03-Controlling Login Users
Table of Contents
Controlling Telnet Users by SSIDs
Controlling Telnet Users by Source IP Addresses
Controlling Telnet Users by Source and Destination IP Addresses
Controlling Telnet Users by Source MAC Addresses
Controlling Network Management Users by Source IP Addresses
Controlling Network Management Users by Source IP Addresses
Controlling Web Users by Source IP Addresses
Controlling Web Users by Source IP Addresses
- The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
- Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For more information, see Feature Matrix.
- The interface types and the number of interfaces vary by AP model.
- The term AP in this document refers to common APs, wireless bridges, and mesh APs.
This chapter includes these sections:
- Controlling Network Management Users by Source IP Addresses
- Controlling Web Users by Source IP Addresses
Introduction
Multiple ways are available for controlling different types of login users, as listed in Table 1-1.
Table 1-1 Ways to control different types of login users
Login mode | Control method | Implementation | Related section |
---|---|---|---|
Telnet | By SSIDs | Through WLAN ACLs | |
Telnet | By source IP addresses | Through basic ACLs | |
Telnet | By source and destination IP addresses | Through advanced ACLs | Controlling Telnet Users by Source and Destination IP Addresses |
Telnet | By source MAC addresses | Through Layer 2 ACLs | |
SNMP | By source IP addresses | Through basic ACLs | |
Controlling Telnet Users
Prerequisites
The source and destination IP addresses to be controlled and the controlling actions (permit or deny) are determined.
Controlling Telnet Users by SSIDs
This configuration needs to reference WLAN ACLs, the numbers of which range from 100 to 199. For more information about ACLs, see ACL in the ACL and QoS Configuration Guide.
Follow these steps to control Telnet users by WLAN ACLs:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Create a WLAN ACL or enter WLAN ACL view | acl number acl-number | Required. For this command, the config keyword is specified by default. |
Define rules for the ACL | rule [ rule-id ] { permit \| deny } [ ssid ssid-name ] | Required |
Return to system view | quit | — |
Enter user interface view | user-interface { first-num1 [ last-num1 ] \| { console \| vty } first-num2 [ last-num2 ] } | — |
Apply the ACL to control Telnet users by SSIDs | acl acl-number inbound | Required. The inbound keyword filters users trying to Telnet to the current access point. |
Controlling Telnet Users by Source IP Addresses
This configuration needs to be implemented by basic ACL; a basic ACL ranges from 2000 to 2999. For more information about ACLs, see ACL in the ACL and QoS Configuration Guide.
Follow these steps to control Telnet users by source IP addresses:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Create a basic ACL or enter basic ACL view | acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto \| config } ] | For the acl number command, the config keyword is specified by default. |
Define rules for the ACL | rule [ rule-id ] { deny \| permit } [ fragment \| logging \| source { sour-addr sour-wildcard \| any } \| time-range time-range-name ] * | Required |
Return to system view | quit | — |
Enter user interface view | user-interface { first-num1 [ last-num1 ] \| { console \| vty } first-num2 [ last-num2 ] } | — |
Apply the ACL to control Telnet users by source IP addresses | acl [ ipv6 ] acl-number { inbound \| outbound } | Required. The inbound keyword filters users trying to Telnet to the current access point. The outbound keyword filters users trying to Telnet to other switches from the current access point. |
Controlling Telnet Users by Source and Destination IP Addresses
This configuration needs to be implemented by advanced ACL; an advanced ACL ranges from 3000 to 3999. For more information about ACLs, see ACL in the ACL and QoS Configuration Guide.
Follow these steps to control Telnet users by source and destination IP addresses:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Create an advanced ACL or enter advanced ACL view | acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto \| config } ] | For the acl number command, the config keyword is specified by default. |
Define rules for the ACL | rule [ rule-id ] { permit \| deny } rule-string | Required. You can define rules as needed to filter by specific source and destination IP addresses. |
Quit to system view | quit | — |
Enter user interface view | user-interface { first-num1 [ last-num1 ] \| { console \| vty } first-num2 [ last-num2 ] } | — |
Apply the ACL to control Telnet users by specified source and destination IP addresses | acl [ ipv6 ] acl-number { inbound \| outbound } | Required. The inbound keyword filters users trying to Telnet to the current access point. The outbound keyword filters users trying to Telnet to other switches from the current access point. |
Controlling Telnet Users by Source MAC Addresses
This configuration needs to be implemented by Layer 2 ACL; a Layer 2 ACL ranges from 4000 to 4999. For more information about ACLs, see ACL in the ACL and QoS Configuration Guide.
Follow these steps to control Telnet users by source MAC addresses:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Create a Layer 2 ACL or enter Layer 2 ACL view | acl number acl-number [ name acl-name ] [ match-order { auto \| config } ] | For the acl number command, the config keyword is specified by default. |
Define rules for the ACL | rule [ rule-id ] { permit \| deny } rule-string | Required. You can define rules as needed to filter by specific source MAC addresses. |
Quit to system view | quit | — |
Enter user interface view | user-interface { first-num1 [ last-num1 ] \| { console \| vty } first-num2 [ last-num2 ] } | — |
Apply the ACL to control Telnet users by source MAC addresses | acl acl-number inbound | Required. The inbound keyword filters users trying to Telnet to the current access point. |
A Layer 2 ACL does not take effect for this function if the source IP address of the Telnet client and the interface IP address of the Telnet server are not in the same subnet.
Configuration Example
Network requirements
Only the Telnet users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 are permitted to log in to the AP.
Figure 1-1 Network diagram for controlling Telnet users using ACLs
Configuration procedure
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny source any
[Sysname-acl-basic-2000] quit
# Apply the ACL to only permit Telnet users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the AP.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
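To check which sources a basic ACL such as ACL 2000 above admits before applying it to the VTY lines, the rules can be evaluated offline. The following is an added example, not H3C code: it assumes that match-order config compares rules in ascending rule ID, and it goes slightly beyond the example above by also handling a subnet wildcard (`ACL_SUBNET` is a constructed ACL). When no rule matches it reports that rather than assuming what the device does.

```python
import ipaddress

def parse_rule(line):
    """Parse 'rule <id> {permit|deny} source {<addr> <wildcard> | any}'."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "rule" or tok[2] not in ("permit", "deny") or tok[3] != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    if tok[4] == "any":
        return int(tok[1]), tok[2], 0, 0xFFFFFFFF
    if len(tok) < 6:
        raise ValueError(f"missing wildcard: {line!r}")
    # A wildcard of '0' is shorthand for 0.0.0.0, i.e. match this one host.
    wild = 0 if tok[5] == "0" else int(ipaddress.IPv4Address(tok[5]))
    return int(tok[1]), tok[2], int(ipaddress.IPv4Address(tok[4])), wild

def evaluate(rules, src):
    """Assumed match-order config semantics: ascending rule ID, first match decides.
    Returns (action, rule_id), or (None, None) when no rule matches."""
    ip = int(ipaddress.IPv4Address(src))
    for rule_id, action, addr, wild in sorted(rules):
        care = ~wild & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
        if (ip & care) == (addr & care):
            return action, rule_id
    return None, None

# ACL 2000 exactly as configured on this page
ACL_2000 = [parse_rule(r) for r in (
    "rule 1 permit source 10.110.100.52 0",
    "rule 2 permit source 10.110.100.46 0",
    "rule 3 deny source any",
)]
# Constructed variant: a subnet wildcard and no closing deny rule
ACL_SUBNET = [parse_rule("rule 5 permit source 10.110.100.0 0.0.0.255")]

if __name__ == "__main__":
    for src in ("10.110.100.52", "10.110.100.46", "10.110.100.53", "192.0.2.10"):
        print(src, evaluate(ACL_2000, src), evaluate(ACL_SUBNET, src))
```

A `(None, None)` result marks a source that no rule covers, which is the case to resolve with an explicit closing rule such as rule 3 above.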
Controlling Network Management Users by Source IP Addresses
You can manage a WA series WLAN access point through network management software. Network management users can access APs through SNMP.
Perform the following two operations to control network management users by source IP addresses.
- Defining an ACL
- Applying the ACL to control users accessing the access point through SNMP
Prerequisites
The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
Controlling Network Management Users by Source IP Addresses
This configuration needs to be implemented by basic ACLs; a basic ACL ranges from 2000 to 2999. For more information about ACLs, see ACL in the ACL and QoS Configuration Guide.
Follow these steps to control network management users by source IP addresses:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Create a basic ACL or enter basic ACL view | acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto \| config } ] | For the acl number command, the config keyword is specified by default. |
Define rules for the ACL | rule [ rule-id ] { deny \| permit } [ fragment \| logging \| source { sour-addr sour-wildcard \| any } \| time-range time-range-name ] * | Required |
Quit to system view | quit | — |
Apply the ACL while configuring the SNMP community name | snmp-agent community { read \| write } community-name [ acl acl-number \| mib-view view-name ]* | Required. Depending on the SNMP version and how NMS users are configured, you can reference an ACL when configuring the community name, group name, or username. For the detailed configuration, see SNMP in the Network Management and Monitoring Configuration Guide. |
Apply the ACL while configuring the SNMP group name | snmp-agent group { v1 \| v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | |
 | snmp-agent group v3 group-name [ authentication \| privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | |
Apply the ACL while configuring the SNMP user name | snmp-agent usm-user { v1 \| v2c } user-name group-name [ acl acl-number ] | |
 | snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 \| sha } auth-password [ privacy-mode { aes128 \| des56 \| 3des } priv-password ] ] [ acl acl-number ] | |
Configuration Example
Network requirements
Only SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 are permitted to access the AP.
Figure 1-2 Network diagram for controlling SNMP users using ACLs
Configuration procedure
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny source any
[Sysname-acl-basic-2000] quit
# Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the AP.
[Sysname] snmp-agent community read h3c acl 2000
[Sysname] snmp-agent group v2c h3cgroup acl 2000
[Sysname] snmp-agent usm-user v2c h3cuser h3cgroup acl 2000
Controlling Web Users by Source IP Addresses
The WA series WLAN access points support Web-based remote management, which allows Web users to access the access points using the HTTP protocol. By referencing access control lists (ACLs), you can control the access of Web users to the access points.
Prerequisites
The control policies to be implemented on Web users are decided, including the source IP addresses to be controlled and the control action, that is, whether to allow or deny the access.
Controlling Web Users by Source IP Addresses
This configuration needs to be implemented by basic ACLs; a basic ACL ranges from 2000 to 2999. For more information about ACLs, see ACL in the ACL and QoS Configuration Guide.
Follow these steps to configure controlling Web users by source IP addresses:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Create a basic ACL or enter basic ACL view | acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto \| config } ] | Required. The config keyword is specified by default. |
Define rules for the ACL | rule [ rule-id ] { deny \| permit } [ fragment \| logging \| source { sour-addr sour-wildcard \| any } \| time-range time-range-name ] * | Required |
Quit to system view | quit | — |
Reference the ACL to control Web users | ip http acl acl-number | Required |
Logging off Online Web Users
Perform the following operation to log off online Web users:
To do… | Use the command… | Remarks |
---|---|---|
Log off online Web users | free web-users { all \| user-id user-id \| user-name user-name } | Required. Use this command in user view. |
Configuration Example
Network requirements
Configure a basic ACL to allow only Web users that use IP address 10.110.100.52 to access the AP.
Figure 1-3 Configure an ACL to control the access of HTTP users to the AP
Configuration procedure
# Create a basic ACL.
<Sysname> system-view
[Sysname] acl number 2030 match-order config
[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2030] quit
# Reference the ACL to allow only Web users using IP address 10.110.100.52 to access the AP.
[Sysname] ip http acl 2030
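The three procedures in this chapter bind an ACL in different places: under the VTY user interface for Telnet, on each snmp-agent community, group, or user line for SNMP, and with ip http acl for Web access. The following added example (not H3C code) audits a configuration text for bindings that are missing, point at an undefined ACL, or use a number outside the range this chapter gives for that service. It assumes a saved-configuration layout in which sub-view lines are indented; the sample text and the community name `example-rw` are constructed.

```python
import re

BASIC = [range(2000, 3000)]                      # SNMP and Web control use basic ACLs
TELNET = [range(100, 200), range(2000, 5000)]    # WLAN, basic, advanced, Layer 2

def audit(config_text):
    """List management-plane bindings that lack a usable ACL reference."""
    defined, refs, vty = set(), [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():
            vty = None                           # unindented line: left the previous view
        if m := re.match(r"acl (?:ipv6 )?number (\d+)", line):
            defined.add(int(m.group(1)))
        elif line.startswith("user-interface vty"):
            refs.append(vty := [line, None, TELNET])
        elif vty and (m := re.fullmatch(r"acl (?:ipv6 )?(\d+) inbound", line)):
            vty[1] = int(m.group(1))
        elif re.match(r"snmp-agent (community|group|usm-user) ", line):
            m = re.search(r" acl (\d+)", line)
            refs.append([line, int(m.group(1)) if m else None, BASIC])
        elif m := re.fullmatch(r"ip http acl (\d+)", line):
            refs.append([line, int(m.group(1)), BASIC])
    findings = []
    for where, num, allowed in refs:
        if num is None:
            findings.append(f"{where}: no ACL applied")
        elif num not in defined:
            findings.append(f"{where}: ACL {num} is not defined")
        elif not any(num in r for r in allowed):
            findings.append(f"{where}: ACL {num} is outside the range for this service")
    return findings

# Constructed sample; sub-view lines are indented by one space (assumed layout)
SAMPLE = """\
acl number 2000
acl number 3000
user-interface vty 0 4
 acl 2000 inbound
snmp-agent community read h3c acl 2000
snmp-agent community write example-rw
snmp-agent group v2c h3cgroup acl 3000
ip http acl 2030
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```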