
Web: Example for Logging In to the CLI Using Telnet (HWTACACS Server Authentication)

By default, Telnet is disabled on the device, so a Telnet login environment must be set up before administrators can use it. This section provides an example of configuring Telnet login to the CLI through the web UI.

Context

Telnet login is not secure: credentials and the whole session are transmitted in cleartext. You are advised to log in to the CLI using STelnet.

Networking Requirements

Figure 1 shows an FW with a local administrator. The administrator has limited permissions and can use Telnet to log in to the CLI only from a PC on the local network for FW management and maintenance. HWTACACS server authentication takes precedence over local authentication: the FW falls back to local authentication only when the HWTACACS server does not respond.

Figure 1 Networking diagram of logging in to the CLI using Telnet

Data Planning

Item                            Data                                     Description
Administrator account/password  vtyadmin/Mydevice@abc                    The account name and password should be easy to remember.
HWTACACS server template        Name: hwtacacs_server                    -
                                HWTACACS server address: 172.16.0.2
                                Password (shared key): Admin@123
Administrator PC IP address     10.3.0.100/255.255.255.0                 -
Role                            service-admin                            service-admin is a user-defined role with permissions only on the Network, Policy, and Object modules.
Trusted host                    10.3.0.0/24                              -
Authentication methods          HWTACACS and local                       -

Configuration Roadmap

  1. Configure the login interface.
  2. Set the IP address for the interface and add the interface to a security zone.
  3. Configure a security policy to permit access from the firewall (Local zone) to the HWTACACS server.
  4. Configure the HWTACACS server template.
  5. Create an administrator role.
  6. Create an administrator. Then set the authentication type, administrator role, and trusted host for the administrator.
  7. Enable the Telnet service.
  8. Set the IP address for the administrator PC. Then use the Telnet client to log in to the VTY.

Procedure

  1. Optional: Configure the login interface.

    If you use the default settings of the management interface to log in to the device, skip this step.

    The default IP address of the management interface is 192.168.0.1, the interface is already in the Trust zone, and administrators are allowed to log in to the device over HTTPS by default, so no further configuration of that interface is needed.

    1. Choose Network > Interface.
    2. Click the edit icon at the right of GE0/0/3 and set the parameters as follows:

      Zone: trust

      Connection Type: Static IP

      IP Address: 10.3.0.1/255.255.255.0

      Management Access: Telnet

    3. Click OK.
  2. Set the IP address for the interface and add the interface to a security zone.
    1. Choose Network > Interface.
    2. Click the edit icon for interface GE0/0/2 and set the parameters as follows:

      Zone: DMZ

      Connection Type: Static IP

      IP Address: 172.16.0.1/255.255.255.0

    3. Click OK.
  3. Configure a security policy to permit access from the firewall (Local zone) to the HWTACACS server.
    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add to add a security policy and set the parameters as follows (the HWTACACS server 172.16.0.2 is the destination of the traffic, as in the configuration script at the end of this page):

      Name: rule1

      Source Zone: local

      Destination Zone: DMZ

      Destination Address/Region: 172.16.0.2

      Action: Allow

  4. Configure the HWTACACS server template.

    1. Choose Object > Authentication Server > HWTACACS.

    2. Click Add.
    3. Set the HWTACACS server parameters according to the data plan: template name hwtacacs_server, server address 172.16.0.2, and shared key Admin@123.

      Parameters set on the FW must be consistent with those set on the HWTACACS server.

    4. Click Test and then OK in the dialog box that is displayed. Enter the account name and password obtained from the HWTACACS server, and click Start Checking to check the connectivity to the HWTACACS server.

      If the connectivity check succeeds, click Cancel.

    5. Click OK.

  5. Optional: Create an administrator role.

    Skip this step if the default administrator role is used.

    In this example, the HWTACACS server is used only for authentication, and a local role authorizes the administrator. To use the HWTACACS authorization mode instead, see CLI: Example for Logging In to the CLI Using STelnet (HWTACACS Authentication and Authorization).

    1. Choose System > Administrator > Administrator Role.

    2. Click Add and set the following parameters:

      Name: service-admin

      Description: policy_object_network_readwrite_and_other_modules_none

      Popedom:
        Policy, Object, and Network: Read-write
        Dashboard, Monitor, and System: None

    3. Click OK.
  6. Create an administrator. Then set the authentication type, administrator role, and trusted host for the administrator.

    1. Choose System > Administrator > Administrator.

    2. Click Add and set the parameters according to the data plan:

      Administrator account/password: vtyadmin/Mydevice@abc

      Authentication methods: HWTACACS (server template hwtacacs_server) first, local only if the server does not respond

      Role: service-admin

      Trusted host: 10.3.0.0/24

      Service: Telnet

      The value of User Name must be the account name obtained from the HWTACACS server.

  7. Enable the Telnet service.
    1. Choose System > Administrator > Service Settings.

    2. Select Enable in Telnet Service.
    3. Click Apply.
  8. Click Save on the upper-right corner and click OK in the dialog box that is displayed.
  9. Set the IP address for the administrator PC. Then use the Telnet client to log in to the VTY interface.
    1. Set the IP address and subnet mask of the administrator PC to 10.3.0.100 and 255.255.255.0.
    2. Run a Telnet client on the PC. Windows is used as an example: choose Start > Run, and in the Run window enter telnet 10.3.0.1 in Open.

    3. Click OK and start to connect to the FW.
    4. On the login page, enter vtyadmin for Username: and press Enter.
    5. Enter Mydevice@abc for Password: and press Enter to log in to the VTY interface.

Configuration Scripts

#
 telnet server enable
#
interface GigabitEthernet0/0/2
 ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
 service-manage enable
 service-manage telnet permit
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
 user privilege level 3
 idle-timeout 5
#
acl number 2001
 rule 5 permit source 10.3.0.0 0.0.0.255
 rule 10 deny
#
aaa
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
#
 manager-user vtyadmin
  password cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@%@
  service-type telnet
  level 15
  acl-number 2001
  authentication-scheme hwtacacs
  hwtacacs-server hwtacacs_server
 #
 bind manager-user vtyadmin role service-admin
role service-admin
  description policy_object_network_readwrite_and_other_modules_none
  dashboard none
  monitor none
  system none
  network read-write
  object read-write
  policy read-write
#
hwtacacs-server template hwtacacs_server
 hwtacacs-server authentication 172.16.0.2 49
 hwtacacs-server authorization 172.16.0.2 49
 hwtacacs-server shared-key cipher %@%@'`Fo,5PRT<%+yu"zhf[18:7W%@%@
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
security-policy
 rule name rule1
  source-zone local
  destination-zone dmz
  destination-address 172.16.0.2 32
  action permit
#
return
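An added audit script, not Huawei's code, that parses the '#'-separated views of the configuration-script format above and flags the management-access settings this page's Context warns about: Telnet enabled instead of STelnet, a VTY not using AAA, or a Telnet administrator whose trusted-host ACL does not end in an explicit deny. The sample configuration is a constructed excerpt of the script above with the ciphered secrets omitted.

```python
"""Audit the management-access settings this page configures in a Huawei-style
firewall script. Added example, not Huawei code; it parses the '#'-separated views."""

# Constructed excerpt of the configuration script above (secrets omitted).
SAMPLE_CONFIG = """\
 telnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
#
acl number 2001
 rule 5 permit source 10.3.0.0 0.0.0.255
 rule 10 deny
#
 manager-user vtyadmin
  service-type telnet
  acl-number 2001
"""

def blocks(cfg):
    """Split the script on '#' separator lines into lists of stripped lines."""
    out, cur = [], []
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "#" and cur:
            out.append(cur)
            cur = []
        elif line and line != "#":
            cur.append(line)
    return out + [cur] if cur else out

def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    secs = blocks(cfg)
    findings = []
    if any("telnet server enable" in b for b in secs):
        findings.append("telnet: cleartext login enabled, prefer STelnet")
    # ACL number -> its rule lines, used for the trusted-host check below
    acls = {b[0].split()[-1]: b[1:] for b in secs if b[0].startswith("acl number ")}
    for b in secs:
        if b[0].startswith("user-interface vty") and "authentication-mode aaa" not in b:
            findings.append(f"{b[0]}: VTY not using AAA authentication")
        if b[0].startswith("manager-user ") and "service-type telnet" in b:
            user = b[0].split()[1]
            acl = next((l.split()[1] for l in b if l.startswith("acl-number ")), None)
            # the trusted-host ACL must exist and end in an explicit deny
            if not any(r.split()[2:3] == ["deny"] for r in acls.get(acl, [])):
                findings.append(f"{user}: no trusted-host ACL ending in deny")
    return findings
```

Running audit() on the full script at the end of this page reports only the Telnet finding, which is exactly the trade-off the Context section describes.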
Copyright © Huawei Technologies Co., Ltd.