Tacacs
Telnet Privilege Map
Description
A TACACS+ server is added to a TACACS+ group which is added to an AAA list. This list is assigned to the login system’s authentication. Finally, the TACACS+ 0 and 15 privilege levels are mapped to locally defined roles. The device then starts a Telnet session with itself to check that it can only run the commands that role is authorized to run.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set service telnet set system aaa authorization privilege-map tacacs 0 role admin set system aaa authorization privilege-map tacacs 15 role monitor set system aaa authorization privilege-map tacacs 3 role operator set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1/fXEppmSllou+KXaC3woUPaOhaRPxTKr8= set system login aaa authentication list1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.198 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.198/0.198/0.198/0.000 ms
Step 3: Initiate a Telnet connection from DUT0 to IP address 127.0.0.1 :
admin@DUT0$ telnet 127.0.0.1Show output
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Linux 6.12.74 (osdx) (pts/1) osdx login: Password: Welcome to Teldat OSDx v4.2.10.0 This system includes free software. Contact Teldat for licenses information and source code. Last login: Tue May 19 16:46:52 UTC 2026 from ::ffff:127.0.0.1 on pts/1 testing@osdx$
Step 4: Run the command service cnm restart on DUT0 and expect the following output:
Show output
service inactive. doing nothing.
Step 5: Run the command show running on DUT0 and expect the following output:
Show output
# Teldat OSDx VM version v4.2.10.0 # Tue 19 May 2026 16:47:00 +00:00 # Warning: Configuration has not been saved set interfaces ethernet eth0 address 10.215.168.64/24 set service telnet set system aaa authorization privilege-map tacacs 0 role admin set system aaa authorization privilege-map tacacs 15 role monitor set system aaa authorization privilege-map tacacs 3 role operator set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1/fXEppmSllou+KXaC3woUPaOhaRPxTKr8= set system login aaa authentication list1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run the command show date on DUT0 and expect the following output:
Show output
Tue 19 May 2026 16:47:00 +00:00
Step 7: Initiate a Telnet connection from DUT0 to IP address 127.0.0.1 :
admin@DUT0$ telnet 127.0.0.1Show output
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Linux 6.12.74 (osdx) (pts/1) osdx login: Password: Welcome to Teldat OSDx v4.2.10.0 This system includes free software. Contact Teldat for licenses information and source code. tacthree@osdx$
Step 8: Run the command service cnm restart on DUT0 and expect the following output:
Show output
CLI Error: Insufficient privileges
Step 9: Run the command show running on DUT0 and expect the following output:
Show output
# Teldat OSDx VM version v4.2.10.0 # Tue 19 May 2026 16:47:02 +00:00 # Warning: Configuration has not been saved set interfaces ethernet eth0 address 10.215.168.64/24 set service telnet set system aaa authorization privilege-map tacacs 0 role admin set system aaa authorization privilege-map tacacs 15 role monitor set system aaa authorization privilege-map tacacs 3 role operator set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1/fXEppmSllou+KXaC3woUPaOhaRPxTKr8= set system login aaa authentication list1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 10: Run the command show date on DUT0 and expect the following output:
Show output
Tue 19 May 2026 16:47:02 +00:00
Step 11: Initiate a Telnet connection from DUT0 to IP address 127.0.0.1 :
admin@DUT0$ telnet 127.0.0.1Show output
Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Linux 6.12.74 (osdx) (pts/1) osdx login: Password: Welcome to Teldat OSDx v4.2.10.0 This system includes free software. Contact Teldat for licenses information and source code. Last login: Tue May 19 16:46:53 UTC 2026 from ::ffff:127.0.0.1 on pts/1 testadmin@osdx$
Step 12: Run the command service cnm restart on DUT0 and expect the following output:
Show output
CLI Error: Insufficient privileges
Step 13: Run the command show running on DUT0 and expect the following output:
Show output
CLI Error: Insufficient privileges
Step 14: Run the command show date on DUT0 and expect the following output:
Show output
Tue 19 May 2026 16:47:03 +00:00
SSH Privilege Map
Description
A TACACS+ server is added to a TACACS+ group which is added to an AAA list. This list is assigned to the SSH service’s authentication. Finally, the TACACS+ 0 and 15 privilege levels are mapped to locally defined roles. The device then starts an SSH session with itself to check that it can only run the commands that role is authorized to run.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set service ssh aaa authentication list1 set system aaa authorization privilege-map tacacs 0 role admin set system aaa authorization privilege-map tacacs 15 role monitor set system aaa authorization privilege-map tacacs 3 role operator set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1//u/5oovbjN/j3elGGns7ojo26KebjNNg= set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping the IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.258 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.258/0.258/0.258/0.000 ms
Step 3: Initiate an SSH connection from DUT0 to IP address 127.0.0.1 using user testing:
admin@DUT0$ ssh testing@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts. testing@127.0.0.1's password: Welcome to Teldat OSDx v4.2.10.0 This system includes free software. Contact Teldat for licenses information and source code. Last login: Tue May 19 16:47:10 2026 from 127.0.0.1 testing@osdx$
Step 4: Run the command service cnm restart on DUT0 and expect the following output:
Show output
service inactive. doing nothing.
