
Web: Example for Logging in to the CLI Using Telnet (Local Authentication)

By default, Telnet is disabled on the device, so you must set up a Telnet login environment before logging in. This section provides an example of configuring Telnet login to the CLI.

Context

Telnet login is not secure. You are advised to log in to the CLI using STelnet.

Networking Requirements

Figure 1 shows that the FW has a local administrator. The local administrator has some administrator permissions and can use Telnet to log in to the CLI only from a local PC for FW management and maintenance. The FW implements local authentication on administrators.

Figure 1 Networking diagram of logging in to the CLI using Telnet

Data Planning

| Item | Data | Description |
| --- | --- | --- |
| Administrator account/password | vtyadmin/Mydevice@abc | The account name and password should be easy to remember. |
| IP address of the administrator's PC | 10.3.0.100/24 | - |
| Role | service-admin | service-admin is a user-defined role and has permissions only on the network, policy, and object. |
| Trusted host | 10.3.0.0/24 | - |
| Authentication type | Local authentication | - |

Configuration Roadmap

  1. Configure the login interface.
  2. Create an administrator role.
  3. Create an administrator. Then set the authentication type, administrator role, and trusted host for the administrator.
  4. Enable the Telnet service.
  5. Configure the IP address of the administrator PC and use the Telnet software to log in to the VTY interface.

Procedure

  1. Optional: Enable the HTTPS server on interface GigabitEthernet 0/0/3.

    If you use the default settings of the management interface to log in to the device, skip this step. By default, the IP address of the management interface is set to 192.168.0.1, the interface is added to the Trust zone, and the administrator is allowed to log in to the device using HTTPS.

    1. Choose Network > Interface.
    2. Click for interface GE0/0/3 and set parameters as listed in the following table.

      | Parameter | Value |
      | --- | --- |
      | Zone | trust |
      | Connection Type | Static IP |
      | IP Address | 10.3.0.1/255.255.255.0 |
      | Management Access | Telnet |

    3. Click OK.
  2. Optional: Create an administrator role for administrator B.

    Ignore this step if the default administrator role is used.

    1. Choose System > Administrator > Administrator Role.

    2. Click Add and set parameters as listed in the following table.

      | Parameter | Value |
      | --- | --- |
      | Name | service-admin |
      | Description | policy_object_network_readwrite_and_other_modules_none |
      | Popedom: Policy, Object, Network | Read-write |
      | Popedom: Dashboard, Monitor, System | None |

    3. Click OK.
  3. Create an administrator. Then set the authentication type, administrator role, and trusted host for the administrator.

    1. Choose System > Administrator > Administrator.

    2. Click Add and set the parameters as follows:

  4. Enable the Telnet service.
    1. Choose System > Administrator > Service Settings.

    2. Select Enable next to Telnet Service.
    3. Click Apply.
  5. In the upper right of the page, click Save. Then click OK in the dialog box that is displayed.
  6. Configure the local administrator PC as follows:
    1. Set the IP address and subnet mask of the administrator PC to 10.3.0.100 and 255.255.255.0.
    2. Run the Telnet software on the PC. Windows OS is used as an example. Choose Start > Run. The Run window is displayed. Enter telnet 10.3.0.1 in Open.

    3. Click OK and start to connect to the FW.
    4. On the login page, enter vtyadmin for Username: and press Enter.
    5. Enter Mydevice@abc for Password: and press Enter to log in to the VTY interface.

Configuration Scripts

#                                                                               
 telnet server enable
#
interface GigabitEthernet0/0/3                                                  
 ip address 10.3.0.1 255.255.255.0                                           
 service-manage enable
 service-manage telnet permit                                                    
#
user-interface vty 0 4 
 authentication-mode aaa
 protocol inbound telnet
 user privilege level 3
 idle-timeout 5
#                                                                               
acl number 2001                                                                 
 rule 5 permit source 10.3.0.0 0.0.0.255
 rule 10 deny                                        
#
aaa
 authentication-scheme admin_local
#
 manager-user vtyadmin                                                          
  password cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@%@           
  service-type telnet                                                             
  level 15
  acl-number 2001                                                                      
  authentication-scheme  admin_local
#
 bind manager-user vtyadmin role service-admin
role service-admin                                                              
  description policy_object_network_readwrite_and_other_modules_none
  dashboard none
  monitor none
  system none
  network read-write 
  object read-write
  policy read-write
# 
firewall zone trust 
 set priority 85 
 add interface GigabitEthernet0/0/3
#                                                                              
return
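
Because Telnet login is not secure, it helps to be able to find every place a saved configuration enables it and which source networks each Telnet administrator is restricted to. The following audit is an added example, not Huawei code: the names `audit_telnet`, `wildcard_net`, `SAMPLE` and `EXPOSES` are hypothetical, and it only understands ACL rules of the form `rule N permit source <address> <wildcard>` as used in the script above.

```python
import ipaddress
import re

# Constructed input: the Telnet-related lines of the configuration script on this page.
SAMPLE = """\
 telnet server enable
#
interface GigabitEthernet0/0/3
 service-manage telnet permit
#
user-interface vty 0 4
 protocol inbound telnet
#
acl number 2001
 rule 5 permit source 10.3.0.0 0.0.0.255
 rule 10 deny
#
aaa
 manager-user vtyadmin
  service-type telnet
  acl-number 2001
"""
EXPOSES = ("telnet server enable", "service-manage telnet permit", "protocol inbound telnet")
HEAD = re.compile(r"(interface|user-interface|acl number|manager-user)\s+(.+)")
PERMIT = re.compile(r"rule \d+ permit source (\S+) (\S+)")

def wildcard_net(addr, wildcard):
    """Convert an ACL address and wildcard (inverted netmask) to CIDR text."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

def audit_telnet(config):
    """Return (findings, {telnet_user: [permitted source networks]})."""
    findings, acls, user_acl, telnet_users = [], {}, {}, []
    kind = name = ""
    for line in map(str.strip, config.splitlines()):
        head, rule = HEAD.fullmatch(line), PERMIT.fullmatch(line)
        if line == "#" or head:  # "#" ends a view, a header line opens one
            kind, name = head.groups() if head else ("", "")
        elif line in EXPOSES:  # a command that turns Telnet on somewhere
            findings.append((f"{kind} {name}".strip() or "global", line))
        elif kind == "manager-user" and re.fullmatch(r"service-type .*\btelnet\b.*", line):
            telnet_users.append(name)
        elif kind == "manager-user" and line.startswith("acl-number "):
            user_acl[name] = line.split()[1]
        elif kind == "acl number" and rule:
            acls.setdefault(name, []).append(wildcard_net(*rule.groups()))
    sources = {u: acls.get(user_acl.get(u), []) for u in telnet_users}
    findings += [(f"manager-user {u}", "no source ACL") for u, n in sources.items() if not n]
    return findings, sources
```

`audit_telnet(SAMPLE)` returns three exposure findings (global, interface and VTY) and maps `vtyadmin` to `10.3.0.0/24`, the trusted host from the data planning table; a Telnet administrator with no bound ACL is reported as an extra finding.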
Copyright © Huawei Technologies Co., Ltd.