01-Fundamentals Configuration Guide

HomeSupportConfigure & DeployConfiguration GuidesH3C S12500X-AF & S12500-X & S9800 Switch Series Configuration Guides(R27xx)-6W10501-Fundamentals Configuration Guide
03-Login management configuration
Title Size Download
03-Login management configuration 299.63 KB

Contents

Login overview·· 1

Using the console port for the first device access· 2

Configuring CLI login· 3

About CLI login· 3

User lines· 3

Login authentication modes· 3

User roles· 4

FIPS compliance· 4

Restrictions and guidelines: CLI login configuration· 4

Configuring console login· 5

About console login· 5

Restrictions and guidelines· 5

Console login configuration tasks at a glance· 5

Configuring console login authentication· 5

Configuring common console login settings· 7

Configuring Telnet login· 9

About Telnet login· 9

Restrictions and guidelines· 9

Configuring the device as a Telnet server 9

Using the device to log in to a Telnet server 13

Configuring SSH login· 14

About SSH login· 14

Configuring the device as an SSH server 14

Using the device to log in to an SSH server 16

Display and maintenance commands for CLI login· 16

Accessing the device through SNMP·· 19

Configuring RESTful access· 20

About RESTful access· 20

FIPS compliance· 20

Configuring RESTful access over HTTP· 20

Configuring RESTful access over HTTPS· 20

Controlling user access to the device· 22

About login user access control 22

FIPS compliance· 22

Controlling Telnet and SSH logins· 22

Controlling Telnet logins· 22

Controlling SSH logins· 22

Example: Controlling Telnet login· 23

Controlling SNMP access· 24

About SNMP access control 24

Example: Controlling SNMP access· 24

Configuring command authorization· 25

About command authorization· 25

Restrictions and guidelines· 25

Procedure· 25

Example: Configuring command authorization· 26

Configuring command accounting· 27

About command accounting· 27

Restrictions and guidelines· 27

Procedure· 28

Example: Configuring command accounting· 28

 


Login overview

The device supports the following types of login methods:

·     CLI loginAt the CLI, you can enter text commands to configure and manage the device.

To log in to the CLI, you can use one of the following methods:

¡     Connect to the console port.

¡     Use Telnet.

¡     Use SSH.

·     SNMP accessYou can run SNMP on an NMS to access the device MIB, and perform Get and Set operations to configure and manage the device.

·     RESTful accessYou can use RESTful API operations to configure and manage the device.

The first time you access the device, you can only log in to the CLI of the default MDC through the console port unless the device is automatically configured at startup. After login, you can create non-default MDCs, change console login parameters, or configure other access methods.

Non-default MDCs do not have any console ports. To log in to a non-default MDC for the first time, you must perform the following tasks:

·     Log in to the default MDC.

·     Switch to the non-default MDC by using the switchto mdc command.

After you log in to a non-default MDC, you can configure other access methods. Then, administrators of the default MDC and those of the non-default MDC can use the login methods to access the non-default MDC. For more information about MDC, see Virtual Technologies Configuration Guide.

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

Telnet and HTTP-based RESTful access are not supported in FIPS mode.


Using the console port for the first device access

About using the console port for the first device access

Console login is the fundamental login method.

Prerequisites

To log in through the console port, prepare a console terminal, for example, a PC. Make sure the console terminal has a terminal emulation program, such as HyperTerminal or PuTTY. For information about how to use terminal emulation programs, see the programs' user guides.

Procedure

1.     Turn off the PC.

The serial ports on PCs do not support hot swapping. Before connecting a cable to or disconnecting a cable from a serial port on a PC, you must turn off the PC.

2.     Find the console cable shipped with the device and connect the DB-9 female connector of the console cable to the serial port of the PC.

3.     Identify the console port of the device carefully and connect the RJ-45 connector of the console cable to the console port.

 

IMPORTANT

IMPORTANT:

To connect a PC to an operating device, first connect the PC end. To disconnect a PC from an operating device, first disconnect the device end.

Figure 1 Connecting a terminal to the console port

4.     Turn on the PC.

5.     On the PC, launch the terminal emulation program, and create a connection that uses the serial port connected to the device. Set the port properties so the port properties match the following console port default settings:

¡     Bits per second—9600 bps.

¡     Flow control—None.

¡     Parity—None.

¡     Stop bits—1.

¡     Data bits—8.

6.     Power on the device and press Enter as prompted.

The user view prompt appears. You can enter commands to configure or manage the device. To get help, enter a question mark (?).


Configuring CLI login

About CLI login

The device uses user lines (also called user interfaces) to manage CLI sessions and monitor user behavior. For a user line, you can configure access control settings, including the login authentication method and user roles.

User lines

User line types

The device supports the types of user lines listed in Table 1. Different user lines require different login methods.

Table 1 CLI login method and user line matrix

User line

Login method

AUX line

Console port.

Virtual type terminal (VTY) line

Telnet or SSH.

User line numbering

A user line has an absolute number and a relative number.

An absolute number uniquely identifies a user line among all user lines. The user lines are numbered starting from 0 and incrementing by 1, in the sequence of AUX and VTY lines. You can use the display line command without any parameters to view supported user lines and their absolute numbers.

A relative number uniquely identifies a user line among all user lines of the same type. The number format is user line type + number. All types of user lines are numbered starting from 0 and incrementing by 1. For example, the first VTY line is VTY 0.

