Tacacs

Contents

Telnet Default Authorization

Description

A TACACS+ server is added to a TACACS+ group which is added to an AAA list. This list is assigned to the login system’s authentication. In this scenario, the default authorization mapping is used, which maps the privilege level 0 to monitor, 5 to operator, and 15 to admin. The device then starts a Telnet session with itself to check that it can only run the commands that role is authorized to run.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 key 1234
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system login aaa authentication list1
set service telnet

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

Show output

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.438 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.438/0.438/0.438/0.000 ms

Step 3: Init a Telnet connection from DUT0 to IP address 127.0.0.1 :

admin@DUT0$ telnet 127.0.0.1

Show output

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Welcome to Teldat OSDx 202401241058.f949bb7-v3.9.1.2-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

Step 4: Run command service cnm restart at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 5: Run command show running at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 6: Run command show date at DUT0 and expect this output:

Show output

Thu Jan 25 00:29:09 UTC 2024

Step 7: Init a Telnet connection from DUT0 to IP address 127.0.0.1 :

admin@DUT0$ telnet 127.0.0.1

Show output

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Welcome to Teldat OSDx 202401241058.f949bb7-v3.9.1.2-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

testadmin@osdx$

Step 8: Run command service cnm restart at DUT0 and expect this output:

Show output

service inactive. doing nothing.

Step 9: Run command show running at DUT0 and expect this output:

Show output

# Teldat OSDx VM version 202401241058.f949bb7-v3.9.1.2-snapshot
# Thu 25 Jan 2024 12:29:10 AM UTC
# Warning: Configuration has not been saved
set interfaces ethernet eth0 address 10.215.168.64/24
set service telnet
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1/EKYVs3iHdBdV7pjFax0+XkCiV9OSkEIw=
set system login aaa authentication list1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 10: Run command show date at DUT0 and expect this output:

Show output

Thu Jan 25 00:29:10 UTC 2024

---

Telnet Privilege Map

Description

A TACACS+ server is added to a TACACS+ group which is added to an AAA list. This list is assigned to the login system’s authentication. Finally, the TACACS+ 0 and 15 privilege levels are mapped to locally defined roles. The device then starts a Telnet session with itself to check that it can only run the commands that role is authorized to run.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 key 1234
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa authorization privilege-map tacacs 15 role monitor
set system aaa authorization privilege-map tacacs 0 role admin
set system login aaa authentication list1
set service telnet

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

Show output

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.259 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.259/0.259/0.259/0.000 ms

Step 3: Init a Telnet connection from DUT0 to IP address 127.0.0.1 :

admin@DUT0$ telnet 127.0.0.1

Show output

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Welcome to Teldat OSDx 202401241058.f949bb7-v3.9.1.2-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

Step 4: Run command service cnm restart at DUT0 and expect this output:

Show output

service inactive. doing nothing.

Step 5: Run command show running at DUT0 and expect this output:

Show output

# Teldat OSDx VM version 202401241058.f949bb7-v3.9.1.2-snapshot
# Thu 25 Jan 2024 12:29:21 AM UTC
# Warning: Configuration has not been saved
set interfaces ethernet eth0 address 10.215.168.64/24
set service telnet
set system aaa authorization privilege-map tacacs 0 role admin
set system aaa authorization privilege-map tacacs 15 role monitor
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1/zAr/QuGbWPp/+oGiVpIq08Lj7CrDFVSU=
set system login aaa authentication list1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 6: Run command show date at DUT0 and expect this output:

Show output

Thu Jan 25 00:29:21 UTC 2024

Step 7: Init a Telnet connection from DUT0 to IP address 127.0.0.1 :

admin@DUT0$ telnet 127.0.0.1

Show output

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
osdx login:
Password:

Welcome to Teldat OSDx 202401241058.f949bb7-v3.9.1.2-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

testadmin@osdx$

Step 8: Run command service cnm restart at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 9: Run command show running at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 10: Run command show date at DUT0 and expect this output:

