CLI方式：通过Telnet登录设备典型配置

使用版本

本举例是在T5030的R9900版本版本上进行配置和验证的。

组网需求

如下图所示，要求仅允许使用IP地址为为192.168.0.46/24和192.168.0.52/24的主机以Telnet方式登录设备，且在登录时必须进行基于用户名和密码的身份验证。这两个主机在相同的认证方式下使用两个不同的用户名登录设备时，具有两种不同的权限，分别为管理权限和可执行所有特性中读类型的命令权限。

图-1 通过Telnet登录设备组网图

配置思路

缺省情况下，设备的Telnet服务器处于关闭状态，需要通过Console口登录后开启设备的Telnet服务功能。

可以通过ACL来限制IP地址为192.168.0.58的主机不能以Telnet方式登录设备。

缺省情况下，本地用户的角色为network-operator。因此，对于用户权限仅为允许执行所有特性中读类型的命令，需要重新创建一个具有此权限的角色。

配置步骤

# 通过Console口登录设备，进入系统视图，开启Telnet服务。

<Sysname> system-view

[Sysname] telnet server enable

# 设置通过VTY用户线登录设备使用AAA的认证方式。

[Sysname] line vty 0 63

[Sysname-line-vty0-63] authentication-mode scheme

[Sysname-line-vty0-63] quit

# 创建本地用户userA，授权其用户角色为network-admin，为其配置密码，删除默认角色。

[Sysname] local-user userA class manage

New local user added.

[Sysname-luser-manage-userA] authorization-attribute user-role network-admin

[Sysname-luser-manage-userA] service-type telnet

[Sysname-luser-manage-userA] password simple User1@1234

[Sysname-luser-manage-userA] undo authorization-attribute user-role network-operator

[Sysname-luser-manage-userA] quit

# 创建用户角色roleB，权限为允许执行所有特性中读类型的命令。

[Sysname] role name roleB

[Sysname-role-roleB] rule 1 permit read feature

[Sysname-role-roleB] quit

# 创建本地用户userB，为其配置密码，授权其用户角色为roleB，删除默认角色。

[Sysname] local-user userB class manage

New local user added.

[Sysname-luser-manage-userB] authorization-attribute user-role roleB

[Sysname-luser-manage-userB] service-type telnet

[Sysname-luser-manage-userB] password simple User2@1234

[Sysname-luser-manage-userB] undo authorization-attribute user-role network-operator

[Sysname-luser-manage-userB] quit

# 创建ACL视图，定义规则，仅允许来自192.168.0.46和192.168.0.52的用户访问设备。

[Sysname] acl basic 2000

[Sysname-acl-ipv4-basic-2000] rule 1 permit source 192.168.0.46 0

[Sysname-acl-ipv4-basic-2000] rule 2 permit source 192.168.0.52 0

[Sysname-acl-ipv4-basic-2000] rule 3 deny source any

[Sysname-acl-ipv4-basic-2000] quit

# 引用访问控制列表2000，通过源IP对Telnet用户进行控制。

[Sysname] telnet server acl 2000

验证配置

配置完成后，各用户的权限为：

• 当用户使用userA作为用户名以Telnet方式登录设备时，具有对设备进行管理和配置的权限。

  login: userA

  Password:

  ******************************************************************************

  * Copyright (c) 2004-2022 New H3C Technologies Co., Ltd. All rights reserved.*

  * Without the owner's prior written consent, *

  * no decompiling or reverse-engineering shall be allowed. *

  ******************************************************************************

  <Sysname> ?

  User view commands:

  archer FPGA : archer

  archive Archive configuration

  backup Backup operation

  blade Blade module

  boot-loader Software image file management

  bootrom Update/read/backup/restore bootrom

  bootrom-access Bootrom access control

  cd Change current directory

  check Integrity check

  clock Specify the system clock

  copy Copy a file

  debugging Enable system debugging functions

  debugging-auto-off Automatically turn off all debugging

  delete Delete a file

  diagnostic Generic OnLine Diagnostics (GOLD) module

  diagnostic-logfile Diagnostic log file configuration

  dialer Specify Dial-on-Demand Routing(DDR) configuration

  information

  dir Display files and directories on the storage media

  display Display current system information

  erase Alias for 'delete'

  exception Exception information configuration

  exit Alias for 'quit'

  ---- More ----

• 当用户使用userB作为用户名以Telnet方式登录到设备上时，则只允许执行所有特性中读类型的命令。

  login: userB

  Password:

  ******************************************************************************

  * Copyright (c) 2004-2022 New H3C Technologies Co., Ltd. All rights reserved.*

  * Without the owner's prior written consent, *

  * no decompiling or reverse-engineering shall be allowed. *

  ******************************************************************************

  <Sysname> ?

  User view commands:

  archer FPGA : archer

  archive Archive configuration

  backup Backup operation

  blade Blade module

  boot-loader Software image file management

  bootrom Update/read/backup/restore bootrom

  bootrom-access Bootrom access control

  cd Change current directory

  check Integrity check

  clock Specify the system clock

  copy Copy a file

  debugging Enable system debugging functions

  debugging-auto-off Automatically turn off all debugging

  delete Delete a file

  diagnostic Generic OnLine Diagnostics (GOLD) module

  diagnostic-logfile Diagnostic log file configuration

  dialer Specify Dial-on-Demand Routing(DDR) configuration

  information

  dir Display files and directories on the storage media

  display Display current system information

  erase Alias for 'delete'

  exception Exception information configuration

  exit Alias for 'quit'

  ---- More ----

  <Sysname>

• Host C无法通过Telnet登录设备。

配置文件

#

telnet server enable

telnet server acl 2000

#

acl basic 2000

rule 1 permit source 192.168.0.46 0

rule 2 permit source 192.168.0.52 0

rule 3 deny

#

line vty 0 63

authentication-mode scheme

user-role network-operator

#

local-user userA class manage

password hash $h$6$3BcJwbpD4nbb4Pjd$fCTiXzLkjWHY0IsLI9E+1fV+WH4jEuu2Lf7Qa2Yog4/

1Z/ecgSXpecjuKxx4/hdRb92G+AZUTJK/AQJAmYVzKA==

service-type telnet

authorization-attribute user-role network-admin

#

local-user userB class manage

password hash $h$6$yvsoiG/zeU07hJ7u$31A5lXblIT86GEpK9wRfw2bJ38QHm+es6VEm4op/KYf

v1jGquN5te31wV0xQ1IZHL6Zv6/v6DcvMf2bp74gHNw==

service-type telnet

authorization-attribute user-role roleB

#

role name roleB

rule 1 permit read feature

#