Tacacs

Contents

Telnet Default Authorization

Description

A TACACS+ server is added to a TACACS+ group which is added to a AAA list. This list is assigned to the login system’s authentication. In this scenario, the default authorization mapping is used, which maps the privilege level 0 to monitor, 5 to operator, and 15 to admin. The device then starts a Telnet session with itself to check that it can only run the commands that role is authorized to run.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 key 1234
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system login aaa authentication list1
set service telnet

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

Show output

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.264 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.264/0.264/0.264/0.000 ms

Step 3: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1

Show output

\nTrying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:\nPassword:\n
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

Step 4: Run command service cnm restart at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 5: Run command show running at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 6: Run command show date at DUT0 and expect this output:

Show output

Thu Nov 23 23:48:34 UTC 2023

Step 7: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1

Show output

\nTrying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:\nPassword:\n
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

testadmin@osdx$

Step 8: Run command service cnm restart at DUT0 and expect this output:

Show output

service inactive. doing nothing.

Step 9: Run command show running at DUT0 and expect this output:

Show output

# Teldat OSDx VM version v3.8.1.7-beta3
# Thu 23 Nov 2023 11:48:35 PM UTC
# Warning: Configuration has not been saved
set interfaces ethernet eth0 address 10.215.168.20/24
set service telnet
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1+jcO29dcb+Go+l+Z/XsnMOB+j9l72agRo=
set system login aaa authentication list1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 10: Run command show date at DUT0 and expect this output:

Show output

Thu Nov 23 23:48:35 UTC 2023

---

Telnet Privilege Map

Description

A TACACS+ server is added to a TACACS+ group which is added to a AAA list. This list is assigned to the login system’s authentication. Finally, the TACACS+ 0 and 15 privilege levels are mapped to locally defined roles. The device then starts a Telnet session with itself to check that it can only run the commands that role is authorized to run.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 key 1234
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa authorization privilege-map tacacs 15 role monitor
set system aaa authorization privilege-map tacacs 0 role admin
set system login aaa authentication list1
set service telnet

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

Show output

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.318 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.318/0.318/0.318/0.000 ms

Step 3: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1

Show output

\nTrying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:\nPassword:\n
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

Step 4: Run command service cnm restart at DUT0 and expect this output:

Show output

service inactive. doing nothing.

Step 5: Run command show running at DUT0 and expect this output:

Show output

# Teldat OSDx VM version v3.8.1.7-beta3
# Thu 23 Nov 2023 11:48:43 PM UTC
# Warning: Configuration has not been saved
set interfaces ethernet eth0 address 10.215.168.20/24
set service telnet
set system aaa authorization privilege-map tacacs 0 role admin
set system aaa authorization privilege-map tacacs 15 role monitor
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1+5vt8x+DBMgNaj3Emhr5bdC6ekhwKdxeU=
set system login aaa authentication list1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 6: Run command show date at DUT0 and expect this output:

Show output

Thu Nov 23 23:48:44 UTC 2023

Step 7: Init a Telnet connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ telnet 127.0.0.1

Show output

\nTrying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:\nPassword:\n
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

testadmin@osdx$

Step 8: Run command service cnm restart at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 9: Run command show running at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 10: Run command show date at DUT0 and expect this output:

Show output

Thu Nov 23 23:48:44 UTC 2023

---

SSH Default Authorization

Description

A TACACS+ server is added to a TACACS+ group which is added to a AAA list. This list is assigned to the SSH service’s authentication. In this scenario, the default authorization mapping is used, which maps the privilege level 0 to monitor, 5 to operator, and 15 to admin. The device then starts an SSH session with itself to check that it can only run the commands that role is authorized to run.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 key 1234
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set service ssh aaa authentication list1

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

Show output

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.251 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.251/0.251/0.251/0.000 ms

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null

Show output

Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
testing@127.0.0.1's password:
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

Step 4: Run command service cnm restart at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 5: Run command show running at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 6: Run command show date at DUT0 and expect this output:

Show output

Thu Nov 23 23:48:52 UTC 2023

Step 7: Init an SSH connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ ssh testadmin@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null

Show output

Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
testadmin@127.0.0.1's password:
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

testadmin@osdx$

Step 8: Run command service cnm restart at DUT0 and expect this output:

Show output

service inactive. doing nothing.

Step 9: Run command show running at DUT0 and expect this output:

Show output

# Teldat OSDx VM version v3.8.1.7-beta3
# Thu 23 Nov 2023 11:48:53 PM UTC
# Warning: Configuration has not been saved
set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh aaa authentication list1
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX19G3w0bl37gd7GFbg4F0lF16f/bddoi6PM=
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 10: Run command show date at DUT0 and expect this output:

Show output

Thu Nov 23 23:48:53 UTC 2023

---

SSH Privilege Map

Description

A TACACS+ server is added to a TACACS+ group which is added to a AAA list. This list is assigned to the SSH service’s authentication. Finally, the TACACS+ 0 and 15 privilege levels are mapped to locally defined roles. The device then starts an SSH session with itself to check that it can only run the commands that role is authorized to run.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 key 1234
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa authorization privilege-map tacacs 15 role monitor
set system aaa authorization privilege-map tacacs 0 role admin
set service ssh aaa authentication list1

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

Show output

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.344 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.344/0.344/0.344/0.000 ms

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null

Show output

Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
testing@127.0.0.1's password:
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

Step 4: Run command service cnm restart at DUT0 and expect this output:

Show output

service inactive. doing nothing.

Step 5: Run command show running at DUT0 and expect this output:

Show output

# Teldat OSDx VM version v3.8.1.7-beta3
# Thu 23 Nov 2023 11:49:01 PM UTC
# Warning: Configuration has not been saved
set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh aaa authentication list1
set system aaa authorization privilege-map tacacs 0 role admin
set system aaa authorization privilege-map tacacs 15 role monitor
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1+1EK8OwyhjFGyjwhsD//8NObEMRPrdd90=
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 6: Run command show date at DUT0 and expect this output:

Show output

Thu Nov 23 23:49:01 UTC 2023

Step 7: Init an SSH connection from DUT0 to IP address 127.0.0.1:

admin@DUT0$ ssh testadmin@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null

Show output

Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
testadmin@127.0.0.1's password:
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

testadmin@osdx$

Step 8: Run command service cnm restart at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 9: Run command show running at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 10: Run command show date at DUT0 and expect this output:

Show output

Thu Nov 23 23:49:02 UTC 2023

---