Show output

Thu Jan 25 00:29:22 UTC 2024

---

SSH Default Authorization

Description

A TACACS+ server is added to a TACACS+ group which is added to an AAA list. This list is assigned to the SSH service’s authentication. In this scenario, the default authorization mapping is used, which maps the privilege level 0 to monitor, 5 to operator, and 15 to admin. The device then starts an SSH session with itself to check that it can only run the commands that role is authorized to run.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 key 1234
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set service ssh aaa authentication list1

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

Show output

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.284 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.284/0.284/0.284/0.000 ms

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testing:

admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null

Show output

Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
testing@127.0.0.1's password:
Welcome to Teldat OSDx 202401241058.f949bb7-v3.9.1.2-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

Step 4: Run command service cnm restart at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 5: Run command show running at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 6: Run command show date at DUT0 and expect this output:

Show output

Thu Jan 25 00:29:32 UTC 2024

Step 7: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testadmin:

admin@DUT0$ ssh testadmin@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null

Show output

Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
testadmin@127.0.0.1's password:
Welcome to Teldat OSDx 202401241058.f949bb7-v3.9.1.2-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

testadmin@osdx$

Step 8: Run command service cnm restart at DUT0 and expect this output:

Show output

service inactive. doing nothing.

Step 9: Run command show running at DUT0 and expect this output:

Show output

# Teldat OSDx VM version 202401241058.f949bb7-v3.9.1.2-snapshot
# Thu 25 Jan 2024 12:29:32 AM UTC
# Warning: Configuration has not been saved
set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication list1
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX19ITGqTTbX9aw9FI3wQ43gnwgoqxIXzD+g=
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 10: Run command show date at DUT0 and expect this output:

Show output

Thu Jan 25 00:29:33 UTC 2024

---

SSH Privilege Map

Description

A TACACS+ server is added to a TACACS+ group which is added to an AAA list. This list is assigned to the SSH service’s authentication. Finally, the TACACS+ 0 and 15 privilege levels are mapped to locally defined roles. The device then starts an SSH session with itself to check that it can only run the commands that role is authorized to run.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 key 1234
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa authorization privilege-map tacacs 15 role monitor
set system aaa authorization privilege-map tacacs 0 role admin
set service ssh aaa authentication list1

Step 2: Ping IP address 10.215.168.1 from DUT0:

admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1

Show output

PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.209 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.209/0.209/0.209/0.000 ms

Step 3: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testing:

admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null

Show output

Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
testing@127.0.0.1's password:
Welcome to Teldat OSDx 202401241058.f949bb7-v3.9.1.2-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

testing@osdx$

Step 4: Run command service cnm restart at DUT0 and expect this output:

Show output

service inactive. doing nothing.

Step 5: Run command show running at DUT0 and expect this output:

Show output

# Teldat OSDx VM version 202401241058.f949bb7-v3.9.1.2-snapshot
# Thu 25 Jan 2024 12:29:43 AM UTC
# Warning: Configuration has not been saved
set interfaces ethernet eth0 address 10.215.168.64/24
set service ssh aaa authentication list1
set system aaa authorization privilege-map tacacs 0 role admin
set system aaa authorization privilege-map tacacs 15 role monitor
set system aaa group tacacs tacgroup1 server serv1
set system aaa list list1 method 1 group tacacs tacgroup1
set system aaa server tacacs serv1 address 10.215.168.1
set system aaa server tacacs serv1 encrypted-key U2FsdGVkX18CdNlzy7zNfgFJos0cFZ8n2Arm5pcxEbs=
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 6: Run command show date at DUT0 and expect this output:

Show output

Thu Jan 25 00:29:43 UTC 2024

Step 7: Init an SSH connection from DUT0 to IP address 127.0.0.1 with the user testadmin:

admin@DUT0$ ssh testadmin@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null

Show output

Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
testadmin@127.0.0.1's password:
Welcome to Teldat OSDx 202401241058.f949bb7-v3.9.1.2-snapshot

This system includes free software.
Contact Teldat for licenses information and source code.

testadmin@osdx$

Step 8: Run command service cnm restart at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 9: Run command show running at DUT0 and expect this output:

Show output

CLI Error: Insufficient privileges

Step 10: Run command show date at DUT0 and expect this output:

Show output

Thu Jan 25 00:29:44 UTC 2024

---