Wired Intelligent Edge

 View Only
last person joined: yesterday 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Expand all | Collapse all

Aruba 2930F... Need To Disable Telnet

This thread has been viewed 28 times
  • 1.  Aruba 2930F... Need To Disable Telnet

    Posted May 24, 2023 04:48 PM

    I've been told by a security auditor that I need to disable Telnet on a 2930F switch. Well, pooey on them, because it's enabled on TWO switches! Port scan shows 22,23, and 80 all open.

    The problem is, I can't even find out where it's enabled, let alone disabled. There are no indications either way, and the 'Telnet Server Enable' command isn't in the config files.. These are managed by Aruba Central, and a Telnet session is active for 'SuperUser' on the switches... but I can't find anything there to try disabling it, either. Most commands I try are met with an 'Incorrect Command' or 'Syntax not Recognized' type response. Any ideas?



  • 2.  RE: Aruba 2930F... Need To Disable Telnet

    MVP EXPERT
    Posted May 24, 2023 05:04 PM

    The command to disable Telnet is as follows

    Switch(config)# no telnet-server



    ------------------------------
    Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 3.  RE: Aruba 2930F... Need To Disable Telnet

    Posted May 24, 2023 05:11 PM

    Didn't think it would be THAT easy, did you?

    Aruba Switch (config)# no telnet-server
    Invalid input: telnet-server
    Aruba Switch (config)# no telnet server
    Invalid input: telnet
    Aruba Switch (config)# telnet server ?
     enable      Enable the telnet server on the switch




  • 4.  RE: Aruba 2930F... Need To Disable Telnet

    MVP EXPERT
    Posted May 24, 2023 05:18 PM
    Check my config and 100% sure it should be "no telnet-server" on a 2930F switch. Tested on firmware wc.16.09.0007.

    What is your switch partnumber and firmware version?

    Verzonden vanuit Outlook voor iOS





  • 5.  RE: Aruba 2930F... Need To Disable Telnet

    Posted May 24, 2023 05:23 PM

    Hence my confusion! ;)

    JL261A Aruba 2930F 24-port PoE switch
    Firmware wc.16.10.0020




  • 6.  RE: Aruba 2930F... Need To Disable Telnet

    MVP EXPERT
    Posted May 24, 2023 05:36 PM

    That is a strange situation because its documented in de 16.10 guides.

    Note that 16.10.0020 is more than a year old and I would recommend to upgrade to 16.10.0024 April 2023 (even for security fixes).

    If update firmware is not the solution I would recommend to open a Aruba TAC case for this.

    https://techhub.hpe.com/eginfolib/Aruba/16.10/5200-6768/index.html#Reconfigure_inbound_telnet_access.html






  • 7.  RE: Aruba 2930F... Need To Disable Telnet

    MVP GURU
    Posted May 24, 2023 05:30 PM





  • 8.  RE: Aruba 2930F... Need To Disable Telnet

    Posted May 24, 2023 05:35 PM

    I am in full agreement... But what I entered above are the errors I'm getting.




  • 9.  RE: Aruba 2930F... Need To Disable Telnet

    MVP EXPERT
    Posted May 24, 2023 05:41 PM

    Maybe try this from this cli "menu".

     

    Telnet access may be disabled by the Inbound Telnet Enabled parameter in the System Information screen of the menu interface: 2. Switch Configuration 1. System Information






  • 10.  RE: Aruba 2930F... Need To Disable Telnet

    Posted May 24, 2023 05:54 PM

    Yeah, my Google-fu brought that one up as well, and I am just as confused as to where they're referring to. Couldn't find anything like 'System Information' at all. But that did get me thinking... So I went in and used the 'Old' GUI. There wasn't anything there, but I'd noticed the 'Step-by-Step' setup guide earlier. I put that into 'Advanced' mode and there they were! Checkboxes for the various access options!

    So, I unchecked 'Telnet' and clicked the Save button... Then exited that menu. Then went back in... and the change refuses to save... I think I'll try again tomorrow, before I force the update through with a baseball bat! LOL... The switch is mission critical, so I won't be able to update the firmware for a bit. Might just take it up to 16.11...




  • 11.  RE: Aruba 2930F... Need To Disable Telnet
    Best Answer

    MVP EXPERT
    Posted May 24, 2023 06:10 PM

    From the 16.11.0011 release notes

     

    16.11.0007 KB To provide a secured management connection to the switch, the following improvements are made:

    Disabled TELNET on default configuration (no telnetserver).

    Disabled HTTP on default configuration (no webmanagement).

    Enabled HTTPS on default configuration (webmanagement ssl) using the installed self-signed certificate.

    Switch will redirect all HTTP request (including REST) to HTTPS, when HTTP is disabled and HTTPS is enabled

     

    Strange "improvement" but ok, maybe we hit here something.






  • 12.  RE: Aruba 2930F... Need To Disable Telnet

    Posted May 25, 2023 03:22 AM

    Hi,

    I guess what has been overseen is the information about: "Aruba Central Managed".

    If the switch is managed by central you cannot do changes anymore locally, unless switching to the support-mode

    (CLI-command: aruba-central support-mode enable)

    If you do so - you will be able to disable telnet utilizing the above mentioned cli-commands; do switch off the support-mode afterwards.

    Indeed, it seems, it's not possible to disable telnet via Central GUI-mode. Pls. open a TAC-case to get this function added in Central.

    Hope that Central will not show a config-conflict when you add the "no telnet-server" this way and it will stay in the config.....

    /Jochem




  • 13.  RE: Aruba 2930F... Need To Disable Telnet

    Posted May 25, 2023 10:11 AM

    Didn't try Support Mode, but the commands were declined when I tried to issue them through Central as well. If @mkk has those release notes right, that solution might 'just work'. Will just be a little while before I have a maintenance window open to reboot the switches.