduser@osdx$

Step 5: Run command system journal clear at DUT0 and expect this output:

Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001c9c-0006536b6329ba20.journal (104.0K).
Vacuuming done, freed 104.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal.

Example 12

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf test
set service ssh aaa authentication LIST
set service telnet
set system aaa group tacacs GROUP local-vrf test
set system aaa group tacacs GROUP server SRV
set system aaa list LIST method 1 group tacacs GROUP
set system aaa server tacacs SRV address 1.2.3.4
set system aaa server tacacs SRV encrypted-key U2FsdGVkX19OvUSKOW8phvuYdtODi3oIUIfovBeC+es=
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: test
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=1.17 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.167/1.167/1.167/0.000 ms

Note

In this case, the SSH and Telnet connections will fail: the TACACS+ server is not reachable and no local fallback is configured.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Init a Telnet connection from DUT0 to IP address 127.0.0.1 which is going to fail:

admin@DUT0$ telnet 127.0.0.1
'
Login incorrect' contains 'Login incorrect'

Step 5: Run command system journal clear at DUT0 and expect this output:

Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001ccc-0006536b6357b47e.journal (96.0K).
Vacuuming done, freed 96.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal.

Example 13

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication LIST
set service telnet
set system aaa group radius GROUP server SRV
set system aaa list LIST method 1 group radius GROUP
set system aaa list LIST method 2 local
set system aaa server radius SRV address 1.2.3.4
set system aaa server radius SRV encrypted-key U2FsdGVkX1/kV4IyGjNP4TrD0tGgR6fSHhfIDh7XWNA5YHVVasuUd5w+qS679+0KSMXQsEqRPPo2nrz4Iv4ywg==
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.258 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.258/0.258/0.258/0.000 ms

Note

In this case, the SSH and Telnet connections will succeed: the RADIUS server (method 1) is not reachable, so the next method (local) is attempted, and it allows the authentication.

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
baduser@127.0.0.1's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 10:55:53 2026 from ::ffff:127.0.0.1
baduser@osdx$

Step 4: Initiate a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Linux 6.12.90 (osdx) (pts/1)

osdx login:
Password:

Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 10:56:22 UTC 2026 from 127.0.0.1 on pts/1
baduser@osdx$

Step 5: Run command system journal clear at DUT0 and expect this output:

Vacuuming done, freed 0B of archived journals from /var/log/journal.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001cef-0006536b64ee6e9a.journal (104.0K).
Vacuuming done, freed 104.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.

Example 14

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication LIST
set service telnet
set system aaa group radius GROUP server SRV
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 1.2.3.4
set system aaa server radius SRV encrypted-key U2FsdGVkX19GQba42qoDjPAVMtqXIyeX9nmrqGKaS0Ys9AQA2+tuUvv6DNzZl2CTmNwfxqn4IR/m3b9eCogzAQ==
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.279 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.279/0.279/0.279/0.000 ms

Note

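In this case, the SSH and Telnet connections will fail: the RADIUS server (method 1) is not reachable and the list has no local method to fall back to.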

Step 3: Initiate an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser, which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Initiate a Telnet connection from DUT0 to IP address 127.0.0.1, which is going to fail:

admin@DUT0$ telnet 127.0.0.1
Login incorrect

Step 5: Run command system journal clear at DUT0 and expect this output:

Vacuuming done, freed 0B of archived journals from /var/log/journal.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001d18-0006536b65194eb5.journal (96.0K).
Vacuuming done, freed 96.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.

Example 15

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf test
set service ssh aaa authentication LIST
set service telnet
set system aaa group radius GROUP local-vrf test
set system aaa group radius GROUP server SRV
set system aaa list LIST method 1 group radius GROUP
set system aaa list LIST method 2 local
set system aaa server radius SRV address 1.2.3.4
set system aaa server radius SRV encrypted-key U2FsdGVkX18iwlTEB0XS56Zm+BQTuuMH202MYef72aFo9Zhb8LRKheY6CgFSbHEK6X74RyCQLMI0uNAf+skayw==
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: test
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.303 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.303/0.303/0.303/0.000 ms

Note

In this case, the SSH and Telnet connections will succeed: the RADIUS server (method 1) is not reachable, so the next method (local) is attempted, and it allows the authentication.

Step 3: Initiate an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
baduser@127.0.0.1's password:
Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 10:56:22 2026 from ::ffff:127.0.0.1
baduser@osdx$

Step 4: Initiate a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Linux 6.12.90 (osdx) (pts/1)

osdx login:
Password:

Welcome to Teldat OSDx v4.2.9.4

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Jun  4 10:56:51 UTC 2026 from 127.0.0.1 on pts/1
baduser@osdx$

Step 5: Run command system journal clear at DUT0 and expect this output:

Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001d39-0006536b66a760f6.journal (104.0K).
Vacuuming done, freed 104.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal.

Example 16

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 vrf test
set service ssh aaa authentication LIST
set service telnet
set system aaa group radius GROUP local-vrf test
set system aaa group radius GROUP server SRV
set system aaa list LIST method 1 group radius GROUP
set system aaa server radius SRV address 1.2.3.4
set system aaa server radius SRV encrypted-key U2FsdGVkX187HhFJdPKHuzJZycGu2+fhZPXUo+nuz/y7ksDMUx67mwfyCCDZtSdDMTOfOKS73jVCMZaUMC+pyA==
set system login aaa authentication LIST
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user baduser authentication encrypted-password '$6$cSslYJDYohFEEEI9$a7jwVDm9oq2qJrVdknOGgAxkLgiPYLzWpaS0f.4Ofdel7hkPUwNDsLbKm8l6LOPK37.ybcVNy03iwfm/O8elJ1'
set system vrf test

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 vrf test count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than: test
PING 10.215.168.1 (10.215.168.1) from 10.215.168.64 test: 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.301 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.301/0.301/0.301/0.000 ms

Note

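In this case, the SSH and Telnet connections will fail: the RADIUS server (method 1) is not reachable and the list has no local method to fall back to.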

Step 3: Initiate an SSH connection from DUT0 to IP address 127.0.0.1 with the user baduser, which is going to fail:

admin@DUT0$ ssh baduser@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Permission denied, please try again.
baduser@127.0.0.1's password:

Step 4: Initiate a Telnet connection from DUT0 to IP address 127.0.0.1, which is going to fail:

admin@DUT0$ telnet 127.0.0.1
Login incorrect

Step 5: Run command system journal clear at DUT0 and expect this output:

Vacuuming done, freed 0B of archived journals from /var/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000001d64-0006536b66d80c18.journal (96.0K).
Vacuuming done, freed 96.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
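
The fallback decision that Examples 13 to 16 exercise, modelled as an added Python example (not Teldat's code and not part of the original page). The names `parse` and `decide`, the `reachable` and `remote_accepts` parameters, and the rule that a server which answers is final are assumptions drawn from the scenario description; secrets are replaced by a placeholder.

```python
import re

# Constructed from the Example 13 configuration; secrets replaced by a placeholder.
# parse() and decide() are illustrative names, not OSDx APIs.
EXAMPLE_13 = """
set system aaa group radius GROUP server SRV
set system aaa list LIST method 1 group radius GROUP
set system aaa list LIST method 2 local
set system aaa server radius SRV address 1.2.3.4
set system login user admin authentication encrypted-password '<omitted>'
set system login user baduser authentication encrypted-password '<omitted>'
"""
# Example 14 is the same configuration without the local method.
EXAMPLE_14 = EXAMPLE_13.replace("set system aaa list LIST method 2 local\n", "")


def parse(config):
    """Collect AAA lists, groups, servers and local users from 'set' lines."""
    lists, groups, servers, users = {}, {}, {}, set()
    for line in config.splitlines():
        if m := re.match(r"set system aaa list (\S+) method (\d+) (local|group \S+ (\S+))$", line):
            target = "local" if m[3] == "local" else m[4]
            lists.setdefault(m[1], {})[int(m[2])] = target
        elif m := re.match(r"set system aaa group \S+ (\S+) server (\S+)$", line):
            groups.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"set system aaa server \S+ (\S+) address (\S+)$", line):
            servers[m[1]] = m[2]
        elif m := re.match(r"set system login user (\S+) ", line):
            users.add(m[1])
    return lists, groups, servers, users


def decide(config, list_name, user, reachable=(), remote_accepts=()):
    """Walk the method list in order and return (verdict, deciding method)."""
    lists, groups, servers, users = parse(config)
    for _, method in sorted(lists.get(list_name, {}).items()):
        if method == "local":
            # Assumes the correct local password is supplied.
            return ("accept" if user in users else "reject", "local")
        addrs = [servers[s] for s in groups.get(method, []) if s in servers]
        if any(a in reachable for a in addrs):
            # A server that answers is authoritative: no fallback on reject.
            return ("accept" if user in remote_accepts else "reject", method)
        # No server answered: fall through to the next method.
    return ("reject", None)
```

Calling `decide(EXAMPLE_13, "LIST", "baduser")` returns `("accept", "local")`, while passing `reachable={"1.2.3.4"}` makes the server's rejection final and the local entry is never consulted.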