00-S12500_Login_Authentication_Configuration_Examples

Introduction

This document provides authentication configuration examples for console and Telnet logins.

The H3C S12500 switch supports the following login authentication modes:

·     None—Disables authentication. This mode allows access without authentication and is insecure.

·     Password—Requires a password for login authentication.

·     Scheme—Requires a username and password for login authentication.

To log in to the switch, you can use the methods shown in Table 1.

Table 1 Login methods at a glance

Login method

Default settings and minimum configuration requirements

Console, AUX

By default, login through the console port is enabled and no username or password is required. After login, configure password or scheme authentication mode to improve device security.

By default, login through the AUX port is enabled and requires a password, but no password is configured. To use the AUX port for login, log in through any other method and complete the following configuration tasks:

·     Configure a password for password authentication, or change the authentication mode and configure parameters for the new authentication mode.

·     Assign a user role (network-operator by default).

Telnet

By default, Telnet login is disabled.

To log in through Telnet, complete the following configuration tasks:

·     Enable the Telnet server function.

·     Assign an IP address to a Layer 3 interface. Make sure the interface and the Telnet client can reach each other.

·     Configure an authentication mode for VTY login users. By default, password authentication is used but no password is configured.

·     Assign a user role to VTY login users (network-operator by default).

SSH

By default, SSH login is disabled.

To log in through SSH, complete the following configuration tasks:

·     Enable the SSH server function and configure SSH attributes.

·     Assign an IP address to a Layer 3 interface. Make sure the interface and the SSH client can reach each other.

·     Configure scheme authentication for VTY users (password authentication by default).

·     Assign a user role to VTY login users (network-operator by default).

For SSH configuration examples, see H3C S12500 SSH Configuration Examples.

Prerequisites

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of login authentication.

Example: Configuring password authentication for console users

Network requirements

Configure password authentication for console users on the switch in Figure 1. Require console users to provide the password test at login.

Figure 1 Network diagram

Requirements analysis

To require a console user to provide a password at login, configure password authentication for the console user interface on the switch.

You do not need to change the user role setting for a console user when password authentication is used. The user role depends on the user role setting for the console user interface and is network-admin by default.

Software version used

This configuration example was created and verified on S12500-CMW710-R7129.

Configuration procedures

# Enable password authentication for the console user interface, and set the password to test.

<Switch1> system-view

[Switch1] user-interface console 0

[Switch1-ui-console0] authentication-mode password

[Switch1-ui-console0] set authentication password simple test

[Switch1-ui-console0] quit

Verifying the configuration

# Log in to the switch through the console port. Verify that the system displays a prompt for the console login password.

******************************************************************************

* Copyright (c) 2004-2013 Hewlett-Packard Development Company, L.P.            *

* Without the owner's prior written consent,                                        *

* no decompiling or reverse-engineering shall be allowed.                        *

******************************************************************************

 

User interface con0 is available.

 

 

Press ENTER to get started.

 

Password:

# Enter the correct password to verify that you can access the CLI.

<Switch1> system-view

System View: return to User View with Ctrl+Z.

[Switch1]

Configuration files

#

user-interface con 0

 authentication-mode password

 user-role network-admin

 set authentication password hash $h$6$4PKgIe09Fnyq3ZGB$Gjw9CActpVa5IJm9oGEgMBxtopkZkEYv7CriP31oqNJOpAyBPwxIvOds+7XcJ5aGz2xaO77H3CsaSMpRzKenq0Q==

#

Example: Configuring local scheme authentication for console users

Network requirements

Configure local scheme authentication for console users on the switch in Figure 2. Require console users to provide the username test and password test at login.

Figure 2 Network diagram

Requirements analysis

To meet the network requirements, perform the following tasks:

·     To require a console user to provide a username and password at login, configure scheme authentication for the console user interface.

·     Because local authentication is the default authentication method for login users, you only need to configure a local user on the switch.

·     To allow the local user to log in to the switch, authorize the local user to use the terminal service.

·     To allow the local user to use all commands, assign the user role network-admin to the local user. The user role of a login user depends on the user role setting for the local user. It is network-operator by default when local scheme authentication is used.

Software version used

This configuration example was created and verified on S12500-CMW710-R7129.

Configuration procedures

# Enable scheme authentication for the console user interface.

<Switch1> system-view

[Switch1] user-interface console 0

[Switch1-ui-console0] authentication-mode scheme

[Switch1-ui-console0] quit

# Configure a local user with the username test and password test.

[Switch1] local-user test class manage

[Switch1-luser-manage-test] password simple test

# Assign the user role network-admin and the terminal service to the user.

[Switch1-luser-manage-test] authorization-attribute user-role network-admin

[Switch1-luser-manage-test] service-type terminal

[Switch1-luser-manage-test] quit

Verifying the configuration

# Log in to the switch through the console port. Verify that the system displays a prompt for the console login username and password.

******************************************************************************

* Copyright (c) 2004-2013 Hewlett-Packard Development Company, L.P.            *

* Without the owner's prior written consent,                                        *

* no decompiling or reverse-engineering shall be allowed.                        *

******************************************************************************

 

User interface con0 is available.

 

 

Press ENTER to get started.

 

login: test

Password:

# Enter the correct username and password to verify that you can access the CLI.

<Switch1> system-view

System View: return to User View with Ctrl+Z.

[Switch1]

Configuration files

#

 domain default enable system

#

user-interface con 0

 authentication-mode scheme

 user-role network-admin

#

local-user test class manage

 password hash $h$6$DaTNpkN/T5vDTCTX$knzvBlMhlFZ77CORDl55gdS8+oMzxCsxe/xH+qoSllgAEyWm7wW70ZB5O2QqlvHEUg8nkLaM/1/xK/6Cvq5shQ==

 service-type terminal

 authorization-attribute user-role network-admin

 authorization-attribute user-role network-operator

#

Example: Configuring password authentication for Telnet users

Network requirements

Configure password authentication for Telnet users on the switch in Figure 3. Require Telnet users to provide the password test at login.

Figure 3 Network diagram

Requirements analysis

To meet the network requirements, perform the following tasks:

·     To allow Telnet logins, enable the Telnet server on the switch.

·     To require a Telnet user to provide a password at login, configure password authentication for the VTY user interfaces on the switch.

·     To allow a Telnet user to use all commands, assign the user role network-admin to the VTY user interfaces. The default user role is network-operator for a Telnet user.

Software version used

This configuration example was created and verified on S12500-CMW710-R7129.

Configuration procedures

# Enable Telnet server.

<Switch1> system-view

[Switch1] telnet server enable

# Assign an IP address to VLAN-interface 5, and assign GigabitEthernet 7/0/35 to VLAN 5 so that the Telnet client can reach the switch.

[Switch1] interface Vlan-interface 5

[Switch1-Vlan-interface5] ip address 15.15.1.1 16

[Switch1-Vlan-interface5] quit

[Switch1] interface GigabitEthernet 7/0/35

[Switch1-GigabitEthernet7/0/35] port link-mode bridge

[Switch1-GigabitEthernet7/0/35] port access vlan 5

[Switch1-GigabitEthernet7/0/35] quit

# For all VTY user interfaces, enable password authentication, set the password to test, and assign the user role network-admin.

[Switch1] user-interface vty 0 15

[Switch1-ui-vty0-15] authentication-mode password

[Switch1-ui-vty0-15] set authentication password simple test

[Switch1-ui-vty0-15] user-role network-admin

[Switch1-ui-vty0-15] quit

Verifying the configuration

# Telnet to the switch. Verify that the system displays a prompt for the password.

******************************************************************************

* Copyright (c) 2004-2013 Hewlett-Packard Development Company, L.P.            *

* Without the owner's prior written consent,                                        *

* no decompiling or reverse-engineering shall be allowed.                        *

******************************************************************************

 

 

Password:

# Enter the correct password to verify that you can access the CLI.

<Switch1> system-view

System View: return to User View with Ctrl+Z.

[Switch1]

Configuration files

#

domain default enable system

#

 telnet server enable

#

vlan 5

#

interface Vlan-interface5

 ip address 15.15.1.1 255.255.0.0

#

interface GigabitEthernet7/0/35

 port link-mode bridge

 port access vlan 5

#

user-interface vty 0 15

 user-role network-admin

 user-role network-operator

 set authentication password hash $h$6$ifF6RyM3SrB7BiSA$2zNo5WkQc2Oz8GXYOq7FkL2s98vO13C11511sWzNn+J/NcqmEKGuwbMubqY0r8gA5iGy7ojYux/m1A+ux+F5yw==

 idle-timeout 0 0

#

Example: Configuring local scheme authentication for Telnet users

Network requirements

Configure local scheme authentication for Telnet users on the switch in Figure 4. Require Telnet users to provide the username test and password test at login.

Figure 4 Network diagram

Requirements analysis

To meet the network requirements, perform the following tasks:

·     To allow Telnet logins, enable Telnet server on the switch.

·     To require a Telnet user to provide a username and password at login, configure scheme authentication for the VTY user interfaces.

·     Because local authentication is the default authentication method for login users, you only need to configure a local user on the switch.

·     To allow the local user to Telnet to the switch, authorize the local user to use the Telnet service.

·     To allow the local user to use all commands, assign the user role network-admin to the local user. The user role of a login user depends on the user role setting for the local user. It is network-operator by default when local scheme authentication is used.

Software version used

This configuration example was created and verified on S12500-CMW710-R7129.

Configuration procedures

# Enable Telnet server.

<Switch1> system-view

[Switch1] telnet server enable

# Assign an IP address to VLAN-interface 5, and assign GigabitEthernet 7/0/35 to VLAN 5 so that the Telnet client can reach the switch.

[Switch1] interface Vlan-interface 5

[Switch1-Vlan-interface5] ip address 15.15.1.1 16

[Switch1-Vlan-interface5] quit

[Switch1] interface GigabitEthernet 7/0/35

[Switch1-GigabitEthernet7/0/35] port link-mode bridge

[Switch1-GigabitEthernet7/0/35] port access vlan 5

[Switch1-GigabitEthernet7/0/35] quit

# Enable scheme authentication for all VTY user interfaces.

[Switch1] user-interface vty 0 15

[Switch1-ui-vty0-15] authentication-mode scheme

[Switch1-ui-vty0-15] quit

# Configure a local user with the username test and password test.

[Switch1] local-user test class manage

[Switch1-luser-manage-test] password simple test

# Assign the user role network-admin and the Telnet service to the user.

[Switch1-luser-manage-test] authorization-attribute user-role network-admin

[Switch1-luser-manage-test] service-type telnet

[Switch1-luser-manage-test] quit

Verifying the configuration

# Telnet to the switch. Verify that the system displays a prompt for the username and password.

******************************************************************************

* Copyright (c) 2004-2013 Hewlett-Packard Development Company, L.P.            *

* Without the owner's prior written consent,                                        *

* no decompiling or reverse-engineering shall be allowed.                        *

******************************************************************************

 

login: test

Password:

# Enter the correct username and password to verify that you can access the CLI.

<Switch1> system-view

System View: return to User View with Ctrl+Z.

[Switch1]
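The two Telnet verification steps on this page amount to one check: connect and look at the first prompt. "Password:" means password authentication, "login:" means scheme authentication, and a bare view prompt such as "<Switch1>" means the VTY lines accept anyone. The script below automates that check. It is an added example for this page, not H3C code or part of the switch. It speaks only as much Telnet (RFC 854 option negotiation) as is needed to get the device to send its banner, refusing every option the server offers or requests; the host, port and timeout passed to probe() are assumptions for illustration, and SAMPLE_CAPTURE is a constructed byte string modelled on the output shown above.

```python
"""Check which login prompt a Comware device presents over Telnet.

Added example for this page, not H3C code. Refusing every Telnet option
(WILL -> DONT, DO -> WONT) is enough for the switch to send its banner and
first prompt, which is all the check needs. Host, port and timeout are
assumptions for illustration; nothing here is a documented H3C API.
"""
import re
import socket

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Constructed capture: the server offers ECHO (WILL 1) and asks for
# TERMINAL-TYPE (DO 24), then sends a banner and a password prompt.
SAMPLE_CAPTURE = (
    b"\xff\xfb\x01\xff\xfd\x18"
    b"\r\n******************************************************************************\r\n"
    b"* Copyright (c) 2004-2013 Hewlett-Packard Development Company, L.P.            *\r\n"
    b"******************************************************************************\r\n"
    b"\r\n\r\nPassword:"
)


def strip_telnet(data):
    """Remove option negotiation from raw Telnet bytes.

    Returns (text, replies): the payload with IAC sequences removed, and the
    bytes a client should send back to refuse every option. IAC IAC is
    unescaped to a literal 0xFF. A sequence cut off at the end of the buffer
    is left unprocessed so the caller can retry once more data arrives.
    """
    text, replies = bytearray(), bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                                   # lone IAC at buffer end
        cmd = data[i + 1]
        if cmd == IAC:                              # escaped 0xFF
            text.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            if i + 2 >= n:
                break                               # option byte not received yet
            opt = data[i + 2]
            if cmd == WILL:
                replies += bytes([IAC, DONT, opt])
            elif cmd == DO:
                replies += bytes([IAC, WONT, opt])
            i += 3
        elif cmd == SB:                             # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            i = end + 2
        else:
            i += 2                                  # two-byte command (NOP, GA, ...)
    return bytes(text), bytes(replies)


def classify_prompt(text):
    """Map the last non-empty line of the login dialogue to an authentication mode."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    last = lines[-1].lower()
    if last.startswith("login:"):
        return "scheme"                 # username prompt
    if last.startswith("password:"):
        return "password"               # password-only prompt
    if re.fullmatch(r"[<\[][^<>\[\]]+[>\]]", last):
        return "none"                   # straight into a user or system view
    return "unknown"


def detect_from_capture(data):
    """Classify a raw byte capture of the server's opening output."""
    text, _ = strip_telnet(data)
    return classify_prompt(text.decode("ascii", "replace"))


def probe(host, port=23, timeout=5.0):
    """Connect to host:port, answer negotiation, and return the detected mode."""
    raw, sent = b"", 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            raw += chunk
            text, replies = strip_telnet(raw)       # re-parse the whole buffer
            if len(replies) > sent:                 # send only replies not yet sent
                s.sendall(replies[sent:])
                sent = len(replies)
            mode = classify_prompt(text.decode("ascii", "replace"))
            if mode != "unknown":
                return mode
    return "unknown"
```

Run probe("15.15.1.1") from the Telnet client after each example; "password" or "scheme" confirms the mode you configured, and a result of "none" on a VTY line is the condition Table 1 warns against. Because Telnet carries the password in clear text, the same capture that lets this script classify the prompt would let anyone on the path read the password that follows it, which is why the page points to SSH for production access.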

Configuration files

#

domain default enable system

#

 telnet server enable

#

vlan 5

#

interface Vlan-interface5

 ip address 15.15.1.1 255.255.0.0

#

interface GigabitEthernet7/0/35

 port link-mode bridge

 port access vlan 5

#

user-interface vty 0 15

 authentication-mode scheme

 user-role network-admin

 user-role network-operator

 idle-timeout 0 0

#

local-user test class manage

 password hash $h$6$uUxUbGGD00+3wYOs$cVq29Rs+FEp5GSCfTmCw3Wkg43lLKHtUaWOf7LkHDAP7B2VqITsm5OK7vIgd3W2HGDHXzjc1g/Z4PNPIkFN2WQ==

 service-type telnet

 authorization-attribute user-role network-admin

 authorization-attribute user-role network-operator

#
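The four "Configuration files" sections above are what an auditor actually gets to look at, and they show two things worth checking mechanically: the switch stores passwords entered with the simple keyword as hashes (so the hash form is what a review sees), and both VTY configurations carry idle-timeout 0 0, which disables the idle-session timeout. The script below is an added example for this page, not H3C code. It parses configuration text in the form shown above (a view such as user-interface vty 0 15 starts in column 0, its settings are indented one space, # separates blocks) and flags the login-security weaknesses this page describes: authentication-mode none, password mode with no password set, scheme mode with no local user authorised for the line's service, idle-timeout 0 0, and an enabled Telnet server. The defaults it assumes when a line has no authentication-mode setting (console unauthenticated, AUX and VTY in password mode with no password) are the ones stated in Table 1; the local-user check assumes local authentication as in these examples and does not model remote AAA. SAMPLE_CONFIG is a constructed configuration with a placeholder hash.

```python
"""Audit a saved Comware 7 configuration for weak login-authentication settings.

Added example for this page, not H3C code. Assumed defaults come from the
page's Table 1 (console: no authentication; AUX/VTY: password mode, no
password set). Only local authentication is modelled.
"""
from dataclasses import dataclass

# Constructed sample: the page's VTY scheme example, with the console line
# deliberately weakened to 'none' and a placeholder (not real) hash.
SAMPLE_CONFIG = """\
#
 domain default enable system
#
 telnet server enable
#
user-interface con 0
 authentication-mode none
 user-role network-admin
#
user-interface vty 0 15
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
 idle-timeout 0 0
#
local-user test class manage
 password hash $h$6$placeholder$notarealhash==
 service-type telnet
 authorization-attribute user-role network-admin
#
"""

# Which local-user service-type authorises login on each line type.
SERVICE_FOR_LINE = {"con": {"terminal"}, "aux": {"terminal"}, "vty": {"telnet", "ssh"}}


@dataclass(frozen=True)
class Finding:
    severity: str   # "HIGH" or "MEDIUM"
    where: str      # view header, or "global"
    message: str


def parse_views(config_text):
    """Split config text into (global_settings, [(view_header, [settings]), ...])."""
    global_settings, views, current = [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            current = None                  # '#' closes the current view
        elif raw[0] not in " \t":
            current = (line, [])            # unindented line opens a new view
            views.append(current)
        elif current is None:
            global_settings.append(line)    # indented but outside any view
        else:
            current[1].append(line)
    return global_settings, views


def _setting(settings, prefix):
    """Return the arguments of the first setting that starts with prefix, else None."""
    for s in settings:
        if s == prefix or s.startswith(prefix + " "):
            return s[len(prefix):].strip()
    return None


def audit(config_text):
    """Return the list of Findings for one configuration."""
    global_settings, views = parse_views(config_text)
    findings = []

    # Services that at least one local user is authorised for.
    local_services = set()
    for header, settings in views:
        if header.startswith("local-user "):
            for s in settings:
                if s.startswith("service-type "):
                    local_services.update(s.split()[1:])

    if any(g.startswith("telnet server enable") for g in global_settings):
        findings.append(Finding("MEDIUM", "global",
            "telnet server enable: credentials and sessions cross the network in clear text; prefer SSH"))

    for header, settings in views:
        if not header.startswith("user-interface "):
            continue
        line_type = header.split()[1][:3]           # con / aux / vty
        default_mode = "none" if line_type == "con" else "password"
        mode = _setting(settings, "authentication-mode") or default_mode

        if mode == "none":
            findings.append(Finding("HIGH", header,
                "authentication-mode none: anyone who reaches this line gets a CLI without credentials"))
        elif mode == "password" and _setting(settings, "set authentication password") is None:
            findings.append(Finding("MEDIUM", header,
                "password authentication with no password set: login on this line fails until one is configured"))
        elif mode == "scheme":
            wanted = SERVICE_FOR_LINE.get(line_type, set())
            if not wanted & local_services:
                findings.append(Finding("MEDIUM", header,
                    "scheme authentication but no local user has service-type "
                    + " or ".join(sorted(wanted)) + "; local logins on this line will fail"))

        if _setting(settings, "idle-timeout") == "0 0":
            findings.append(Finding("MEDIUM", header,
                "idle-timeout 0 0: idle sessions never time out, so an unattended terminal stays logged in"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.where:26} {f.message}")
```

Feed it the output of display current-configuration saved to a file. Run against the page's own Telnet examples it reports the enabled Telnet server and the idle-timeout 0 0 line on the VTYs; against the console examples it reports nothing, because password mode has a password set and scheme mode has a local user with service-type terminal.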

Related documentation

·     H3C S12500 Routing Switch Series Fundamentals Configuration Guide

·     H3C S12500 Routing Switch Series Fundamentals Command Reference