Step 5: Run the command show running on DUT0 and expect the following output:
Show output
# Teldat OSDx VM version v4.2.10.0 # Tue 19 May 2026 16:47:17 +00:00 # Warning: Configuration has not been saved set interfaces ethernet eth0 address 10.215.168.64/24 set service ssh aaa authentication list1 set system aaa authorization privilege-map tacacs 0 role admin set system aaa authorization privilege-map tacacs 15 role monitor set system aaa authorization privilege-map tacacs 3 role operator set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1//u/5oovbjN/j3elGGns7ojo26KebjNNg= set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 6: Run the command show date on DUT0 and expect the following output:
Show output
Tue 19 May 2026 16:47:17 +00:00
Step 7: Initiate an SSH connection from DUT0 to IP address 127.0.0.1 using user tacthree:
admin@DUT0$ ssh tacthree@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts. tacthree@127.0.0.1's password: Welcome to Teldat OSDx v4.2.10.0 This system includes free software. Contact Teldat for licenses information and source code. Last login: Tue May 19 16:47:01 2026 from ::ffff:127.0.0.1 tacthree@osdx$
Step 8: Run the command service cnm restart on DUT0 and expect the following output:
Show output
CLI Error: Insufficient privileges
Step 9: Run the command show running on DUT0 and expect the following output:
Show output
# Teldat OSDx VM version v4.2.10.0 # Tue 19 May 2026 16:47:18 +00:00 # Warning: Configuration has not been saved set interfaces ethernet eth0 address 10.215.168.64/24 set service ssh aaa authentication list1 set system aaa authorization privilege-map tacacs 0 role admin set system aaa authorization privilege-map tacacs 15 role monitor set system aaa authorization privilege-map tacacs 3 role operator set system aaa group tacacs tacgroup1 server serv1 set system aaa list list1 method 1 group tacacs tacgroup1 set system aaa server tacacs serv1 address 10.215.168.1 set system aaa server tacacs serv1 encrypted-key U2FsdGVkX1//u/5oovbjN/j3elGGns7ojo26KebjNNg= set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 10: Run the command show date on DUT0 and expect the following output:
Show output
Tue 19 May 2026 16:47:18 +00:00
Step 11: Initiate an SSH connection from DUT0 to IP address 127.0.0.1 using user testadmin:
admin@DUT0$ ssh testadmin@127.0.0.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts. testadmin@127.0.0.1's password: Welcome to Teldat OSDx v4.2.10.0 This system includes free software. Contact Teldat for licenses information and source code. Last login: Tue May 19 16:47:10 2026 from 127.0.0.1 testadmin@osdx$
Step 12: Run the command service cnm restart on DUT0 and expect the following output:
Show output
CLI Error: Insufficient privileges
Step 13: Run the command show running on DUT0 and expect the following output:
Show output
CLI Error: Insufficient privileges
Step 14: Run the command show date on DUT0 and expect the following output:
Show output
Tue 19 May 2026 16:47:18 +00:00