01-Fundamentals Configuration Guide


Contents

Using the CLI
CLI views
Entering system view from user view
Returning to the upper-level view from any view
Returning to user view
Accessing the CLI online help
Using the undo form of a command
Entering a command
Editing a command line
Entering a text or string type value for an argument
Entering an interface type
Abbreviating commands
Configuring and using command aliases
Configuring and using command hotkeys
Enabling redisplaying entered-but-not-submitted commands
Understanding command-line error messages
Using the command history feature
Command buffering rules
Repeating commands in the command history buffer for a line
Controlling the CLI output
Pausing between screens of output
Numbering each output line from a display command
Filtering the output from a display command
Saving the output from a display command to a file
Viewing and managing the output from a display command effectively
Saving the running configuration
Configuring RBAC
Overview
Permission assignment
User role assignment
FIPS compliance
Configuration task list
Creating a user role
Configuring user role rules
Configuration restrictions and guidelines
Configuration procedure
Configuring a feature group
Configuring resource access policies
Configuring the user role interface policy
Configuring the user role VLAN policy
Configuring the user role VPN instance policy
Assigning user roles
Enabling the default user role feature
Assigning user roles to remote AAA authentication users
Assigning user roles to local AAA authentication users
Assigning user roles to non-AAA authentication users on user lines
Configuring temporary user role authorization
Configuration guidelines
Configuring user role authentication
Obtaining temporary user role authorization
Displaying and maintaining RBAC settings
RBAC configuration examples
RBAC configuration example for local AAA authentication users
RBAC configuration example for RADIUS authentication users
RBAC temporary user role authorization configuration example (HWTACACS authentication)
RBAC temporary user role authorization configuration example (RADIUS authentication)
Troubleshooting RBAC
Local users have more access permissions than intended
Login attempts by RADIUS users always fail
Login overview
Using the console port for the first device access
Configuring CLI login
CLI overview
User lines
Login authentication modes
User roles
FIPS compliance
Configuring local console login
Disabling authentication for console login
Configuring password authentication for console login
Configuring scheme authentication for console login
Configuring common AUX line settings
Configuring Telnet login
Configuring the device as a Telnet server
Using the device to log in to a Telnet server
Configuring SSH login
Configuring the device as an SSH server
Using the device to log in to an SSH server
Displaying and maintaining CLI login
Accessing the device through SNMP
Configuring RESTful access
FIPS compliance
Configuring RESTful access over HTTP
Configuring RESTful access over HTTPS
Controlling user access to the device
FIPS compliance
Controlling Telnet and SSH logins
Configuration procedures
Configuration example
Controlling SNMP access
Configuration procedure
Configuration example
Configuring command authorization
Configuration procedure
Configuration example
Configuring command accounting
Configuration procedure
Configuration example
Configuring FTP
FIPS compliance
Using the device as an FTP server
Configuring basic parameters
Configuring authentication and authorization
Manually releasing FTP connections
Displaying and maintaining the FTP server
FTP server configuration example (in standalone mode)
FTP server configuration example (in IRF mode)
Using the device as an FTP client
Establishing an FTP connection
Managing directories on the FTP server
Working with files on the FTP server
Changing to another user account
Maintaining and troubleshooting the FTP connection
Terminating the FTP connection
Displaying command help information
Displaying and maintaining the FTP client
FTP client configuration example (in standalone mode)
FTP client configuration example (in IRF mode)
Configuring TFTP
FIPS compliance
Configuring the device as an IPv4 TFTP client
Configuring the device as an IPv6 TFTP client
Managing file systems
Overview
File systems
Directories
Files
Specifying a directory name or file name
FIPS compliance
File system management restrictions and guidelines
Managing storage media and file systems
Partitioning a storage medium
Mounting or unmounting a file system
Formatting a file system
Repairing a file system
Managing directories
Displaying directory information
Displaying the working directory
Changing the working directory
Creating a directory
Renaming a directory
Archiving/extracting directories
Deleting a directory
Setting the operation mode for directories
Managing files
Displaying file information
Displaying the contents of a text file
Renaming a file
Copying a file
Moving a file
Compressing/decompressing a file
Archiving/extracting files
Deleting/restoring a file
Deleting files from the recycle bin
Calculating the file digest
Setting the operation mode for files
Managing configuration files
Overview
Configuration types
Next-startup configuration file redundancy
Configuration file formats
Startup configuration file selection
Configuration file content organization and format
FIPS compliance
Enabling configuration encryption
Comparing configurations for their differences
Saving the running configuration
Restrictions and guidelines
Using different methods to save the running configuration
Configuring configuration commit delay
Specifying a next-startup configuration file
Backing up the main next-startup configuration file to a TFTP server
Restoring the main next-startup configuration file from a TFTP server
Deleting a next-startup configuration file
Displaying and maintaining configuration files
Upgrading software
Overview
Software types
Software file naming conventions
Comware image redundancy and loading procedure
System startup process
Upgrade methods
Upgrade restrictions and guidelines
Preparing for the upgrade
Upgrade task list
Preloading the BootWare image to BootWare (in standalone mode)
Preloading the BootWare image to BootWare (in IRF mode)
Specifying startup images and completing the upgrade (in standalone mode)
Specifying startup images and completing the upgrade (in IRF mode)
Restoring or downgrading the BootWare image
Enabling software synchronization from the active MPU to the standby MPU at startup
Displaying and maintaining software image settings
Software upgrade examples
Software upgrade example (in standalone mode)
Software upgrade example (in IRF mode)
Performing an ISSU
Overview
ISSU methods
ISSU commands
Preparing for ISSU
Identifying availability of ISSU and licensing requirements
Verifying the device operating status
Preparing the upgrade images
Identifying the ISSU method
Verifying feature status
Determining the upgrade procedure
Understanding ISSU guidelines
Adjusting and saving the running configuration
Logging in to the device through the console port
Performing an ISSU by using issu commands
Performing a compatible upgrade
Performing an incompatible upgrade
Performing an ISSU by using install commands
ISSU task list
Decompressing an .ipe file
Installing or upgrading software images
Uninstalling patch images
Rolling back the running software images
Aborting a software activate/deactivate operation
Committing software changes
Verifying software images
Deleting inactive software images
Displaying and maintaining ISSU
Example of using issu commands for ISSU
Upgrade requirements
Upgrade procedure
Example of using install commands for software patching
Upgrade requirements
Upgrade procedure
Managing the device
Configuring the device name
Configuring the system time
Enabling displaying the copyright statement
Configuring banners
Banner types
Banner input methods
Configuration procedure
Setting the system operating mode
Rebooting the device
Rebooting devices immediately from the CLI
Scheduling a device reboot
Scheduling a task
Configuration guidelines
Configuration procedure
Schedule configuration example
Disabling password recovery capability
Disabling BootWare menu access
Setting the port status detection timer
Monitoring CPU usage
Setting memory alarm thresholds
Configuring the temperature alarm thresholds
Disabling USB interfaces
Configuring hardware failure detection and protection
Verifying and diagnosing transceiver modules
Verifying transceiver modules
Diagnosing transceiver modules
Restoring the factory-default configuration
Displaying and maintaining device management configuration
Using Tcl
Using Tcl to configure the device
Executing Comware commands in Tcl configuration view
Using Python
Entering the Python shell
Executing a Python script
Exiting the Python shell
Python usage example
Comware 7 extended Python API
Importing and using the Comware 7 extended Python API
Comware 7 extended Python API functions
CLI class
Transfer class
API get_self_slot
API get_standby_slot
API get_slot_range
API get_slot_info
Managing licenses
License types
Locking methods
Restrictions and guidelines
General restrictions and guidelines
License file safety
Licenses for different device types
Compressing the license storage
Registering and activating a license
Transferring a license
Displaying and maintaining licenses
Configuring preprovisioning
Enabling preprovisioning
Displaying and maintaining preprovisioned settings
Using automatic configuration
Overview
Using server-based automatic configuration
Server-based automatic configuration task list
Configuring the file server
Preparing the files for automatic configuration
Configuring the DHCP server
Configuring the DNS server
Configuring the gateway
Preparing the interface used for automatic configuration
Starting and completing automatic configuration
Server-based automatic configuration examples
Automatic configuration using TFTP server
Automatic configuration using HTTP server and Tcl script
Automatic configuration using HTTP server and Python script
Automatic IRF setup
Index

 


Using the CLI

At the command-line interface (CLI), you can enter text commands to configure, manage, and monitor the device. The following text is displayed when you access the CLI:

******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<Sysname>

You can use different methods to log in to the CLI, including through the console port, Telnet, and SSH. For more information about login methods, see "Login overview."

CLI views

Commands are grouped in different views by feature. To use a command, you must enter its view.

CLI views are hierarchically organized, as shown in Figure 1. Each view has a unique prompt, from which you can identify where you are and what you can do. For example, the prompt [Sysname-vlan100] shows that you are in VLAN 100 view and can configure attributes for that VLAN.

Figure 1 CLI views

 

You are placed in user view immediately after you log in to the CLI. The user view prompt is <Device-name>, where Device-name indicates the device name. The device name is Sysname by default. You can change it by using the sysname command.

In user view, you can perform the following tasks:

·          Perform basic operations including display, debug, file management, FTP, Telnet, clock setting, and reboot.

·          Enter system view. The system view prompt is [Device-name].

In system view, you can perform the following tasks:

·          Configure settings that affect the device as a whole, such as the daylight saving time, banners, and hotkeys.

·          Enter different feature views.

For example, you can perform the following tasks:

    -  Enter interface view to configure interface parameters.

    -  Enter VLAN view to add ports to the VLAN.

    -  Enter user line view to configure login user attributes.

A feature view might have child views. For example, NQA operation view has the child view HTTP operation view.

To display all commands available in a view, enter a question mark (?) at the view prompt.

Entering system view from user view

Task: Enter system view.
Command: system-view

 

Returning to the upper-level view from any view

Task: Return to the upper-level view from any view.
Command: quit

 

Executing the quit command in user view terminates your connection to the device.

In public key view, use the peer-public-key end command to return to system view.

Returning to user view

To return directly to user view from any other view, use the return command or press Ctrl+Z.

 

Task: Return directly to user view.
Command: return

Accessing the CLI online help

The CLI online help is context sensitive. Enter a question mark at any prompt or in any position of a command to display all available options.

To access the CLI online help, use one of the following methods:

·          Enter a question mark at a view prompt to display the first keyword of every command available in the view. For example:

<Sysname> ?
User view commands:
  archive             Archive configuration
  arp                 Address Resolution Protocol (ARP) module
  backup              Backup operation
...

·          Enter a space and a question mark after a command keyword to display all available keywords and arguments.

    -  If the question mark is in the place of a keyword, the CLI displays all possible keywords, each with a brief description. For example:

<Sysname> terminal ?
  debugging  Enable to display debugging logs on the current terminal
  logging    Display logs on the current terminal
  monitor    Enable to display logs on the current terminal

    -  If the question mark is in the place of an argument, the CLI displays the description for the argument. For example:

<Sysname> system-view
[Sysname] interface vlan-interface ?
  <1-4094>  Vlan-interface interface number
[Sysname] interface vlan-interface 1 ?
  <cr>
[Sysname] interface vlan-interface 1

<1-4094> is the value range for the argument. <cr> indicates that the command is complete and you can press Enter to execute the command.

·          Enter an incomplete keyword string followed by a question mark to display all keywords starting with that string. The CLI also displays the descriptions for the keywords. For example:

<Sysname> f?
  fdisk     Partition a storage medium
  fixdisk   Check and repair a storage medium
  format    Format a storage medium
  free      Release a line
  ftp       Open an FTP connection
<Sysname> display ftp?
  ftp         FTP module
  ftp-server  FTP server information
  ftp-user    FTP user information

Using the undo form of a command

Most configuration commands have an undo form for the following tasks:

·          Canceling a configuration.

·          Restoring the default.

·          Disabling a feature.

For example, the info-center enable command enables the information center. The undo info-center enable command disables the information center.

Entering a command

When you enter a command, you can perform the following tasks:

·          Use keys or hotkeys to edit the command line.

·          Use abbreviated keywords or keyword aliases.

Editing a command line

To edit a command line, use the keys listed in Table 1 or the hotkeys listed in Table 4. When you are finished, you can press Enter to execute the command.

Table 1 Command line editing keys

Keys: Function

Common keys: If the edit buffer is not full, pressing a common key inserts a character at the cursor and moves the cursor to the right. The edit buffer can store up to 511 characters. Unless the buffer is full, all common characters that you enter before pressing Enter are saved in the edit buffer.

Backspace: Deletes the character to the left of the cursor and moves the cursor back one character.

Left arrow key (←): Moves the cursor one character to the left.

Right arrow key (→): Moves the cursor one character to the right.

Up arrow key (↑): Displays the previous command in the command history buffer.

Down arrow key (↓): Displays the next command in the command history buffer.

Tab: If you press Tab after typing part of a keyword, the system automatically completes the keyword.

·         If a unique match is found, the system displays the complete keyword.

·         If there is more than one match, press Tab multiple times to pick the keyword you want to enter.

·         If there is no match, the system does not modify what you entered but displays it again in the next line.

 

The total length of a command line cannot exceed 512 characters, including spaces and special characters.

The device supports the following special commands:

·          #–Used by the system in a configuration file as a separator between adjacent sections.

·          version–Used by the system in a configuration file to indicate the software version information. For example, version 7.1.xxx, Release xxx.

These commands are special because of the following reasons:

·          These commands are not intended for you to use at the CLI.

·          You can enter these commands in any view, or enter any values for them. For example, you can enter # abc or version abc. However, the settings do not take effect.

·          The device does not provide any online help information for these commands.

Entering a text or string type value for an argument

A text type argument value can contain printable characters except a question mark (?).

A string type argument value can contain any printable characters except for the following characters:

·          Question mark (?).

·          Quotation mark (").

·          Backward slash (\).

·          Space.

A specific argument might have more requirements. For more information, see the relevant command reference.

To enter a printable character, you can enter the character or its ASCII code in the range of 32 to 126.

Entering an interface type

You can enter an interface type in one of the following formats:

·          Full spelling of the interface type.

·          An abbreviation that uniquely identifies the interface type.

·          Acronym of the interface type.

For a command line, all interface types are case insensitive. Table 2 shows the full spellings and acronyms of interface types.

For example, to use the interface command to enter the view of interface HundredGigE 1/0/1, you can enter the command line in the following formats:

·          interface hundredgige 1/0/1

·          interface h 1/0/1

·          interface hge 1/0/1

Spaces between the interface types and interfaces are not required.

Table 2 Full spellings and acronyms of interface types

Full spelling: Acronym
Bridge-Aggregation: BAGG
FortyGigE: FGE
GigabitEthernet: GE
HundredGigE: HGE
InLoopBack: InLoop
LoopBack: Loop
M-GigabitEthernet: MGE
Multicast Tunnel: MTunnel
NULL: NULL
Register-Tunnel: REG
Route-Aggregation: RAGG
Ten-GigabitEthernet: XGE
Tunnel: Tun
Vfc: Vfc
Vsi-interface: Vsi
Vlan-interface: Vlan-int
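The matching rules described above (full spelling, acronym, or a prefix that identifies exactly one interface type, all case insensitive, with the space before the interface number optional) can be written down as a small resolver. The following Python is an added example, not H3C code; it embeds Table 2 as its data and makes the same distinction the CLI makes between an interface type that matches nothing and one that matches more than one entry. The regular expression for splitting the type from the interface number is the example's own simplification.

```python
import re

# Table 2 of the guide: full spelling -> acronym. The data is the guide's;
# the resolver around it is an added example, not device code.
INTERFACE_TYPES = {
    "Bridge-Aggregation": "BAGG",
    "FortyGigE": "FGE",
    "GigabitEthernet": "GE",
    "HundredGigE": "HGE",
    "InLoopBack": "InLoop",
    "LoopBack": "Loop",
    "M-GigabitEthernet": "MGE",
    "Multicast Tunnel": "MTunnel",
    "NULL": "NULL",
    "Register-Tunnel": "REG",
    "Route-Aggregation": "RAGG",
    "Ten-GigabitEthernet": "XGE",
    "Tunnel": "Tun",
    "Vfc": "Vfc",
    "Vsi-interface": "Vsi",
    "Vlan-interface": "Vlan-int",
}

# Leading type token (letters and hyphens, with inner spaces allowed for
# "Multicast Tunnel"), optional whitespace, then the interface number.
# Simplified assumption of this example: numbers are digits with / . : separators.
_IFACE_RE = re.compile(
    r"^\s*([A-Za-z][A-Za-z-]*(?: [A-Za-z-]+)*)\s*(\d[\d/.:]*)\s*$"
)


class InterfaceParseError(ValueError):
    pass


def resolve_interface_type(token):
    """Map a typed interface type to its full spelling.

    Order follows the guide: full spelling, acronym, then a prefix of the
    full spelling that identifies exactly one type. Comparisons ignore case.
    """
    key = token.lower()
    for full, acronym in INTERFACE_TYPES.items():
        if key == full.lower() or key == acronym.lower():
            return full
    candidates = [full for full in INTERFACE_TYPES if full.lower().startswith(key)]
    if len(candidates) == 1:
        return candidates[0]
    if not candidates:
        raise InterfaceParseError("unrecognized interface type: %r" % token)
    raise InterfaceParseError(
        "ambiguous interface type %r: %s" % (token, ", ".join(sorted(candidates)))
    )


def parse_interface(text):
    """Split 'hge1/0/1', 'h 1/0/1' or 'HundredGigE 1/0/1' into (full type, number)."""
    m = _IFACE_RE.match(text)
    if not m:
        raise InterfaceParseError("not an interface specification: %r" % text)
    type_token, number = m.groups()
    return resolve_interface_type(type_token), number


if __name__ == "__main__":
    for spec in ("hundredgige 1/0/1", "h 1/0/1", "hge1/0/1", "xge1/0/2", "t 0"):
        try:
            print("%-20s -> %s %s" % (spec, *parse_interface(spec)))
        except InterfaceParseError as exc:
            print("%-20s -> %s" % (spec, exc))
```

The three forms the guide gives for HundredGigE 1/0/1 all resolve to the same tuple, while a bare "t" is rejected as ambiguous because both Ten-GigabitEthernet and Tunnel start with it (the acronym Tun or a longer prefix is needed).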

 

Abbreviating commands

You can enter a command line quickly by entering incomplete keywords that uniquely identify the complete command. In user view, for example, commands starting with an s include startup saved-configuration and system-view. To enter the command system-view, you only need to type sy. To enter the command startup saved-configuration, type st s.

You can also press Tab to complete an incomplete keyword.

Configuring and using command aliases

You can configure one or more aliases for a command or the starting keywords of commands. Then, you can use the aliases to execute the command or commands. If the command or commands have undo forms, you can also use the aliases to execute the undo command or commands.

For example, if you configure the alias shiprt for display ip routing-table, you can enter shiprt to execute the display ip routing-table command. If you configure the alias ship for display ip, you can use ship to execute all commands starting with display ip:

·          Enter ship routing-table to execute the display ip routing-table command.

·          Enter ship interface to execute the display ip interface command.

Usage guidelines

After you successfully execute a command by using an alias, the system saves the command, instead of the alias, to the running configuration.

The command string represented by an alias can include a maximum of nine parameters. Each parameter starts with the dollar sign ($) and a sequence number in the range of 1 to 9. For example, you can configure the alias shinc for the display $1 | include $2 command. Then, you can enter shinc hotkey CTRL_C to execute the display hotkey | include CTRL_C command.

To use an alias for a command that has parameters, you must specify a value for each parameter. If you fail to do so, the system informs you that the command is incomplete and displays the command string represented by the alias.

The device has a set of system-defined command aliases, as listed in Table 3. System-defined command aliases cannot be deleted.

Table 3 System-defined command aliases

Command alias: Command or command keyword
access-list: acl
end: return
erase: delete
exit: quit
hostname: sysname
logging: info-center
no: undo
show: display
write: save
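To make the alias rules concrete, here is an added Python model of alias expansion; it is example code, not Comware's implementation, and its class and function names are the example's own. It seeds its table with the system-defined aliases from Table 3, accepts user aliases as the alias command does, substitutes $1 to $9, appends any trailing words to an alias that stands for leading keywords, and raises an error carrying the alias's command string when a parameterized alias is used with too few values, which is the behaviour the usage guidelines describe. The string the expander returns is the command form, which is what the device saves to the running configuration.

```python
import re

# System-defined aliases from Table 3 of the guide (cannot be deleted).
SYSTEM_ALIASES = {
    "access-list": "acl",
    "end": "return",
    "erase": "delete",
    "exit": "quit",
    "hostname": "sysname",
    "logging": "info-center",
    "no": "undo",
    "show": "display",
    "write": "save",
}

# Alias parameters are $1 .. $9, so at most nine per command string.
_PARAM_RE = re.compile(r"\$([1-9])")


class IncompleteAliasError(ValueError):
    """A parameterized alias was used without a value for every parameter."""

    def __init__(self, alias, template):
        super().__init__("incomplete command: alias %r stands for %r" % (alias, template))
        self.template = template


class AliasTable:
    def __init__(self):
        self.aliases = dict(SYSTEM_ALIASES)

    def define(self, alias, command):
        # Equivalent of 'alias alias command' in system view.
        self.aliases[alias] = command

    def undefine(self, alias):
        # System-defined aliases cannot be deleted; user aliases can.
        if alias in SYSTEM_ALIASES:
            raise ValueError("system-defined alias %r cannot be deleted" % alias)
        del self.aliases[alias]

    def expand(self, line):
        """Return the command line the CLI executes for an entered line.

        Lines that do not start with an alias are returned unchanged (trimmed).
        """
        words = line.split()
        if not words or words[0] not in self.aliases:
            return " ".join(words)
        alias, args = words[0], words[1:]
        template = self.aliases[alias]
        params = [int(n) for n in _PARAM_RE.findall(template)]
        if not params:
            # Alias for a command or its leading keywords: the rest follows as typed.
            return " ".join([template] + args)
        needed = max(params)
        if len(args) < needed:
            raise IncompleteAliasError(alias, template)
        command = _PARAM_RE.sub(lambda m: args[int(m.group(1)) - 1], template)
        # Words beyond the highest parameter number are appended unchanged.
        return " ".join([command] + args[needed:])


if __name__ == "__main__":
    table = AliasTable()
    table.define("shiprt", "display ip routing-table")
    table.define("ship", "display ip")
    table.define("shinc", "display $1 | include $2")
    for entered in ("shiprt", "ship interface", "shinc hotkey CTRL_C", "no shutdown"):
        print("%-22s -> %s" % (entered, table.expand(entered)))
    try:
        table.expand("shinc hotkey")
    except IncompleteAliasError as exc:
        print(exc)
```

The examples from the text (shiprt, ship routing-table, shinc hotkey CTRL_C) expand to the commands the guide lists, and "shinc hotkey" fails with the alias's command string in the message, which is what the CLI shows when a parameter value is missing.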

 

Configuration procedure

To configure a command alias:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Configure a command alias.
   Command: alias alias command
   Remarks: By default, the device has a set of command aliases, as listed in Table 3.

3. (Optional.) Display command aliases.
   Command: display alias [ alias ]
   Remarks: This command is available in any view.

 

Configuring and using command hotkeys

The system defines the hotkeys shown in Table 4 and provides a set of configurable command hotkeys. Pressing a command hotkey is the same as entering a command.

If a hotkey is also defined by the terminal software you are using to interact with the device, the terminal software definition takes effect.

To configure a command hotkey:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Assign a command to a configurable command hotkey.
   Command: hotkey { ctrl_g | ctrl_l | ctrl_o | ctrl_t | ctrl_u } command
   Remarks: The following are the defaults:
   ·         Ctrl+G is assigned the display current-configuration command.
   ·         Ctrl+L is assigned the display ip routing-table command.
   ·         Ctrl+O is assigned the undo debugging all command.
   ·         No command is assigned to Ctrl+T or Ctrl+U.

3. (Optional.) Display hotkeys.
   Command: display hotkey
   Remarks: This command is available in any view.

 

Table 4 System-reserved hotkeys

Hotkey: Function
Ctrl+A: Moves the cursor to the beginning of a line.
Ctrl+B: Moves the cursor one character to the left.
Ctrl+C: Stops the current command.
Ctrl+D: Deletes the character at the cursor.
Ctrl+E: Moves the cursor to the end of a line.
Ctrl+F: Moves the cursor one character to the right.
Ctrl+H: Deletes the character to the left of the cursor.
Ctrl+K: Aborts the connection request.
Ctrl+N: Displays the next command in the history buffer.
Ctrl+P: Displays the previous command in the history buffer.
Ctrl+R: Redisplays the current line.
Ctrl+V: Pastes text from the clipboard.
Ctrl+W: Deletes the word to the left of the cursor.
Ctrl+X: Deletes all characters to the left of the cursor.
Ctrl+Y: Deletes all characters from the cursor to the end of the line.
Ctrl+Z: Returns to user view.
Ctrl+]: Terminates the current connection.
Esc+B: Moves the cursor back one word.
Esc+D: Deletes all characters from the cursor to the end of the word.
Esc+F: Moves the cursor forward one word.
Esc+N: Moves the cursor down one line. You can use this hotkey before pressing Enter.
Esc+P: Moves the cursor up one line. You can use this hotkey before pressing Enter.
Esc+<: Moves the cursor to the beginning of the clipboard.
Esc+>: Moves the cursor to the end of the clipboard.

 

Enabling redisplaying entered-but-not-submitted commands

Your input might be interrupted by system information output. If redisplaying entered-but-not-submitted commands is enabled, the system redisplays your input after finishing the output. You can then continue entering the command line.

To enable redisplaying entered-but-not-submitted commands:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable redisplaying entered-but-not-submitted commands.
   Command: info-center synchronous
   Remarks: By default, the system does not redisplay entered-but-not-submitted commands. For more information about this command, see Network Management and Monitoring Command Reference.

 

Understanding command-line error messages

After you press Enter to submit a command, the command line interpreter examines the command syntax.

·          If the command passes syntax check, the CLI executes the command.

·          If the command fails syntax check, the CLI displays an error message.

Table 5 Common command-line error messages

Error message: Cause

% Unrecognized command found at '^' position.
    The keyword in the marked position is invalid.

% Incomplete command found at '^' position.
    One or more required keywords or arguments are missing.

% Ambiguous command found at '^' position.
    The entered character sequence matches more than one command.

% Too many parameters.
    The entered character sequence contains excessive keywords or arguments.

% Wrong parameter found at '^' position.
    The argument in the marked position is invalid.
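The abbreviation rule from "Abbreviating commands" (an incomplete keyword is accepted when it identifies exactly one command) and the first four messages in Table 5 come out of the same keyword-matching step, so one added example covers both. The Python below is not device code: it walks a small constructed command tree (a few user view commands taken from this chapter, nowhere near the real command set) and returns either the fully spelled command or the Table 5 message together with the column the CLI marks with ^. The "Wrong parameter" message concerns argument values and is outside what a keyword tree can show.

```python
# Constructed mini command tree for user view: a handful of the commands this
# chapter mentions. None marks a complete command; a dict lists the keywords
# that may follow. This is example data, not the device's command set.
USER_VIEW_COMMANDS = {
    "startup": {"saved-configuration": None},
    "system-view": None,
    "save": None,
    "display": {
        "ftp": None,
        "ftp-server": None,
        "ftp-user": None,
        "current-configuration": None,
    },
    "quit": None,
}


class CommandError(Exception):
    def __init__(self, message, position):
        super().__init__(message)
        self.position = position  # column under which the CLI prints '^'


def resolve(line, tree=USER_VIEW_COMMANDS):
    """Expand abbreviated keywords to the full command, or raise CommandError.

    Each word must be a prefix of exactly one keyword at its position; an
    exact keyword (display ftp) wins over longer keywords sharing the prefix
    (ftp-server, ftp-user), which is why 'display ftp' is not ambiguous.
    """
    node = tree
    full = []
    position = 0
    for word in line.split():
        position = line.index(word, position)
        if node is None:
            raise CommandError("% Too many parameters.", position)
        matches = [k for k in node if k.startswith(word)]
        if not matches:
            raise CommandError("% Unrecognized command found at '^' position.", position)
        if len(matches) > 1 and word not in node:
            raise CommandError("% Ambiguous command found at '^' position.", position)
        keyword = word if word in node else matches[0]
        full.append(keyword)
        node = node[keyword]
        position += len(word)
    if full and node is not None:
        raise CommandError("% Incomplete command found at '^' position.", position)
    return " ".join(full)


def check(line, tree=USER_VIEW_COMMANDS):
    """Return (command, None, None) on success or (None, message, caret column)."""
    try:
        return resolve(line, tree), None, None
    except CommandError as exc:
        return None, str(exc), exc.position


if __name__ == "__main__":
    for entered in ("sy", "st s", "display ftp", "s", "st", "foo", "save now"):
        command, message, column = check(entered)
        if command is not None:
            print("%-12s -> %s" % (entered, command))
        else:
            print("%s\n%s^\n%s" % (entered, " " * column, message))
```

As in the guide, "sy" expands to system-view and "st s" to startup saved-configuration, while a lone "s" is ambiguous because startup, system-view and save all start with it.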

 

Using the command history feature

The system automatically saves commands successfully executed by a login user to the following two command history buffers:

·          Command history buffer for the user line.

·          Command history buffer for all user lines.

Table 6 Comparison between the two types of command history buffers

What kind of commands are saved in the buffer?
    Buffer for a user line: Commands successfully executed by the current user of the user line.
    Buffer for all user lines: Commands successfully executed by all login users.

Cleared when the user logs out?
    Buffer for a user line: Yes.
    Buffer for all user lines: No.

How to view buffered commands?
    Buffer for a user line: Use the display history-command command.
    Buffer for all user lines: Use the display history-command all command.

How to recall a buffered command?
    Buffer for a user line:
        ·         (Method 1.) Navigate to the command in the buffer and press Enter.
        ·         (Method 2.) Use the repeat command. For more information, see "Repeating commands in the command history buffer for a line."
    Buffer for all user lines: You cannot recall buffered commands.

How to set the buffer size?
    Buffer for a user line: Use the history-command max-size size-value command in user line view to set the buffer size. By default, the buffer can store up to 10 commands.
    Buffer for all user lines: You cannot set the buffer size. The buffer can store up to 1024 commands.

How to disable the buffer?
    Buffer for a user line: Setting the buffer size to 0 disables the buffer.
    Buffer for all user lines: You cannot disable the buffer.

 

Command buffering rules

The system follows these rules when buffering commands:

·          If you use incomplete keywords when entering a command, the system buffers the command in the exact form that you used.

·          If you use an alias when entering a command, the system transforms the alias to the represented command or command keywords before buffering the command.

·          If you enter a command in the same format multiple times in succession, the system buffers the command only once. If you enter a command in different formats multiple times, the system buffers each command format. For example, display cu and display current-configuration are buffered as two entries but successive repetitions of display cu create only one entry.

·          To buffer a new command when a buffer is full, the system deletes the oldest command entry in the buffer.
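The buffering rules above, together with the per-line and all-lines buffer properties in Table 6, are modelled in the following added Python (example code, not Comware's; the class names are the example's own). Alias expansion happens before a command is buffered, so this model expects the caller to pass the command already expanded and keeps abbreviations exactly as typed. From an operations standpoint the buffer for all user lines is the one to remember: it keeps the last 1024 successfully executed commands across logouts and cannot be disabled, so display history-command all is a quick first look at recent administrative activity when investigating a device.

```python
from collections import deque


class HistoryBuffer:
    """Command history buffer following the guide's buffering rules.

    - max_size 0 disables the buffer (nothing is recorded).
    - Successive identical entries are stored once; a different spelling of
      the same command (display cu vs. display current-configuration) is a
      separate entry.
    - When the buffer is full, the oldest entry is dropped.
    """

    def __init__(self, max_size):
        self.max_size = max_size
        self._entries = deque()

    def record(self, command):
        # 'command' is the form the user typed, except that aliases have already
        # been transformed to the represented command by the caller.
        if self.max_size == 0:
            return
        if self._entries and self._entries[-1] == command:
            return
        if len(self._entries) >= self.max_size:
            self._entries.popleft()
        self._entries.append(command)

    def entries(self):
        return list(self._entries)

    def clear(self):
        self._entries.clear()


# Buffer for all user lines: fixed at 1024 entries, not clearable by logout,
# cannot be disabled (display history-command all).
ALL_LINES = HistoryBuffer(1024)


class CliSession:
    """One login user on a user line.

    The per-line buffer defaults to 10 entries (history-command max-size) and
    is cleared at logout; the shared buffer survives the session.
    """

    def __init__(self, line_buffer_size=10, shared=None):
        self.line_history = HistoryBuffer(line_buffer_size)
        self.shared = shared if shared is not None else ALL_LINES

    def execute(self, command):
        # Only successfully executed commands are buffered; this model assumes
        # every command succeeds.
        self.line_history.record(command)
        self.shared.record(command)

    def logout(self):
        self.line_history.clear()


if __name__ == "__main__":
    session = CliSession(line_buffer_size=3)
    for cmd in ("display cu", "display cu", "display current-configuration",
                "system-view", "quit"):
        session.execute(cmd)
    print("per-line :", session.line_history.entries())
    session.logout()
    print("after logout:", session.line_history.entries())
    print("all lines:", ALL_LINES.entries())
```

With a per-line size of 3, the run above keeps only the three most recent distinct entries on the line and loses them at logout, while the shared buffer still holds all four distinct commands.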

Repeating commands in the command history buffer for a line

You can recall and execute commands in the command history buffer for the current user line multiple times.

To repeat commands in the command history buffer for the current user line:

 

Task: Repeat commands in the command history buffer for the current CLI session.
Command: repeat [ number ] [ count times ] [ delay seconds ]
Remarks: This command is available in any view. However, to repeat a command, you must first enter the view for the command. To repeat multiple commands, you must first enter the view for the first command.
This command executes commands in the order they were executed.
The system waits for your interaction when it repeats an interactive command.

 

Controlling the CLI output

This section describes the CLI output control features that help you identify the desired output.

Pausing between screens of output

By default, the system automatically pauses after displaying a maximum of 24 lines if the output is too long to fit on one screen. You can change the limit by using the screen-length screen-length command. For more information about this command, see Fundamentals Command Reference.

At a pause, the system displays ----more----. You can use the keys described in "Output controlling keys" to display more information or stop the display.

You can also disable pausing between screens of output for the current session. Then, all output is displayed at one time and the screen is refreshed continuously until the final screen is displayed.

Output controlling keys

Keys: Function
Space: Displays the next screen.
Enter: Displays the next line.
Ctrl+C: Stops the display and cancels the command execution.
<PageUp>: Displays the previous page.
<PageDown>: Displays the next page.

 

Disabling pausing between screens of output

To disable pausing between screens of output, execute the following command in user view:

 

Task

Command

Remarks

Disable pausing between screens of output for the current CLI session.

screen-length disable

By default, a CLI session uses the screen-length screen-length command settings in user line view.

This command is a one-time command and takes effect only for the current CLI session.

 

Numbering each output line from a display command

You can use the | by-linenum option to prefix each display command output line with a number for easy identification.

Each line number is displayed as a 5-character string and might be followed by a colon (:) or hyphen (-). If you specify both | by-linenum and | begin regular-expression for a display command, a hyphen is displayed for all lines that do not match the regular expression.

To number each output line from a display command:

 

Task

Command

Number each output line from a display command.

display command | by-linenum

 

For example:

# Display information about VLAN 999, numbering each output line.

<Sysname> display vlan 999 | by-linenum

    1:   VLAN ID: 999                                                          

    2:   VLAN type: Static                                                     

    3:   Route interface: Not configured                                       

    4:   Description: VLAN 0999                                                

    5:   Name: VLAN 0999                                                       

    6:   Tagged ports:   None                                                  

    7:   Untagged ports: None                                                  

    8:                                                                          

Filtering the output from a display command

You can use the | { begin | exclude | include } regular-expression option to filter the display command output.

·          begin—Displays the first line matching the specified regular expression and all subsequent lines.

·          exclude—Displays all lines not matching the specified regular expression.

·          include—Displays all lines matching the specified regular expression.

·          regular-expression—A case-sensitive string of 1 to 256 characters, which can contain the special characters described in Table 7.

The required filtering time increases with the complexity of the regular expression. To abort the filtering process, press Ctrl+C.

Table 7 Special characters supported in a regular expression

Characters

Meaning

Examples

^

Matches the beginning of a line.

"^u" matches all lines beginning with "u". A line beginning with "Au" is not matched.

$

Matches the end of a line.

"u$" matches all lines ending with "u". A line ending with "uA" is not matched.

. (period)

Matches any single character.

".s" matches "as" and "bs".

*

Matches the preceding character or string zero, one, or multiple times.

"zo*" matches "z" and "zoo", and "(zo)*" matches "zo" and "zozo".

+

Matches the preceding character or string one or multiple times.

"zo+" matches "zo" and "zoo", but not "z".

|

Matches the preceding or succeeding string.

"def|int" matches a line containing "def" or "int".

( )

Matches the string in the parentheses, usually used together with the plus sign (+) or asterisk sign (*).

"(123A)" matches "123A".

"408(12)+" matches "40812" and "408121212", but not "408".

\N

Matches the preceding strings in parentheses, with the Nth string repeated once.

"(string)\1" matches a string containing "stringstring".

"(string1)(string2)\2" matches a string containing "string1string2string2".

"(string1)(string2)\1\2" matches a string containing " string1string2string1string2".

[ ]

Matches a single character in the brackets.

"[16A]" matches a string containing 1, 6, or A; "[1-36A]" matches a string containing 1, 2, 3, 6, or A (- is a hyphen).

To match the character "]", put it immediately after "[", for example, []abc]. There is no such limit on "[".

[^]

Matches a single character that is not in the brackets.

"[^16A]" matches a string that contains one or more characters except for 1, 6, or A, such as "abc". A match can also contain 1, 6, or A (such as "m16"), but it cannot contain these three characters only (such as 1, 16, or 16A).

{n}

Matches the preceding character n times. The number n must be a nonnegative integer.

"o{2}" matches "food", but not "Bob".

{n,}

Matches the preceding character n times or more. The number n must be a nonnegative integer.

"o{2,}" matches "foooood", but not "Bob".

{n,m}

Matches the preceding character n to m times. The numbers n and m must be nonnegative integers and n cannot be greater than m.

" o{1,3}" matches "fod", "food", and "foooood", but not "fd".

\<

Matches a string that starts with the pattern following \<. A string that contains the pattern is also a match if the characters preceding the pattern are not digits, letters, or underscores.

"\<do" matches "domain" and "doa".

\>

Matches a string that ends with the pattern preceding \>. A string that contains the pattern is also a match if the characters following the pattern are not digits, letters, or underscores.

"do\>" matches "undo" and "cdo".

\b

Matches a word that starts with the pattern following \b or ends with the pattern preceding \b.

"er\b" matches "never", but not "verb" or "erase".

"\ber" matches "erase", but not "verb" or "never".

\B

Matches a word that contains the pattern but does not start or end with the pattern.

"er\B" matches "verb", but not "never" or "erase".

\w

Same as [A-Za-z0-9_], matches a digit, letter, or underscore.

"v\w" matches "vlan" and "service".

\W

Same as [^A-Za-z0-9_], matches a character that is not a digit, letter, or underscore.

"\Wa" matches "-a", but not "2a" or "ba".

\

Escape character. If a special character listed in this table follows \, the specific meaning of the character is removed.

"\\" matches a string containing "\", "\^" matches a string containing "^", and "\\b" matches a string containing "\b".

 

For example:

# Display the running configuration, starting from the first configuration line that contains line.

<Sysname> display current-configuration | begin line

line class aux                                                                 

 user-role network-admin                                                       

#                                                                               

line class vty                                                                 

 user-role network-operator                                                    

#                                                                               

line aux 0                                                                     

 user-role network-admin                                                       

#                                                                              

line vty 0 63                                                                  

 authentication-mode none                                                      

 user-role network-admin                                                       

 user-role network-operator                                                    

#

...

# Display brief information about interfaces in up state.

<Sysname> display interface brief | exclude DOWN

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP      Description

InLoop0              UP   UP(s)    --

NULL0                UP   UP(s)    --

Vlan1                UP   UP       192.168.1.83

 

Brief information on interfaces in bridge mode:

Link: ADM - administratively down; Stby - standby

Speed: (a) - auto

Duplex: (a)/A - auto; H - half; F - full

Type: A - access; T - trunk; H - hybrid

Interface            Link Speed    Duplex Type PVID Description

HGE1/0/1              UP   100G(a) F(a)   A    1

# Display SNMP-related running configuration lines.

<Sysname> display current-configuration | include snmp

snmp-agent

 snmp-agent community write private

 snmp-agent community read public

 snmp-agent sys-info version all

 snmp-agent target-host trap address udp-domain 192.168.1.26 params securityname public

Saving the output from a display command to a file

A display command shows certain configuration and operation information of the device. Its output might vary over time or with user configuration or operation. You can save the output to a file for future retrieval or troubleshooting.

Use one of the following methods to save the output from a display command:

·          Save the output to a separate file. Use this method if you want to use one file for a single display command.

·          Append the output to the end of a file. Use this method if you want to use one file for multiple display commands.

To save the output from a display command to a file, use one of the following commands in any view:

 

Task

Command

Save the output from a display command to a separate file.

display command > filename

Append the output from a display command to the end of a file.

display command >> filename

 

For example:

# Save the VLAN 1 settings to a separate file named vlan.txt.

<Sysname> display vlan 1 > vlan.txt

# Verify that the VLAN 1 settings are saved to the file vlan.txt.

<Sysname> more vlan.txt

VLAN ID: 1

 VLAN type: Static

 Route interface: Not configured

 Description: VLAN 0001

 Name: VLAN 0001

 Tagged ports:   None

 Untagged ports: None

# Append the VLAN 999 settings to the end of the file vlan.txt.

<Sysname> display vlan 999 >> vlan.txt

# Verify that the VLAN 999 settings are appended to the end of the file vlan.txt.

<Sysname> more vlan.txt

VLAN ID: 1

 VLAN type: Static

 Route interface: Not configured

 Description: VLAN 0001

 Name: VLAN 0001

 Tagged ports:   None

 Untagged ports: None

VLAN ID: 999

 VLAN type: Static

 Route interface: Configured

 IP address: 192.168.2.1

 Subnet mask: 255.255.255.0

 Description: For LAN Access

 Name: VLAN 0999

 Tagged ports:   None

 Untagged ports: None

Viewing and managing the output from a display command effectively

You can use the following methods in combination to filter and manage the output from a display command:

·          Numbering each output line from a display command

·          Filtering the output from a display command

·          Saving the output from a display command to a file

To use multiple measures to view and manage the output from a display command effectively, execute the following command in any view:

 

Task

Command

View and manage the output from a display command effectively.

display command [ | [ by-linenum ] { begin | exclude | include } regular-expression ] [ > filename | >> filename ]

 

For example:

# Save the running configuration to a separate file named test.txt, with each line numbered.

<Sysname> display current-configuration | by-linenum > test.txt

# Append lines including snmp in the running configuration to the file test.txt.

<Sysname> display current-configuration | include snmp >> test.txt

# Display the first line that begins with user-group in the running configuration and all the following lines.

<Sysname> display current-configuration | by-linenum begin user-group

  114:  user-group system

  115-  #

  116-  return

// The colon (:) following a line number indicates that the line contains the string user-group. The hyphen (-) following a line number indicates that the line does not contain the string user-group.
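The filtering, numbering and file-saving semantics described in "Filtering the output from a display command", "Saving the output from a display command to a file" and this section, as an added Python emulation. This is example code written for this guide, not H3C software or device output; it uses Python's re module, whose special characters overlap with Table 7 but are not identical (for example, \< and \> are not supported), and the configuration lines it processes are a constructed sample, not a capture from a device.

```python
import re

# Constructed sample in the style of display current-configuration output
# (not captured from a device).
SAMPLE_OUTPUT = """\
#
 sysname Sysname
#
snmp-agent
 snmp-agent community read public
#
user-group system
#
return"""


def filter_output(text, mode, pattern, by_linenum=False):
    """Emulate: display ... | [ by-linenum ] { begin | exclude | include } regex

    begin   - output from the first line matching the pattern to the end
    exclude - only lines that do not match the pattern
    include - only lines that match the pattern
    The match is case-sensitive, as on the device. With by_linenum each kept
    line is prefixed with its original line number as a 5-wide field followed
    by ':' if the line matches the pattern and '-' if it does not. The guide
    documents the hyphen for begin; applying the same test to the other two
    modes is an assumption of this example.
    """
    if mode not in ("begin", "exclude", "include"):
        raise ValueError(f"unknown filter mode: {mode}")
    rx = re.compile(pattern)
    kept = []
    started = mode != "begin"
    for num, line in enumerate(text.splitlines(), 1):
        hit = rx.search(line) is not None
        if mode == "begin":
            started = started or hit
            keep = started
        elif mode == "include":
            keep = hit
        else:
            keep = not hit
        if keep:
            kept.append(f"{num:5d}{':' if hit else '-'}  {line}" if by_linenum else line)
    return kept


def save_output(lines, path, append=False):
    """Emulate '> filename' (write a separate file) and '>> filename' (append)."""
    with open(path, "a" if append else "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    # Equivalent of: display current-configuration | by-linenum begin user-group
    for row in filter_output(SAMPLE_OUTPUT, "begin", "user-group", by_linenum=True):
        print(row)
```

Because the line numbers are assigned before filtering, a begin filter keeps the original numbering of the remaining lines, which is what lets you locate a matched line in the full, unfiltered output.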

Saving the running configuration

To make your configuration take effect after a reboot, save the running configuration to a configuration file by using the save command in any view. This command saves all commands that have been successfully executed, except for the one-time commands. Typical one-time commands include display commands used for displaying information and reset commands used for clearing information.

For more information about the save command, see Fundamentals Command Reference.


Configuring RBAC

Overview

Role-based access control (RBAC) controls user access to items and system resources based on user roles. In this chapter, items include commands, XML elements, and MIB nodes, and system resources include interfaces, VLANs, and VPN instances.

RBAC assigns access permissions to user roles that are created for different job functions. Users receive permission to access a set of items and resources through the user roles assigned to them. Because user roles change less often than users, separating permissions from users simplifies permission management: when a user's responsibilities change, you change the permissions of the user role, remove user roles, or assign new user roles instead of editing permissions for each user.

Permission assignment

Use the following methods to assign permissions to a user role:

·          Define a set of rules to determine accessible or inaccessible items for the user role. (See "User role rules.")

·          Configure resource access policies to specify which resources are accessible to the user role. (See "Resource access policies.")

To use a command related to a system resource, a user role must have access to both the command and the resource.

For example, a user role has access to the vlan command and access only to VLAN 10. When the user role is assigned, you can use the vlan command to create VLAN 10 and enter its view. However, you cannot create any other VLANs. If the user role has access to VLAN 10 but does not have access to the vlan command, you cannot use the command to enter the view of VLAN 10.

When a user logs in to the device with any user role and enters <?> in a view, help information is displayed for the system-defined command aliases in the view. However, the user might not have the permission to access the command aliases. Whether the user can access the command aliases depends on the user role's permission to the commands corresponding to the aliases. For information about command aliases, see "Using the CLI."

A user that logs in to the device with any user role has access to the system-view, quit, and exit commands.

User role rules

User role rules permit or deny access to commands, XML elements, or MIB nodes. You can define the following types of rules for different access control granularities:

·          Command rule—Controls access to a command or a set of commands that match a regular expression.

·          Feature rule—Controls access to the commands of a feature by command type.

·          Feature group rule—Controls access to the commands of features in a feature group by command type.

·          XML element rule—Controls access to XML elements used for configuring the device.

·          OID rule—Controls SNMP access to a MIB node and its child nodes. An OID is a dotted numeric string that uniquely identifies the path from the root node to a leaf node.

The commands, XML elements, and MIB nodes are controlled based on the following types:

·          Read—Commands, XML elements, or MIB nodes that display configuration and maintenance information. For example, the display commands and the dir command.

·          Write—Commands, XML elements, or MIB nodes that configure the features in the system. For example, the info-center enable command and the debugging command.

·          Execute—Commands, XML elements, or MIB nodes that execute specific functions. For example, the ping command and the ftp command.

A user role can access the set of permitted commands, XML elements, and MIB nodes specified in the user role rules. The user role rules include predefined (identified by sys-n) and user-defined user role rules. For more information about the user role rule priority, see "Configuring user role rules."

Resource access policies

Resource access policies control access of a user role to system resources and include the following types:

·          Interface policy—Controls access to interfaces.

·          VLAN policy—Controls access to VLANs.

·          VPN instance policy—Controls access to VPN instances.

Resource access policies do not control access to the interface, VLAN, or VPN instance options in the display commands. You can specify these options in the display commands if the options are permitted by any user role rule.

Predefined user roles

The system provides predefined user roles. These user roles have access to all system resources (interfaces, VLANs, and VPN instances). However, their access permissions differ, as shown in Table 8.

Among all of the predefined user roles, only network-admin and level-15 can perform the following tasks:

·          Access the RBAC feature.

·          Change the settings in user line view, including user-role, authentication-mode, protocol inbound, and set authentication password.

·          Create, modify, and delete local users and local user groups. The other user roles can only modify their own passwords if they have permissions to configure local users and local user groups.

You can modify the access permissions of the level-0 to level-14 user roles through user role rules and resource access policies. However, you cannot change the permissions that are predefined for these user roles. For example, you cannot change the access permission of these user roles to the display history-command all command.

Table 8 Predefined roles and permissions matrix

User role name

Permissions

network-admin

Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands.

network-operator

·         Accesses the display commands for features and resources in the system. To display all accessible commands of the user role, use the display role command.

·         Enables local authentication login users to change their own passwords.

·         Accesses the command used for entering XML view.

·         Accesses all read-type XML elements.

·         Accesses all read-type MIB nodes.

level-n (n = 0 to 15)

·         level-0—Has access to diagnostic commands, including ping, tracert, ssh2, telnet, and super. Level-0 access rights are configurable.

·         level-1—Has access to the display commands of all features and resources in the system except for display history-command all. The level-1 user role also has all access rights of the level-0 user role. Level-1 access rights are configurable.

·         level-2 to level-8, and level-10 to level-14—Have no access rights by default. Access rights are configurable.

·         level-9—Has access to most of the features and resources in the system. If you are logged in with a local user account that has a level-9 user role, you can change the password in the local user account. The following are the major features and commands that the level-9 user role cannot access:

-  RBAC non-debugging commands.

-  Local users.

-  File management.

-  Device management.

-  The display history-command all command.

·         level-15—Has the same rights as network-admin.

security-audit

Security log manager. The user role has the following access rights to security log files:

·         Accesses the commands for displaying and maintaining security log files (for example, the dir, display security-logfile summary, and more commands).

·         Accesses the commands for managing security log files and security log file system (for example, the info-center security-logfile directory, mkdir, and security-logfile save commands).

For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see "Managing file systems."

IMPORTANT:

Only the security-audit user role has access to security log files. You cannot assign the security-audit user role to non-AAA authentication users.

 

User role assignment

You assign access rights to a user by assigning a minimum of one user role. The user can use the collection of items and resources accessible to all user roles assigned to the user. For example, you can access any interface to use the qos apply policy command if you are assigned the following user roles:

·          User role A denies access to the qos apply policy command and permits access only to interface HundredGigE 1/0/1.

·          User role B permits access to the qos apply policy command and all interfaces.

Depending on the authentication method, user role assignment has the following methods:

·          AAA authorization—If scheme authentication is used, the AAA module handles user role assignment.

-  If the user passes local authorization, the device assigns the user roles specified in the local user account.

-  If the user passes remote authorization, the remote AAA server assigns the user roles specified on the server. The AAA server can be a RADIUS or HWTACACS server.

·          Non-AAA authorization—When the user accesses the device without authentication or by passing password authentication on a user line, the device assigns user roles specified on the user line. This method also applies to SSH clients that use publickey or password-publickey authentication. User roles assigned to these SSH clients are specified in their respective device management user accounts.

For more information about AAA and SSH, see Security Configuration Guide. For more information about user lines, see "Login overview" and "Configuring CLI login."

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

Configuration task list

Tasks at a glance

(Required.) Creating a user role

(Required.) Configuring user role rules

(Optional.) Configuring a feature group

(Required.) Configuring resource access policies:

·         Configuring the user role interface policy

·         Configuring the user role VLAN policy

·         Configuring the user role VPN instance policy

(Optional.) Assigning user roles

(Optional.) Configuring temporary user role authorization

 

Creating a user role

In addition to the predefined user roles, you can create a maximum of 64 custom user roles for granular access control.

To create a user role:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a user role and enter its view.

role name role-name

By default, the system has the following predefined user roles:

·         network-admin.

·         network-operator.

·         level-n (where n equals an integer in the range of 0 to 15).

·         security-audit.

Among these user roles, only the permissions and descriptions of the level-0 to level-14 user roles are configurable.

3.       (Optional.) Configure a description for the user role.

description text

By default, a user role does not have a description.

 

Configuring user role rules

You can configure user role rules to permit or deny the access of a user role to specific commands, XML elements, and MIB nodes.

Configuration restrictions and guidelines

When you configure RBAC user role rules, follow these restrictions and guidelines:

·          You can configure a maximum of 256 user-defined rules for a user role. The total number of user-defined user role rules cannot exceed 1024.

·          Any rule modification, addition, or removal for a user role takes effect only on users who log in with the user role after the change. Users already logged in with the user role keep their existing permissions until they log in again.

The following guidelines apply to non-OID rules:

·          If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For example, a user role can use the tracert command but not the ping command if the user role contains rules configured by using the following commands:

-  rule 1 permit command ping

-  rule 2 permit command tracert

-  rule 3 deny command ping

·          If a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule takes effect.

The following guidelines apply to OID rules:

·          The system compares an OID with the OIDs specified in user role rules, and it uses the longest match principle to select a rule for the OID. For example, a user role cannot access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:

-  rule 1 permit read write oid 1.3.6

-  rule 2 deny read write oid 1.3.6.1.4.1

-  rule 3 permit read write oid 1.3.6.1.4

·          If the same OID is specified in multiple rules, the rule with the higher ID takes effect. For example, a user role can access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:

-  rule 1 permit read write oid 1.3.6

-  rule 2 deny read write oid 1.3.6.1.4.1

-  rule 3 permit read write oid 1.3.6.1.4.1
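The rule precedence described in these guidelines (for non-OID rules, a user-defined rule beats a predefined one and the higher ID wins; for OID rules, longest match first and then the higher ID) together with the union of permissions across a user's roles from "User role assignment", as an added Python model. This is example code written for this guide, not H3C software or the device's implementation. The rule lines it parses are constructed in the syntax this guide shows, only command and OID rules are modelled, and how a rule's command string matches a typed command (the command itself, or the command followed by arguments, with * as a wildcard) is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    rid: int                        # rule number; the higher number wins among equals
    action: str                     # "permit" or "deny"
    kind: str                       # "command" or "oid"
    target: str                     # command string or dotted OID
    types: frozenset = frozenset()  # execute/read/write, used by oid rules
    predefined: bool = False        # sys-n rule: loses to any conflicting user-defined rule


RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ((?:(?:execute|read|write) )*)(command|oid) (\S.*)")


def parse_rule(line: str, predefined: bool = False) -> Rule:
    """Parse one rule line in the syntax this guide uses, for example
    'rule 3 deny command ping' or 'rule 2 deny read write oid 1.3.6.1.4.1'.
    Feature, feature-group and xml-element rules are not modelled here."""
    m = RULE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(int(m[1]), m[2], m[4], m[5].strip(), frozenset(m[3].split()), predefined)


def _command_matches(target: str, command: str) -> bool:
    # Assumption for this example: a rule's command string matches the command
    # itself or the command followed by further arguments, with '*' as a wildcard.
    pattern = re.escape(target).replace(r"\*", ".*")
    return re.fullmatch(pattern, command) is not None or command.startswith(target + " ")


def command_permitted(rules: List[Rule], command: str) -> bool:
    """Non-OID rules: of the rules matching the command, a user-defined rule beats
    a predefined one, and among those the higher rule ID wins. A command that no
    rule matches is denied, because a user-defined role has no access by default."""
    best = None
    for r in rules:
        if r.kind == "command" and _command_matches(r.target, command):
            key = (not r.predefined, r.rid)
            if best is None or key > best[0]:
                best = (key, r)
    return best is not None and best[1].action == "permit"


def oid_permitted(rules: List[Rule], oid: str, access: str = "read") -> bool:
    """OID rules: longest match on dotted components ('1.3.6' covers '1.3.6.1'
    but not '1.3.60'); among rules naming the same OID the higher ID wins."""
    want = oid.split(".")
    best = None
    for r in rules:
        if r.kind != "oid" or access not in r.types:
            continue
        parts = r.target.split(".")
        if want[:len(parts)] != parts:
            continue
        key = (len(parts), r.rid)
        if best is None or key > best[0]:
            best = (key, r)
    return best is not None and best[1].action == "permit"


@dataclass
class Role:
    name: str
    rules: List[Rule]
    # None models the default interface policy (all interfaces permitted);
    # a set models 'interface policy deny' plus its 'permit interface' entries.
    interfaces: Optional[Set[str]] = None


def can_use_on_interface(roles: List[Role], command: str, interface: str) -> bool:
    """A user holds the union of its roles: the command must be permitted by at
    least one role and the interface by at least one role. This reproduces the
    'User role assignment' example, where role A denies the command and permits
    one interface, role B permits both, and the user can use any interface."""
    cmd_ok = any(command_permitted(r.rules, command) for r in roles)
    if_ok = any(r.interfaces is None or interface in r.interfaces for r in roles)
    return cmd_ok and if_ok


if __name__ == "__main__":
    # The guide's own examples from "Configuration restrictions and guidelines".
    cmd_rules = [parse_rule(l) for l in (
        "rule 1 permit command ping",
        "rule 2 permit command tracert",
        "rule 3 deny command ping")]
    print("ping:", command_permitted(cmd_rules, "ping"))        # False
    print("tracert:", command_permitted(cmd_rules, "tracert"))  # True
    oid_rules = [parse_rule(l) for l in (
        "rule 1 permit read write oid 1.3.6",
        "rule 2 deny read write oid 1.3.6.1.4.1",
        "rule 3 permit read write oid 1.3.6.1.4")]
    print("oid:", oid_permitted(oid_rules, "1.3.6.1.4.1.25506.141.3.0.1"))  # False
```

The component-wise OID comparison matters when you write deny rules: a rule for 1.3.6.1.4.1 must not be selected for an OID under 1.3.6.1.4.10, and a string prefix test would select it. The union check also shows why a deny rule in one role does not protect against a permit in another role assigned to the same user.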

Configuration procedure

To configure rules for a user role:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter user role view.

role name role-name

N/A

3.       Configure rules for the user role.

·         Configure a command rule:
rule number { deny | permit } command command-string

·         Configure a feature rule:
rule number { deny | permit } { execute | read | write } * feature [ feature-name ]

·         Configure a feature group rule:
rule number { deny | permit } { execute | read | write } * feature-group feature-group-name

·         Configure an XML element rule:
rule number { deny | permit } { execute | read | write } * xml-element [ xml-string ]

·         Configure an OID rule:
rule number { deny | permit } { execute | read | write } * oid oid-string

By default, a user-defined user role does not have any rule or access to any command, XML element, or MIB node.

Repeat this step to add a maximum of 256 rules to the user role.

IMPORTANT:

When you configure feature rules, you can specify only features available in the system. Enter feature names exactly as the system displays them, including case.

 

Configuring a feature group

Use feature groups to bulk assign command access permissions to sets of features. In addition to the predefined feature groups, you can create a maximum of 64 custom feature groups and assign a feature to multiple feature groups.

To configure a feature group:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a feature group and enter its view.

role feature-group name feature-group-name

By default, the system has the following predefined feature groups:

·         L2—Includes all Layer 2 commands.

·         L3—Includes all Layer 3 commands.

These two groups are not user configurable.

3.       Add a feature to the feature group.

feature feature-name

By default, a feature group does not have any feature.

Repeat this step to add multiple features to the feature group.

IMPORTANT:

You can specify only features available in the system. Enter feature names exactly as the system displays them, including case.

 

Configuring resource access policies

Every user role has one interface policy, VLAN policy, and VPN instance policy. By default, these policies permit a user role to access any interface, VLAN, and VPN instance. You can configure the policies of a user-defined user role or a predefined level-n user role to limit its access to interfaces, VLANs, and VPN instances. The policy configuration takes effect only on users who are logged in with the user role after the configuration.

Configuring the user role interface policy

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter user role view.

role name role-name

N/A

3.       Enter user role interface policy view.

interface policy deny

By default, the interface policy of the user role permits access to all interfaces.

This command denies the access of the user role to all interfaces if the permit interface command is not configured.

4.       (Optional.) Specify a list of interfaces accessible to the user role.

permit interface interface-list

By default, no accessible interfaces are configured in user role interface policy view.

Repeat this step to add multiple accessible interfaces.

 

Configuring the user role VLAN policy

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter user role view.

role name role-name

N/A

3.       Enter user role VLAN policy view.

vlan policy deny

By default, the VLAN policy of the user role permits access to all VLANs.

This command denies the access of the user role to all VLANs if the permit vlan command is not configured.

4.       (Optional.) Specify a list of VLANs accessible to the user role.

permit vlan vlan-id-list

By default, no accessible VLANs are configured in user role VLAN policy view.

Repeat this step to add multiple accessible VLANs.

 

Configuring the user role VPN instance policy

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter user role view.

role name role-name

N/A

3.       Enter user role VPN instance policy view.

vpn-instance policy deny

By default, the VPN instance policy of the user role permits access to all VPN instances.

This command denies the access of the user role to all VPN instances if the permit vpn-instance command is not configured.

4.       (Optional.) Specify a list of VPN instances accessible to the user role.

permit vpn-instance vpn-instance-name&<1-10>

By default, no accessible VPN instances are configured in user role VPN instance policy view.

Repeat this step to add multiple accessible VPN instances.

 

Assigning user roles

To control user access to the system, you must assign a minimum of one user role. If the user roles are assigned by an AAA server, make sure a minimum of one of them exists on the device. The user role assignment procedure varies for remote AAA authentication users, local AAA authentication users, and non-AAA authentication users (see "User role assignment"). For more information about AAA authentication, see Security Configuration Guide.

Enabling the default user role feature

The default user role feature assigns the default user role to AAA-authenticated users if the authentication server (local or remote) does not assign any user roles to the users. These users are allowed to access the system with the default user role.

You can specify any user role existing in the system as the default user role.

To enable the default user role feature for AAA authentication users:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the default user role feature.

role default-role enable [ role-name ]

By default, the default user role feature is disabled.

If you do not specify a user role, the default user role is network-operator. If the none authorization method is used for local users, you must enable the default user role feature.

 

Assigning user roles to remote AAA authentication users

For remote AAA authentication users, user roles are configured on the remote authentication server. For information about configuring user roles for RADIUS users, see the RADIUS server documentation. For HWTACACS users, the role configuration must use the roles="role-1 role-2 … role-n" format, where user roles are space separated. For example, configure roles="level-0 level-1 level-2" to assign level-0, level-1, and level-2 to an HWTACACS user.

If the AAA server assigns the security-audit user role and other user roles to the same user, only the security-audit user role takes effect.
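The role-resolution rules described above (default user role feature, the HWTACACS roles= format, the security-audit exclusivity, and the requirement that an assigned role exists on the device), as an added model that is not H3C code; the FreeRADIUS Cisco-AVPair forms are taken from the RADIUS configuration example later on this page, and the device role list is constructed.

```python
"""Constructed model (not H3C code) of how this page says user roles are resolved
for a remote AAA login: parse the server's role attribute, keep the security-audit
rule, apply the default user role feature, otherwise refuse the login."""
import re
from typing import Optional

SECURITY_AUDIT = "security-audit"

# Constructed: the user roles assumed to exist on this device.
DEVICE_ROLES = frozenset({
    "network-admin", "network-operator", "security-audit", "role2",
    *(f"level-{n}" for n in range(16)),
})

def parse_hwtacacs_roles(attr: str) -> list:
    """HWTACACS custom attribute: roles="role-1 role-2 ... role-n" (space separated)."""
    m = re.fullmatch(r'roles="([^"]*)"', attr.strip())
    if m is None:
        raise ValueError(f"not an HWTACACS roles attribute: {attr!r}")
    return m.group(1).split()

def parse_cisco_avpair_roles(attr: str) -> list:
    """FreeRADIUS Cisco-AVPair value, either shell:roles="r1 r2" or shell:roles*"r1 r2"."""
    m = re.fullmatch(r'shell:roles[=*]"([^"]*)"', attr.strip())
    if m is None:
        raise ValueError(f"not a Cisco-AVPair roles attribute: {attr!r}")
    return m.group(1).split()

def resolve_login_roles(assigned: list, device_roles=DEVICE_ROLES,
                        default_role_enabled: bool = False,
                        default_role: str = "network-operator") -> Optional[list]:
    """Effective role list for the login, or None when the login must fail
    (RBAC requires at least one user role, see the troubleshooting section)."""
    if not assigned:
        # The server assigned no role: only 'role default-role enable' saves the login.
        return [default_role] if default_role_enabled else None
    known = [r for r in assigned if r in device_roles]
    if not known:
        # None of the assigned roles exists on the device; the page requires at least one.
        return None
    # security-audit is mutually exclusive: if present, only it takes effect.
    if SECURITY_AUDIT in known:
        return [SECURITY_AUDIT]
    return known
```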

Assigning user roles to local AAA authentication users

Configure user roles for local AAA authentication users in their local user accounts. Every local user has a default user role. If this default user role is not suitable, remove it.

If a local user is the only user with the security-audit user role, the user cannot be deleted.

The security-audit user role is mutually exclusive with other user roles.

·          When you assign the security-audit user role to a local user, the system requests confirmation to remove all the other user roles from the user.

·          When you assign the other user roles to a local user who has the security-audit user role, the system requests confirmation to remove the security-audit role from the user.

To assign a user role to a local user:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a local user and enter its view.

local-user user-name class { manage | network }

N/A

3.       Authorize the user to have a user role.

authorization-attribute user-role role-name

Repeat this step to assign a maximum of 64 user roles to the user.

By default, the network-operator user role is assigned to local users created by a network-admin or level-15 user.

 

Assigning user roles to non-AAA authentication users on user lines

Specify user roles for the following two types of login users on the user lines:

·          Users who use password authentication or no authentication.

·          SSH clients that use publickey or password-publickey authentication. User roles assigned to these SSH clients are specified in their respective device management user accounts.

For more information about user lines, see "Login overview" and "Configuring CLI login." For more information about SSH, see Security Configuration Guide.

To assign a user role to non-AAA authentication users on a user line:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter user line view or user line class view.

·         Enter user line view:
line { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }

·         Enter user line class view:
line class { aux | vty }

For information about the priority order and application scope of the settings in user line view and user line class view, see "Configuring CLI login."

3.       Specify a user role on the user line.

user-role role-name

Repeat this step to specify a maximum of 64 user roles on a user line.

By default, the network-admin user role is specified on the AUX user line, and the network-operator user role is specified on any other user line.

The device cannot assign the security-audit user role to non-AAA authentication users.

 

Configuring temporary user role authorization

Temporary user role authorization allows you to obtain another user role without reconnecting to the device. This feature is useful when you want to use a user role temporarily to configure a feature.

Temporary user role authorization is effective only on the current login. This feature does not change the user role settings in the user account that you have been logged in with. The next time you are logged in with the user account, the original user role settings take effect.

Configuration guidelines

When you configure temporary user role authorization, follow these guidelines:

·          To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication. Table 9 describes the available authentication modes and configuration requirements.

·          If HWTACACS authentication is used, the following rules apply:

◦  The device uses the entered username and password to request role authentication, and it sends the username to the server in the username or username@domain-name format. Whether the domain name is included in the username depends on the user-name-format command in the HWTACACS scheme.

◦  To obtain a level-n user role, the user account on the server must have the target user role level or a level higher than the target user role. A user account that obtains the level-n user role can obtain any user role among level-0 through level-n.

◦  To obtain a non-level-n user role, make sure the user account on the server meets the following requirements:

-      The account has a user privilege level.

-      The HWTACACS custom attribute is configured for the account in the form of allowed-roles="role". The variable role represents the target user role.

·          If RADIUS authentication is used, the following rules apply:

◦  The device does not use the username you enter to request user role authentication. It uses a username in the $enabn$ format. The variable n represents a user role level, and a domain name is not included in the username. You can always pass user role authentication when the password is correct.

◦  To obtain a level-n user role, you must create a user account for the level-n user role in the $enabn$ format on the RADIUS server. The variable n represents the target user role level. For example, to obtain the authorization of the level-3 user role, you can enter any username. The device uses the username $enab3$ to request user role authentication from the server.

◦  To obtain a non-level-n user role, you must perform the following tasks:

-      Create the user account $enab0$ on the server.

-      Configure the cisco-av-pair attribute for the account in the form of allowed-roles="role". The variable role represents the target user role.

·          The device selects an authentication domain for user role authentication in the following order:

a.    The ISP domain included in the entered username.

b.    The default ISP domain.

·          If you execute the quit command after obtaining user role authorization, you are logged out of the device.

Table 9 User role authentication modes

Keywords

Authentication mode

Description

local

Local password authentication only (local-only)

The device uses the locally configured password for authentication.

If no local password is configured for a user role in this mode, an AUX user can obtain the user role by either entering a string or not entering anything.

scheme

Remote AAA authentication through HWTACACS or RADIUS (remote-only)

The device sends the username and password to the HWTACACS or RADIUS server for remote authentication.

To use this mode, you must perform the following configuration tasks:

·         Configure the required HWTACACS or RADIUS scheme, and configure the ISP domain to use the scheme for the user. For more information, see Security Configuration Guide.

·         Add the user account and password on the HWTACACS or RADIUS server.

local scheme

Local password authentication first, and then remote AAA authentication (local-then-remote)

Local password authentication is performed first.

If no local password is configured for the user role in this mode:

·         The device performs remote AAA authentication for VTY users.

·         An AUX user can obtain another user role by either entering a string or not entering anything.

scheme local

Remote AAA authentication first, and then local password authentication (remote-then-local)

Remote AAA authentication is performed first.

Local password authentication is performed in either of the following situations:

·         The HWTACACS or RADIUS server does not respond.

·         The remote AAA configuration on the device is invalid.

 

Configuring user role authentication

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set an authentication mode.

super authentication-mode { local | scheme } *

By default, local-only authentication applies.

3.       (Optional.) Specify the default target user role for temporary user role authorization.

super default role role-name

By default, the default target user role is network-admin.

4.       Set a local authentication password for a user role.

·         In non-FIPS mode:
super password [ role role-name ] [ { hash | simple } string ]

·         In FIPS mode:
super password [ role role-name ]

Use this step for local password authentication.

By default, no password is set.

If you do not specify the role role-name option, the command sets a password for the default target user role.

 

Obtaining temporary user role authorization

Perform the following task in user view:

 

Task

Command

Remarks

Obtain the temporary authorization to use a user role.

super [ role-name ]

If you do not specify the role-name argument, you obtain the default target user role for temporary user role authorization.

The operation fails after three consecutive unsuccessful password attempts.

The user role must have the permission to execute the super command to obtain temporary user role authorization.

 

Displaying and maintaining RBAC settings

Execute display commands in any view.

 

Task

Command

Display user role information.

display role [ name role-name ]

Display user role feature information.

display role feature [ name feature-name | verbose ]

Display user role feature group information.

display role feature-group [ name feature-group-name ] [ verbose ]

 

RBAC configuration examples

RBAC configuration example for local AAA authentication users

Network requirements

As shown in Figure 2, the switch performs local AAA authentication for the Telnet user. The user account for the Telnet user is user1@bbb, which is assigned user role role1.

Configure role1 to have the following permissions:

·          Execute the read commands of any feature.

·          Configure VLANs 10 to 20. Access to any other VLANs is denied.

Figure 2 Network diagram

 

Configuration procedure

# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).

<Switch> system-view

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0

[Switch-Vlan-interface2] quit

# Enable the Telnet server.

[Switch] telnet server enable

# Enable scheme authentication on the user lines for Telnet users.

[Switch] line vty 0 63

[Switch-line-vty0-63] authentication-mode scheme

[Switch-line-vty0-63] quit

# Enable local authentication and authorization for ISP domain bbb.

[Switch] domain bbb

[Switch-isp-bbb] authentication login local

[Switch-isp-bbb] authorization login local

[Switch-isp-bbb] quit

# Create user role role1.

[Switch] role name role1

# Configure rule 1 to permit the user role to access the read commands of all features.

[Switch-role-role1] rule 1 permit read feature

# Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view.

[Switch-role-role1] rule 2 permit command system-view ; vlan *

# Change the VLAN policy to permit the user role to configure only VLANs 10 to 20.

[Switch-role-role1] vlan policy deny

[Switch-role-role1-vlanpolicy] permit vlan 10 to 20

[Switch-role-role1-vlanpolicy] quit

[Switch-role-role1] quit

# Create a device management user named user1 and enter local user view.

[Switch] local-user user1 class manage

# Set a plaintext password of aabbcc for the user.

[Switch-luser-manage-user1] password simple aabbcc

# Set the service type to Telnet.

[Switch-luser-manage-user1] service-type telnet

# Assign role1 to the user.

[Switch-luser-manage-user1] authorization-attribute user-role role1

# Remove the default user role (network-operator) from the user. This operation ensures that the user has only the permissions of role1.

[Switch-luser-manage-user1] undo authorization-attribute user-role network-operator

[Switch-luser-manage-user1] quit

Verifying the configuration

# Telnet to the switch, and enter the username and password to access the switch. (Details not shown.)

# Verify that you can create VLANs 10 to 20. This example uses VLAN 10.

<Switch> system-view

[Switch] vlan 10

[Switch-vlan10] quit

# Verify that you cannot create any VLAN other than VLANs 10 to 20. This example uses VLAN 30.

[Switch] vlan 30

Permission denied.

# Verify that you can use all read commands of any feature. This example uses display clock.

[Switch] display clock

09:31:56 UTC Sat 01/01/2011

[Switch] quit

# Verify that you cannot use the write or execute commands of any feature.

<Switch> debugging role all

Permission denied.

<Switch> ping 192.168.1.58

Permission denied.

RBAC configuration example for RADIUS authentication users

Network requirements

As shown in Figure 3, the switch uses the FreeRADIUS server to provide AAA service for login users, including the Telnet user. The user account for the Telnet user is hello@bbb, which is assigned user role role2.

User role role2 has the following permissions:

·          Use all commands in ISP domain view.

·          Use the read and write commands of the arp and radius features.

·          Cannot access the read commands of the acl feature.

·          Configure VLANs 1 to 20 and interfaces HundredGigE 1/0/1 to HundredGigE 1/0/4. Access to any other VLANs and interfaces is denied.

The switch and the FreeRADIUS server use a shared key of expert and authentication port 1812. The switch delivers usernames with their domain names to the server.

Figure 3 Network diagram

 

Configuration procedure

Make sure the settings on the switch and the RADIUS server match.

1.        Configure the switch:

# Assign VLAN-interface 2 an IP address from the same subnet as the Telnet user.

<Switch> system-view

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0

[Switch-Vlan-interface2] quit

# Assign VLAN-interface 3 an IP address from the same subnet as the RADIUS server.

[Switch] interface vlan-interface 3

[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0

[Switch-Vlan-interface3] quit

# Enable the Telnet server.

[Switch] telnet server enable

# Enable scheme authentication on the user lines for Telnet users.

[Switch] line vty 0 63

[Switch-line-vty0-63] authentication-mode scheme

[Switch-line-vty0-63] quit

# Create RADIUS scheme rad and enter RADIUS scheme view.

[Switch] radius scheme rad

# Specify the primary server address and the service port in the scheme.

[Switch-radius-rad] primary authentication 10.1.1.1 1812

# Set the shared key to expert in the scheme for the switch to authenticate to the server.

[Switch-radius-rad] key authentication simple expert

[Switch-radius-rad] quit

# Specify scheme rad as the authentication and authorization schemes for ISP domain bbb.

 

IMPORTANT:

Because RADIUS user authorization information is piggybacked in authentication responses, the authentication and authorization methods must use the same RADIUS scheme.

 

[Switch] domain bbb

[Switch-isp-bbb] authentication login radius-scheme rad

[Switch-isp-bbb] authorization login radius-scheme rad

[Switch-isp-bbb] quit

# Create feature group fgroup1.

[Switch] role feature-group name fgroup1

# Add the arp and radius features to the feature group.

[Switch-featuregrp-fgroup1] feature arp

[Switch-featuregrp-fgroup1] feature radius

[Switch-featuregrp-fgroup1] quit

# Create user role role2.

[Switch] role name role2

# Configure rule 1 to permit the user role to use all commands available in ISP domain view.

[Switch-role-role2] rule 1 permit command system-view ; domain *

# Configure rule 2 to permit the user role to use the read and write commands of all features in fgroup1.

[Switch-role-role2] rule 2 permit read write feature-group fgroup1

# Configure rule 3 to disable access to the read commands of the acl feature.

[Switch-role-role2] rule 3 deny read feature acl

# Configure rule 4 to permit the user role to create VLANs and use all commands available in VLAN view.

[Switch-role-role2] rule 4 permit command system-view ; vlan *

# Configure rule 5 to permit the user role to enter interface view and use all commands available in interface view.

[Switch-role-role2] rule 5 permit command system-view ; interface *

# Configure the user role VLAN policy to disable configuration of any VLAN except VLANs 1 to 20.

[Switch-role-role2] vlan policy deny

[Switch-role-role2-vlanpolicy] permit vlan 1 to 20

[Switch-role-role2-vlanpolicy] quit

# Configure the user role interface policy to disable configuration of any interface except HundredGigE 1/0/1 to HundredGigE 1/0/4.

[Switch-role-role2] interface policy deny

[Switch-role-role2-ifpolicy] permit interface hundredgige 1/0/1 to hundredgige 1/0/4

[Switch-role-role2-ifpolicy] quit

[Switch-role-role2] quit

2.        Configure the RADIUS server:

# Add either of the user role attributes to the dictionary file of the FreeRADIUS server.

Cisco-AVPair = "shell:roles=\"role2\""

Cisco-AVPair = "shell:roles*\"role2\""

# Configure the settings required for the FreeRADIUS server to communicate with the switch. (Details not shown.)

Verifying the configuration

# Telnet to the switch, and enter the username and password to access the switch. (Details not shown.)

# Verify that you can use all commands available in ISP domain view.

<Switch> system-view

[Switch] domain abc

[Switch-isp-abc] authentication login radius-scheme abc

[Switch-isp-abc] quit

# Verify that you can use all read and write commands of the radius and arp features. This example uses radius.

[Switch] radius scheme rad

[Switch-radius-rad] primary authentication 2.2.2.2

[Switch-radius-rad] display radius scheme rad

Output of the RADIUS scheme is omitted.

# Verify that you cannot configure any VLAN except VLANs 1 to 20. This example uses VLAN 10 and VLAN 30.

[Switch] vlan 10

[Switch-vlan10] quit

[Switch] vlan 30

Permission denied.

# Verify that you cannot configure any interface except HundredGigE 1/0/1 to HundredGigE 1/0/4. This example uses HundredGigE 1/0/2 and HundredGigE 1/0/5.

[Switch] vlan 10

[Switch-vlan10] port hundredgige 1/0/2

[Switch-vlan10] port hundredgige 1/0/5

Permission denied.
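The rule and resource-policy checks that the two configuration examples above (role1 and role2) rely on, as an added model that is not H3C code. The command catalogue and the feature names other than arp, radius, acl and vlan are constructed, and the rule-precedence comment marks an assumption.

```python
"""Constructed model (not H3C code) of the user role rules and resource policies
that the two configuration examples on this page build for role1 and role2. The
command catalogue is hand-built for the commands the verification steps use."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
import re

CATALOGUE = {  # command keyword(s) -> (feature, command type); constructed
    "display clock": ("device", "read"),
    "debugging": ("debug", "execute"),
    "ping": ("ping", "execute"),
    "vlan": ("vlan", "write"),
    "port": ("vlan", "write"),
    "domain": ("aaa", "write"),
    "authentication login": ("aaa", "write"),
    "radius scheme": ("radius", "write"),
    "primary authentication": ("radius", "write"),
    "display radius scheme": ("radius", "read"),
    "display acl": ("acl", "read"),
}

def classify(cmd: str):
    """Longest-keyword-prefix lookup of one command line in the catalogue."""
    for key in sorted(CATALOGUE, key=len, reverse=True):
        if cmd == key or cmd.startswith(key + " "):
            return CATALOGUE[key]
    raise KeyError(f"command not in constructed catalogue: {cmd!r}")

@dataclass
class Rule:
    id: int
    action: str                           # "permit" or "deny"
    types: frozenset = frozenset()        # read/write/execute, for feature rules
    feature: Optional[str] = None         # 'feature acl'; None = every feature
    features: Optional[frozenset] = None  # expanded 'feature-group' members
    command: Optional[str] = None         # 'command' rule: glob over the view path

    def matches(self, path: str, feature: str, ctype: str) -> bool:
        if self.command is not None:
            return fnmatchcase(path, self.command)
        if ctype not in self.types:
            return False
        if self.feature is not None:
            return feature == self.feature
        if self.features is not None:
            return feature in self.features
        return True                       # 'rule N permit read feature'

@dataclass
class Role:
    name: str
    rules: list
    vlans: Optional[set] = None           # 'vlan policy deny' + permitted IDs
    interfaces: Optional[set] = None      # 'interface policy deny' + permitted names

def expand_interfaces(spec: str) -> set:
    """'hundredgige 1/0/1 to hundredgige 1/0/4' -> the four interface names."""
    m = re.fullmatch(r"(\S+) (\d+/\d+/)(\d+)(?: to \1 \2(\d+))?", spec)
    lo, hi = int(m.group(3)), int(m.group(4) or m.group(3))
    return {f"{m.group(1)} {m.group(2)}{n}" for n in range(lo, hi + 1)}

def authorize(role: Role, path: str) -> bool:
    """Decide the last command of a ' ; '-separated view path, for example
    'system-view ; vlan 10 ; port hundredgige 1/0/5'. False is the device's
    'Permission denied.'"""
    segments = [s.strip() for s in path.split(";")]
    feature, ctype = classify(segments[-1])
    # Resource policies: every VLAN or interface named on the path must be permitted.
    for seg in segments:
        m = re.fullmatch(r"vlan (\d+)", seg)
        if m and role.vlans is not None and int(m.group(1)) not in role.vlans:
            return False
        m = re.fullmatch(r"(?:port|interface) (\S+ \d+/\d+/\d+)", seg)
        if m and role.interfaces is not None and m.group(1) not in role.interfaces:
            return False
    full = " ; ".join(segments)
    hits = [r for r in role.rules if r.matches(full, feature, ctype)]
    if not hits:
        return False
    # Assumption (the precedence rule given in the RBAC overview, not in this
    # section): when several rules match, the rule with the highest ID decides.
    return max(hits, key=lambda r: r.id).action == "permit"

FGROUP1 = frozenset({"arp", "radius"})                    # role feature-group name fgroup1
ROLE1 = Role("role1", [
    Rule(1, "permit", types=frozenset({"read"})),          # rule 1 permit read feature
    Rule(2, "permit", command="system-view ; vlan *"),    # rule 2 permit command ...
], vlans=set(range(10, 21)))                               # vlan policy: permit vlan 10 to 20
ROLE2 = Role("role2", [
    Rule(1, "permit", command="system-view ; domain *"),
    Rule(2, "permit", types=frozenset({"read", "write"}), features=FGROUP1),
    Rule(3, "deny", types=frozenset({"read"}), feature="acl"),
    Rule(4, "permit", command="system-view ; vlan *"),
    Rule(5, "permit", command="system-view ; interface *"),
], vlans=set(range(1, 21)),
   interfaces=expand_interfaces("hundredgige 1/0/1 to hundredgige 1/0/4"))
```

Each verification step above maps to one authorize() call, for example authorize(ROLE1, "system-view ; vlan 30") is False because the VLAN policy, not a rule, rejects VLAN 30.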

RBAC temporary user role authorization configuration example (HWTACACS authentication)

Network requirements

As shown in Figure 4, the switch uses local authentication for login users, including the Telnet user. The user account for the Telnet user is test@bbb, which is assigned user role level-0.

Configure the remote-then-local authentication mode for temporary user role authorization. The switch uses the HWTACACS server to provide authentication for changing the user role among level-0 through level-3 or changing the user role to network-admin. If the AAA configuration is invalid or the HWTACACS server does not respond, the switch performs local authentication.

Figure 4 Network diagram

 

Configuration procedure

1.        Configure the switch:

# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).

<Switch> system-view

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0

[Switch-Vlan-interface2] quit

# Assign an IP address to VLAN-interface 3 (the interface connected to the HWTACACS server).

[Switch] interface vlan-interface 3

[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0

[Switch-Vlan-interface3] quit

# Enable the Telnet server.

[Switch] telnet server enable

# Enable scheme authentication on the user lines for Telnet users.

[Switch] line vty 0 63

[Switch-line-vty0-63] authentication-mode scheme

[Switch-line-vty0-63] quit

# Enable remote-then-local authentication for temporary user role authorization.

[Switch] super authentication-mode scheme local

# Create HWTACACS scheme hwtac and enter HWTACACS scheme view.

[Switch] hwtacacs scheme hwtac

# Specify the primary authentication server address and the service port in the scheme.

[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49

# Set the shared key to expert in the scheme for the switch to authenticate to the server.

[Switch-hwtacacs-hwtac] key authentication simple expert

# Exclude ISP domain names from the usernames sent to the HWTACACS server.

[Switch-hwtacacs-hwtac] user-name-format without-domain

[Switch-hwtacacs-hwtac] quit

# Create ISP domain bbb and enter ISP domain view.

[Switch] domain bbb

# Configure ISP domain bbb to use local authentication for login users.

[Switch-isp-bbb] authentication login local

# Configure ISP domain bbb to use local authorization for login users.

[Switch-isp-bbb] authorization login local

# Apply HWTACACS scheme hwtac to the ISP domain for user role authentication.

[Switch-isp-bbb] authentication super hwtacacs-scheme hwtac

[Switch-isp-bbb] quit

# Create a device management user named test and enter local user view.

[Switch] local-user test class manage

# Set the user service type to Telnet.

[Switch-luser-manage-test] service-type telnet

# Set the user password to aabbcc.

[Switch-luser-manage-test] password simple aabbcc

# Assign level-0 to the user.

[Switch-luser-manage-test] authorization-attribute user-role level-0

# Remove the default user role (network-operator).

[Switch-luser-manage-test] undo authorization-attribute user-role network-operator

[Switch-luser-manage-test] quit

# Set the local authentication password to 654321 for user role level-3.

[Switch] super password role level-3 simple 654321

# Set the local authentication password to 654321 for user role network-admin.

[Switch] super password role network-admin simple 654321

[Switch] quit

2.        Configure the HWTACACS server:

This example uses ACSv4.0.

a.    Access the User Setup page.

b.    Add a user account named test. (Details not shown.)

c.     In the Advanced TACACS+ Settings area, configure the following parameters:

-      Select Level 3 for the Max Privilege for any AAA Client option.

If the target user role is only network-admin for temporary user role authorization, you can select any level for the option.

-      Select the Use separate password option, and specify enabpass as the password.

Figure 5 Configuring advanced TACACS+ settings

 

d.    Select Shell (exec) and Custom attributes, and enter allowed-roles="network-admin" in the Custom attributes field.

Use a blank space to separate the allowed roles.

Figure 6 Configuring custom attributes for the Telnet user

 

Verifying the configuration

1.        Telnet to the switch, and enter username test@bbb and password aabbcc to access the switch. Verify that you have access to diagnostic commands.

<Switch> telnet 192.168.1.70

Trying 192.168.1.70 ...

Press CTRL+K to abort

Connected to 192.168.1.59 ...

******************************************************************************

* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

login: test@bbb

Password:

<Switch>?

User view commands:

  ping         Ping function

  quit         Exit from current command view

  ssh2         Establish a secure shell client connection

  super        Switch to a user role

  system-view  Enter the System View

  telnet       Establish a telnet connection

  tracert      Tracert function

 

<Switch>

2.        Verify that you can obtain the level-3 user role:

# Use the super password to obtain the level-3 user role. When the system prompts for a username and password, enter username test@bbb and password enabpass.

<Switch> super level-3

Username: test@bbb

Password:

The following output shows that you have obtained the level-3 user role.

User privilege role is level-3, and only those commands that authorized to the role can be used.

# If the ACS server does not respond, enter local authentication password 654321 at the prompt.

Invalid configuration or no response from the authentication server.

Change authentication mode to local.

Password:

User privilege role is level-3, and only those commands that authorized to the role can be used.

The output shows that you have obtained the level-3 user role.

3.        Use the method in step 2 to verify that you can obtain the level-0, level-1, level-2, and network-admin user roles. (Details not shown.)

RBAC temporary user role authorization configuration example (RADIUS authentication)

Network requirements

As shown in Figure 7, the switch uses local authentication for login users, including the Telnet user. The user account for the Telnet user is test@bbb, which is assigned user role level-0.

Configure the remote-then-local authentication mode for temporary user role authorization. The switch uses the RADIUS server to provide authentication for the network-admin user role. If the AAA configuration is invalid or the RADIUS server does not respond, the switch performs local authentication.

Figure 7 Network diagram

 

Configuration procedure

1.        Configure the switch:

# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).

<Switch> system-view

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0

[Switch-Vlan-interface2] quit

# Assign an IP address to VLAN-interface 3 (the interface connected to the RADIUS server).

[Switch] interface vlan-interface 3

[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0

[Switch-Vlan-interface3] quit

# Enable the Telnet server.

[Switch] telnet server enable

# Enable scheme authentication on the user lines for Telnet users.

[Switch] line vty 0 63

[Switch-line-vty0-63] authentication-mode scheme

[Switch-line-vty0-63] quit

# Enable remote-then-local authentication for temporary user role authorization.

[Switch] super authentication-mode scheme local

# Create RADIUS scheme radius and enter RADIUS scheme view.

[Switch] radius scheme radius

# Specify the primary authentication server address and the shared key in the scheme for secure communication between the switch and the server.

[Switch-radius-radius] primary authentication 10.1.1.1 key simple expert

# Exclude ISP domain names from the usernames sent to the RADIUS server.

[Switch-radius-radius] user-name-format without-domain

[Switch-radius-radius] quit

# Create ISP domain bbb and enter ISP domain view.

[Switch] domain bbb

# Configure ISP domain bbb to use local authentication for login users.

[Switch-isp-bbb] authentication login local

# Configure ISP domain bbb to use local authorization for login users.

[Switch-isp-bbb] authorization login local

# Apply RADIUS scheme radius to the ISP domain for user role authentication.

[Switch-isp-bbb] authentication super radius-scheme radius

[Switch-isp-bbb] quit

# Create a device management user named test and enter local user view.

[Switch] local-user test class manage

# Set the user service type to Telnet.

[Switch-luser-manage-test] service-type telnet

# Set the user password to aabbcc.

[Switch-luser-manage-test] password simple aabbcc

# Assign level-0 to the user.

[Switch-luser-manage-test] authorization-attribute user-role level-0

# Remove the default user role (network-operator).

[Switch-luser-manage-test] undo authorization-attribute user-role network-operator

[Switch-luser-manage-test] quit

# Set the local authentication password to abcdef654321 for user role network-admin.

[Switch] super password role network-admin simple abcdef654321

[Switch] quit

2.        Configure the RADIUS server:

This example uses ACSv4.2.

a.    Add a user account named $enab0$ and set the password to 123456. (Details not shown.)

b.    Access the Cisco IOS/PIX 6.x RADIUS Attributes page.

c.     Configure the cisco-av-pair attribute, as shown in Figure 8.

Figure 8 Configuring the cisco-av-pair attribute

 

Verifying the configuration

1.        Telnet to the switch, and enter username test@bbb and password aabbcc to access the switch. Verify that you have access to diagnostic commands.

<Switch> telnet 192.168.1.70

Trying 192.168.1.70 ...

Press CTRL+K to abort

Connected to 192.168.1.59 ...

******************************************************************************

* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

login: test@bbb

Password:

<Switch>?

User view commands:

  ping         Ping function

  quit         Exit from current command view

  ssh2         Establish a secure shell client connection

  super        Switch to a user role

  system-view  Enter the System View

  telnet       Establish a telnet connection

  tracert      Tracert function

 

<Switch>

2.        Verify that you can obtain the network-admin user role:

# Use the super password to obtain the network-admin user role. When the system prompts for a username and password, enter username test@bbb and password 123456.

<Switch> super network-admin

Username: test@bbb

Password:

The following output shows that you have obtained the network-admin user role.

User privilege role is network-admin, and only those commands that authorized to the role can be used.

# If the ACS server does not respond, enter local authentication password abcdef654321 at the prompt.

Invalid configuration or no response from the authentication server.

Change authentication mode to local.

Password:

User privilege role is network-admin, and only those commands that authorized to the role can be used.

The output shows that you have obtained the network-admin user role.
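The temporary user role authorization rules from the configuration guidelines and Table 9 (which username the device sends, how the HWTACACS and RADIUS server accounts are checked, and how the super authentication modes fall back to the local super password), exercised with the accounts from the two examples above. This is an added model, not H3C code; the server account records are constructed.

```python
"""Constructed model (not H3C code) of the temporary user role authorization
rules on this page: the username the device sends for 'super', how the server
account is checked for HWTACACS versus RADIUS, and how the four super
authentication modes fall back to the local super password."""
from dataclasses import dataclass
from typing import Optional
import re

LEVEL_ROLE = re.compile(r"level-(\d+)$")

@dataclass
class ServerAccount:
    password: str
    privilege_level: Optional[int] = None     # HWTACACS 'Max Privilege' level
    allowed_roles: frozenset = frozenset()    # allowed-roles="r1 r2" / cisco-av-pair

def request_username(protocol: str, login_user: str, target_role: str,
                     with_domain: bool) -> str:
    """HWTACACS sends the entered name, with or without @domain depending on
    user-name-format; RADIUS ignores the entered name and sends $enabn$."""
    if protocol == "radius":
        m = LEVEL_ROLE.match(target_role)
        return f"$enab{m.group(1)}$" if m else "$enab0$"
    return login_user if with_domain else login_user.split("@", 1)[0]

def remote_authorized(protocol: str, accounts: dict, username: str,
                      password: str, target_role: str) -> bool:
    """Server-side decision for one super request."""
    acct = accounts.get(username)
    if acct is None or acct.password != password:
        return False
    m = LEVEL_ROLE.match(target_role)
    if protocol == "radius":
        # level-n: owning the $enabn$ account is the authorization;
        # any other role: $enab0$ plus cisco-av-pair allowed-roles="role".
        return True if m else target_role in acct.allowed_roles
    # HWTACACS: a level-n role needs privilege level >= n; any other role
    # needs a privilege level plus the allowed-roles custom attribute.
    if acct.privilege_level is None:
        return False
    if m:
        return acct.privilege_level >= int(m.group(1))
    return target_role in acct.allowed_roles

@dataclass
class SuperContext:
    mode: str                      # "local", "scheme", "local scheme", "scheme local"
    line: str                      # "aux" or "vty"
    local_passwords: dict          # role -> password set with 'super password role ...'
    server_reachable: bool = True
    remote_config_valid: bool = True

def local_check(ctx: SuperContext, role: str, entered: str) -> Optional[bool]:
    """None when no local password exists for the role on a VTY line. The page
    defines the no-password case for AUX only (anything, or nothing, passes);
    for VTY in local-only mode it is treated as denied (assumption)."""
    expected = ctx.local_passwords.get(role)
    if expected is None:
        return True if ctx.line == "aux" else None
    return entered == expected

def super_authorize(ctx: SuperContext, role: str, entered: str,
                    remote_result: bool) -> bool:
    """remote_result is what remote_authorized() returned; it is consulted
    only when the server answers and the remote AAA configuration is valid."""
    remote_usable = ctx.server_reachable and ctx.remote_config_valid
    if ctx.mode == "local":
        return bool(local_check(ctx, role, entered))
    if ctx.mode == "scheme":
        return remote_usable and remote_result
    if ctx.mode == "local scheme":
        local = local_check(ctx, role, entered)
        return (remote_usable and remote_result) if local is None else local
    if ctx.mode == "scheme local":
        if remote_usable:
            return remote_result
        return bool(local_check(ctx, role, entered))  # "Change authentication mode to local."
    raise ValueError(f"unknown super authentication mode: {ctx.mode!r}")

def super_attempts(ctx: SuperContext, role: str, tries: list) -> bool:
    """tries: [(entered_password, remote_result), ...]. The operation fails
    after three consecutive unsuccessful password attempts."""
    for entered, remote_result in tries[:3]:
        if super_authorize(ctx, role, entered, remote_result):
            return True
    return False
```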

Troubleshooting RBAC

This section describes several typical RBAC issues and their solutions.

Local users have more access permissions than intended

Symptom

A local user can use more commands than should be permitted by the assigned user roles.

Analysis

The local user might have been assigned to user roles without your knowledge. For example, the local user is automatically assigned the default user role when you create the user.

Solution

To resolve the issue:

1.        Use the display local-user command to examine the local user accounts for undesirable user roles, and remove them.

2.        If the issue persists, contact H3C Support.

Login attempts by RADIUS users always fail

Symptom

Attempts by a RADIUS user to log in to the network access device always fail, even though the following conditions exist:

·          The network access device and the RADIUS server can communicate with one another.

·          All AAA settings are correct.

Analysis

RBAC requires that a login user have a minimum of one user role. If the RADIUS server does not authorize the login user to use any user role, the user cannot log in to the device.

Solution

To resolve the issue:

1.        Use one of the following methods:

◦  Configure the role default-role enable command. A RADIUS user can log in with the default user role when no user role is assigned by the RADIUS server.

◦  Add the user role authorization attributes on the RADIUS server.

2.        If the issue persists, contact H3C Support.


Login overview

The first time you access the device, you can only log in to the CLI through the console port. After login, you can change console login parameters or configure other access methods, including Telnet, SSH, SNMP, and RESTful.

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

Telnet is not supported in FIPS mode.

Table 10 Login methods at a glance

Login method

Default settings and minimum configuration requirements

Login configuration

CLI login:

 

Configuring CLI login

·         Local console login

By default, local console login is enabled and does not require authentication. The default user role is network-admin. To improve device security, configure password or scheme authentication for the AUX line immediately after you log in to the device for the first time.

Configuring local console login

·         Telnet login

By default, Telnet login is disabled.

To enable Telnet login, perform the following tasks:

·         Enable the Telnet server feature.

·         Assign an IP address to a Layer 3 interface and make sure the interface and the Telnet client can reach each other.

·         Configure an authentication mode for VTY login users. By default, password authentication is used but no password is configured.

·         Assign a user role to VTY login users. By default, a VTY login user is assigned the network-operator user role.

Configuring Telnet login

·         SSH login

By default, SSH login is disabled.

To enable SSH login, perform the following tasks:

·         Enable the SSH server feature and configure SSH attributes.

·         Assign an IP address to a Layer 3 interface. Make sure the interface and the SSH client can reach each other.

·         Configure scheme authentication for VTY login users. By default, password authentication is used.

·         Assign a user role to VTY login users. By default, a VTY login user is assigned the network-operator user role.

Configuring SSH login

SNMP access

By default, SNMP access is disabled.

To enable SNMP access, perform the following tasks:

·         Assign an IP address to a Layer 3 interface. Make sure the interface and the NMS can reach each other.

·         Configure SNMP basic parameters.

Accessing the device through SNMP

RESTful access

By default, RESTful access is disabled.

To enable RESTful access, perform the following tasks:

·         Assign an IP address to a Layer 3 interface. Make sure the interface and the RESTful access user's host can reach each other.

·         Enable RESTful access over HTTP or RESTful access over HTTPS.

·         Configure a local user account for RESTful access and assign a user role to the account. By default, the network-operator user role is assigned to the account.

·         Assign HTTP or HTTPS service to the user. By default, no service type is assigned to a local user.

Configuring RESTful access over HTTP

 


Using the console port for the first device access

The first time you access the device, you can only log in to the CLI through the console port.

To log in through the console port, prepare a console terminal, for example, a PC. Make sure the console terminal has a terminal emulation program, such as HyperTerminal or PuTTY. For information about how to use terminal emulation programs, see the programs' user guides.

To log in through the console port:

1.        Connect the DB-9 female connector of the console cable to the serial port of the PC.

2.        Identify the console port of the device carefully and connect the RJ-45 connector of the console cable to the console port.

 

IMPORTANT:

The serial ports on PCs do not support hot swapping. To connect a PC to an operating device, first connect the PC end. To disconnect a PC from an operating device, first disconnect the device end.

 

Figure 9 Connecting a terminal to the console port

 

3.        If the PC is off, turn on the PC.

4.        On the PC, launch the terminal emulation program, and create a connection that uses the serial port connected to the device. Set the port properties so the port properties match the following console port default settings:

    ·  Bits per second—9600 bps.

    ·  Flow control—None.

    ·  Parity—None.

    ·  Stop bits—1.

    ·  Data bits—8.

5.        Power on the device and press Enter as prompted.

The default user view prompt <H3C> appears. You can enter commands to configure or manage the device. To get help, enter ?.


Configuring CLI login

By default, you can log in to the CLI through the console port. After you log in, you can configure other CLI login methods, including Telnet and SSH.

To prevent illegal access to the CLI and control user behavior, perform the following tasks as required:

·          Configure login authentication.

·          Assign user roles.

·          Configure command authorization and command accounting.

·          Use ACLs to filter unauthorized logins.

This chapter describes how to configure and use CLI login methods, including login authentication, user roles, and common user line settings. For more information about command authorization, command accounting, and unauthorized access filtering, see "Controlling user access to the device."

CLI overview

User lines

The device uses user lines (also called user interfaces) to manage CLI sessions and monitor user behavior. For a user line, you can configure access control settings, including the login authentication method and user roles.

The device supports the user lines listed in Table 11. Different user lines require different login methods.

Table 11 CLI login method and user line matrix

User line                         Login method
AUX line                          Console port.
Virtual type terminal (VTY) line  Telnet or SSH.

 

User line numbering

Every user line has an absolute number and a relative number.

An absolute number uniquely identifies a user line among all user lines. The user lines are numbered starting from 0 and incrementing by 1, in the sequence of console, TTY, AUX, and VTY lines. You can use the display line command without any parameters to view supported user lines and their absolute numbers.

A relative number uniquely identifies a user line among all user lines of the same type. The number format is user line type + number. TTY lines are numbered starting from 1 and incrementing by 1. All other types of user lines are numbered starting from 0 and incrementing by 1. For example, the first VTY line is VTY 0.

User line assignment

The device assigns user lines to CLI login users depending on their login methods, as shown in Table 11. When a user logs in, the device checks the idle user lines for the login method, and assigns the lowest numbered user line to the user. For example, four VTY lines (0 to 3) are configured, of which VTY 0 and VTY 3 are idle. When a user Telnets to the device, the device assigns VTY 0 to the user.

Each user line can be assigned only to one user at a time. If no user line is available, a CLI login attempt will be rejected.

Login authentication modes

You can configure login authentication to prevent illegal access to the device CLI.

In non-FIPS mode, the device supports the following login authentication modes:

·          None—Disables authentication. This mode allows access without authentication and is insecure.

·          Password—Requires password authentication. A user must provide the correct password at login.

·          Scheme—Uses the AAA module to provide local or remote login authentication. A user must provide the correct username and password at login.

In FIPS mode, the device supports only the scheme authentication mode.

Different login authentication modes require different user line configurations, as shown in Table 12.

Table 12 Configuration required for different login authentication modes

Authentication mode   Configuration tasks
None                  Set the authentication mode to none.
Password              1. Set the authentication mode to password.
                      2. Set a password.
Scheme                1. Set the authentication mode to scheme.
                      2. Configure login authentication methods in ISP domain view. For more information, see Security Configuration Guide.

 

User roles

A user is assigned user roles at login. The user roles control the commands available for the user. For more information about user roles, see "Configuring RBAC."

The device assigns user roles based on the login authentication mode and user type.

·          In none or password authentication mode, the device assigns the user roles specified for the user line.

·          In scheme authentication mode, the device uses the following rules to assign user roles:

    ·  For an SSH login user who uses publickey or password-publickey authentication, the device assigns the user roles specified for the local device management user with the same name.

    ·  For other users, the device assigns user roles according to the user role configuration of the AAA module. If the AAA server does not assign any user roles and the default user role feature is disabled, a remote AAA authentication user cannot log in.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

Telnet login is not supported in FIPS mode.

Configuring local console login

You can connect a terminal to the console port of the device to log in and manage the device, as shown in Figure 10. For the login procedure, see "Using the console port for the first device access."

Figure 10 Logging in through the console port

 

By default, console login is enabled both locally and remotely and it does not require authentication. The default user role is network-admin. To improve device security, configure password or scheme authentication for the AUX line immediately after you log in to the device for the first time.

To configure console login, perform the following tasks:

 

Tasks at a glance

Remarks

(Required.) Perform one of the following tasks:

·         Disabling authentication for console login

·         Configuring password authentication for console login

·         Configuring scheme authentication for console login

In FIPS mode, only the scheme authentication mode is supported.

(Optional.) Configuring common AUX line settings

N/A

 

Console login configuration changes do not take effect for current online users. They take effect only for new login users.

Disabling authentication for console login

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AUX line view or class view.

·         Enter AUX line view:
line aux first-number [ last-number ]

·         Enter AUX line class view:
line class aux

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.       Disable authentication.

authentication-mode none

In non-FIPS mode, authentication is disabled for the AUX line by default.

In FIPS mode, scheme authentication is enabled for the AUX line by default.

4.       Assign a user role.

user-role role-name

By default, an AUX line user is assigned the network-admin user role.

 

After you finish this configuration task, a user can log in through the console port without authentication.

Configuring password authentication for console login

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AUX line view or class view.

·         Enter AUX line view:
line aux first-number [ last-number ]

·         Enter AUX line class view:
line class aux

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.       Enable password authentication.

authentication-mode password

In non-FIPS mode, authentication is disabled for the AUX line by default.

In FIPS mode, scheme authentication is enabled by default.

4.       Set a password.

set authentication password { hash | simple } password

By default, no password is set.

5.       Assign a user role.

user-role role-name

By default, an AUX line user is assigned the network-admin user role.

 

After you finish this configuration task, a user must provide the configured password when logging in through the console port.

Configuring scheme authentication for console login

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AUX line view or class view.

·         Enter AUX line view:
line aux first-number [ last-number ]

·         Enter AUX line class view:
line class aux

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.       Enable scheme authentication.

authentication-mode scheme

In non-FIPS mode, authentication is disabled for the AUX line by default.

In FIPS mode, scheme authentication is enabled by default.

 

To use scheme authentication, you must also perform the following tasks:

·          Configure login authentication methods in ISP domain view.

·          For remote authentication, configure a RADIUS, HWTACACS, or LDAP scheme.

·          For local authentication, create a local user account and configure the relevant attributes.

For more information, see Security Configuration Guide.

After you finish this configuration task, a user must provide the configured username and password when logging in through the console port.

Configuring common AUX line settings

Some common settings for an AUX line take effect immediately and can interrupt the current session. Use a login method different from console login to log in to the device before you change AUX line settings.

After you change AUX line settings, adjust the settings on the configuration terminal accordingly for a successful login.

To configure common settings for an AUX line:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AUX line view or class view.

·         Enter AUX line view:
line aux first-number [ last-number ]

·         Enter AUX line class view:
line class aux

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.       Set the transmission rate.

speed speed-value

By default, the transmission rate is 9600 bps.

This command is not available in AUX line class view.

4.       Specify the parity.

parity { even | mark | none | odd | space }

By default, a user line does not use parity.

This command is not available in AUX line class view.

5.       Specify the number of stop bits for a character.

stopbits { 1 | 1.5 | 2 }

The default is 1.

Stop bits indicate the end of a character. The more stop bits, the slower the transmission.

This command is not available in AUX line class view.

6.       Specify the number of data bits for a character.

databits { 5 | 6 | 7 | 8 }

The default is 8.

Configure this command depending on the character coding type. For example, set the number of data bits to 7 for standard ASCII characters. Set the number of data bits to 8 for extended ASCII characters.

This command is not available in AUX line class view.

7.       Specify the terminal session activation key.

activation-key character

By default, pressing Enter starts the terminal session.

8.       Specify the escape key.

escape-key { character | default }

By default, pressing Ctrl+C terminates a command.

9.       Set the user line locking key.

lock-key key-string

By default, no user line locking key is set.

10.     Configure the flow control mode.

flow-control { hardware | none | software }

By default, the flow control mode is none.

This command is not available in AUX line class view.

11.     Specify the terminal display type.

terminal type { ansi | vt100 }

By default, the terminal display type is ANSI.

The device supports ANSI and VT100 terminal display types. As a best practice, specify VT100 type on both the device and the configuration terminal. If either side uses the ANSI type, a display problem might occur when a command line has more than 80 characters. For example, a cursor positioning error might occur.

12.     Set the maximum number of lines of command output to send to the terminal at a time.

screen-length screen-length

By default, the device sends up to 24 lines to the terminal at a time when pausing between screens of output is enabled.

To disable pausing between screens of output, set the value to 0.

13.     Set the size for the command history buffer.

history-command max-size value

By default, the buffer saves up to 10 history commands.

14.     Set the CLI connection idle-timeout timer.

idle-timeout minutes [ seconds ]

By default, the CLI connection idle-timeout timer is 10 minutes.

If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line.

If you set the timeout timer to 0, the connection will not be aged out.

15.     Specify the command to be automatically executed for login users on the lines.

auto-execute command command

By default, no command is specified for auto execution.

The device will automatically execute the specified command when a user logs in through the user line, and close the user connection after the command is executed.

This command is not available in AUX line view or AUX line class view.

16.     Enable the terminal service.

shell

By default, the terminal service is enabled on all user lines.

The undo shell command is not available in AUX line view.

 

Configuring Telnet login

The device can act as a Telnet server to allow Telnet login, or as a Telnet client to Telnet to other devices.

By default, Telnet login is disabled on the device. To configure Telnet login, you must first log in to the device through any other method.

 

 

NOTE:

Telnet login is not supported in FIPS mode.

 

Configuring the device as a Telnet server

Tasks at a glance

(Required.) Enabling Telnet server

(Required.) Perform one of the following tasks:

·         Disabling authentication for Telnet login

·         Configuring password authentication for Telnet login

·         Configuring scheme authentication for Telnet login

(Optional.) Setting the maximum number of concurrent Telnet users

(Optional.) Setting the DSCP value for outgoing Telnet packets

(Optional.) Configuring common VTY line settings

 

Telnet login configuration changes do not take effect for current online users. They take effect only for new login users.

Enabling Telnet server

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the Telnet server.

telnet server enable

By default, the Telnet server is disabled.

 

Disabling authentication for Telnet login

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter VTY line view or class view.

·         Enter VTY line view:
line vty first-number [ last-number ]

·         Enter VTY line class view:
line class vty

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.       Disable authentication.

authentication-mode none

In non-FIPS mode, password authentication is enabled for VTY lines by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

4.       (Optional.) Assign a user role.

user-role role-name

By default, a VTY line user is assigned the network-operator user role.

 

After you finish this configuration task, a user can Telnet to the device without authentication, as shown in the following example:

******************************************************************************

* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

 

 

<H3C>

If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.

Configuring password authentication for Telnet login

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter VTY line view or class view.

·         Enter VTY line view:
line vty first-number [ last-number ]

·         Enter VTY line class view:
line class vty

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.       Enable password authentication.

authentication-mode password

In non-FIPS mode, password authentication is enabled for VTY lines by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

4.       Set a password.

set authentication password { hash | simple } password

By default, no password is set.

5.       (Optional.) Assign a user role.

user-role role-name

By default, a VTY line user is assigned the network-operator user role.

 

After you finish this configuration task, a user must provide the configured password when Telnetting to the device, as shown in the following example:

******************************************************************************

* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

Password:

<H3C>

If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.

Configuring scheme authentication for Telnet login

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter VTY line view or class view.

·         Enter VTY line view:
line vty first-number [ last-number ]

·         Enter VTY line class view:
line class vty

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.       Enable scheme authentication.

authentication-mode scheme

In non-FIPS mode, password authentication is enabled for VTY lines by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

 

To use scheme authentication, you must also perform the following tasks:

·          Configure login authentication methods in ISP domain view.

·          For remote authentication, configure a RADIUS, HWTACACS, or LDAP scheme.

·          For local authentication, create a local user account and configure the relevant attributes.

For more information, see Security Configuration Guide.

After you finish this configuration task, a user must provide the configured username and password when Telnetting to the device, as shown in the following example:

******************************************************************************

* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************



login: admin

Password:

<H3C>

If the maximum number of login users has been reached, the login attempt fails and the message "All lines are used, please try later!" appears.

Setting the maximum number of concurrent Telnet users

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the maximum number of concurrent Telnet users.

aaa session-limit telnet max-sessions

The default is 32.

Changing this setting does not affect users who are currently online. If the new limit is less than the number of online Telnet users, no additional users can Telnet in until the number drops below the new limit.

For more information about this command, see Security Command Reference.

 

Setting the DSCP value for outgoing Telnet packets

The DSCP value is carried in the ToS or Traffic class field of an IP or IPv6 packet to indicate the transmission priority of the packet.

To set the DSCP value for outgoing Telnet packets:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the DSCP value for outgoing Telnet packets.

·         For a Telnet server running IPv4:
telnet server dscp dscp-value

·         For a Telnet server running IPv6:
telnet server ipv6 dscp dscp-value

By default, the DSCP value is 48.

 

Configuring common VTY line settings

For a VTY line, you can specify a command that is to be automatically executed when a user logs in. After executing the specified command, the system automatically disconnects the Telnet session. Typically, you configure the auto-execute command telnet X.X.X.X command on the device so the device redirects a Telnet user to the host at X.X.X.X. The connection to the current device is closed when the user terminates the Telnet connection to X.X.X.X.

To configure common settings for VTY lines:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter VTY line view or class view.

·         Enter VTY line view:
line vty first-number [ last-number ]

·         Enter VTY line class view:
line class vty

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.       Enable the terminal service.

shell

By default, the terminal service is enabled on all user lines.

4.       Specify the supported protocols.

protocol inbound { all | ssh | telnet }

By default, both Telnet and SSH are supported.

A protocol change does not take effect for current online users. It takes effect only for new login users.

In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

5.       Specify the shortcut key for terminating a task.

escape-key { character | default }

The default setting is Ctrl+C.

6.       Set the user line locking key.

lock-key key-string

By default, no user line locking key is set.

7.       Specify the terminal display type.

terminal type { ansi | vt100 }

The default terminal display type is ANSI.

8.       Set the maximum number of lines of command output to send to the terminal at a time.

screen-length screen-length

By default, the device sends up to 24 lines to the terminal at a time when pausing between screens of output is enabled.

To disable pausing between screens of output, set the value to 0.

9.       Set the size for the command history buffer.

history-command max-size value

The default size is 10 history commands.

10.     Set the CLI connection idle-timeout timer.

idle-timeout minutes [ seconds ]

By default, the CLI connection idle-timeout timer is 10 minutes.

If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line.

If you set the timeout timer to 0, the connection will not be aged out.

11.     Specify the command to be automatically executed for login users on the user lines.

auto-execute command command

By default, no command is specified for auto execution.

IMPORTANT:

Before you configure this command and save the configuration, make sure you can access the CLI to modify the configuration through other VTY user lines or AUX user lines.
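The AUX and VTY procedures above share two sets of rules that are easy to get wrong when reviewing a saved configuration: the precedence between user line view and user line class view, and the coupling of authentication-mode with protocol inbound in VTY line view. The following script is an added example, not code from the H3C guide; it resolves the effective settings of each AUX and VTY line from a constructed configuration text and reports the weak results (Telnet enabled, authentication-mode none, password mode with no password set, network-admin on a line without scheme authentication, idle-timeout 0). It assumes one AUX line (aux 0), VTY lines 0 to 63, and the non-FIPS defaults stated in the tables above.

```python
"""Effective login settings of H3C user lines plus a hardening check. Added example,
not from the H3C guide: applies its precedence rules (line view vs. class view, VTY
coupling of authentication-mode with protocol inbound). Assumes aux 0, vty 0-63, non-FIPS."""
import re
from itertools import groupby

# Defaults the guide gives for non-FIPS mode, per user line type.
DEFAULTS = {
    "aux": {"authentication-mode": "none", "user-role": "network-admin", "idle-timeout": "10"},
    "vty": {"authentication-mode": "password", "user-role": "network-operator",
            "idle-timeout": "10", "protocol": "all"},
}
# Command prefix -> setting key; the rest of the command line is its value.
SETTING_CMDS = {"authentication-mode": "authentication-mode", "protocol inbound": "protocol",
                "user-role": "user-role", "idle-timeout": "idle-timeout",
                "set authentication password": "password"}
LINE_RE = re.compile(r"^line (?:(class) (aux|vty)|(aux|vty) (\d+)(?: (\d+))?)$")

# Constructed sample configuration, not captured from a real device.
SAMPLE_CONFIG = """\
 telnet server enable
#
line class vty
 authentication-mode scheme
 idle-timeout 0
#
line vty 0 3
 protocol inbound telnet
#
line vty 4 63
 authentication-mode none
 user-role network-admin
#
"""


def parse_config(text):
    """Split the config into global commands, class-view and line-view settings."""
    cfg = {"global": set(), "class": {"aux": {}, "vty": {}}, "ranges": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":     # '#' ends the current view
            current = None
            continue
        m = LINE_RE.match(line)
        if m and m.group(1):            # line class aux|vty
            current = cfg["class"][m.group(2)]
        elif m:                         # line vty 0 3 / line aux 0
            current = {}
            cfg["ranges"].append((m.group(3), int(m.group(4)), int(m.group(5) or m.group(4)), current))
        elif current is None:
            cfg["global"].add(line)
        else:
            for prefix, key in SETTING_CMDS.items():
                if line.startswith(prefix + " "):
                    current[key] = line[len(prefix) + 1:].split()  # last one wins
    return cfg


def effective(cfg, ltype, number):
    """Settings that actually govern one user line, per the guide's rules."""
    defaults, cls, view = DEFAULTS[ltype], cfg["class"][ltype], {}
    for rtype, first, last, settings in cfg["ranges"]:
        if rtype == ltype and first <= number <= last:
            view.update(settings)       # later ranges override earlier ones
    def nd(src, key): return key in src and src[key][0] != defaults[key]
    # VTY line view: a non-default authentication-mode or protocol inbound forces
    # the other one to its default, whatever the class view says.
    coupled = ltype == "vty" and (nd(view, "authentication-mode") or nd(view, "protocol"))
    result = {}
    for key, default in defaults.items():
        if coupled and key in ("authentication-mode", "protocol"):
            src = view if nd(view, key) else None
        else:
            src = view if nd(view, key) else cls if nd(cls, key) else None
        result[key] = src[key][0] if src else default
    result["password"] = view.get("password") or cls.get("password")  # no default
    return result


def audit(cfg, aux_count=1, vty_count=64):
    """Return findings as strings, one per run of lines with equal settings."""
    findings = []
    if "telnet server enable" in cfg["global"]:
        findings.append("telnet server enabled: cleartext management protocol")
    for ltype, count in (("aux", aux_count), ("vty", vty_count)):
        for eff, nums in groupby(range(count), key=lambda n: effective(cfg, ltype, n)):
            nums = list(nums)
            tag = f"{ltype} {nums[0]}" + (f"-{nums[-1]}" if len(nums) > 1 else "")
            mode, role = eff["authentication-mode"], eff["user-role"]
            if mode == "none":
                findings.append(f"{tag}: authentication-mode none")
            if mode == "password" and not eff["password"]:
                findings.append(f"{tag}: password authentication but no password set (login fails)")
            if ltype == "vty" and mode != "scheme" and role == "network-admin":
                findings.append(f"{tag}: network-admin role without scheme (per-user) authentication")
            if eff["idle-timeout"] == "0":
                findings.append(f"{tag}: idle-timeout 0, sessions never age out")
    return findings
```

Note how VTY 0 to 3 end up in password mode with no password although the class view says scheme: the protocol inbound telnet setting in line view resets authentication-mode to its default, exactly as the remarks for step 3 describe.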

 

Using the device to log in to a Telnet server

You can use the device as a Telnet client to log in to a Telnet server. If the server is located in a different subnet than the client, make sure the two devices can reach each other.

Figure 11 Telnetting from the device to a Telnet server

 

To use the device to log in to a Telnet server:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Specify the source IPv4 address or source interface for outgoing Telnet packets.

telnet client source { interface interface-type interface-number | ip ip-address }

By default, no source IPv4 address or source interface is specified. The device uses the primary IPv4 address of the output interface as the source address for outgoing Telnet packets.

3.       Exit to user view.

quit

N/A

4.       Use the device to log in to a Telnet server.

·         Log in to an IPv4 Telnet server:
telnet remote-host [ service-port ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ip ip-address } | dscp dscp-value ] *

·         Log in to an IPv6 Telnet server:
telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ipv6 ipv6-address } | dscp dscp-value ] *

N/A

 

Configuring SSH login

SSH offers a secure method of remote login. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception. For more information, see Security Configuration Guide.

The device can act as an SSH server to allow Stelnet (SSH-based) login, or as an SSH client to log in to an SSH server.

By default, SSH login is disabled on the device. To configure SSH login, you must first log in to the device through any other method.

Configuring the device as an SSH server

This section provides the SSH server configuration procedure used when the SSH client authentication method is password. For more information about SSH and publickey authentication configuration, see Security Configuration Guide.

To configure the device as an SSH server:

 

Step

Command

Remarks

 

1.       Enter system view.

system-view

N/A

 

2.       Create local key pairs.

·         In non-FIPS mode:
public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name key-name ]

·         In FIPS mode:
public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 ] | rsa } [ name key-name ]

By default, no local key pairs are created.

 

3.       Enable the Stelnet server.

ssh server enable

By default, the Stelnet server is disabled.

 

4.       (Optional.) Create an SSH user and specify the authentication mode.

·         In non-FIPS mode:
ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }

·         In FIPS mode:
ssh user username service-type stelnet authentication-type { password | password-publickey assign publickey keyname }

By default, no SSH user is configured on the device.

 

5.       Enter VTY line view or class view.

·         Enter VTY line view:
line vty first-number [ last-number ]

·         Enter VTY line class view:
line class vty

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

 

6.       Enable scheme authentication.

authentication-mode scheme

In non-FIPS mode, password authentication is enabled for VTY lines by default.

In FIPS mode, scheme authentication is enabled for VTY lines by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

 

7.       (Optional.) Specify the protocols for the user lines to support.

·         In non-FIPS mode:
protocol inbound { all | ssh | telnet }

·         In FIPS mode:
protocol inbound ssh

In non-FIPS mode, both Telnet and SSH are supported by default.

In FIPS mode, SSH is supported by default.

A protocol change does not take effect for current online users. It takes effect only for new login users.

In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

 

8.       Exit to system view.

quit

N/A

9.       (Optional.) Configure common settings for VTY lines.

See "Configuring common VTY line settings."

N/A

 

10.     (Optional.) Set the maximum number of concurrent SSH users.

aaa session-limit ssh max-sessions

The default is 32.

Changing this setting does not affect users who are currently online. If the new limit is less than the number of online SSH users, no additional SSH users can log in until the number drops below the new limit.

For more information about this command, see Security Command Reference.

 

 

Using the device to log in to an SSH server

You can use the device as an SSH client to log in to an SSH server. If the server is located in a different subnet than the client, make sure the two devices can reach each other.

Figure 12 Logging in to an SSH server from the device

 

Perform the following tasks in user view:

 

Task

Command

Log in to an IPv4 SSH server.

ssh2 server

Log in to an IPv6 SSH server.

ssh2 ipv6 server

 

To work with the SSH server, you might need to specify a set of parameters. For more information, see Security Configuration Guide.

Displaying and maintaining CLI login

Execute display commands in any view.

 

Task

Command

Remarks

Display online CLI users.

display users [ all ]

N/A

Display user line information.

display line [ num1 | { aux | vty } num2 ] [ summary ]

N/A

Display the packet source setting for the Telnet client.

display telnet client

N/A

Release a user line.

free line { num1 | { aux | vty } num2 }

Multiple users can log in to the device to simultaneously configure the device. When necessary, you can execute this command to release some connections.

You cannot use this command to release the connection you are using.

This command is available in user view.

Lock the current user line and set the password for unlocking the line.

lock

By default, the system does not lock any user lines.

This command is not supported in FIPS mode.

This command is available in user view.

Lock the current user line and enable unlocking authentication.

lock reauthentication

By default, the system does not lock any user lines or initiate reauthentication.

To unlock the locked user line, you must press Enter and provide the login password to pass reauthentication.

This command is available in any view.

Send messages to user lines.

send { all | num1 | { aux | vty } num2 }

This command is available in user view.

 


Accessing the device through SNMP

You can run SNMP on an NMS to access the device MIB and perform Get and Set operations to manage and monitor the device.

Figure 13 SNMP access diagram

 

The device supports SNMPv1, SNMPv2c, and SNMPv3, and can cooperate with various network management software products. However, the device and the NMS must use the same SNMP version.

By default, SNMP access is disabled. To configure SNMP access, you must first log in to the device through any other method.

For more information about SNMP, see Network Management and Monitoring Configuration Guide.


Configuring RESTful access

The device provides the Representational State Transfer application programming interface (RESTful API). Based on this API, you can use programming languages such as Python, Ruby, or Java to write programs to perform the following tasks:

·          Send RESTful requests to the device to pass authentication.

·          Use RESTful API operations to configure and manage the device. RESTful API operations include Get, Put, Post, and Delete.

The device supports using HTTP or HTTPS to transfer RESTful packets.

RESTful access is disabled by default. To configure RESTful access, you must first log in through the console port.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

RESTful access over HTTP is not supported in FIPS mode.

Configuring RESTful access over HTTP

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable RESTful access over HTTP.

restful http enable

By default, RESTful access over HTTP is disabled.

3.       Create a local user and enter local user view.

local-user user-name [ class manage ]

By default, no local user is configured.

4.       Configure a password for the local user.

password [ { hash | simple } password ]

The password is saved in hashed form.

By default, no password is configured for a local user.

5.       (Optional.) Assign a user role to the local user.

authorization-attribute user-role user-role

The default user role is network-operator for a RESTful access user.

6.       Specify the HTTP service for the local user.

service-type http

By default, no service type is specified for a local user.

 

Configuring RESTful access over HTTPS

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable RESTful access over HTTPS.

restful https enable

By default, RESTful access over HTTPS is disabled.

3.       Create a local user and enter local user view.

local-user user-name [ class manage ]

By default, no local user is configured.

4.       Configure a password for the local user.

·         In non-FIPS mode:
password [ { hash | simple } password ]

·         In FIPS mode:
password

The password is saved in hashed form.

By default, no password is configured for a local user.

5.       (Optional.) Assign a user role to the local user.

authorization-attribute user-role user-role

The default user role is network-operator for a RESTful access user.

6.       Specify the HTTPS service for the local user.

service-type https

By default, no service type is specified for a local user.

 


Controlling user access to the device

Use ACLs to prevent unauthorized access, and configure command authorization and accounting to monitor and control user behavior. For more information about ACLs, see ACL and QoS Configuration Guide.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

Telnet is not supported in FIPS mode.

Controlling Telnet and SSH logins

Use different types of ACLs to filter Telnet and SSH logins by different match criteria:

·          Basic ACL (2000 to 2999)—Source IP address.

·          Advanced ACL (3000 to 3999)—Source IP address and destination IP address.

·          Ethernet frame header ACL (4000 to 4999)—Source MAC address.

If an applied ACL does not exist or does not have any rules, no user login restriction is applied. If the ACL exists and has rules, only users permitted by the ACL can access the device through Telnet or SSH.

Configuration procedures

To control Telnet logins:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Apply an ACL to filter Telnet logins.

·         telnet server acl [ mac ] acl-number

·         telnet server ipv6 acl [ ipv6 | mac ] acl-number

By default, no ACL is used to filter Telnet logins.

 

To control SSH logins:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Apply an ACL to filter SSH logins.

·         ssh server acl [ mac ] acl-number

·         ssh server ipv6 acl [ ipv6 | mac ] acl-number

By default, no ACL is used to filter SSH logins.

For more information about these two commands, see Security Command Reference.

 

Configuration example

Network requirements

As shown in Figure 14, the device is a Telnet server.

Configure the device to permit only Telnet packets sourced from Host A and Host B.

Figure 14 Network diagram

 

Configuration procedure

# Configure an ACL to permit packets sourced from Host A and Host B.

<Sysname> system-view

[Sysname] acl basic 2000 match-order config

[Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0

[Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0

[Sysname-acl-ipv4-basic-2000] quit

# Apply the ACL to filter Telnet logins.

[Sysname] telnet server acl 2000

Controlling SNMP access

Use a basic ACL (2000 to 2999) to control SNMP access by source IP address. To access the requested MIB view, an NMS must use a source IP address permitted by the ACL. If the ACL does not exist or does not have any rules, no user login restriction is applied.

Configuration procedure

To control SNMPv1 or SNMPv2c access:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the SNMP access right.

·         (Method 1.) Create an SNMP community and specify ACLs for the community:

¡  In VACM mode:
snmp-agent community { read | write } [ simple | cipher ] community-name [ mib-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

¡  In RBAC mode:
snmp-agent community [ simple | cipher ] community-name user-role role-name [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

·         (Method 2.) Create an SNMPv1/v2c group and add a user to the group, specifying ACLs for the group and user:

a.    snmp-agent group { v1 | v2c } group-name [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

b.    snmp-agent usm-user { v1 | v2c } user-name group-name [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

For more information about SNMP, see Network Management and Monitoring Configuration Guide.

 

To control SNMPv3 access:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create an SNMPv3 group, specifying ACLs for the group.

In non-FIPS mode:
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

In FIPS mode:
snmp-agent group v3 group-name { authentication | privacy } [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

N/A

3.       Create an SNMPv3 user, specifying ACLs for the user.

In non-FIPS mode:

·         In VACM mode:
snmp-agent usm-user v3 user-name group-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | 3des | des56 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

·         In RBAC mode:
snmp-agent usm-user v3 user-name user-role role-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | 3des | des56 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

In FIPS mode:

·         In VACM mode:
snmp-agent usm-user v3 user-name group-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] { cipher | simple } authentication-mode sha auth-password [ privacy-mode aes128 priv-password ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

·         In RBAC mode:
snmp-agent usm-user v3 user-name user-role role-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] { cipher | simple } authentication-mode sha auth-password [ privacy-mode aes128 priv-password ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

For more information about SNMP, see Network Management and Monitoring Configuration Guide.

 

Configuration example

Network requirements

As shown in Figure 15, the device is running SNMP.

Configure the device to allow Host A and Host B to access the device through SNMP.

Figure 15 Network diagram

 

Configuration procedure

# Create an ACL to permit packets sourced from Host A and Host B.

<Sysname> system-view

[Sysname] acl basic 2000 match-order config

[Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0

[Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0

[Sysname-acl-ipv4-basic-2000] quit

# Associate the ACL with the SNMP community and the SNMP group.

[Sysname] snmp-agent community read aaa acl 2000

[Sysname] snmp-agent group v2c groupa acl 2000

[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
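The Telnet example above and this SNMP example apply the same basic ACL, and the text states three rules for how such an ACL is evaluated: rules are checked in configuration order, a source matches a rule under the wildcard mask, and an applied ACL that does not exist or has no rules imposes no restriction. The following Python model is an added illustration, not H3C code; it parses the ACL and binding commands used in these two examples and decides whether a given source address would be admitted. SAMPLE_CONFIG is a constructed configuration, and the function and service names are the example's own.

```python
# Model of how a Comware basic ACL (2000 to 2999) gates Telnet, SSH and SNMP
# access by source address, following only what this chapter states: rules are
# checked in configuration order (match-order config); a source matches a rule
# when it agrees with the rule address wherever the wildcard bit is 0; an
# applied ACL that does not exist or has no rules imposes no restriction; once
# an ACL has rules, a source that no permit rule matches is denied.
# Added illustration, not H3C code.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the ACL from this chapter's examples, plus ACL 2001,
# which is applied to SSH but never given any rules.
SAMPLE_CONFIG = """
acl basic 2000 match-order config
 rule 1 permit source 10.110.100.52 0
 rule 2 permit source 10.110.100.46 0
 quit
acl basic 2001 match-order config
 quit
telnet server acl 2000
ssh server acl 2001
snmp-agent community read aaa acl 2000
""".strip().splitlines()

@dataclass
class Rule:
    number: int
    action: str    # "permit" or "deny"
    source: int    # IPv4 address as an integer
    wildcard: int  # bits set to 1 are "don't care"

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _wildcard(text: str) -> int:
    # Comware accepts a bare 0 as shorthand for wildcard 0.0.0.0 (exact host).
    return 0 if text == "0" else _ip(text)

def parse_config(lines):
    """Return (acls, bindings): acls maps ACL number to its rule list, bindings
    maps "telnet", "ssh" or "snmp" to the ACL number applied by the telnet
    server acl, ssh server acl or snmp-agent ... acl command. Only the command
    forms shown in this chapter are handled; MAC ACL bindings are skipped."""
    acls: Dict[int, List[Rule]] = {}
    bindings: Dict[str, int] = {}
    current: Optional[List[Rule]] = None
    for raw in lines:
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["acl", "basic"]:
            number = int(parts[2])
            if not 2000 <= number <= 2999:
                raise ValueError(f"{number} is not a basic ACL number")
            current = acls.setdefault(number, [])
        elif parts[0] == "rule" and current is not None:
            # rule <id> { permit | deny } source <address> <wildcard>
            if len(parts) != 6 or parts[3] != "source":
                raise ValueError(f"unsupported rule: {raw.strip()}")
            current.append(Rule(int(parts[1]), parts[2],
                                _ip(parts[4]), _wildcard(parts[5])))
        elif parts[0] == "quit":
            current = None
        elif parts[0] in ("telnet", "ssh") and parts[1:3] == ["server", "acl"]:
            if parts[3].isdigit():
                bindings[parts[0]] = int(parts[3])
        elif parts[0] == "snmp-agent" and "acl" in parts:
            bindings["snmp"] = int(parts[parts.index("acl") + 1])
    return acls, bindings

def rule_matches(rule: Rule, source: int) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    care = ~rule.wildcard & 0xFFFFFFFF
    return (rule.source & care) == (source & care)

def source_permitted(acls, acl_number: Optional[int], source_ip: str) -> bool:
    """Decide one source address against the ACL applied to a service."""
    if acl_number is None:
        return True        # no ACL applied to this service
    rules = acls.get(acl_number)
    if not rules:
        return True        # nonexistent or empty ACL: no restriction
    src = _ip(source_ip)
    for rule in rules:     # match-order config: the first match decides
        if rule_matches(rule, src):
            return rule.action == "permit"
    return False           # rules exist but none matched: denied

def service_permits(lines, service: str, source_ip: str) -> bool:
    """Would a Telnet, SSH or SNMP request from source_ip pass the applied ACL?"""
    acls, bindings = parse_config(lines)
    return source_permitted(acls, bindings.get(service), source_ip)
```

With SAMPLE_CONFIG, service_permits(SAMPLE_CONFIG, "telnet", "10.110.100.53") is False, while the same host passes for "ssh" because ACL 2001 has no rules, which is the empty-ACL case the text warns about.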

Configuring command authorization

By default, commands available for a user depend only on the user's user roles. When the authentication mode is scheme, you can configure the command authorization feature to further control access to commands.

After you enable command authorization, a user can use only commands that are permitted by both the AAA scheme and user roles.

The command authorization method can be different from the user login authorization method.

This section provides the procedure for configuring command authorization. To make the command authorization feature take effect, you must configure a command authorization method in ISP domain view. For more information, see Security Configuration Guide.

Configuration procedure

To configure command authorization:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter user line view or user line class view.

·         Enter user line view:
line { first-number1 [ last-number1 ] | { aux | vty } first-number2 [ last-number2 ] }

·         Enter user line class view:
line class { aux | vty }

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.       Enable scheme authentication.

authentication-mode scheme

In non-FIPS mode, authentication is disabled for AUX lines, and password authentication is enabled for VTY lines by default.

In FIPS mode, scheme authentication is enabled by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

4.       Enable command authorization.

command authorization

By default, command authorization is disabled, and the commands available for a user only depend on the user role.

If the command authorization command is configured in user line class view, command authorization is enabled on all user lines in the class. You cannot configure the undo command authorization command in the view of a user line in the class.

 

Configuration example

Network requirements

As shown in Figure 16, Host A needs to log in to the device to manage the device.

Configure the device to perform the following operations:

·          Allow Host A to Telnet in after authentication.

·          Use the HWTACACS server to control the commands that the user can execute.

·          If the HWTACACS server is not available, use local authorization.

Figure 16 Network diagram

 

Configuration procedure

# Assign IP addresses to relevant interfaces. Make sure the device and the HWTACACS server can reach each other. Make sure the device and Host A can reach each other. (Details not shown.)

# Enable the Telnet server.

<Device> system-view

[Device] telnet server enable

# Enable scheme authentication for user lines VTY 0 through VTY 63.

[Device] line vty 0 63

[Device-line-vty0-63] authentication-mode scheme

# Enable command authorization for the user lines.

[Device-line-vty0-63] command authorization

[Device-line-vty0-63] quit

# Create HWTACACS scheme tac.

[Device] hwtacacs scheme tac

# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for authentication and authorization.

[Device-hwtacacs-tac] primary authentication 192.168.2.20 49

[Device-hwtacacs-tac] primary authorization 192.168.2.20 49

# Set the shared keys to expert.

[Device-hwtacacs-tac] key authentication simple expert

[Device-hwtacacs-tac] key authorization simple expert

# Remove domain names from usernames sent to the HWTACACS server.

[Device-hwtacacs-tac] user-name-format without-domain

[Device-hwtacacs-tac] quit

# Configure the system-defined domain (system).

[Device] domain system

# Use HWTACACS scheme tac for login user authentication and command authorization. Use local authentication and local authorization as the backup method.

[Device-isp-system] authentication login hwtacacs-scheme tac local

[Device-isp-system] authorization command hwtacacs-scheme tac local

[Device-isp-system] quit

# Create local user monitor. Set the simple password to 123, the service type to Telnet, and the default user role to level-1.

[Device] local-user monitor

[Device-luser-manage-monitor] password simple 123

[Device-luser-manage-monitor] service-type telnet

[Device-luser-manage-monitor] authorization-attribute user-role level-1

Configuring command accounting

Command accounting uses the HWTACACS server to record all executed commands to monitor user behavior on the device.

If command accounting is enabled but command authorization is not, every executed command is recorded. If both command accounting and command authorization are enabled, only authorized commands that are executed are recorded.

The command accounting method can be the same as or different from the command authorization method and user login authorization method.

This section provides only the procedure for configuring command accounting. To make the command accounting feature take effect, you must configure a command accounting method in ISP domain view. For more information, see Security Configuration Guide.

Configuration procedure

To configure command accounting:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter user line view or user line class view.

·         Enter user line view:
line { first-number1 [ last-number1 ] | { aux | vty } first-number2 [ last-number2 ] }

·         Enter user line class view:
line class { aux | vty }

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.       Enable scheme authentication.

authentication-mode scheme

In non-FIPS mode, authentication is disabled for AUX lines, and password authentication is enabled for VTY lines by default.

In FIPS mode, scheme authentication is enabled by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

4.       Enable command accounting.

command accounting

By default, command accounting is disabled. The accounting server does not record the commands executed by users.

If the command accounting command is configured in user line class view, command accounting is enabled on all user lines in the class. You cannot configure the undo command accounting command in the view of a user line in the class.

 

Configuration example

Network requirements

As shown in Figure 17, users need to log in to the device to manage the device.

Configure the device to send commands executed by users to the HWTACACS server to monitor and control user operations on the device.

Figure 17 Network diagram

 

Configuration procedure

# Enable the Telnet server.

<Device> system-view

[Device] telnet server enable

# Enable command accounting for user line AUX 0.

[Device] line aux 0

[Device-line-aux0] command accounting

[Device-line-aux0] quit

# Enable command accounting for user lines VTY 0 through VTY 63.

[Device] line vty 0 63

[Device-line-vty0-63] command accounting

[Device-line-vty0-63] quit

# Create HWTACACS scheme tac.

[Device] hwtacacs scheme tac

# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for accounting.

[Device-hwtacacs-tac] primary accounting 192.168.2.20 49

# Set the shared key to expert.

[Device-hwtacacs-tac] key accounting simple expert

# Remove domain names from usernames sent to the HWTACACS server.

[Device-hwtacacs-tac] user-name-format without-domain

[Device-hwtacacs-tac] quit

# Configure the system-defined domain (system) to use the HWTACACS scheme for command accounting.

[Device] domain system

[Device-isp-system] accounting command hwtacacs-scheme tac

[Device-isp-system] quit

 


Configuring FTP

File Transfer Protocol (FTP) is an application layer protocol for transferring files from one host to another over an IP network, as shown in Figure 18. It uses TCP port 20 to transfer data and TCP port 21 to transfer control commands. For more information about FTP, see RFC 959.

FTP is based on the client/server model. The device can act as the FTP server or FTP client. Make sure the FTP server and the FTP client can reach each other before establishing the FTP connection.

Figure 18 FTP application scenario

 

FTP supports the following transfer modes:

·          Binary mode—Used to transfer non-text files, such as .app, .bin, and .btm files.

·          ASCII mode—Used to transfer text files, such as .txt, .bat, and .cfg files.

When the device acts as the FTP client, you can set the transfer mode (binary by default). When the device acts as the FTP server, the transfer mode is determined by the FTP client.

FTP can operate in either of the following modes:

·          Active mode (PORT)—The FTP server initiates the TCP connection. This mode is not suitable when the FTP client is behind a firewall, for example, when the FTP client resides in a private network.

·          Passive mode (PASV)—The FTP client initiates the TCP connection. This mode is not suitable when the server does not allow the client to use a random unprivileged port greater than 1024.

FTP operation mode varies depending on the FTP client program.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

FTP is not supported in FIPS mode.

Using the device as an FTP server

To use the device as an FTP server, you must enable the FTP server and configure authentication and authorization on the device. Other commands are optional.

Configuring basic parameters

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the FTP server.

ftp server enable

By default, the FTP server is disabled.

3.       (Optional.) Use an ACL to control access to the FTP server.

ftp server acl { ipv4-acl-number | ipv6 ipv6-acl-number }

By default, no ACL is used for access control.

4.       (Optional.) Set the FTP connection idle-timeout timer.

ftp timeout minutes

By default, the FTP connection idle-timeout timer is 30 minutes.

If no data transfer occurs on an FTP connection within the idle-timeout interval, the FTP server closes the FTP connection to release resources.

5.       (Optional.) Set the DSCP value for outgoing FTP packets.

·         For an IPv4 FTP server:
ftp server dscp dscp-value

·         For an IPv6 FTP server:
ftp server ipv6 dscp dscp-value

By default, the DSCP value is 0.

6.       (Optional.) Set the maximum number of concurrent FTP users.

aaa session-limit ftp max-sessions

By default, the maximum number of concurrent FTP users is 32.

Changing this setting does not affect users who are currently online. If the new limit is less than the number of online FTP users, no additional FTP users can log in until the number drops below the new limit.

For more information about this command, see Security Command Reference.

 

Configuring authentication and authorization

Perform this task on the FTP server to authenticate FTP clients and set the authorized directories that authenticated clients can access.

The following authentication modes are available:

·          Local authentication—The device looks up the client's username and password in the local user account database. If a match is found, authentication succeeds.

·          Remote authentication—The device sends the client's username and password to a remote authentication server for authentication. The user account is configured on the remote authentication server rather than the device.

The following authorization modes are available:

·          Local authorization—The device assigns authorized directories to FTP clients based on the locally configured authorization attributes.

·          Remote authorization—A remote authorization server assigns authorized directories on the device to FTP clients.

For information about configuring authentication and authorization, see Security Configuration Guide.

Manually releasing FTP connections

Execute the following commands in user view.

 

Task

Command

Manually release FTP connections.

·         Release the FTP connection established by using a specific user account:
free ftp user username

·         Release the FTP connection to a specific IP address:
free ftp user-ip [ ipv6 ] client-address [ port port-num ]

 

Displaying and maintaining the FTP server

Execute display commands in any view.

 

Task

Command

Display FTP server configuration and status information.

display ftp-server

Display detailed information about online FTP users.

display ftp-user

 

FTP server configuration example (in standalone mode)

Network requirements

·          Configure the device as an FTP server.

·          Create a local user account named abc on the FTP server. Set the password to 123456.

·          Use the user account to log in to the FTP server from the FTP client.

·          Upload the temp.bin file from the FTP client to the FTP server.

·          Download configuration file startup.cfg from the FTP server to the FTP client for backup.

Figure 19 Network diagram

 

Configuration procedure

1.        Configure IP addresses as shown in Figure 19. Make sure the device and the PC can reach each other. (Details not shown.)

2.        Configure the device (FTP server):

# Create a local user named abc. Set the password to 123456.

<Sysname> system-view

[Sysname] local-user abc class manage

[Sysname-luser-abc] password simple 123456

# Assign the network-admin user role to the user. Set the working directory to the root directory of the flash memory on the active MPU. (To set the working directory to the root directory of the flash memory on the standby MPU, you must include the slot number in the directory path.)

[Sysname-luser-abc] authorization-attribute user-role network-admin work-directory flash:/

# Assign the service type FTP to the user.

[Sysname-luser-abc] service-type ftp

[Sysname-luser-abc] quit

# Enable the FTP server.

[Sysname] ftp server enable

[Sysname] quit

# Check the available storage space and delete unused files if more free space is needed.

<Sysname> dir

Directory of flash:

     0      -rw-           0  Sep 27 2010 14:43:34     kernel.bin

     1      -rw-           0  Sep 27 2010 14:43:34     base.bin

     2      drw-           -  Jun 29 2011 18:30:38     logfile

     3      drw-           -  Jun 21 2011 14:51:38     diagfile

     4      drw-           -  Jun 21 2011 14:51:38     seclog

     5      -rw-        2943  Jul 02 2011 08:03:08     startup.cfg

     6      -rw-       63901  Jul 02 2011 08:03:08     startup.mdb

     7      -rw-         716  Jun 21 2011 14:58:02     hostkey

     8      -rw-         572  Jun 21 2011 14:58:02     serverkey

     9      -rw-     6541264  Aug 04 2011 20:40:49     backup.bin

 

473664 KB total (467080 KB free)

<Sysname> delete /unreserved flash:/backup.bin

3.        Perform FTP operations from the PC (FTP client):

# Log in to the FTP server at 1.1.1.1 using username abc and password 123456.

c:\> ftp 1.1.1.1

Connected to 1.1.1.1.

220 FTP service ready.

User(1.1.1.1:(none)):abc

331 Password required for abc.

Password:

230 User logged in.

# Use the ASCII mode to download configuration file startup.cfg from the device to the PC for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> get startup.cfg back-startup.cfg

# Use the binary mode to upload the file temp.bin from the PC to the root directory of the flash memory on the active MPU.

ftp> binary

200 TYPE is now 8-bit binary

ftp> put temp.bin

# Exit FTP.

ftp> bye

FTP server configuration example (in IRF mode)

Network requirements

·          Configure the IRF fabric as an FTP server.

·          Create a local user account named abc on the FTP server. Set the password to 123456.

·          Use the user account to log in to the FTP server from the FTP client.

·          Upload the temp.bin file from the FTP client to the FTP server.

·          Download configuration file config.cfg from the FTP server to the FTP client for backup.

Figure 20 Network diagram

 

Configuration procedure

1.        Configure IP addresses as shown in Figure 20. Make sure the IRF fabric and the PC can reach each other. (Details not shown.)

2.        Configure the FTP server:

# Examine the storage space on the member devices. If the free space is insufficient, use the delete /unreserved file-url command to delete unused files. (Details not shown.)

# Create a local user named abc. Set the password to 123456.

<Sysname> system-view

[Sysname] local-user abc class manage

[Sysname-luser-abc] password simple 123456

# Assign the network-admin user role to the user. Set the working directory to the root directory of the flash memory on the global active MPU. (To set the working directory to the root directory of the flash memory on a global standby MPU, you must include the chassis and slot numbers in the directory path.)

[Sysname-luser-abc] authorization-attribute user-role network-admin work-directory flash:/

# Assign the service type FTP to the user.

[Sysname-luser-abc] service-type ftp

[Sysname-luser-abc] quit

# Enable the FTP server.

[Sysname] ftp server enable

[Sysname] quit

3.        Perform FTP operations from the FTP client:

# Log in to the FTP server at 1.1.1.1 using username abc and password 123456.

c:\> ftp 1.1.1.1

Connected to 1.1.1.1.

220 FTP service ready.

User(1.1.1.1:(none)):abc

331 Password required for abc.

Password:

230 User logged in.

# Use the ASCII mode to download configuration file config.cfg from the server to the client for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> get config.cfg back-config.cfg

# Use the binary mode to upload the temp.bin file to the root directory of the flash memory on the global active MPU.

ftp> binary

200 TYPE is now 8-bit binary

ftp> put temp.bin

# Exit FTP.

ftp> bye
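Both FTP server examples start with a check of the flash memory for free space before any file is uploaded, followed by deletion of unused files with delete /unreserved. The following script is an added example, not part of this guide or of the H3C software: it parses the dir listing shown in the standalone example (copied here as a constructed sample), compares the free space with the size of the file to be uploaded, and proposes which non-essential files could be removed, largest first, together with the delete /unreserved commands that would free the space. The set of protected file names (boot images, startup configuration and key files) is an assumption of this example and should be adjusted to the device's actual boot settings.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: a copy of the `dir` output in the standalone example above.
SAMPLE_DIR_OUTPUT = """\
Directory of flash:

     0      -rw-           0  Sep 27 2010 14:43:34     kernel.bin
     1      -rw-           0  Sep 27 2010 14:43:34     base.bin
     2      drw-           -  Jun 29 2011 18:30:38     logfile
     3      drw-           -  Jun 21 2011 14:51:38     diagfile
     4      drw-           -  Jun 21 2011 14:51:38     seclog
     5      -rw-        2943  Jul 02 2011 08:03:08     startup.cfg
     6      -rw-       63901  Jul 02 2011 08:03:08     startup.mdb
     7      -rw-         716  Jun 21 2011 14:58:02     hostkey
     8      -rw-         572  Jun 21 2011 14:58:02     serverkey
     9      -rw-     6541264  Aug 04 2011 20:40:49     backup.bin

473664 KB total (467080 KB free)
"""

# One entry line: index, attributes, size ("-" for a directory), timestamp, name.
ENTRY_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<attr>[d-]rw-)\s+(?P<size>\d+|-)\s+"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<name>\S+)\s*$"
)
FS_RE = re.compile(r"^Directory of (?P<fs>[^:]+):")
SUMMARY_RE = re.compile(r"^(?P<total>\d+) KB total \((?P<free>\d+) KB free\)$")

# Assumption (not from the guide): files a clean-up must never propose for deletion.
DEFAULT_PROTECTED: Set[str] = {
    "kernel.bin", "base.bin", "startup.cfg", "startup.mdb", "hostkey", "serverkey",
}


@dataclass
class Entry:
    name: str
    is_dir: bool
    size_bytes: int


def parse_dir_output(text: str) -> Tuple[str, List[Entry], int, int]:
    """Return (filesystem name, entries, total KB, free KB) from a `dir` listing."""
    fs = "flash"
    entries: List[Entry] = []
    total_kb: Optional[int] = None
    free_kb: Optional[int] = None
    for line in text.splitlines():
        m = FS_RE.match(line.strip())
        if m:
            fs = m.group("fs")
            continue
        m = ENTRY_RE.match(line)
        if m:
            is_dir = m.group("attr").startswith("d")
            size = 0 if is_dir else int(m.group("size"))
            entries.append(Entry(m.group("name"), is_dir, size))
            continue
        m = SUMMARY_RE.match(line.strip())
        if m:
            total_kb, free_kb = int(m.group("total")), int(m.group("free"))
    if total_kb is None or free_kb is None:
        raise ValueError("summary line '<n> KB total (<m> KB free)' not found")
    return fs, entries, total_kb, free_kb


def kb_ceil(n_bytes: int) -> int:
    """Kilobytes needed to hold n_bytes (rounded up, so the estimate is conservative)."""
    return -(-n_bytes // 1024)


def plan_upload(dir_output: str, upload_bytes: int,
                protected: Optional[Set[str]] = None) -> Dict:
    """Decide whether an upload fits into the free space and, if not, which
    unprotected files to delete (largest first) to make room."""
    protected = DEFAULT_PROTECTED if protected is None else protected
    fs, entries, total_kb, free_kb = parse_dir_output(dir_output)
    needed_kb = kb_ceil(upload_bytes)
    candidates = sorted(
        (e for e in entries if not e.is_dir and e.size_bytes > 0 and e.name not in protected),
        key=lambda e: e.size_bytes, reverse=True,
    )
    to_delete: List[str] = []
    projected_free_kb = free_kb
    for e in candidates:
        if projected_free_kb >= needed_kb:
            break
        to_delete.append(e.name)
        projected_free_kb += e.size_bytes // 1024  # round down: never overestimate the gain
    return {
        "filesystem": fs,
        "total_kb": total_kb,
        "free_kb": free_kb,
        "needed_kb": needed_kb,
        "fits": free_kb >= needed_kb,
        "delete": to_delete,
        "free_after_kb": projected_free_kb,
        "fits_after_delete": projected_free_kb >= needed_kb,
        "commands": [f"delete /unreserved {fs}:/{name}" for name in to_delete],
    }


if __name__ == "__main__":
    for size in (1024 * 1024, 470000 * 1024):
        print(plan_upload(SAMPLE_DIR_OUTPUT, size))
```

The plan rounds the upload size up and the reclaimable sizes down, so it errs on the side of reporting too little space rather than too much. Running it on the sample listing with a 1 MB upload reports that the file fits and nothing needs deleting; with an upload larger than the free space it proposes backup.bin, the same file the example procedure deletes.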

Using the device as an FTP client

Establishing an FTP connection

To access an FTP server, you must establish a connection from the FTP client to the FTP server.

To establish an IPv4 FTP connection:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Specify a source IP address for outgoing FTP packets.

ftp client source { interface interface-type interface-number | ip source-ip-address }

By default, no source IP address is specified. The device uses the primary IP address of the output interface as the source IP address.

3.       Return to user view.

quit

N/A

4.       Log in to the FTP server.

·         (Method 1.) Log in to the FTP server from user view:
ftp ftp-server [ service-port ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface interface-type interface-number | ip source-ip-address } ] *

·         (Method 2.) Log in to the FTP server from FTP client view:

a.    Enter FTP client view:
ftp

b.    Log in to the FTP server:
open server-address [ service-port ]

The source IP address specified in the ftp command takes precedence over the one set by the ftp client source command.

 

To establish an IPv6 FTP connection:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Specify the source IPv6 address for FTP packets sent by the FTP client.

ftp client ipv6 source { interface interface-type interface-number | ipv6 source-ipv6-address }

By default, no source IPv6 address is specified. The source address is automatically selected as defined in RFC 3484.

3.       Return to user view.

quit

N/A

4.       Log in to the FTP server.

·         (Method 1.) Log in to the FTP server from user view:
ftp ipv6 ftp-server [ service-port ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 source-ipv6-address } ] * [ -i interface-type interface-number ]

·         (Method 2.) Log in to the FTP server from FTP client view:

a.    Enter FTP client view:
ftp ipv6

b.    Log in to the FTP server:
open server-address [ service-port ]

The source IPv6 address specified in the ftp ipv6 command takes precedence over the one set by the ftp client ipv6 source command.

 

Managing directories on the FTP server

Perform the following tasks in FTP client view:

 

Task

Command

Display directory and file information on the FTP server.

·         Display the detailed information of a directory or file on the FTP server:
dir [ remotefile [ localfile ] ]

·         Display the name of a directory or file on the FTP server:
ls [ remotefile [ localfile ] ]

Change the working directory on the FTP server.

cd { directory | .. | / }

Return to the upper-level directory on the FTP server.

cdup

Display the working directory that is being accessed.

pwd

Create a directory on the FTP server.

mkdir directory

Delete a directory from the FTP server.

rmdir directory

 

Working with files on the FTP server

After you log in to the server, you can upload a file to, or download a file from, the authorized directory by following these steps:

1.        Use the dir or ls command to display the directory and location of the file on the FTP server.

2.        Delete unused files to get more free storage space.

3.        Set the file transfer mode to ASCII for text files or to binary for non-text files.

4.        Use the lcd command to change the local working directory of the FTP client. You can upload the file or save the downloaded file in this directory.

5.        Upload or download the file.
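Step 3 (ASCII mode for text files, binary mode for everything else) is the one most often skipped, and the damage is silent: the transfer reports success and the file is simply wrong. The following script is an added example, not part of this guide or of the H3C software. It models what an FTP ASCII-mode transfer does to bytes (the sender rewrites its native line ending to CRLF on the wire, the receiver rewrites CRLF to its own) and runs two constructed files through it: a small configuration file, which survives with only its line endings changed, and a binary blob containing bytes that look like line endings, which is altered. It then shows the check worth doing after any transfer, comparing a SHA-256 digest of what was sent with what was received. The list of suffixes treated as text is an assumption of this example.

```python
import hashlib
from typing import Dict

CRLF = b"\r\n"  # NVT-ASCII line ending FTP uses on the wire in ASCII mode
LF = b"\n"      # native line ending on the switch and on Unix-like hosts

# Constructed sample files (not from the guide).
SAMPLE_CFG = b"sysname Sysname\n#\nreturn\n"
SAMPLE_BLOB = b"\x7fELF\x01\n\x00\x1a\r\n\xff"  # image-like data containing LF and CRLF bytes

# Assumption (not from the guide): suffixes treated as text; anything else goes binary.
TEXT_SUFFIXES = (".cfg", ".txt", ".log")


def ascii_mode_transfer(data: bytes, sender_eol: bytes, receiver_eol: bytes) -> bytes:
    """Simplified model of an FTP TYPE A (ascii) transfer. Every byte sequence that
    happens to look like a line ending is rewritten, whether or not it is text."""
    normalised = data.replace(sender_eol, LF)   # sender reads in its own text convention
    on_wire = normalised.replace(LF, CRLF)      # RFC 959: ASCII type uses CRLF on the wire
    return on_wire.replace(CRLF, receiver_eol)  # receiver stores in its own convention


def binary_mode_transfer(data: bytes) -> bytes:
    """FTP TYPE I (binary, the client's default): octets pass through untouched."""
    return bytes(data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def transfer_intact(sent: bytes, received: bytes) -> bool:
    """Post-transfer check: digests of the two copies must match byte for byte."""
    return sha256_hex(sent) == sha256_hex(received)


def choose_mode(filename: str) -> str:
    """Mode the procedure prescribes: ASCII for text files, binary for everything else."""
    return "ascii" if filename.lower().endswith(TEXT_SUFFIXES) else "binary"


def simulate(filename: str, data: bytes, direction: str, mode: str) -> Dict:
    """Run one transfer between a Windows PC (CRLF) and the switch (LF).

    direction: "upload" (PC -> switch, as with `put temp.bin`) or
               "download" (switch -> PC, as with `get startup.cfg`)."""
    if direction == "upload":
        sender_eol, receiver_eol = CRLF, LF
    elif direction == "download":
        sender_eol, receiver_eol = LF, CRLF
    else:
        raise ValueError("direction must be 'upload' or 'download'")
    if mode == "ascii":
        received = ascii_mode_transfer(data, sender_eol, receiver_eol)
    elif mode == "binary":
        received = binary_mode_transfer(data)
    else:
        raise ValueError("mode must be 'ascii' or 'binary'")
    return {
        "file": filename,
        "direction": direction,
        "mode": mode,
        "recommended_mode": choose_mode(filename),
        "bytes_sent": len(data),
        "bytes_received": len(received),
        "intact": transfer_intact(data, received),
        # For text the logical content matters more than the line-ending bytes.
        "lines_preserved": data.splitlines() == received.splitlines(),
    }


if __name__ == "__main__":
    print(simulate("startup.cfg", SAMPLE_CFG, "download", "ascii"))
    print(simulate("temp.bin", SAMPLE_BLOB, "upload", "ascii"))
    print(simulate("temp.bin", SAMPLE_BLOB, "upload", "binary"))
```

The configuration file downloaded in ASCII mode comes back with CRLF line endings but identical lines, which is the behaviour the example procedure relies on. The binary blob uploaded in ASCII mode grows and loses a CR, so its digest no longer matches; the same blob in binary mode is identical. Since the switch has no obvious way to print a digest of a file, the practical check is a round trip: download the uploaded file again in binary mode and compare digests on the PC.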

To work with files on an FTP server, execute the following commands in FTP client view:

 

Task

Command

Remarks

Display directory or file information on the FTP server.

·         Display the detailed information of a directory or file on the FTP server:
dir [ remotefile [ localfile ] ]

·         Display the name of a directory or file on the FTP server:
ls [ remotefile [ localfile ] ]

N/A

Delete a file from the FTP server permanently.

delete remotefile

N/A

Set the file transfer mode.

·         Set the file transfer mode to ASCII:
ascii

·         Set the file transfer mode to binary:
binary

The default file transfer mode is binary.

Change the FTP operation mode.

passive

The default mode is passive.

Display or change the local working directory of the FTP client.

lcd [ directory | / ]

N/A

Upload a file to the FTP server.

put localfile [ remotefile ]

N/A

Download a file from the FTP server.

get remotefile [ localfile ]

N/A

Append the content of a file on the FTP client to a file on the FTP server.

append localfile [ remotefile ]

N/A

Specify the retransmit marker.

restart marker

Use this command together with the put, get, or append command.

Update the local file.

newer remotefile

N/A

Get the missing part of a file.

reget remotefile [ localfile ]

N/A

Rename a file on the FTP server.

rename [ oldfilename [ newfilename ] ]

N/A

 

Changing to another user account

After you log in to the FTP server, you can initiate an FTP authentication to change to a new account. By changing to a new account, you can obtain different privileges without re-establishing the FTP connection.

To change accounts successfully, you must enter the new username and password correctly. A wrong username or password can cause the FTP connection to be closed.

To change to another user account, execute the following command in user view:

 

Task

Command

Initiate an FTP authentication on the current FTP connection.

user username [ password ]

 

Maintaining and troubleshooting the FTP connection

Perform the following tasks in FTP client view:

 

Task

Command

Remarks

Display the FTP commands supported by the FTP server.

rhelp

N/A

Display help information for an FTP command on the FTP server.

rhelp protocol-command

N/A

Display FTP server status.

rstatus

N/A

Display detailed information about a directory or file on the FTP server.

rstatus remotefile

N/A

Display FTP connection status.

status

N/A

Display the system information of the FTP server.

system

N/A