This topic is to discuss the following lesson:
Please translate the following sentence:
“Telnet is niet secure dus liever niet gebruiken…”
Hi Valli,
Just removed this, this was a bit of my draft (in Dutch
Rene
I think it is better to create the credentials “user and password” before typing the command login local
, because in case of problems (if you lose control), the equipment will ask you an account that you have not created yet.
Am I wright ?
Hello Hugues
Yes, if you type the command login local
and log out without creating any credentials, then you will not be able to log back in.
Laz
Hi Laz, first I would like to thankyou for your quick response. Just to be specific, I was working on CCNA routing & switching ICND1 100-105, Unit 7 Network Management, subtitle Telnet Server and Client. Here is what I found on packet tracer 7.1:
R2#telnet 192.168.12.1 ?
<0-65535> Port number
<cr>
as you see here I do not have the option to add a source address as explained on the lecture note after the command telnet 192.168.12.1 /source interface…
Hello Mintesinot
I tried it out myself and I confirm your findings. Unfortunately packet tracer does not include the whole list of available commands that exist on a real IOS device. This is one of those cases where it only includes a subset. However, keep in mind that for the specific exams (ICND1, ICND2, CCNA) the commands included in packet tracer are sufficient for your studies. The source interface command that Rene mentions in the lesson is useful to understand the concepts described, but it will not be necessary for the exams themselves.
I hope this has been helpful!
Laz
Difference between tacacs server, radius server and radius /tacacs client.
I am trying to understand the basic difference between tacacs client and tacacs server and radius client and radius server and ISE .
Since TACACS+ is a cisco proprietary, we can only configure centralized server on CISCO ACS or CISCO ISE acting as TACACS server , while a windows 2012 server as centralized RADIUS server? while network access devices such as cisco switches, as either Tacacs clients or Radius clients with source interface vlan on switch that carries the radius or tacacs traffic towards the centralized servers ?
In shared authetnication model - your windows PC or macintosh laptop is a supplicant while your cisco switch is authenticator which authenticates using credentials of local directory on ise or LDAP on microsoft AD server ?
Is authentication done locally at cisco switch with response of Radius server from microsoft AD or tacacs+ CIsco ISE , or is it done all at end devices through secured tunnel ? I am not getting deeper in to authentication protocols like EAP FAST or PEAP. I just want to understand the device roles, as where the authentication process happens in between the three nodes starting with host supplicants, authenticator (network switch) and back end authentication device like ISE or microsft AD LDAP.
Hello Harshi
I just responded to this post here:
I hope this has been helpful!
Laz
Hi dear team!!
On this lesson you said this “If you use telnet, it’s best to use an access-list to restrict what devices are allowed to connect.”
Even though we do this…, an attacker can also try to change his IP to access the server… What else can we do to protect the telnet server and our network?
Hello Vanilson
There are several things you can do to make your Telnet connection even more secure. Other than the access list, you can apply the following:
- Password protection and password policies - Use a password in the console and vty lines and set up your password policy so it only allows three failed attempts before blocking you out for a period of time.
- Use Management Plane Protection (MPP) (take a look at the lesson for more info) to restrict the interfaces via which the device permits packets from protocols such as Telnet.
- Use Control Plane Policing (CoPP) (see lesson) to ensure that the control plane of a device will not get so overwhelmed in a potential attack that Telnet traffic (and any management traffic) will not get processed correctly.
In addition to all of this, if you want to protect your communication session so that intercepted packets cannot be deciphered, it is preferable to use SSH as your management protocol.
I hope this has been helpful!
Laz
Hi Rene,
If we will set vrf mgmt in Switch.
How can I set ACL in line vty?
Hello Eric
If you have VRFs configured on your device, then for you to access the VTY management interface from a particular VRF (other than the default one) you must apply the following command:
Router(config-line)# access-class 1 in vrf-also
By default incoming Telnet/SSH connections from interfaces that are part of a VRF instance are rejected. The vrf-also
keyword must be applied so that incoming connections from interfaces on other VRFs will be accepted.
Starting from IOS XE 16.8.1 VRF awareness has been added to the access class line feature using the vrfname
keyword. Specifically, you can do the following:
Device(config)# line vty 0 4
Device(config-line)# ipv6 access-class acl-name in vrfname vfrA
Note that you cannot use both VRF awareness and vrf-also
on the same VTY line, as they are mutually exclusive commands.
More information about VRF awareness can be found at this Cisco documentation:
I hope this has been helpful!
Laz