01-Fundamentals Configuration Guide

02-Login Management Configuration

Contents

Logging in to the CLI
Login methods
Logging in through the console or AUX port
Logging in through Telnet
Telnetting to the switch
Telnetting from the switch to another device
Logging in through SSH
Logging in to the switch from an SSH client
Using the switch as an SSH client to log in to the SSH server
Modem dial-in through the AUX port
Logging in to the Web interface
Configuring HTTP login
Configuring HTTPS login
Configuring source IP-based Web login control
Configuring source IP-based Web login control
Logging off online Web users
Source IP-based Web login control configuration example
Displaying and maintaining Web login
HTTP login example
HTTPS login configuration example
Network requirements
Configuration procedure
Logging in through SNMP from an NMS
Configuring SNMP login
Prerequisites
Configuring SNMPv3 settings
Configuring SNMPv1 or SNMPv2c settings
NMS login example
Logging in through CWMP from an ACS
Configuring user interfaces
User interface assignment
User interface numbering
User interface configuration task list
Configuring asynchronous serial interface attributes
Configuring common settings for user interfaces
Configuring the command auto-execute function
Configuring a user privilege level for user interfaces
Configuring access control on VTY user interfaces
Configuring supported protocols on VTY user interfaces
Configuring authentication mode
Configuring command authorization
Configuring command accounting
Defining shortcut keys for starting terminal sessions/aborting tasks
Sending messages to user interfaces
Releasing connections to user interfaces
Displaying and maintaining user interfaces
User interface configuration examples
User authentication configuration example
Command authorization configuration example
Command accounting configuration example
Configuring Telnet login control
Configuring source IP-based Telnet login control
Configuring source/destination IP-based Telnet login control
Configuring source MAC-based Telnet login control
Telnet login control configuration example
 


Logging in to the CLI

This chapter describes the available CLI login methods and their configuration procedures.

If you enable FIPS mode and reboot the switch, the Telnet server function and HTTP server function are disabled. For more information about FIPS mode, see Security Configuration Guide.

Login methods

You can access the switch only through the console or AUX port at the first login. After you log in to the switch, you can configure other login methods, including Telnet and SSH, for remote access.

Table 1 Login methods

Login method

Default settings and configuration requirements

Logging in through the console or AUX port

By default, login through the console and AUX port is enabled, no username or password is required, and the user privilege level is 3.

Logging in through Telnet

By default, Telnet service is disabled. To use Telnet service, complete the following configuration tasks:

·     Enable the Telnet server function on your switch.

·     Assign an IP address to the network management port or VLAN interface of your switch, and make sure that your switch and the Telnet client can reach each other. (By default, your switch does not have an IP address.)

·     Configure the authentication mode for VTY login users (password by default).

·     Configure the user privilege level of VTY login users (0 by default).

Logging in through SSH

By default, SSH service is disabled. To use SSH service, complete the following configuration tasks:

·     Enable the SSH server function on your switch.

·     Assign an IP address to the network management port or VLAN interface of your switch, and make sure that your switch and the SSH client can reach each other. (By default, your switch does not have an IP address.)

·     Configure the authentication mode for VTY login users as scheme (password by default).

·     Configure the user privilege level of VTY login users (0 by default).

Modem dial-in through the AUX port

By default, modem dial-in through the AUX port is disabled. To use modem dial-in, log in to your switch through the console port, and complete the following configuration tasks:

·     Configure the authentication mode for AUX login users (password by default).

·     Configure the user privilege level of AUX login users (0 by default).

 

Logging in through the console or AUX port

The AUX port can be used as the backup of the console port. Using the AUX port for local login is the same as using the console port. This example describes the console port configuration and login procedure.

By default, the first time you access the CLI you must log in through the console port.

To log in through the console port, make sure the console terminal has a terminal emulation program (for example, HyperTerminal in Windows XP) and the port settings of the terminal emulation program are the same as the default settings of the console port shown in Table 2.

Table 2 Default console port settings

Setting          Default
Baud rate        9600 bps
Flow control     Off
Check mode       No check bit
Stop bits        1
Data bits        8

To log in through the console port:

1.     As shown in Figure 1, connect the DB-9 connector of the console cable to the serial port of your console terminal.

Figure 1 Connecting a terminal to the console port


 

2.     Connect the RJ-45 connector of the console cable to the console port of the MPU of the switch. If two MPUs are installed on the switch, log in through the console port on the active MPU (typically with a smaller slot number) for the first login.

 

 

NOTE:

·     Identify the mark on the console port and make sure you are connecting to the correct port.

·     The serial ports on PCs do not support hot swapping. If the switch has been powered on, always connect the console cable to the PC before connecting to the switch, and when you disconnect the cable, first disconnect from the switch.

 

3.     If the PC is off, turn on the PC.

4.     Launch the terminal emulation program and configure the communication properties on the terminal.

Figure 2 through Figure 4 show the configuration procedure on Windows XP HyperTerminal. Make sure the port settings are the same as those listed in Table 2.

 

 

NOTE:

On Windows Server 2003, add the HyperTerminal first, and then log in to and manage the switch as described in this document. On Windows Server 2008, Windows 7, Windows Vista, or any other operating system, obtain a third-party terminal control program first, and then follow the user guide or online help to log in to the switch.

 

Figure 2 Connection description

 

Figure 3 Specifying the serial port used to establish the connection

 

Figure 4 Setting the properties of the serial port

 

5.     Power on the switch and press Enter when the following prompt appears:

<Sysname>

6.     Execute commands to configure the switch or view the running status of the switch. To get help, enter ?.

By default, console users are not authenticated. For security, change the authentication mode of the console port immediately after you log in for the first time. For more information about authentication modes, see "Configuring authentication mode."

After you log in through the console port, you can also set login parameters other than the authentication mode. For more information, see "Configuring authentication mode."

The following describes how to configure password authentication:

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] authentication-mode password

[Sysname-ui-console0] set authentication password cipher 123

After the configuration is complete, when users log in through the console port, they must enter authentication password 123.

Logging in through Telnet

You can Telnet to the switch through a VTY user interface for remote management, or use the switch as a Telnet client to Telnet to other devices.

Table 3 shows the Telnet server and client configuration required for a successful Telnet login.

Table 3 Telnet server and Telnet client configuration requirements

Device role

Requirements

Telnet server

·     Assign an IP address to the Telnet server, and make sure the Telnet server and client can reach each other.

·     Enable the Telnet server.

·     Configure the authentication mode for Telnet login.

Telnet client

·     Run the Telnet program.

·     Obtain the IP address of the Telnet server.

 

To control Telnet access to the device working as a Telnet server, configure login authentication and user privilege levels for Telnet users.

Telnetting to the switch

By default, Telnet service is disabled on the switch, password authentication applies to Telnet login, but no login password is configured. To allow Telnet access to the switch, you must enable the Telnet server and configure a password, or configure another authentication mode and the related settings.

You can Telnet to your switch through the network management port or any other Layer 3 interface, for example, a Layer 3 Ethernet interface or a VLAN interface.

To log in to the switch from a Telnet client:

1.     Log in to the switch through the console port, and assign an IP address to the network management port of the switch. For example:

# Assign IP address 202.38.160.92/24 to the network management port.

<Sysname> system-view

[Sysname] interface M-Ethernet 0/0/0

[Sysname-M-Ethernet0/0/0] ip address 202.38.160.92 255.255.255.0

For more information about how to log in to the switch through the console port, see "Logging in through the console or AUX port."

2.     Enable the Telnet server function:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the Telnet server.

telnet server enable

Disabled by default.

 

3.     Enter VTY user interface view, and configure the authentication mode as needed.

For more information, see "Configuring authentication mode."

4.     Configure the user privilege level. Users that Telnet to the switch can execute only level-0 commands by default.

For more information about command levels, see "Configuring a user privilege level for user interfaces."

5.     Set up a configuration environment as shown in Figure 5, and make sure the PC and switch can reach each other.

Figure 5 Setting up a configuration environment

 

6.     From your Telnet client, Telnet to the IP address of the management port of the switch, as shown in Figure 6.

Figure 6 Running the Telnet program

 

7.     If the authentication mode is none, you can log in to the switch without any authentication. If the authentication mode is password, the terminal prompts you to enter the login password. If the authentication mode is scheme, you must enter the username and password to log in to the switch. After you enter the correct username and password, if the switch prompts you to enter another password of the specified type, you are authenticated for the second time.

8.     Execute commands to configure the switch, or check the running status of the switch. To get help, enter ?.

 

 

NOTE:

·     When configuring your switch through Telnet, do not delete or change the IP address of the network management port or VLAN interface corresponding to the Telnet connection. Otherwise, the Telnet connection will be terminated.

·     If the number of Telnet login users has reached the upper limit, the message "All user interfaces are used, please try later!" appears.

 

Telnetting from the switch to another device

By default, the switch is enabled with the Telnet client function.

To Telnet to another device from the local switch, follow these steps:

1.     Set up a configuration environment as shown in Figure 7. If the two switches are not in the same LAN, make sure the two switches can reach each other.

Figure 7 Telnetting from the switch (Telnet client) to another device (Telnet server)

 

2.     Configure the Telnet server:

a.     Enable the Telnet server.

b.     Configure the authentication mode on the Telnet server as needed.

3.     Log in to the switch that operates as the Telnet client.

4.     Execute the telnet command on the Telnet client to log in to the Telnet server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify the source IPv4 address or source interface for sending Telnet packets when the switch serves as a Telnet client.

telnet client source { interface interface-type interface-number | ip ip-address }

Optional.

By default, no source IPv4 address or source interface for sending Telnet packets is specified. The source IPv4 address is selected by the routing process.

3.     Exit to user view.

quit

N/A

4.     Telnet to the Telnet server.

·     telnet remote-host [ service-port ] [ [ vpn-instance vpn-instance-name ] | [ source { interface interface-type interface-number | ip ip-address } ] ]

·     telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] [ vpn-instance vpn-instance-name ]

Use either method.

Available in user view.

 

5.     After login, a prompt appears (for example, <Sysname> ). If "All user interfaces are used, please try later!" appears, try again later.

6.     Execute commands to configure the switch, or check the running status of the switch. To get help, enter ?.

Logging in through SSH

SSH offers a secure method for remote login. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception. You can use an SSH client to log in to the switch working as an SSH server for remote management, or use the device as an SSH client to log in to an SSH server, as shown in Figure 8.

Figure 8 SSH login diagram

 

Table 4 shows the SSH server and client configuration required for a successful SSH login.

Table 4 SSH server and client requirements

Device role

Requirements

SSH server

·     Assign an IP address to the SSH server, and make sure the SSH server and client can reach each other.

·     Configure the authentication mode and other settings.

SSH client

·     If the host operates as an SSH client, run the SSH client program on the host.

·     Obtain the IP address of the SSH server.

 

To control SSH access to the switch working as an SSH server, configure authentication and user privilege level for SSH users.

As an SSH client:

·     You can log in to an SSH server from the client to perform operations on the server.

·     By default, the switch is enabled with the SSH client function.

Logging in to the switch from an SSH client

By default, the SSH server function is disabled on the switch, password authentication is adopted for SSH login, but no login password is configured. To log in to the switch from an SSH client, log in to the switch through the console port (see "Logging in through the console or AUX port") and configure the switch as an SSH server.

Follow these guidelines when you configure the SSH server:

·     To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.

·     If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.

·     If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.

The SSH client authentication method is password in this configuration procedure. For more information about SSH and publickey authentication, see Security Configuration Guide.

To configure the switch as an SSH server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create local key pairs.

public-key local create { dsa | rsa }

By default, no local key pairs are created.

3.     Enable SSH server.

ssh server enable

By default, SSH server is disabled.

4.     Exit to system view.

quit

N/A

5.     Enter one or more VTY user interface views.

user-interface vty first-number [ last-number ]

N/A

6.     Specify the scheme authentication mode.

authentication-mode scheme

By default, authentication mode for VTY user interfaces is password.

7.     Enable the current user interface to support either Telnet, SSH, or both of them.

protocol inbound { all | ssh }

Optional.

By default, both protocols are supported.

8.     Exit to system view.

quit

N/A

9.     Configure the authentication mode.

a.     Enter the default ISP domain view:
domain domain-name

b.     Apply the specified AAA scheme to the domain:
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

c.     Exit to system view:
quit

Optional.

By default, the AAA scheme is local.

If you specify the local AAA scheme, also complete the local user configuration. If you specify an existing scheme by providing the radius-scheme-name argument, also complete the following configuration:

·     For RADIUS and HWTACACS configuration, see Security Configuration Guide.

·     Configure the username and password on the AAA server. For more information, see Security Configuration Guide.

10.     Create a local user and enter local user view.

local-user user-name

By default, no local user exists.

11.     Set the local password.

password { cipher | simple } password

By default, no local password is set.

12.     Specify the command level of the local user.

authorization-attribute level level

Optional.

By default, the command level is 0.

13.     Specify the service type for the local user.

service-type ssh

By default, no service type is specified.

14.     Exit to system view.

quit

N/A

15.     Create an SSH user, and specify the authentication mode for the SSH user.

ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }

Optional.

By default, no SSH user exists, and no authentication mode is specified.

16.     Configure common settings for VTY user interfaces.

N/A

Optional.

See "Configuring common settings for user interfaces."
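The Telnet and SSH procedures above leave several settings at defaults this chapter warns about: a console port with no authentication, VTYs that accept Telnet alongside SSH, and a privilege level granted to a shared password. The following Python script is an added example, not code from H3C or this guide: it audits a saved copy of the running configuration against those points. The configuration it reads is constructed for the example; the command names and defaults come from this chapter, and the cipher-text placeholder stands in for a real encrypted password.

```python
"""Hypothetical checker for this chapter (not H3C code): reads the global
telnet/ssh server switches and each user-interface block of a Comware-style
configuration and reports the login settings the chapter warns about."""

# Constructed sample modelled on this chapter's commands; the cipher text is
# a placeholder, not output from a real switch.
SAMPLE_CONFIG = """\
#
 telnet server enable
 ssh server enable
#
user-interface console 0
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher <cipher-text-placeholder>
 user privilege level 3
user-interface vty 5 15
 authentication-mode scheme
 protocol inbound ssh
#
"""

# Defaults as the chapter documents them: console/AUX need no authentication
# and run at level 3; VTY defaults to password mode, level 0, Telnet and SSH.
DEFAULTS = {
    "console": {"auth": "none", "level": 3, "inbound": None},
    "aux": {"auth": "none", "level": 3, "inbound": None},
    "vty": {"auth": "password", "level": 0, "inbound": "all"},
}


def parse_login_config(config):
    """Return (global_flags, {interface_name: settings}) from config text."""
    flags = {"telnet": False, "ssh": False}
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "telnet server enable":
            flags["telnet"] = True
        elif line == "ssh server enable":
            flags["ssh"] = True
        elif line.startswith("user-interface "):
            parts = line.split()
            kind = parts[1].lower()
            if kind.startswith("con"):          # "con 0" and "console 0" both occur
                kind = "console"
            current = dict(DEFAULTS.get(kind, DEFAULTS["vty"]))
            current["kind"] = kind
            current["has_password"] = False
            interfaces[" ".join(parts[1:])] = current
        elif current is None or line == "#":    # "#" closes the current block
            current = None
        elif line.startswith("authentication-mode "):
            current["auth"] = line.split()[1]
        elif line.startswith("user privilege level "):
            current["level"] = int(line.split()[3])
        elif line.startswith("protocol inbound "):
            current["inbound"] = line.split()[2]
        elif line.startswith("set authentication password"):
            current["has_password"] = True
    return flags, interfaces


def audit_login_config(config):
    """Return a list of (severity, subject, message) findings."""
    flags, interfaces = parse_login_config(config)
    findings = []
    if flags["telnet"]:
        findings.append(("high", "telnet server", "Telnet is enabled; passwords "
                         "cross the network in plaintext. Use SSH instead."))
    for name, s in interfaces.items():
        if s["auth"] == "none":
            findings.append(("high", name, "no login authentication; anyone who "
                             "reaches the port gets privilege level %d" % s["level"]))
        elif s["auth"] == "password":
            if not s["has_password"]:
                findings.append(("medium", name, "password mode but no password "
                                 "is set, so logins fail until one is configured"))
            if s["level"] > 0:
                findings.append(("medium", name, "a shared password grants level "
                                 "%d with no per-user identity; prefer scheme" % s["level"]))
        if s["kind"] == "vty":
            if s["inbound"] == "ssh" and s["auth"] != "scheme":
                findings.append(("medium", name, "SSH-only VTY needs "
                                 "authentication-mode scheme, or SSH logins fail"))
            if s["inbound"] == "all" and flags["ssh"]:
                findings.append(("low", name, "accepts Telnet as well as SSH; "
                                 "restrict it with 'protocol inbound ssh'"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit_login_config(SAMPLE_CONFIG):
        print("[%s] %s: %s" % (severity.upper(), subject, message))
```

On the sample, the script reports the enabled Telnet server, the unauthenticated console port, and the level-3 VTY range that relies on a shared password and still accepts Telnet; the scheme-mode, SSH-only range passes.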

 

Using the switch as an SSH client to log in to the SSH server

You can use the device as an SSH client to log in to an SSH server. If the server is located in a different subnet than the device, make sure the two devices have routes to reach each other.

To use the switch as the SSH client, first log in to the switch through the console port. For more information, see "Logging in through the console or AUX port."

Figure 9 Logging in to an SSH client from the switch

 

Perform the following tasks in user view:

 

Task

Command

Remarks

Log in to an IPv4 SSH server.

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

The server argument represents the IPv4 address or host name of the server.

Log in to an IPv6 SSH server.

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

The server argument represents the IPv6 address or host name of the server.

 

Modem dial-in through the AUX port

An administrator can use a pair of modems to remotely connect to the switch through its AUX port over the PSTN when the IP network connection is broken. To do so, make sure that the dial-in connection, the switch, and the modems are correctly set up.

To set up a configuration environment as shown in Figure 10:

1.     Connect the serial port of the PC to one modem and the AUX port of the device to another modem.

2.     Connect each modem to the PSTN through a telephone cable.

Figure 10 Setting up a configuration environment

 

3.     Obtain the telephone number of the modem connected to the device.

4.     Configure the following settings on the modem directly connected to the device:

·     AT&F: Restores the factory default.

·     ATS0=1: Configures auto-answer on first ring.

·     AT&D: Ignores Data Terminal Ready signals.

·     AT&K0: Disables local flow control.

·     AT&R1: Ignores Data Flow Control signals.

·     AT&S0: Forces DSR to remain on.

·     ATEQ1&W: Disables the modem from returning command responses and execution results, and saves the configuration.

To verify your configuration, enter AT&V to display the configuration results.

 

 

NOTE:

The configuration commands and output vary by modem. For more information, see the modem user guide.

 

5.     To avoid data loss, verify that the speed of the AUX port is slower than the transmission rate of the modem, and the default parity check, stop bits, and data bits settings are used.

6.     Launch the terminal emulation program and create a connection by using the telephone number of the modem connected to the device.

Figure 11 to Figure 13 shows the configuration procedure in Windows XP HyperTerminal.

Figure 11 Creating a connection

 

Figure 12 Entering the phone number

 

Figure 13 Dialing the number

 

7.     If the authentication mode is password, a prompt (for example, <Sysname>) appears after you enter the configured password. Then, you can configure or manage the switch. To get help, enter ?.


Logging in to the Web interface

The switch provides a built-in Web server for you to configure the switch through a Web browser. Web login is disabled by default.

To enable Web login, log in through the console port, and perform the following configuration tasks:

·     Enable HTTP service.

·     Assign an IP address to the VLAN interface, and make sure that the interface and the configuration terminal can reach each other.

·     Configure a local user account for Web login.

The switch supports using HTTP 1.0 and HTTPS to transfer webpage data across the Internet.

HTTPS uses SSL to encrypt data between the client and the server for data integrity and security, and is more secure than HTTP. You can define a certificate attribute-based access control policy to allow only legitimate clients to access the device.

HTTP login and HTTPS login are separate login methods. To use HTTPS login, you do not need to configure HTTP login.

Table 5 shows the basic Web login configuration requirements.

Table 5 Basic web login configuration requirements

Object

Requirements

Device

·     Assign an IP address to the VLAN interface.

·     Configure routes to make sure the switch and the PC can reach each other.

·     Configure HTTP login.

PC

·     Install a Web browser.

·     Obtain the IP address of the switch's VLAN interface.

 

Configuring HTTP login

Step

Command

Remarks

1.     Specify a fixed verification code for Web login.

web captcha verification-code

Optional.

By default, a Web user must enter the verification code indicated on the login page to log in.

This command is available in user view.

2.     Enter system view.

system-view

N/A

3.     Enable the HTTP service.

ip http enable

By default, HTTP service is disabled.

4.     Configure the HTTP service port number.

ip http port port-number

Optional.

80 by default.

If you execute the command multiple times, the most recent configuration takes effect.

5.     Associate the HTTP service with an ACL.

ip http acl acl-number

Optional.

By default, the HTTP service is not associated with any ACL.

Associating the HTTP service with an ACL enables the switch to allow only clients permitted by the ACL to access the switch.

6.     Create a local user and enter local user view.

local-user user-name

By default, no local user is configured.

7.     Configure a password for the local user.

password { cipher | simple } password

By default, no password is configured for the local user.

8.     Specify the command level of the local user.

authorization-attribute level level

No command level is configured for the local user.

9.     Specify the Web service type for the local user.

service-type web

By default, no service type is configured for the local user.

10.     Exit to system view.

quit

N/A

11.     Create a VLAN interface and enter its view.

interface vlan-interface vlan-interface-id

If the VLAN interface already exists, the command enters its view.

12.     Assign an IP address and subnet mask to the VLAN interface.

ip address ip-address { mask | mask-length }

By default, no IP address is assigned to the VLAN interface.

 

Configuring HTTPS login

The switch supports the following HTTPS login modes:

·     Simplified mode: To make the switch operate in this mode, you only need to enable HTTPS service on the switch. The switch will use a self-signed certificate (a certificate that is generated and signed by itself, rather than a CA) and the default SSL settings. This mode is simple to configure but has potential security risks.

·     Secure mode: To make the switch operate in this mode, you must enable HTTPS service on the switch, specify an SSL server policy for the service, and configure PKI domain-related parameters. This mode is more complicated to configure but provides higher security.

For more information about SSL and PKI, see Security Configuration Guide.

To configure HTTPS login:

 

Step

Command

Remarks

1.     Specify a fixed verification code for Web login.

web captcha verification-code

Optional.

By default, a Web user must enter the verification code indicated on the login page to log in.

This command is available in user view.

2.     Enter system view.

system-view

N/A

3.     Associate the HTTPS service with an SSL server policy.

ip https ssl-server-policy policy-name

Optional.

By default, the HTTPS service is not associated with any SSL server policy, and the switch uses a self-signed certificate for authentication.

If you disable the HTTPS service, the system automatically de-associates the HTTPS service from the SSL service policy. Before re-enabling the HTTPS service, re-associate the HTTPS service with an SSL server policy.

If the HTTPS service has been enabled, any changes to the SSL server policy associated with it do not take effect.

4.     Enable the HTTPS service.

ip https enable

By default, the HTTPS service is disabled.

Enabling the HTTPS service triggers an SSL handshake negotiation process:

·     If a local certificate exists on the switch, the SSL negotiation succeeds and the HTTPS service starts up.

·     If no local certificate exists, a certificate application process is triggered. Because the application process takes a long time, the SSL negotiation often fails and the HTTPS service cannot be started. In that case, execute this command multiple times to start the HTTPS service.

5.     Associate the HTTPS service with a certificate attribute-based access control policy.

ip https certificate access-control-policy policy-name

Optional.

By default, the HTTPS service is not associated with any certificate-based attribute access control policy.

The switch uses the associated policy to control client access rights.

You must configure the client-verify enable command and at least one permit rule in the SSL server policy. Otherwise, no clients can log in through HTTPS.

For more information about certificate attribute-based access control policies, see the chapter on PKI in Security Configuration Guide.

6.     Specify the HTTPS service port number.

ip https port port-number

Optional.

The default HTTPS service port is 443.

7.     Associate the HTTPS service with an ACL.

ip https acl acl-number

By default, the HTTPS service is not associated with any ACL.

The switch allows only clients permitted by the associated ACL to log in.

8.     Set the HTTPS user authentication mode.

web https-authorization mode { auto | manual }

Optional.

The default HTTPS user authentication mode is manual.

In manual mode, a user must enter the correct username and password to log in through HTTPS.

In auto mode, the device first authenticates users by their certificates:

·      If the certificate is correct and not expired, the CN field in the certificate is used as the username to perform AAA authentication. If the authentication succeeds, the Web interface of the device appears on the user's terminal.

·     If the certificate is correct and not expired, but the AAA authentication fails, the device shows the Web login page and the user must enter the correct username and password to log in.

·     If the certificate is incorrect or expired, the HTTPS connection is terminated.

9.     Create a local user and enter local user view.

local-user user-name

By default, no local user is configured.

10.     Configure a password for the local user.

password { cipher | simple } password

By default, no password is configured for the local user.

11.     Specify a privilege level for the local user.

authorization-attribute level level

By default, no privilege level is specified for a local user.

12.     Authorize the local user to use the Web service.

service-type web

By default, no service type is authorized to a local user.

13.     Exit to system view.

quit

N/A

14.     Create a VLAN interface and enter its view.

interface vlan-interface vlan-interface-id

If the VLAN interface already exists, the command enters its view.

15.     Assign an IP address and subnet mask to the interface.

ip address ip-address { mask | mask-length }

By default, no IP address is assigned to the interface.

 

Configuring source IP-based Web login control

Use a basic ACL (2000 to 2999) to filter HTTP traffic by source IP address for Web login control. To access the device, a Web user must use an IP address permitted by the ACL. For more information about ACL, see ACL and QoS Configuration Guide.

You can also log off suspicious Web users that are currently logged in.

Configuring source IP-based Web login control

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a basic ACL and enter its view, or enter the view of an existing basic ACL.

acl [ ipv6 ] number acl-number [ match-order { config | auto } ]

By default, no basic ACL exists.

3.     Create rules for this ACL.

rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*

N/A

4.     Exit the basic ACL view.

quit

N/A

5.     Associate the HTTP service with the ACL.

ip http acl acl-number

N/A

 

Logging off online Web users

Task

Command

Remarks

Log off online Web users.

free web-users { all | user-id user-id | user-name user-name }

Available in user interface view.

 

Source IP-based Web login control configuration example

Network requirements

As shown in Figure 14, configure the switch to allow only Web users from Host B to access it.

Figure 14 Network diagram

 

Configuration procedure

# Create ACL 2030, and configure rule 1 to permit packets sourced from Host B.

<Sysname> system-view

[Sysname] acl number 2030 match-order config

[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0

# Associate the ACL with the HTTP service so that only Web users from Host B are allowed to access the switch.

[Sysname] ip http acl 2030

Displaying and maintaining Web login

Task

Command

Remarks

Display information about Web users.

display web users [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display HTTP state information.

display ip http [ | { begin | exclude | include } regular-expression ]

Available in any view.

 

HTTP login example

Network requirements

As shown in Figure 15, configure the switch to allow the PC to log in over the IP network.

Figure 15 Network diagram

 

Configuration procedure

1.     Configure the switch:

# Create VLAN 999, and add GigabitEthernet 3/0/1, the interface that connects the switch to the PC, to the VLAN.

<Sysname> system-view

[Sysname] vlan 999

[Sysname-vlan999] port GigabitEthernet 3/0/1

[Sysname-vlan999] quit

# Specify the IP address and subnet mask of VLAN-interface 999 as 192.168.0.58 and 255.255.255.0.

[Sysname] interface vlan-interface 999

[Sysname-VLAN-interface999] ip address 192.168.0.58 255.255.255.0

[Sysname-VLAN-interface999] quit

# Create a local user named admin, and set the password to admin for the user. Specify the Web service type for the local user, and set the command level to 3 for this user.

[Sysname] local-user admin

[Sysname-luser-admin] service-type web

[Sysname-luser-admin] authorization-attribute level 3

[Sysname-luser-admin] password simple admin

2.     Verify the configuration:

# On the PC, run the Web browser. Enter the IP address of the switch in the address bar. The Web login page appears, as shown in Figure 16.

Figure 16 Web login page


 

# Enter the user name, password, verify code, select English, and click Login. The homepage appears. After login, you can configure switch settings through the Web interface.

HTTPS login configuration example

Network requirements

As shown in Figure 17, to allow only authorized users to access the switch's Web interface, configure the switch as the HTTPS server and the host as the HTTPS client, and request a certificate for each of them.

Figure 17 Network diagram

 

Configuration procedure

In this example, the CA runs Windows Server and has the SCEP add-on installed. The switch, host, and CA can reach one another.

1.     Configure the switch (HTTPS server):

# Configure a PKI entity, and set the common name to http-server1 and the FQDN to ssl.security.com.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] common-name http-server1

[Sysname-pki-entity-en] fqdn ssl.security.com

[Sysname-pki-entity-en] quit

# Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as http://10.1.2.2/certsrv/mscep/mscep.dll, authority for certificate request as RA, and the entity for certificate request as en.

[Sysname] pki domain 1

[Sysname-pki-domain-1] ca identifier new-ca

[Sysname-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll

[Sysname-pki-domain-1] certificate request from ra

[Sysname-pki-domain-1] certificate request entity en

[Sysname-pki-domain-1] quit

# Create RSA local key pairs.

[Sysname] public-key local create rsa

# Retrieve the CA certificate.

[Sysname] pki retrieval-certificate ca domain 1

# Request a local certificate for the switch through SCEP.

[Sysname] pki request-certificate domain 1

# Create SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.

[Sysname] ssl server-policy myssl

[Sysname-ssl-server-policy-myssl] pki-domain 1

[Sysname-ssl-server-policy-myssl] client-verify enable

[Sysname-ssl-server-policy-myssl] quit

# Create certificate attribute group mygroup1 and configure a certificate attribute rule for it, specifying that the distinguished name in the issuer name includes the string new-ca.

[Sysname] pki certificate attribute-group mygroup1

[Sysname-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca

[Sysname-pki-cert-attribute-group-mygroup1] quit

# Create certificate attribute-based access control policy myacp and configure a certificate attribute-based access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group mygroup1.

[Sysname] pki certificate access-control-policy myacp

[Sysname-pki-cert-acp-myacp] rule 1 permit mygroup1

[Sysname-pki-cert-acp-myacp] quit

# Associate the HTTPS service with SSL server policy myssl.

[Sysname] ip https ssl-server-policy myssl

# Associate the HTTPS service with certificate attribute-based access control policy myacp.

[Sysname] ip https certificate access-control-policy myacp

# Enable the HTTPS service.

[Sysname] ip https enable

# Create local user usera, set the password to 123, assign the Web service type to the user, and specify the user privilege level 3.

[Sysname] local-user usera

[Sysname-luser-usera] password simple 123

[Sysname-luser-usera] authorization-attribute level 3

[Sysname-luser-usera] service-type web

2.     Configure the host (HTTPS client):

On the host, run the IE browser, and then enter http://10.1.2.2/certsrv in the address bar and request a certificate for the host as prompted.

3.     Verify the configuration:

On the host, enter https://10.1.1.1 in the browser's address bar and then select the certificate issued by new-ca. When the Web login page of the switch appears, enter the username usera and password 123 to log in to the Web management page.

For more information about PKI configuration commands, SSL configuration commands, and the public-key local create rsa command, see Security Command Reference.
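The following is an added example, not H3C code, that models the certificate attribute group and access control policy configured in this example (attribute 1 issuer-name dn ctn new-ca in mygroup1, rule 1 permit mygroup1 in myacp). The attribute policy runs after client-verify enable has already validated the client certificate chain; it is an extra authorization step on the certificate's contents. Certificate fields are constructed strings, not parsed X.509. The page shows only the ctn (contains) operator; nctn, equ and nequ are modelled here as not-contains, equals and not-equals and are an assumption about the command syntax. Three further semantics are assumed because the page does not spell them out: a certificate matches a group only when it satisfies every attribute rule in that group, policy rules are tried in ascending rule ID order, and a certificate that matches no policy rule is rejected.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    """The certificate fields the attribute rules examine (constructed, not parsed X.509)."""
    subject_dn: str
    issuer_dn: str
    subject_fqdn: str = ""   # subjectAltName dNSName
    subject_ip: str = ""     # subjectAltName iPAddress


@dataclass
class AttrRule:
    attr_id: int
    name: str    # "issuer-name" | "subject-name" | "alt-subject-name"
    kind: str    # "dn" | "fqdn" | "ip"
    op: str      # "ctn" (on the page) | "nctn" | "equ" | "nequ" (assumed)
    value: str


def cert_field(cert: Cert, name: str, kind: str) -> str:
    if kind == "dn" and name == "issuer-name":
        return cert.issuer_dn
    if kind == "dn" and name == "subject-name":
        return cert.subject_dn
    if kind == "fqdn" and name in ("subject-name", "alt-subject-name"):
        return cert.subject_fqdn
    if kind == "ip" and name in ("subject-name", "alt-subject-name"):
        return cert.subject_ip
    raise ValueError(f"unsupported attribute {name} {kind}")


def attr_matches(rule: AttrRule, cert: Cert) -> bool:
    actual = cert_field(cert, rule.name, rule.kind)
    ops = {"ctn": lambda a, v: v in a, "nctn": lambda a, v: v not in a,
           "equ": lambda a, v: a == v, "nequ": lambda a, v: a != v}
    return ops[rule.op](actual, rule.value)


@dataclass
class AttributeGroup:
    """pki certificate attribute-group <name>"""
    name: str
    rules: List[AttrRule] = field(default_factory=list)

    def attribute(self, attr_id: int, name: str, kind: str, op: str, value: str) -> None:
        self.rules.append(AttrRule(attr_id, name, kind, op, value))

    def matches(self, cert: Cert) -> bool:
        # Assumption: all rules must match; an empty group matches nothing.
        return bool(self.rules) and all(attr_matches(r, cert) for r in self.rules)


@dataclass
class PolicyRule:
    rule_id: int
    action: str   # "permit" | "deny"
    group: str


@dataclass
class AccessControlPolicy:
    """pki certificate access-control-policy <name>"""
    name: str
    rules: List[PolicyRule] = field(default_factory=list)

    def rule(self, rule_id: int, action: str, group: str) -> None:
        self.rules.append(PolicyRule(rule_id, action, group))

    def evaluate(self, cert: Cert, groups: Dict[str, AttributeGroup]) -> Tuple[str, Optional[int]]:
        """First matching rule in ascending rule ID order decides; no match = rejected (assumed)."""
        for r in sorted(self.rules, key=lambda r: r.rule_id):
            if groups[r.group].matches(cert):
                return r.action, r.rule_id
        return "deny", None


def build_policy(with_lab_deny: bool = False) -> Tuple[AccessControlPolicy, Dict[str, AttributeGroup]]:
    """with_lab_deny=False: exactly the page's mygroup1/myacp.  True: a constructed
    variant that refuses lab certificates from new-ca before permitting the rest."""
    mygroup1 = AttributeGroup("mygroup1")
    mygroup1.attribute(1, "issuer-name", "dn", "ctn", "new-ca")       # from the page
    groups = {"mygroup1": mygroup1}
    myacp = AccessControlPolicy("myacp")
    if not with_lab_deny:
        myacp.rule(1, "permit", "mygroup1")                            # from the page
        return myacp, groups
    labgroup = AttributeGroup("labgroup")                              # constructed
    labgroup.attribute(1, "issuer-name", "dn", "ctn", "new-ca")
    labgroup.attribute(2, "subject-name", "dn", "ctn", "OU=lab")
    groups["labgroup"] = labgroup
    myacp.rule(1, "deny", "labgroup")
    myacp.rule(2, "permit", "mygroup1")
    return myacp, groups


def decide(cert: Cert, with_lab_deny: bool = False) -> Tuple[str, Optional[int]]:
    policy, groups = build_policy(with_lab_deny)
    return policy.evaluate(cert, groups)


if __name__ == "__main__":
    print(decide(Cert("CN=host1,O=security", "CN=new-ca,O=security")))
    print(decide(Cert("CN=bench3,OU=lab,O=security", "CN=new-ca,O=security"), True))
    print(decide(Cert("CN=host9,O=other", "CN=other-ca,O=other")))
```

Note that ctn is a substring test: "new-ca" also matches an issuer DN such as CN=new-ca-staging. When the intent is "issued by exactly this CA", an exact-match operator on the full issuer DN is the safer rule, and the ordering of deny rules before permit rules is what makes the constructed labgroup exclusion effective.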


Logging in through SNMP from an NMS

You can run SNMP on an NMS to access the device MIB and perform GET and SET operations to manage and monitor the device. The device supports SNMPv1, SNMPv2c, and SNMPv3, and can work with various network management software products, including IMC. For more information about SNMP, see Network Management and Monitoring Configuration Guide.

By default, SNMP access is disabled. To enable SNMP access, log in to the device by using any other method.

Configuring SNMP login

Connect the Ethernet port of the NMS host to an Ethernet port of VLAN 1 on the switch, and make sure that the NMS host and VLAN 1 interface can reach each other.

Figure 18 Network diagram

 

IMPORTANT:

This document describes only the basic SNMP configuration procedures on the device. To make SNMP work correctly, make sure the SNMP settings (including the SNMP version) on the NMS are consistent with those on the device.

 

Prerequisites

·     Assign an IP address to a Layer 3 interface on the device.

·     Configure routes to make sure that the NMS and the Layer 3 interface can reach each other.

Configuring SNMPv3 settings

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable SNMP agent.

snmp-agent

Optional.

Disabled by default.

You can enable SNMP agent with this command or any command that begins with snmp-agent.

3.     Configure an SNMP group and specify its access right.

snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

By default, no SNMP group is configured.

4.     Add a user to the SNMP group.

snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ]

If the cipher keyword is specified, both auth-password and priv-password are cipher text passwords.

 
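The following is an added example, not H3C code, showing what an SNMPv3 agent does with the auth-password given on the snmp-agent usm-user v3 command: the RFC 3414 password-to-key derivation followed by key localization with the agent's engine ID. It uses only the Python standard library. The test vector (password maplesyrup, engine ID 00 00 00 00 00 00 00 00 00 00 00 02) is the one published in RFC 3414 Appendix A.3; the two other engine IDs are constructed. The priv-password for privacy-mode goes through the same derivation with the authentication hash.

```python
import hashlib

ONE_MIB = 1048576


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku (RFC 3414 A.2): hash the password repeated to exactly 1 MiB.  The cost of
    the 1 MiB hash is deliberate; it slows down offline guessing of the password."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key stored on the agent is unique to
    that agent's engine ID, so the password itself is never stored or sent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_key(password: str, engine_id: bytes, auth_mode: str) -> bytes:
    """Localized key for authentication-mode { md5 | sha } (16 or 20 bytes)."""
    algo = {"md5": "md5", "sha": "sha1"}[auth_mode]
    return localize_key(password_to_key(password.encode(), algo), engine_id, algo)


RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3


def rfc_vectors() -> dict:
    """Reproduce the RFC 3414 Appendix A.3 vectors for password 'maplesyrup'."""
    return {
        "md5_ku": password_to_key(b"maplesyrup", "md5").hex(),
        "md5_kul": usm_key("maplesyrup", RFC_ENGINE_ID, "md5").hex(),
        "sha_kul": usm_key("maplesyrup", RFC_ENGINE_ID, "sha").hex(),
    }


def keys_differ_per_engine(password: str) -> bool:
    """Same password, two constructed engine IDs: the localized keys differ, so the
    key material on one agent says nothing about the key on another."""
    a = usm_key(password, bytes.fromhex("80000009030000aa00000001"), "sha")  # constructed
    b = usm_key(password, bytes.fromhex("80000009030000aa00000002"), "sha")  # constructed
    return a != b


if __name__ == "__main__":
    for name, value in rfc_vectors().items():
        print(name, value)
    print("per-engine keys differ:", keys_differ_per_engine("maplesyrup"))
```

This is why the SNMP version and authentication settings on the NMS must match the agent exactly, as the IMPORTANT note above says: the NMS derives the same localized key from the password and the engine ID it discovers, and a mismatch in md5 versus sha yields a different key and a silent authentication failure. Of the two choices on this switch, sha is the one to prefer; md5 is listed for compatibility.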

Configuring SNMPv1 or SNMPv2c settings

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable SNMP agent.

snmp-agent

Optional.

Disabled by default.

You can enable SNMP agent with this command or any command that begins with snmp-agent.

3.     Create or update MIB view information.

snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]

Optional.

By default, the MIB view name is ViewDefault and OID is 1.

4.     Specify the SNMP NMS access right.

·     (Method 1) Specify the SNMP NMS access right directly by configuring an SNMP community
snmp-agent community
{ read | write } community-name [ acl acl-number | mib-view view-name ]*

·     (Method 2) Specify the SNMP NMS access right indirectly

a.     Configure an SNMP group
snmp-agent group
{ v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

b.     Add a user to the SNMP group
snmp-agent usm-user
{ v1 | v2c } user-name group-name [ acl acl-number ]

Use either method.

The direct configuration method is for SNMPv1 or SNMPv2c. The community name configured on the NMS should be consistent with the username configured on the agent.

The indirect configuration method is for SNMPv3.

 

NMS login example

In this example, IMC is used as the NMS for illustration.

1.     Configure the switch:

# Assign IP address 13.13.13.111/24 to VLAN-interface 1. Make sure the switch and the NMS host can reach each other. (Details not shown.)

# Enter system view.

<Sysname> system-view

# Enable the SNMP agent.

[Sysname] snmp-agent

# Create an SNMP community and assign access rights.

[Sysname] snmp-agent sys-info version all

[Sysname] snmp-agent community read public

[Sysname] snmp-agent community write private

# Configure an SNMP group.

[Sysname] snmp-agent group v3 managev3group

# Add a user to the SNMP group.

[Sysname] snmp-agent usm-user v3 managev3user managev3group

2.     Configure IMC:

a.     On the PC, launch a browser, and enter http://192.168.4.112:8080/imc in the address bar. (Suppose the IP address of IMC is 192.168.4.112.)

When you log in to IMC for the first time, you can use the default account with the username admin and password admin. Be sure to change the password immediately after login. For information about how to change the password, see IMC manuals, such as H3C Intelligent Management Center Getting Started Guide.

b.     On the login page, enter the username and password, and then click Login.

The IMC homepage appears.

c.     Configure the switch in the IMC system. (Details not shown.)

The settings of the switch in the IMC system must match those of the switch. For more information about NMS and SNMP agent configuration on IMC and the switch, see Network Management and Monitoring Configuration Guide.

You can also add accounts with different rights for operators and perform other operations in the IMC system. For more information about IMC, see IMC manuals.


Logging in through CWMP from an ACS

You can launch a browser on a PC to log in to an ACS, and use the server to access and manage CPE through the CWMP.

CWMP is intended for management and configuration of home network devices in DSL access networks. The H3C implementation of the ACS system is the IMC BIMS component, which runs on IMC Platform. For more information about ACS and CWMP, see Network Management and Monitoring Configuration Guide. For more information about IMC BIMS, see the IMC BIMS manuals.

To log in to an ACS running BIMS from a PC, follow these steps:

1.     Launch a browser on the PC.

2.     Enter http://10.185.10.41:8080/imc in the address bar (suppose that the ACS uses the IP address 10.185.10.41 and the port 8080).

3.     Enter the login username and password, which are the same as those used for logging in to IMC.

When you log in to IMC for the first time, you can use the default account with the username admin and password admin. Be sure to change the password immediately after login. For information about how to change the password, see IMC manuals, such as H3C Intelligent Management Center Getting Started Guide.

You can also add accounts with different rights for operators and perform other operations in the IMC system. For more information, see IMC online help.


 

Configuring user interfaces

The switch uses user interfaces (also called "lines") to control CLI logins and monitor CLI sessions. You can configure access control settings, including authentication, user privilege, and login redirect on the user interfaces. After users are logged in, their actions must be compliant with the settings on the user interfaces assigned to them.

Users are assigned different user interfaces, depending on their login methods, as shown in Table 6.

Table 6 CLI login method and user interface matrix

User interface

Login method

Console user interface

Console port (EIA/TIA-232 DCE)

AUX user interface

AUX port (EIA/TIA-232 DTE, typically used for dial-in access through modems)

VTY user interface

Telnet or SSH

 

The switch supports at most 16 concurrent VTY users.

User interface assignment

The switch automatically assigns user interfaces to CLI login users, depending on their login methods. Each user interface can be assigned to only one user at a time. If no user interface is available, a CLI login attempt will be rejected.

For a CLI login, the switch always picks the lowest numbered user interface from the idle user interfaces available for the type of login. For example, four VTY user interfaces (0 to 3) are configured, of which VTY 0 and VTY 3 are idle. When a user Telnets to the switch, the switch assigns VTY 0 to the user and uses the settings on VTY 0 to authenticate and manage the user.

User interface numbering

User interfaces can be numbered in two ways: absolute numbering and relative numbering.

Absolute numbering

An absolute number uniquely identifies a user interface among all user interfaces. The user interfaces are numbered starting from 0 and incrementing by 1 and in the sequence of console, AUX, and VTY user interfaces.

·     Standalone mode

The console port and AUX port each use two numbers, and the VTY user interface uses numbers 20 through 35.

·     IRF mode

The user interfaces of the master are numbered first, followed by those of the subordinate switch. The console port and AUX port each use four numbers, and the VTY user interface uses numbers 24 through 39.

You can use the display user-interface command without any parameters to view supported user interfaces and their absolute numbers.

Relative numbering

A relative number uniquely identifies a user interface among all user interfaces that are the same type in the format user interface type + number, starting from 0 and incrementing by 1. For example, the first console user interface is console 0.
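The following is an added example, not H3C code, that models the assignment and numbering rules from the preceding sections: the mapping between relative numbers (console 0, vty 0) and absolute numbers, the lowest-numbered idle interface rule, and rejection when no interface of the type is free. The ranges are the ones the page gives (standalone: console and AUX two numbers each, VTY 20 through 35; IRF: four each, VTY 24 through 39); the gap between the AUX block and the first VTY number is kept as the page states it. The login-method-to-interface mapping follows Table 6; user names are constructed.

```python
from typing import Dict, Optional, Tuple

# (first absolute number, count) per user interface type, from the page.
LAYOUTS = {
    "standalone": {"console": (0, 2), "aux": (2, 2), "vty": (20, 16)},
    "irf":        {"console": (0, 4), "aux": (4, 4), "vty": (24, 16)},
}

# Login method -> user interface type (Table 6).
METHOD_TO_TYPE = {"console": "console", "modem": "aux", "telnet": "vty", "ssh": "vty"}


class UserInterfaces:
    def __init__(self, mode: str = "standalone") -> None:
        self.layout = LAYOUTS[mode]
        self.busy: Dict[int, str] = {}   # absolute number -> logged-in user

    def absolute(self, ui_type: str, relative: int) -> int:
        """Relative number (vty 0) -> absolute number (20 in standalone mode)."""
        first, count = self.layout[ui_type]
        if not 0 <= relative < count:
            raise ValueError(f"{ui_type} {relative} does not exist")
        return first + relative

    def relative(self, absolute: int) -> Tuple[str, int]:
        """Absolute number -> (type, relative), the pairing display user-interface shows."""
        for ui_type, (first, count) in self.layout.items():
            if first <= absolute < first + count:
                return ui_type, absolute - first
        raise ValueError(f"absolute number {absolute} is not a user interface")

    def login(self, method: str, user: str) -> Optional[Tuple[str, int]]:
        """Assign the lowest-numbered idle interface of the login type, or None (rejected)."""
        ui_type = METHOD_TO_TYPE[method]
        first, count = self.layout[ui_type]
        for n in range(first, first + count):
            if n not in self.busy:
                self.busy[n] = user
                return ui_type, n - first
        return None

    def logout(self, ui_type: str, relative: int) -> None:
        """What free user-interface or an idle-timeout does to the slot."""
        self.busy.pop(self.absolute(ui_type, relative), None)


def page_scenario() -> Optional[Tuple[str, int]]:
    """The page's example: VTY 0 and VTY 3 are idle among VTY 0 to 3; the next
    Telnet or SSH user gets VTY 0."""
    ui = UserInterfaces("standalone")
    for name in ("u0", "u1", "u2", "u3"):       # constructed users
        ui.login("telnet", name)
    ui.logout("vty", 0)
    ui.logout("vty", 3)
    return ui.login("ssh", "newuser")


def vty_exhaustion() -> Tuple[int, Optional[Tuple[str, int]]]:
    """Fill all 16 VTYs (the page's concurrent-user limit); the 17th login is rejected."""
    ui = UserInterfaces("standalone")
    accepted = sum(1 for i in range(16) if ui.login("telnet", f"u{i}") is not None)
    return accepted, ui.login("telnet", "u16")


if __name__ == "__main__":
    print("page scenario:", page_scenario())
    print("exhaustion:", vty_exhaustion())
    print("vty 0 absolute:", UserInterfaces("standalone").absolute("vty", 0),
          UserInterfaces("irf").absolute("vty", 0))
```

The vty_exhaustion case is the availability angle of these rules: sixteen open sessions, idle or not, lock every further Telnet and SSH administrator out until a slot is released. The page's own controls for that are the idle-timeout on the user interface, an inbound ACL on the VTY interfaces, and free user-interface from a console session; display users shows who holds each slot.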

User interface configuration task list

 

Configuring asynchronous serial interface attributes

For users to Telnet to Device B from Device A, you can connect Device A to Device B through the asynchronous serial interfaces, and configure the redirect enable and redirect listen-port port-number commands on Device A. Then, users can use the telnet DeviceA's-IP-address port-number command to log in to Device B. To facilitate the user login operation, you can associate the Telnet redirect listening port with Device A's IP address by using the ip alias ip-address port-number command, so users only need to enter telnet IP-address to log in to Device B.

To configure asynchronous attributes for a serial interface (AUX port or console port):

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user interface view.

user-interface { first-num1 [ last-num1 ] | { aux | console } first-num2 [ last-num2 ] }

N/A

3.     Configure the transmission rate.

speed speed-value

Optional.

9600 bps by default.

4.     Configure the data bits for each character.

databits { 5 | 6 | 7 | 8 }

Optional.

The setting depends on the contents to be transmitted. For example, set it to 7 if standard ASCII characters are to be sent, or 8 if extended ASCII characters are to be sent.

8 by default.

5.     Configure a parity check method.

parity { even | mark | none | odd | space }

Optional.

None by default.

6.     Configure the number of stop bits transmitted per byte.

stopbits { 1 | 1.5 | 2 }

Optional.

1 by default.

7.     Detect the stop bits.

stopbit-error intolerance

Optional.

By default, stop bits are not detected.

8.     Configure the flow control mode.

flow-control { hardware | software | none }

Optional.

By default, the flow control mode is none.

The switch does not support the hardware and software keywords.

9.     Associate the Telnet redirect listening port with an IP address.

ip alias ip-address port-number

Optional.

By default, no IP address is associated with the Telnet redirect listening port.

 

Configuring common settings for user interfaces

The device supports two terminal display types: ANSI and VT100. H3C recommends that you set the display type to VT100 on both the device and the configuration terminal. If either side uses the ANSI type, a display problem such as cursor positioning error might occur when a command line has more than 80 characters.

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user interface view.

user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }

N/A

3.     Start the terminal service.

shell

Optional.

The terminal service is enabled on all user interfaces by default.

4.     Set the idle-timeout disconnection function for terminal users.

idle-timeout minutes [ seconds ]

Optional.

10 minutes by default.

5.     Set the maximum number of lines on a screen.

screen-length screen-length

Optional.

By default, up to 24 lines of data are displayed on a screen.

6.     Set the display type of the current user terminal.

terminal type { ansi | vt100 }

Optional.

ANSI by default.

7.     Set the size of the history command buffer of the user interface.

history-command max-size size-value

Optional.

The history buffer can store 10 commands by default.

8.     Return to user view.

return

N/A

9.     Lock the user interface to prevent unauthorized users from using this interface.

lock

Optional.

Disabled by default.

 

Configuring the command auto-execute function

CAUTION:

You might be unable to access the CLI through a VTY user interface after configuring the auto-execute command command on it. Before you configure the command and save the configuration, make sure you can access the CLI through a different user interface.

 

The command auto-execute function is typically used for redirecting a Telnet user to a specific host. After the specified command has been executed and its task completed, the system automatically disconnects the Telnet session.

To configure the command auto-execute function:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user interface view.

user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }

N/A

The console port does not support this command.

3.     Specify a command to be automatically executed when a user logs in to the user interfaces.

auto-execute command command

By default, no automatically executed command is specified.

 

Configuring a user privilege level for user interfaces

User privilege levels restrict the access rights of different users to the switch:

·     If the authentication mode is scheme, the user must provide the username and password. For SSH publickey authentication, the user privilege level is the user interface level configured in user interface view, which is 0 by default.

·     If the authentication mode is none or password when a user logs in, no username is needed, and the privilege level of the user is the user interface level.

The user privilege level can be configured in user interface view or by configuring AAA parameters. Which configuration mode takes effect depends on the user login authentication mode. For more information, see "Using the CLI."

To configure the user privilege level for user interfaces:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user interface view.

user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }

N/A

3.     Configure the user privilege level for the current user interface.

user privilege level level

Optional.

By default, users logging in through the console port have a privilege level of 3; users logging in through other user interfaces have a privilege level of 0.

 

Configuring access control on VTY user interfaces

You can configure access control on the VTY user interface by referencing an ACL. For more information about ACL, see ACL and QoS Configuration Guide.

To control access to VTY user interfaces:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter VTY user interface view.

user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }

N/A

3.     Control access to the VTY user interface.

·     By referencing a basic/advanced ACL:
acl
[ ipv6 ] acl-number { inbound | outbound }

·     By referencing a WLAN/Ethernet frame header ACL:
acl
acl-number inbound

Use either command.

No access control is set by default.

 

Configuring supported protocols on VTY user interfaces

If SSH is configured, you must set the authentication mode to scheme by using the authentication-mode scheme command to guarantee a successful login. The protocol inbound ssh command fails if the authentication mode is password or none.

To configure supported protocols on VTY user interfaces:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter VTY user interface view.

user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }

N/A

3.     Configure the supported protocols on the current user interface.

protocol inbound { all | ssh | telnet }

Optional.

By default, both Telnet and SSH are supported.

The specified protocols take effect the next time you log in through that user interface.

 

Configuring authentication mode

Authentication mode under a user interface determines whether to authenticate users that are logging in through the user interface. The switch supports the following authentication modes:

·     None: Requires no authentication. This mode is insecure.

·     Password: Requires password authentication. If your password was lost, see H3C Series Ethernet Switches Login Password Recovery Manual for password recovery.

·     Scheme: Uses the AAA module to provide local or remote console login authentication. You must provide a username and password for accessing the CLI. If the password configured in the local user database was lost, see H3C Series Ethernet Switches Login Password Recovery Manual for password recovery. If the username or password configured on a remote server was lost, contact the server administrator for help.

To improve switch security, configure the password or scheme authentication mode immediately after you log in to the switch for the first time.

For more information about user authentication modes and parameters, see Security Configuration Guide. By default, the switch performs local authentication on users. If you log in through SSH, the rules apply to password authentication only. For more information about SSH, see Security Configuration Guide.

To configure the authentication mode as none:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user interface view.

user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }

N/A

3.     Enable the none authentication mode.

authentication-mode none

The default is password for VTY and AUX logins and none for console login.

 

To configure the authentication mode as password:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user interface view.

user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }

N/A

3.     Enable password authentication.

authentication-mode password

The default is password for VTY and AUX logins and none for console login.

4.     Set the local authentication password.

set authentication password [ hash ] { cipher | simple } password

No local authentication password is set by default.

This command is not supported in FIPS mode.

 

To configure the authentication mode as scheme (local authentication):

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user interface view.

user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }

N/A

3.     Enable scheme authentication.

authentication-mode scheme

The default is password for VTY and AUX logins and none for console login.

4.     Set the user privilege level.

See "Configuring a user privilege level for user interfaces."

Optional.

By default, console users have a privilege level of 3, and other users have a privilege level of 0.

5.     Exit to system view.

quit

N/A

6.     Create a local user and enter local user view.

local-user user-name

By default, no local user exists.

7.     Set the authentication password.

password { cipher | simple } password

N/A

8.     Assign services.

service-type { ssh | telnet | terminal } *

VTY users use Telnet or SSH service. Console or AUX users use terminal service.

9.     Configure user attributes.

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *

Optional.

By default, FTP/SFTP users can access the switch's root directory with the user level 0.

 

For more information about the local-user, password, service-type, and authorization-attribute commands, see Security Command Reference.

Configuring command authorization

By default, the command level available to a login user depends on the user privilege level: a user can use commands at or below the user privilege level. If command authorization is enabled, a command is available only if the user has the required privilege level and is also authorized to use the command by the AAA scheme.

To configure command authorization:

1.     Configure the authentication mode as scheme.

2.     Enable command authorization.

3.     Configure an HWTACACS scheme to specify the IP addresses of the HWTACACS authorization servers and other related parameters.

4.     Configure the ISP domain to use the HWTACACS scheme for command line users.

For more information about HWTACACS configuration, see Security Configuration Guide.

To enable command authorization:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user interface view.

user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }

N/A

3.     Enable command authorization.

command authorization

By default, command authorization is disabled. The commands available for a user only depend on the user privilege level.

 

Configuring command accounting

Command accounting allows the HWTACACS server to record all executed commands that are supported by the switch, regardless of the command execution result. This function helps control and monitor user behaviors on the switch.

If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

To configure command accounting:

1.     Enable command accounting.

2.     Configure an HWTACACS scheme to specify the IP addresses of the HWTACACS accounting servers and other related parameters.

3.     Configure the ISP domain to use the HWTACACS scheme for command line users.

For more information about HWTACACS configurations, see Security Configuration Guide.

To enable command accounting:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user interface view.

user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }

N/A

3.     Enable command accounting.

command accounting

By default, command accounting is disabled. The accounting server does not record the commands executed by users.

 
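The following is an added example, not H3C code, that models the rules stated in "Configuring a user privilege level for user interfaces", "Configuring command authorization" and "Configuring command accounting" together, since they form one decision: which level a user gets from the authentication mode, whether a command at that level still needs AAA authorization, and which commands end up in the accounting record. The HWTACACS server is replaced by a constructed in-memory authorization table and a list that stands in for the accounting log; the command levels and user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class UserInterface:
    """The user-interface view settings this model reads."""
    authentication_mode: str = "password"   # authentication-mode { none | password | scheme }
    user_privilege_level: int = 0           # user privilege level <level>
    command_authorization: bool = False     # command authorization
    command_accounting: bool = False        # command accounting


@dataclass
class LocalUser:
    name: str
    level: int   # authorization-attribute level <level>


@dataclass
class HwtacacsStub:
    """Constructed stand-in for the HWTACACS server: an authorization table and a
    list that plays the role of the accounting log."""
    authorized: Dict[str, Set[str]]
    accounting_log: List[str] = field(default_factory=list)

    def authorize(self, user: str, cmd: str) -> bool:
        return cmd in self.authorized.get(user, set())

    def account(self, user: str, cmd: str) -> None:
        self.accounting_log.append(f"{user}: {cmd}")


# Constructed command levels; Comware levels run from 0 (visit) to 3 (manage).
COMMAND_LEVELS = {"ping": 0, "display users": 1, "system-view": 2, "local-user": 3}


def effective_level(ui: UserInterface, user: Optional[LocalUser],
                    ssh_publickey: bool = False) -> int:
    """none/password: the user interface level.  scheme: the AAA level (here the
    local user's authorization-attribute level), except for SSH publickey users,
    who get the user interface level."""
    if ui.authentication_mode != "scheme" or ssh_publickey or user is None:
        return ui.user_privilege_level
    return user.level


def run_command(ui: UserInterface, user: Optional[LocalUser], cmd: str,
                server: HwtacacsStub, ssh_publickey: bool = False) -> str:
    name = user.name if user else "(no username)"
    if COMMAND_LEVELS[cmd] > effective_level(ui, user, ssh_publickey):
        return "rejected: above privilege level"
    if ui.command_authorization and not server.authorize(name, cmd):
        return "rejected: not authorized by AAA"
    if ui.command_accounting:   # only commands that actually execute are recorded
        server.account(name, cmd)
    return "executed"


def scenario() -> Dict[str, object]:
    """Run the cases the text describes and return the outcomes plus the log."""
    server = HwtacacsStub(authorized={"alice": {"ping", "display users", "system-view"}})
    alice = LocalUser("alice", level=3)
    vty_pw = UserInterface("password", user_privilege_level=1)
    vty_authz = UserInterface("scheme", command_authorization=True, command_accounting=True)
    vty_acct = UserInterface("scheme", command_accounting=True)
    out: Dict[str, object] = {}
    out["pw_display"] = run_command(vty_pw, None, "display users", server)        # 1 <= 1
    out["pw_sysview"] = run_command(vty_pw, None, "system-view", server)           # 2 > 1
    out["authz_sysview"] = run_command(vty_authz, alice, "system-view", server)    # level 3, authorized
    out["authz_localuser"] = run_command(vty_authz, alice, "local-user", server)   # level 3, not authorized
    out["pubkey_sysview"] = run_command(vty_authz, alice, "system-view", server, ssh_publickey=True)
    out["acct_localuser"] = run_command(vty_acct, alice, "local-user", server)     # accounting only
    out["log"] = list(server.accounting_log)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Two results are worth checking against the text. The pubkey_sysview case shows why the user privilege level on the VTY interfaces matters even under scheme authentication: an SSH publickey user gets the interface level (0 by default), not the local user's level 3. The log shows the accounting rule: with authorization and accounting both on, only alice's authorized system-view was recorded; on the accounting-only interface her local-user command was recorded as well, because there every executed command is.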

Defining shortcut keys for starting terminal sessions/aborting tasks

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user interface view.

user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }

N/A

3.     Define a shortcut key for starting a terminal session.

activation-key character

Optional.

Pressing Enter starts the terminal session by default.

This command is not supported on VTY user interfaces.

4.     Define a shortcut key for aborting a task.

escape-key { default | character }

Optional.

The default shortcut key combination for aborting a task is Ctrl+C.

 

Sending messages to user interfaces

Task

Command

Remarks

Send messages to user interfaces.

send { all | num1 | { aux | console | vty } num2 }

Available in user view.

 

Releasing connections to user interfaces

Multiple administrators can log in to the system simultaneously to configure the switch. When you want to make configurations without interruption from other administrators, you can release other login connections.

You cannot use this command to release the connection that you are using.

To release connections to user interfaces:

 

Task

Command

Remarks

Release connections to user interfaces.

free user-interface { num1 | { aux | console | vty } num2 }

Available in user view.

 

Displaying and maintaining user interfaces

Task

Command

Remarks

Display information about all the user interfaces supported on the switch.

display users [ all ] [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display information about the specified or all user interfaces.

display user-interface [ num1 | { aux | console | vty } num2 ] [ summary ] [ | { begin | exclude | include } regular-expression ]

Available in any view.

 

User interface configuration examples

User authentication configuration example

Network requirements

As shown in Figure 19, three administrators need to access the switch for switch management: one through a console port, one through an IP network, and one through a PSTN.

Configure the switch to:

·     Perform no authentication for users who log in through the console port.

·     Perform password authentication for users who log in through the IP network.

·     Use the RADIUS server to authenticate users who log in through the PSTN, and use local authentication as the backup.

·     Assign different command levels to different types of users.

Figure 19 Network diagram

 

Configuration procedure

# Assign IP addresses to the interfaces on the switch so that the switch and Host B can reach each other and the switch and the RADIUS server can reach each other. (Details not shown.)

# Enable the Telnet service on the switch.

<Sysname> system-view

[Sysname] telnet server enable

# Configure the switch to perform no authentication for users logging in through the console port and to allow the users to use commands of privilege level 3 (all commands).

[Sysname] user-interface console 0

[Sysname-ui-console0] authentication-mode none

[Sysname-ui-console0] user privilege level 3

[Sysname-ui-console0] quit

# Configure the switch to perform password authentication for users logging in to VTY user interfaces 0 through 4. Set the password to 123, and set the privilege level of the users to 2.

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] authentication-mode password

[Sysname-ui-vty0-4] set authentication password cipher 123

[Sysname-ui-vty0-4] user privilege level 2

[Sysname-ui-vty0-4] quit

# Configure the switch to use AAA to authenticate users logging in to user interface VTY 5.

[Sysname] user-interface vty 5

[Sysname-ui-vty5] authentication-mode scheme

[Sysname-ui-vty5] quit

# Create a RADIUS scheme and configure the IP address and UDP port for the primary authentication server for the scheme. Make sure that the port number is consistent with that on the RADIUS server. Set the shared key for authentication packets to expert for the scheme and the RADIUS server type of the scheme to extended. Configure the switch to remove the domain name in the username sent to the RADIUS server.

[Sysname] radius scheme rad

[Sysname-radius-rad] primary authentication 192.168.2.20 1812

[Sysname-radius-rad] key authentication expert

[Sysname-radius-rad] server-type extended

[Sysname-radius-rad] user-name-format without-domain

[Sysname-radius-rad] quit

# Configure the default ISP domain system to use RADIUS scheme rad for login users and use local authentication as the backup.

[Sysname] domain system

[Sysname-isp-system] authentication login radius-scheme rad local

[Sysname-isp-system] authorization login radius-scheme rad local

[Sysname-isp-system] quit

# Add a local user named monitor, set the user password to 123, and store the password in cipher text. Authorize user monitor to use the Telnet service and set the level of the user to 1, the monitor level. This local user is only consulted when the RADIUS server is unreachable, because the domain lists local after radius-scheme rad.

[Sysname] local-user monitor

[Sysname-luser-monitor] password cipher 123

[Sysname-luser-monitor] service-type telnet

[Sysname-luser-monitor] authorization-attribute level 1
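The two settings that most often break this configuration are the shared key (key authentication expert) and the username format (user-name-format without-domain): the key must be identical on the switch and the RADIUS server, and the server must be provisioned with the username exactly as the switch sends it. The following added example, which is not H3C code or the code of any RADIUS server, shows what both settings mean on the wire: it builds the RFC 2865 Access-Request a NAS would send for user monitor, hides the password with the shared key, and verifies the Response Authenticator on the reply. The NAS address 192.168.2.1, the request identifier and the Request Authenticator are constructed values, and strip_domain emulates user-name-format without-domain.

```python
"""RADIUS Access-Request / Access-Accept exchange for the login above.

Added example, not H3C code. RFC 2865 packet layout:
Code(1) Identifier(1) Length(2) Authenticator(16) Attributes (Type Length Value).
"""
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def strip_domain(username: str) -> str:
    """'user-name-format without-domain': 'monitor@system' is sent as 'monitor'."""
    return username.split("@", 1)[0]


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; a wrong key yields garbage, not an error."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(username: str, password: str, secret: bytes,
                         nas_ip: str = "192.168.2.1", identifier: int = 1,
                         authenticator: bytes = None, without_domain: bool = True) -> bytes:
    """What the switch sends to the primary authentication server (constructed NAS IP)."""
    authenticator = authenticator or os.urandom(16)
    name = strip_domain(username) if without_domain else username
    attrs = (_attr(ATTR_USER_NAME, name.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH16s", ACCESS_REQUEST, identifier, 20 + len(attrs), authenticator) + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute list; malformed lengths are rejected rather than skipped."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("bad attribute length")
        attrs[t] = packet[i + 2:i + length]
        i += length
    return attrs


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The NAS accepts a reply only if it is well-formed and keyed with its own secret;
    otherwise the domain falls through to the next method (local, in the example)."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Note that password hiding is an obfuscation, not authenticated encryption: an attacker who captures the Access-Request and knows the shared key recovers the password, and a short shared key such as expert can be brute-forced offline from one captured exchange. Use a long random key and keep the RADIUS traffic on a management network.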

Command authorization configuration example

Network requirements

As shown in Figure 20, configure the switch to use the HWTACACS server to authenticate and perform command line authorization for users accessing the VTY interfaces 0 through 4, and use local authentication and authorization as the backup.

Figure 20 Network diagram

 

Configuration procedure

# Assign IP addresses to the interfaces on the switch so that the switch can reach both Host A and the HWTACACS server. (Details not shown.)

# Enable the Telnet service on the switch.

<Sysname> system-view

[Sysname] telnet server enable

# Configure the switch to use AAA to control user access to VTY interfaces 0 through 4.

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] authentication-mode scheme

# Enable command authorization to restrict the command level for login users.

[Sysname-ui-vty0-4] command authorization

[Sysname-ui-vty0-4] quit

# Create an HWTACACS scheme named tac and configure the IP address and TCP port of the primary authentication server and the primary authorization server for the scheme. Make sure that the port number is consistent with that on the HWTACACS server. Set the shared keys for authentication packets and authorization packets to expert. Configure the switch to remove the domain name from the username that is sent to the HWTACACS server.

[Sysname] hwtacacs scheme tac

[Sysname-hwtacacs-tac] primary authentication 192.168.2.20 49

[Sysname-hwtacacs-tac] primary authorization 192.168.2.20 49

[Sysname-hwtacacs-tac] key authentication expert

[Sysname-hwtacacs-tac] key authorization expert

[Sysname-hwtacacs-tac] user-name-format without-domain

[Sysname-hwtacacs-tac] quit

# Configure the default ISP domain system to use HWTACACS scheme tac for login authentication and command authorization, and use local authentication and local authorization as the backup.

[Sysname] domain system

[Sysname-isp-system] authentication login hwtacacs-scheme tac local

[Sysname-isp-system] authorization command hwtacacs-scheme tac local

[Sysname-isp-system] quit

# Add a local user named monitor, set the user password to 123, and store the password in cipher text. Authorize user monitor to use the Telnet service and set the level of the user to 1, that is, the monitor level. With local command authorization as the backup, this level decides which commands the user may run when the HWTACACS server is unreachable.

[Sysname] local-user monitor

[Sysname-luser-monitor] password cipher 123

[Sysname-luser-monitor] service-type telnet

[Sysname-luser-monitor] authorization-attribute level 1

Command accounting configuration example

Network requirements

As shown in Figure 21, configure the switch to send commands that login users execute to the HWTACACS server to control and monitor user operations.

Figure 21 Network diagram

 

Configuration procedure

# Enable the Telnet service on the switch.

<Sysname> system-view

[Sysname] telnet server enable

# Enable command accounting for users logging in through the console port.

[Sysname] user-interface console 0

[Sysname-ui-console0] command accounting

[Sysname-ui-console0] quit

# Enable command accounting for users logging in through Telnet or SSH.

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] command accounting

[Sysname-ui-vty0-4] quit

# Create an HWTACACS scheme named tac and configure the IP address and TCP port of the primary accounting server for the scheme. Make sure that the port number is consistent with that on the HWTACACS server. Set the shared key for accounting packets to expert. Configure the switch to remove the domain name from the username sent to the HWTACACS server.

[Sysname] hwtacacs scheme tac

[Sysname-hwtacacs-tac] primary accounting 192.168.2.20 49

[Sysname-hwtacacs-tac] key accounting expert

[Sysname-hwtacacs-tac] user-name-format without-domain

[Sysname-hwtacacs-tac] quit

# Enter the default ISP domain system, and configure it to use HWTACACS scheme tac for command accounting of login users.

[Sysname] domain system

[Sysname-isp-system] accounting command hwtacacs-scheme tac

[Sysname-isp-system] quit
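The command authorization example and the command accounting example both depend on the HWTACACS shared key (key authorization expert, key accounting expert) matching the key on the server, and on the server understanding the username and command arguments the switch sends. The following added example, which is not H3C code or the code of any HWTACACS server, shows what those packets look like: it builds the authorization request and the accounting request for one command and obfuscates the body with the MD5 pseudo-pad of RFC 8907 TACACS+. It assumes that HWTACACS keeps the TACACS+ packet format (HWTACACS-specific attributes are not modelled); the session ID, the port name vty0, the client address and the argument strings are constructed values.

```python
"""HWTACACS/TACACS+ command authorization and accounting packets for the examples above.

Added example, not H3C code. Assumes the RFC 8907 TACACS+ packet format:
12-octet header in the clear, body XORed with an MD5 pseudo-pad keyed by the shared key.
"""
import hashlib
import struct
from typing import List, Tuple

VERSION = 0xC0                          # major version 0xC, minor version 0
TYPE_AUTHOR, TYPE_ACCT = 0x02, 0x03
FLAG_UNENCRYPTED = 0x01                 # never set this on a production scheme
ACCT_FLAG_STOP = 0x04                   # one STOP record per executed command
HEADER = struct.Struct("!BBBBII")       # version, type, seq_no, flags, session_id, length
SESSION_ID = 0x1234ABCD                 # constructed value
CMD_ARGS = [b"service=shell", b"cmd=display", b"cmd-arg=current-configuration"]  # constructed


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5(session_id + key + version + seq_no [+ previous digest]),
    concatenated until the pad covers the body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _args_fields(user: bytes, port: bytes, rem_addr: bytes, args: List[bytes]) -> bytes:
    """user_len, port_len, rem_addr_len, arg_cnt, arg_len..., user, port, rem_addr, args."""
    if any(len(x) > 255 for x in (user, port, rem_addr, *args)) or len(args) > 255:
        raise ValueError("field too long")
    return (bytes([len(user), len(port), len(rem_addr), len(args)])
            + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args))


def build_author_body(user: bytes, port: bytes, rem_addr: bytes, args: List[bytes],
                      priv_lvl: int = 1) -> bytes:
    """Authorization REQUEST body (RFC 8907 6.1): asked before each command is run.
    authen_method 0x06 = TACACSPLUS, authen_type 0x01 = ASCII, authen_service 0x01 = LOGIN."""
    return bytes([0x06, priv_lvl, 0x01, 0x01]) + _args_fields(user, port, rem_addr, args)


def build_acct_body(user: bytes, port: bytes, rem_addr: bytes, args: List[bytes],
                    flags: int = ACCT_FLAG_STOP, priv_lvl: int = 1) -> bytes:
    """Accounting REQUEST body (RFC 8907 7.1): same layout with a leading flags octet."""
    return bytes([flags, 0x06, priv_lvl, 0x01, 0x01]) + _args_fields(user, port, rem_addr, args)


def build_packet(pkt_type: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes, flags: int = 0) -> bytes:
    header = HEADER.pack(VERSION, pkt_type, seq_no, flags, session_id, len(body))
    if flags & FLAG_UNENCRYPTED:
        return header + body
    return header + _xor(body, pseudo_pad(session_id, key, VERSION, seq_no, len(body)))


def decode_packet(packet: bytes, key: bytes) -> Tuple[dict, bytes]:
    """Inverse of build_packet. A wrong key is not detected here: it produces a
    garbage body, which is why a key mismatch shows up as a parse failure on the server."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("length mismatch")
    hdr = dict(version=version, type=pkt_type, seq_no=seq_no, flags=flags, session_id=session_id)
    if flags & FLAG_UNENCRYPTED:
        return hdr, body
    return hdr, _xor(body, pseudo_pad(session_id, key, version, seq_no, length))


def parse_args(body: bytes, accounting: bool) -> List[bytes]:
    """Recover the attribute=value arguments; rejects bodies whose lengths do not add up."""
    off = 5 if accounting else 4
    user_len, port_len, rem_len, arg_cnt = body[off:off + 4]
    lens = body[off + 4:off + 4 + arg_cnt]
    p = off + 4 + arg_cnt + user_len + port_len + rem_len
    if len(lens) != arg_cnt or p + sum(lens) != len(body):
        raise ValueError("malformed body (wrong shared key?)")
    args = []
    for n in lens:
        args.append(body[p:p + n])
        p += n
    return args


def example_author_packet(key: bytes = b"expert") -> bytes:
    """The first packet (seq_no 1) of the authorization session for one command."""
    body = build_author_body(b"monitor", b"vty0", b"10.110.100.46", CMD_ARGS)
    return build_packet(TYPE_AUTHOR, 1, SESSION_ID, body, key)
```

The pseudo-pad depends only on the session ID, sequence number, version and shared key, so the body is hidden from a passive observer but not authenticated, and a weak key such as expert can be recovered offline from a single captured session. Keep the HWTACACS server on a management network and use a long random key.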


Controlling Telnet logins

To harden device security, use ACLs to prevent unauthorized logins. For more information about ACLs, see ACL and QoS Configuration Guide. An ACL restricts which hosts can open a Telnet session, but it does not protect the session itself: Telnet carries usernames, passwords, and commands in cleartext. Where possible, use SSH (see "Logging in through SSH") and keep the ACL as an additional control.

Use a basic ACL (2000 to 2999) to filter Telnet traffic by source IP address. Use an advanced ACL (3000 to 3999) to filter Telnet traffic by source and/or destination IP address. Use an Ethernet frame header ACL (4000 to 4999) to filter Telnet traffic by source MAC address.

To access the device, a Telnet user must match a permit statement in the ACL applied to the user interface.

Configuring source IP-based Telnet login control

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a basic ACL and enter its view, or enter the view of an existing basic ACL.

acl [ ipv6 ] number acl-number [ name name ] [match-order { config | auto } ]

By default, no basic ACL exists.

3.     Configure rules for this ACL.

rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*

N/A

4.     Exit the basic ACL view.

quit

N/A

5.     Enter user interface view.

user-interface [ type ] first-number [ last-number ]

N/A

6.     Use the ACL to control user login by source IP address.

acl [ ipv6 ] acl-number { inbound | outbound }

·     inbound: Filters incoming Telnet packets.

·     outbound: Filters outgoing Telnet packets.

 

Configuring source/destination IP-based Telnet login control

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an advanced ACL and enter its view, or enter the view of an existing advanced ACL.

acl [ ipv6 ] number acl-number [ name name ] [ match-order { config | auto } ]

By default, no advanced ACL exists.

3.     Configure rules for the ACL.

rule [ rule-id ] { permit | deny } rule-string

N/A

4.     Exit advanced ACL view.

quit

N/A

5.     Enter user interface view.

user-interface [ type ] first-number [ last-number ]

N/A

6.     Use the ACL to control user login by source and destination IP addresses.

acl [ ipv6 ] acl-number { inbound | outbound }

·     inbound: Filters incoming Telnet packets.

·     outbound: Filters outgoing Telnet packets.

 

Configuring source MAC-based Telnet login control

Ethernet frame header ACLs apply to Telnet traffic only if the Telnet client and server are located in the same subnet.

To configure source MAC-based Telnet login control:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an Ethernet frame header ACL and enter its view.

acl number acl-number [ name name ] [ match-order { config | auto } ]

By default, no Ethernet frame header ACL exists.

3.     Configure rules for the ACL.

rule [ rule-id ] { permit | deny } rule-string

N/A

4.     Exit the Ethernet frame header ACL view.

quit

N/A

5.     Enter user interface view.

user-interface [ type ] first-number [ last-number ]

N/A

6.     Use the ACL to control user login by source MAC address.

acl acl-number inbound

inbound: Filters incoming Telnet packets.

 

Telnet login control configuration example

Network requirements

As shown in Figure 22, configure an ACL on the switch to permit only incoming Telnet packets sourced from Host A and Host B.

Figure 22 Network diagram

 

Configuration procedure

# Configure basic ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit packets sourced from Host A.

<Sysname> system-view

[Sysname] acl number 2000 match-order config

[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0

[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0

[Sysname-acl-basic-2000] quit

# Reference ACL 2000 in user interface view to allow Telnet users from Host A and Host B to access the switch.

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] acl 2000 inbound
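Before applying an ACL to the VTY user interfaces, it is worth checking which clients it actually admits, because the rule order and the wildcard mask decide that, and a mistake here locks the administrator out or lets an unexpected host in. The following added example, which is Python and not H3C code, evaluates a client address against rules written in the syntax of the procedures above, both for a basic ACL such as ACL 2000 and for an advanced ACL that also checks the destination address. It uses Comware wildcard semantics (0 bits must match, 1 bits are don't-care) and the user interface semantics stated above (a client must hit a permit rule; anything that matches no rule is denied). The config match order is taken as ascending rule ID, and the auto order is modelled as most-specific-first (fewest wildcard bits), which is a simplification of the real depth-first ordering. ACL 3000 below is constructed for the example; only ACL 2000 comes from the page.

```python
"""Offline check of a Telnet login control ACL. Added example, not H3C code."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)               # address 0.0.0.0 with wildcard 255.255.255.255


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    source: Tuple[int, int]                       # (address, wildcard) as 32-bit ints
    destination: Optional[Tuple[int, int]] = None # advanced ACLs only


def _addr(text: str) -> int:
    return int(IPv4Address(text))


def _wildcard(text: str) -> int:
    # Comware accepts "0" as shorthand for the host wildcard 0.0.0.0.
    return int(text) if text.isdigit() else int(IPv4Address(text))


def _spec(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    if i >= len(tok):
        raise ValueError("missing address after source/destination")
    if tok[i] == "any":
        return ANY, i + 1
    if i + 1 >= len(tok):
        raise ValueError("missing wildcard after address")
    return (_addr(tok[i]), _wildcard(tok[i + 1])), i + 2


def parse_rule(line: str) -> Rule:
    """Parse the subset of Comware rule syntax used in the procedures above, e.g.
    'rule 1 permit source 10.110.100.52 0' or
    'rule 5 deny tcp source 10.110.100.0 0.0.0.255 destination 192.168.2.1 0'.
    Protocol and port keywords are accepted but not evaluated."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    src, dst, i = ANY, None, 3
    while i < len(tok):
        if tok[i] == "source":
            src, i = _spec(tok, i + 1)
        elif tok[i] == "destination":
            dst, i = _spec(tok, i + 1)
        else:
            i += 1
    return Rule(int(tok[1]), tok[2], src, dst)


def _matches(spec: Tuple[int, int], ip: int) -> bool:
    addr, wildcard = spec
    return (ip ^ addr) & (~wildcard & 0xFFFFFFFF) == 0


def _wildcard_bits(rule: Rule) -> int:
    bits = bin(rule.source[1]).count("1")
    if rule.destination is not None:
        bits += bin(rule.destination[1]).count("1")
    return bits


def evaluate(rules: List[Rule], src: str, dst: Optional[str] = None,
             match_order: str = "config") -> str:
    """Return 'permit' or 'deny' for a login attempt. No matching rule means 'deny',
    which is how an ACL applied with 'acl ... inbound' treats Telnet clients."""
    if match_order == "config":
        ordered = sorted(rules, key=lambda r: r.rule_id)
    elif match_order == "auto":
        ordered = sorted(rules, key=lambda r: (_wildcard_bits(r), r.rule_id))
    else:
        raise ValueError("match_order must be 'config' or 'auto'")
    s = _addr(src)
    d = _addr(dst) if dst else None
    for r in ordered:
        if not _matches(r.source, s):
            continue
        if r.destination is not None:
            if d is None:
                raise ValueError("advanced ACL rule needs a destination address")
            if not _matches(r.destination, d):
                continue
        return r.action
    return "deny"


# ACL 2000 exactly as configured in the example above.
ACL_2000 = [parse_rule("rule 1 permit source 10.110.100.52 0"),
            parse_rule("rule 2 permit source 10.110.100.46 0")]

# Constructed advanced ACL: the subnet is permitted first, one host denied later,
# so the result for 10.110.100.46 depends on the match order.
ACL_3000 = [parse_rule("rule 0 permit tcp source 10.110.100.0 0.0.0.255 "
                       "destination 192.168.2.1 0 destination-port eq 23"),
            parse_rule("rule 5 deny tcp source 10.110.100.46 0 destination 192.168.2.1 0")]
```

With match-order config, rule 0 of ACL 3000 admits 10.110.100.46 before the deny is reached; with match-order auto the host-specific deny wins. The same ambiguity exists on the switch, so put explicit deny rules before broad permits (lower rule IDs) when you rely on config order.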

 
