Telnet Configuration
Overview
Telnet is a TCP/IP protocol used on the Internet and local area networks to provide a bidirectional, interactive, text-oriented communications facility over a virtual terminal connection. The Telnet program runs on the user's machine and connects to a server on the network. The user can then enter commands through the Telnet program and they are executed as if the user were entering them directly on the server console. Telnet enables users to control the server and communicate with other servers on the network. The default port number for the Telnet protocol is 23. Telnet offers users the capability of running programs remotely and facilitates remote administration.
Support for In-band Management Over Default VRF
OcNOS supports Telnet over the default and management VRFs via in-band management interface and OOB management interface, respectively.
By default, Telnet runs on the management VRF.
Topology
Telnet topology
Enable and Disable the Telnet Server
#configure terminal | Enter configure mode |
(config)#no feature telnet vrf management | Disable Telnet feature |
(config)#feature telnet vrf management | Enable Telnet feature |
(config)#exit | Exit configure mode |
Configure the Telnet Server Port
#configure terminal | Enter configure mode |
(config)#no feature telnet vrf management | Disable Telnet feature |
(config)#telnet server port 6112 vrf management | Set Telnet port to 6112 |
(config)#feature telnet vrf management | Enable Telnet feature |
(config)#exit | Exit configure mode |
Telnet Client Session
#telnet 10.10.10.1 vrf management | Log into remote machine using IPv4 address |
Validation Commands
#show telnet server
telnet server enabled port: 6112
#show running-config telnet server
feature telnet
In-band Management for User Defined VRF
From release 6.5.3, OcNOS supports Telnet over user-defined VRFs via the in-band interface, in addition to the default and management VRFs.
By default, Telnet runs on the management VRF. If the Telnet feature is wanted on user-defined VRFs, which can be part of an MPLS L3VPN or EVPN, it can be enabled on those VRFs.
The Telnet feature can be enabled on multiple user-defined VRFs simultaneously, each with the default or a non-default Telnet port.
Telnet Configuration with IPv4 Address for User Defined VRF
Topology
Telnet Configuration topology
Enable and Disable the Telnet Server on a User-Defined VRF (here named vrf_test)
#configure terminal | Enter configure mode |
(config)#no feature telnet vrf vrf_test | Disable Telnet feature |
(config)#feature telnet vrf vrf_test | Enable Telnet feature |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit configure mode |
Configure the Telnet Server Port on a User-Defined VRF (here named vrf_test)
#configure terminal | Enter configure mode |
(config)#ip vrf vrf_test | Configure User defined vrf |
(config)#no feature telnet vrf vrf_test | Disable Telnet feature |
(config)#telnet server port 6112 vrf vrf_test | Set Telnet port to 6112 |
(config)#feature telnet vrf vrf_test | Enable Telnet feature |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit configure mode |
Telnet Client Session
#telnet 10.10.10.1 | Log into remote machine using IPv4 address |
Validation
#show telnet server
VRF MANAGEMENT:
telnet server enabled port: 23
VRF DEFAULT:
telnet server enabled port: 23
VRF vrf_test:
telnet server enabled port: 6112
#show running-config telnet server
feature telnet vrf vrf_test
feature telnet vrf management
feature telnet
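The per-VRF output of show telnet server can be checked against the VRFs where Telnet is actually meant to run. The following script is an added example and not part of OcNOS; it assumes the output layout shown in the validation above and an allowlist (constructed here) of VRF names and expected ports.

```python
"""Audit which VRFs expose a Telnet server, from 'show telnet server' output.

Added example (not OcNOS code). Assumes the per-VRF layout shown in the
validation section: a 'VRF <name>:' line followed by
'telnet server enabled port: <n>'.
"""
import re
from typing import Dict, List

# Constructed sample, mirroring the validation output on this page.
SAMPLE_OUTPUT = """\
VRF MANAGEMENT:
telnet server enabled port: 23
VRF DEFAULT:
telnet server enabled port: 23
VRF vrf_test:
telnet server enabled port: 6112
"""

VRF_RE = re.compile(r"^VRF\s+(\S+?):?$")
STATUS_RE = re.compile(r"^telnet server (enabled|disabled)(?:\s+port:\s*(\d+))?$", re.I)


def parse_telnet_status(text: str) -> Dict[str, int]:
    """Return {vrf (lower-case): port} for every VRF with Telnet enabled."""
    enabled: Dict[str, int] = {}
    vrf = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VRF_RE.match(line)
        if m:
            vrf = m.group(1).lower()
            continue
        m = STATUS_RE.match(line)
        if m and vrf and m.group(1).lower() == "enabled":
            # Port 23 is the protocol default if the output omits it.
            enabled[vrf] = int(m.group(2)) if m.group(2) else 23
    return enabled


def audit_telnet(text: str, allowed: Dict[str, int]) -> List[str]:
    """Compare enabled VRFs against an allowlist {vrf: expected_port}.

    Telnet is cleartext, so any VRF not explicitly allowed is a finding,
    as is a port that differs from the one the operator intended.
    """
    findings = []
    for vrf, port in sorted(parse_telnet_status(text).items()):
        if vrf not in allowed:
            findings.append(f"{vrf}: telnet enabled on port {port} but not allowed")
        elif allowed[vrf] != port:
            findings.append(f"{vrf}: telnet on port {port}, expected {allowed[vrf]}")
    return findings


if __name__ == "__main__":
    for finding in audit_telnet(SAMPLE_OUTPUT, {"management": 23}):
        print(finding)
```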
TACACS Server Authentication for User Defined VRF
IPv4 Address Configuration
This section shows how a TACACS+ server is configured with an IPv4 address. Authentication messages are transmitted from the device to the TACACS+ server using an IPv4 address.
Topology
Figure 1-7 shows the sample configuration of TACACS+ server.
TACACS Server Host Configuration
Authenticating Client
#configure terminal | Enter configure mode |
(config)#ip vrf vrf1 | Configure the user-defined VRF |
(config)#feature tacacs+ vrf vrf1 | Enable the feature TACACS+ for user-defined vrf |
(config)#tacacs-server login key 0 testing123 vrf vrf1 | Specify the global key for TACACS+ servers in the user-defined VRF that are not configured with their own keys. This key should match the one in the TACACS+ server configuration file |
(config)#tacacs-server login host 20.20.20.2 vrf vrf1 seq-num 1 key 0 testing123 | Specify the TACACS+ server IPv4 address to be configured with a shared key. The same key should be present in the server configuration file |
(config)#tacacs-server login host 30.30.30.2 vrf vrf1 seq-num 4 port 1045 | Specify the TACACS+ server IPv4 address to be configured with the sequence and port number. The TACACS+ server should be started with the same port number |
(config)#tacacs-server login host 40.40.40.2 vrf vrf1 seq-num 8 key 7 65535 port 65535 | Specify the TACACS+ server IPv4 address to be configured with the sequence, key and port number for the user-defined VRF. The TACACS+ server should be started with the same port number |
(config)#tacacs-server login host Tacacs-Server-1 vrf vrf1 seq-num 7 key 7 65535 port 65535 | Specify the TACACS+ server configured with host name, sequence number, key and port number for the user-defined VRF. The TACACS+ server should be started with the same port number |
(config)#aaa authentication login default vrf vrf1 group tacacs+ | Enable authentication for TACACS+ server configured for user-defined vrf. Authorization is also enabled by default |
(config)#aaa authentication login default vrf vrf1 group tacacs+ local | Enable authentication for TACACS+ and fall-back to local configured for user-defined vrf. Authorization is also enabled by default |
(config)#aaa authentication login default vrf vrf1 group tacacs+ local none | Enable authentication for TACACS+ fall-back to local followed by fall-back to none configured for user-defined vrf. Authorization is also enabled by default |
(config)#aaa group server tacacs+ G1 vrf vrf1 | Create aaa group G1 for user-defined vrf |
(config-tacacs)#server 20.20.20.2 | Make the tacacs-server 20.20.20.2 a part of this group G1 for user-defined vrf |
(config-tacacs)#server 30.30.30.2 | Make the tacacs-server 30.30.30.2 a part of this group G1 for user-defined vrf |
(config-tacacs)#server 40.40.40.2 | Make the tacacs-server 40.40.40.2 a part of this group G1 for user-defined vrf |
(config-tacacs)#server Tacacs-Server-1 | Make the tacacs-server Tacacs-Server-1 a part of this group G1 for user-defined vrf |
(config-tacacs)#exit | Exit the tacacs-config |
(config)#commit | Commit the configuration |
(config)#aaa authentication login default vrf vrf1 group G1 | Authenticate the tacacs+ group G1 with aaa authentication for user-defined vrf |
(config)#commit | Commit the configuration |
Users are mapped as shown in Table 1-11.
Table 1-11: Role/privilege level mapping
Role | Privilege level |
---|---|
Network administrator | 15 |
Network engineer | 14 |
Network operator | 1 to 12 |
RBAC-customized-role | 13 |
Network user | 0 or any other values (>15 or negative values or any character) |
Validation
OcNOS#sh tacacs-server vrf vrf1
VRF: vrf1
total number of servers:4
Tacacs+ Server : 20.20.20.2/49
Sequence Number : 1
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : 30.30.30.2/1045
Sequence Number : 4
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : Tacacs-server-1/65535
Sequence Number : 7
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : 40.40.40.2/65535
Sequence Number : 8
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
(*) indicates last active.
OcNOS#sh tacacs-server vrf all
VRF: management
total number of servers:0
VRF: vrf1
total number of servers:4
Tacacs+ Server : 20.20.20.2/49
Sequence Number : 1
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : 30.30.30.2/1045
Sequence Number : 4
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : Tacacs-server-1/65535
Sequence Number : 7
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : 40.40.40.2/65535
Sequence Number : 8
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
(*) indicates last active.
OcNOS# sh tacacs-server vrf vrf1 groups G1
VRF: vrf1
group G1:
server 20.20.20.2:
seq-num 1
port is 49
key is ********
server 30.30.30.2:
seq-num 4
port is 1045
server Tacacs-server-1:
seq-num 7
port is 65535
key is ********
server 40.40.40.2:
seq-num 8
port is 65535
key is ********
OcNOS# sh tacacs-server vrf all groups G1
VRF: management
No such group exists.
VRF: vrf1
group G1:
server 20.20.20.2:
seq-num 1
port is 49
key is ********
server 30.30.30.2:
seq-num 4
port is 1045
server Tacacs-server-1:
seq-num 7
port is 65535
key is ********
server 40.40.40.2:
seq-num 8
port is 65535
key is ********
OcNOS#sh tacacs vrf vrf1
VRF: vrf1
total number of servers:4
Tacacs+ Server : 20.20.20.2/49
Sequence Number : 1
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : 30.30.30.2/1045
Sequence Number : 4
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : Tacacs-server-1/65535
Sequence Number : 7
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : 40.40.40.2/65535
Sequence Number : 8
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
(*) indicates last active.
OcNOS# sh tacacs vrf all
VRF: management
total number of servers:0
VRF: vrf1
total number of servers:4
Tacacs+ Server : 20.20.20.2/49
Sequence Number : 1
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : 30.30.30.2/1045
Sequence Number : 4
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : Tacacs-server-1/65535
Sequence Number : 7
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : 40.40.40.2/65535
Sequence Number : 8
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
(*) indicates last active.
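The counters in the show tacacs-server output above are worth reading programmatically, since a server the device cannot reach means the configured fallback method (local, none) is deciding logins. The following parser is an added example, not OcNOS code; it assumes the output layout shown above and a constructed sample whose non-zero counters are made up.

```python
"""Parse 'show tacacs-server vrf all' output and flag unhealthy servers.
Added example, not OcNOS code; assumes the layout shown above ('VRF: <name>'
headers, then 'Tacacs+ Server : host/port' blocks with counter lines).
SAMPLE_OUTPUT below is constructed in that format; its counters are made up."""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
VRF: management
VRF: vrf1
Tacacs+ Server : 20.20.20.2/49
Sequence Number : 1
Failed Auth Attempts : 12
Success Auth Attempts : 40
Failed Connect Attempts : 0
Tacacs+ Server : 30.30.30.2/1045
Sequence Number : 4
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 3
(*) indicates last active.
"""

VRF_RE = re.compile(r"^VRF:\s*(\S+)")
SERVER_RE = re.compile(r"^Tacacs\+ Server\s*:\s*(\S+)/(\d+)")
COUNTER_RE = re.compile(r"^(Sequence Number|Failed Auth Attempts|Success Auth Attempts|"
                        r"Failed Connect Attempts)\s*:\s*(\d+)")
FIELDS = {"Sequence Number": "seq", "Failed Auth Attempts": "failed_auth",
          "Success Auth Attempts": "success_auth", "Failed Connect Attempts": "failed_connect"}


@dataclass
class TacacsServer:
    vrf: str
    host: str
    port: int
    seq: int = 0
    failed_auth: int = 0
    success_auth: int = 0
    failed_connect: int = 0


def parse_tacacs_servers(text: str) -> list:
    """One TacacsServer per 'Tacacs+ Server' block, tagged with the VRF it sits in."""
    servers = []
    vrf = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if m := VRF_RE.match(line):
            vrf = m.group(1)
        elif m := SERVER_RE.match(line):
            servers.append(TacacsServer(vrf, m.group(1), int(m.group(2))))
        elif (m := COUNTER_RE.match(line)) and servers:
            setattr(servers[-1], FIELDS[m.group(1)], int(m.group(2)))
    return servers


def find_issues(servers: list, max_failed_auth: int = 5) -> list:
    """Flag servers the device could not reach (the aaa fallback then decides
    logins) and servers with a burst of failed authentications."""
    issues = []
    for s in servers:
        where = f"{s.vrf} {s.host}/{s.port} seq {s.seq}"
        if s.failed_connect:
            issues.append(f"{where}: {s.failed_connect} failed connect attempts")
        if s.failed_auth > max_failed_auth:
            issues.append(f"{where}: {s.failed_auth} failed auth attempts")
    return issues
```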
OcNOS# sh aaa authentication vrf vrf1
VRF: vrf1
default: group G1
OcNOS# sh aaa authentication vrf all
VRF: vrf1
default: group G1
OcNOS# sh aaa authentication
% AAA Entry not found
OcNOS# sh aaa groups vrf vrf1
VRF: vrf1
radius
tacacs+
G1
OcNOS# sh aaa groups vrf all
VRF: management
radius
VRF: vrf1
radius
tacacs+
G1
OcNOS#sh running-config tacacs+
feature tacacs+ vrf vrf1
tacacs-server login key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb vrf vrf1
tacacs-server login host 20.20.20.2 vrf vrf1 seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
tacacs-server login host 30.30.30.2 vrf vrf1 seq-num 4 port 1045
tacacs-server login host Tacacs-server-1 vrf vrf1 seq-num 7 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb port 65535
tacacs-server login host 40.40.40.2 vrf vrf1 seq-num 8 key 7 0x9f4a8983e0216052 port 65535
OcNOS#sh running-config aaa
aaa group server tacacs+ G1 vrf vrf1
server 20.20.20.2
server 30.30.30.2
server Tacacs-server-1
server 40.40.40.2
aaa authentication login default vrf vrf1 group G1
aaa accounting default vrf vrf1 group tacacs+
OcNOS#sh running-config aaa all
aaa local authentication attempts max-fail 3
aaa local authentication unlock-timeout 1200
aaa local authentication password expire 0 role network-admin
aaa local authentication password expire 0 role network-engineer
aaa local authentication password expire 0 role network-operator
aaa local authentication password expire 0 role network-user
aaa authentication login default vrf management local
aaa authentication login console local
aaa accounting default vrf management local
aaa accounting console local
no aaa authentication login default fallback error local vrf management
no aaa authentication login console fallback error local
no aaa authentication login error-enable vrf management
aaa authentication login default vrf vrf1 group G1
aaa authentication login console local
aaa accounting default vrf vrf1 group tacacs+
aaa accounting console local
no aaa authentication login default fallback error local vrf vrf1
no aaa authentication login console fallback error local
no aaa authentication login error-enable vrf vrf1
aaa group server tacacs+ G1 vrf vrf1
server 20.20.20.2
server 30.30.30.2
server Tacacs-server-1
server 40.40.40.2
IPv6 Address Configuration
This section shows a TACACS+ server is configured with an IPv6 address. Authentication messages are transmitted to TACACS+ server from the device using an IPv6 address.
Topology
Figure 1-8 shows the sample configuration of TACACS+ server.
TACACS+ server topology
Authenticating Client
R1#configure terminal | Enter configure mode. |
R1(config)# ip vrf vrf1 | Configure the user-defined VRF |
R1(config)#tacacs-server login host 2001::2 vrf vrf1 seq-num 1 key 0 testing123 | Configure TACACS+ server with IPv6 address |
R1(config)# aaa authentication login default vrf vrf1 group tacacs+ | Configure AAA authentication |
R1(config)#tacacs-server login host 2001::2 vrf vrf1 seq-num 1 | Config for IPv6 TACACS+ server with seq-num |
R1(config)# ip host vrf vrf1 Server1 2001::2 | Config for assigning hostname to valid IPv6 address |
R1(config)#feature tacacs+ vrf vrf1 | Config for enabling the TACACS+ feature on the user-defined VRF |
R1(config)#tacacs-server login 2002::2 vrf vrf1 seq-num def_abc port 65535 timeout 60 | Config for IPv6 TACACS+ server address with key, port and timeout |
R1(config)#tacacs-server login timeout 60 | Config timeout for TACACS server |
R1(config)#tacacs-server login key 7 65535 | Config login key for TACACS server |
R1(config)# interface eth0 | Navigate to the interface mode |
R1(config-if)#ipv6 address 2001::5/64 | Configure IPv6 address on the eth0 interface |
R1(config-if)# exit | Exit interface configure mode |
R1(config)#commit | Commit the configuration |
R1(config)# exit | Exit configure mode |
Validation
Telnet to the router, providing the username listed in the TACACS+ server "users" file as the Telnet username. Check that the router sends the TACACS+ request to the TACACS+ server using its IPv6 address.
#show running-config tacacs+
tacacs-server login host 2002::5 vrf vrf1 seq-num 1 key 7 0x6f32ba3f9e05a3db
#sh tacacs-server vrf vrf1
VRF: vrf1
total number of servers:1
Tacacs+ Server : 2002::5/49
Sequence Number : 1
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
(*) indicates last active.
#show running-config aaa
aaa authentication login default vrf management group tacacs+
aaa authentication login error-enable vrf management
#show ipv6 interface eth0 brief
Interface    IPv6-Address                 Admin-Status
eth0         2001:db8:100::5              [up/up]
             fe80::218:23ff:fe30:e6ba
TACACS Server Accounting
After authentication, the user can configure accounting to measure the resources that the user consumes during access.
Authenticating Device
#configure terminal | Enter configure mode. |
(config)#feature tacacs+ vrf vrf1 | Enable the feature TACACS+ for user defined vrf |
(config)#tacacs-server login host 10.16.19.2 vrf vrf1 seq-num 1 key 0 testing123 | Specify the TACACS+ server IPv4 address to be configured with a shared key for the user-defined VRF vrf1. The same key should be present in the server configuration file. |
(config)#aaa accounting default group tacacs+ | Enable accounting for TACACS server configured for default vrf |
(config)#commit | Commit the configuration |
(config)#exit | Exit configure mode |
#clear tacacs-server counters vrf vrf1 | Clear tacacs server counters for user-defined vrf |
#clear tacacs-server counters vrf all | Clear tacacs server counters for management and default vrf |
To verify the TACACS accounting process, connect using SSH or Telnet from the host to the client with the user created and provided TACACS server password, and check whether the client validates the user with corresponding username and password.
Validation Commands
show tacacs-server, show aaa accounting
#show aaa accounting vrf vrf1
VRF: vrf1
default: group tacacs+
#show aaa accounting vrf all
VRF: management
default:
VRF: vrf1
default: group tacacs+
#show running-config aaa
aaa authentication login default vrf vrf1 group G1
aaa accounting default vrf vrf1 group tacacs+
aaa group server tacacs+ G1 vrf management
server Tacacs-Server-1 vrf management
server 10.12.17.11 vrf management
Sample TACACS Config File Contents
#tacacs configuration file
#set the key
key = "testing123"
accounting file = /var/log/tac_acc.log
user = test1 {
default service = permit
login = cleartext "12345"
}
group = netadmin {
service = ppp protocol = ip {
priv-lvl = 1
}
}
user = test2 {
default service = permit
login = cleartext "12345"
member = netadmin
}
user = test3 {
default service = permit
login = cleartext "12345"
service = ppp protocol = ip {
priv-lvl = 15
}
}
TACACS Server Authorization
Authorization is realized by mapping the authenticated users to one of the existing predefined roles as shown in Table P-1-8.
The privilege information from the TACACS+ server is retrieved for the authenticated users and is mapped onto one of the roles as shown in Table 1-11.
Each authenticated user is mapped to one of the pre-defined privilege levels.
Users with priv-lvl <= 0 or priv-lvl > 15 are treated as read-only users mapped onto the pre-defined network-user role.
There is no command to enable authorization. Authorization is enabled by default when remote authentication is enabled with TACACS+.
Authorization is "auto-enabled". After successful authentication, a user enters privileged exec mode irrespective of privilege level and is not prompted for the enable-mode password, if one is configured. However, based on the user's role, commands that the role is not allowed to perform are rejected.
Example
A network-user has read-only access and can only execute show commands. A network-user cannot enter configure mode. An error message is displayed upon executing any command which is not allowed.
#write
% Access restricted for user %
#configure terminal
% Access restricted for user %
The following attribute value pair in TACACS+ server is used to fetch user privilege information.
service = ppp protocol = ip {
priv-lvl = <0…15>
}
Sample TACACS+ Configuration File
#tacacs configuration file from "tac_plus version F4.0.3.alpha"
#set the key
key = "testing123"
accounting file = /var/log/tac_acc.log
#Read only user “test1”, without any priv-lvl, mapped to role “network-user”
user = test1 {
default service = permit
login = cleartext "12345"
}
#We can create a group of users mapped to a privilege
group = netadmin {
service = ppp protocol = ip {
priv-lvl = 15
}
}
#User “test2” with highest priv-lvl=15, mapped to role “network-admin”
user = test2 {
default service = permit
login = cleartext "12345"
member = netadmin
}
#User “test3” with priv-lvl= 1…13, mapped to role “network-operator”
user = test3 {
default service = permit
login = cleartext "12345"
service = ppp protocol = ip {
priv-lvl = 10
}
}
#User “test4” with priv-lvl=14, mapped to role “network-engineer”
user = test4 {
default service = permit
login = cleartext "12345"
service = ppp protocol = ip {
priv-lvl = 14
}
}
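The priv-lvl to role mapping of Table 1-11 and the tac_plus file format above can be checked together before a server configuration is deployed. The following script is an added example and not OcNOS or tac_plus code; it assumes the tac_plus syntax used in the sample file (user and group blocks, member = <group>, and the service = ppp protocol = ip { priv-lvl = N } block), follows Table 1-11 (so priv-lvl 13 maps to RBAC-customized-role), and uses a constructed sample config.

```python
"""Map tac_plus users to OcNOS roles from their priv-lvl, per Table 1-11.
Added example, not OcNOS or tac_plus code. Assumes the tac_plus syntax of the
sample file above (user/group blocks, 'member = <group>', and
'service = ppp protocol = ip { priv-lvl = N }'); SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
key = "testing123"
#Read-only user without priv-lvl: network-user
user = test1 {
    default service = permit
    login = cleartext "12345"
}
group = netadmin {
    service = ppp protocol = ip { priv-lvl = 15 }
}
user = test2 { member = netadmin }
user = test3 { service = ppp protocol = ip { priv-lvl = 10 } }
user = test4 { service = ppp protocol = ip { priv-lvl = 14 } }
user = test5 { service = ppp protocol = ip { priv-lvl = 13 } }
"""

BLOCK_RE = re.compile(r"^(user|group)\s*=\s*(\S+)\s*\{", re.M)
PRIV_RE = re.compile(r"priv-lvl\s*=\s*([^\s}]+)")
MEMBER_RE = re.compile(r"member\s*=\s*(\S+)")


def role_for_priv_lvl(value) -> str:
    """Table 1-11: 15 admin, 14 engineer, 13 RBAC-customized, 1..12 operator;
    0, negative, >15 or non-numeric values fall through to network-user."""
    try:
        lvl = int(str(value).strip())
    except (TypeError, ValueError):
        return "network-user"
    if lvl == 15:
        return "network-admin"
    if lvl == 14:
        return "network-engineer"
    if lvl == 13:
        return "RBAC-customized-role"
    return "network-operator" if 1 <= lvl <= 12 else "network-user"


def _block_body(text: str, open_brace: int) -> str:
    """Text between the brace at open_brace and its matching close brace."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in tac_plus config")


def user_roles(config: str) -> dict:
    """Return {username: role}; a user without its own priv-lvl inherits its group's."""
    text = "\n".join(l for l in config.splitlines() if not l.lstrip().startswith("#"))
    groups, users = {}, {}
    for m in BLOCK_RE.finditer(text):
        body = _block_body(text, m.end() - 1)
        priv = PRIV_RE.search(body)
        if m.group(1) == "group":
            groups[m.group(2)] = priv.group(1) if priv else None
        else:
            member = MEMBER_RE.search(body)
            users[m.group(2)] = (priv.group(1) if priv else None,
                                 member.group(1) if member else None)
    return {name: role_for_priv_lvl(priv if priv is not None else groups.get(member))
            for name, (priv, member) in users.items()}
```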