User line assignment

The device assigns user lines to CLI login users depending on their login methods, as shown in Table 1. When a user logs in, the device checks the idle user lines for the login method, and assigns the lowest numbered user line to the user. For example, if VTY 0 and VTY 3 are idle when a user Telnets to the device, the device assigns VTY 0 to the user.

Each user line can be assigned only to one user at a time. If no user line is available, a CLI login attempt will be rejected.

Login authentication modes

You can configure login authentication to prevent illegal access to the device CLI.

In non-FIPS mode, the device supports the following login authentication modes:

·     None—Disables authentication. This mode allows access without authentication and is insecure.

·     Password—Requires password authentication. A user must provide the correct password at login.

·     Scheme—Uses the AAA module to provide local or remote login authentication. A user must provide the correct username and password at login.

In FIPS mode, the device supports only the scheme authentication mode.

Different login authentication modes require different user line configurations, as shown in Table 2.

Table 2 Configuration required for different login authentication modes

Authentication mode

Configuration tasks

None

Set the authentication mode to none.

Password

1.     Set the authentication mode to password.

2.     Set a password.

Scheme

1.     Set the authentication mode to scheme.

2.     Configure login authentication methods in ISP domain view. For more information, see Security Configuration Guide.

User roles

A user is assigned user roles at login. The user roles control the commands available for the user. For more information about user roles, see "Configuring RBAC."

The device assigns user roles based on the login authentication mode and user type.

·     In none or password authentication mode, the device assigns the user roles specified for the user line.

·     In scheme authentication mode, the device uses the following rules to assign user roles:

¡     For an SSH login user who uses publickey or password-publickey authentication, the device assigns the user roles specified for the local device management user with the same name.

¡     For other users, the device assigns user roles according to the user role configuration of the AAA module. If the AAA server does not assign any user roles and the default user role feature is disabled, a remote AAA authentication user cannot log in.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

Telnet login is not supported in FIPS mode.

Restrictions and guidelines: CLI login configuration

For commands that are available in both user line view and user line class view, the following rules apply:

·     A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

·     A non-default setting in either view takes precedence over the default setting in the other view. A non-default setting in user line view takes precedence over the non-default setting in user line class view.

·     A setting in user line class view takes effect only on users who log in after the setting is made. It does not affect users who are already online when the setting is made.

Configuring console login

About console login

You can connect a terminal to the console port of the device to log in and manage the device, as shown in Figure 2. For information about the login procedure, see "Using the console port for the first device access."

Figure 2 Logging in through the console port

By default, console login is enabled and does not require authentication. The user role is network-admin for a console user. To improve device security, configure password or scheme authentication for console login immediately after you log in to the device for the first time.

Restrictions and guidelines

A console login configuration change takes effect only for users who log in after the change is made. It does not affect users who are already online when the change is made.

In FIPS mode, the device supports only scheme authentication. You cannot disable authentication or configure password authentication.

Console login configuration tasks at a glance

To configure console login, perform the following tasks:

1.     Configuring console login authentication

¡     Disabling authentication for console login

¡     Configuring password authentication for console login

¡     Configuring scheme authentication for console login

2.     (Optional.) Configuring common console login settings

Configuring console login authentication

Disabling authentication for console login

1.     Enter system view.

system-view

2.     Enter AUX line view or class view.

¡     Enter AUX line view.

line aux first-number [ last-number ]

¡     Enter AUX line class view.

line class aux

3.     Disable authentication.

authentication-mode none

By default, authentication is disabled for console login.

 

CAUTION

CAUTION:

When authentication is disabled, users can log in to the device through the line or line class without authentication. For security purpose, disable authentication with caution.

 

4.     Assign a user role.

user-role role-name

By default, a console user of the default MDC is assigned the network-admin user role. Non-default MDCs do not support console login.

Configuring password authentication for console login

1.     Enter system view.

system-view

2.     Enter AUX line view or class view.

¡     Enter AUX line view.

line aux first-number [ last-number ]

¡     Enter AUX class view.

line class aux

3.     Enable password authentication.

authentication-mode password

By default, authentication is disabled for console login.

 

CAUTION

CAUTION:

When you enable password authentication, you must also configure an authentication password for the line or line class. If no authentication password is configured, you cannot log in to the device through the line or line class at the next time.

 

4.     Set a password.

set authentication password { hash | simple } password

By default, no password is set.

5.     Assign a user role.

user-role role-name

By default, a console user of the default MDC is assigned the network-admin user role. Non-default MDCs do not support console login.

Configuring scheme authentication for console login

1.     Enter system view.

system-view

2.     Enter AUX line view or class view.

¡     Enter AUX line view.

line aux first-number [ last-number ]

¡     Enter AUX line class view.

line class aux

3.     Enable scheme authentication.

In non-FIPS mode:

authentication-mode scheme

By default, authentication is disabled for console login.

In FIPS mode:

authentication-mode scheme

By default, scheme authentication is enabled.

 

CAUTION

CAUTION:

When you enable scheme authentication, make sure an authentication user account is available. If no authentication user account is available, you cannot log in to the device through the line or line class at the next time.

 

4.     Configure user authentication parameters in ISP domain view.

To use local authentication, configure a local user and set the relevant attributes. To use remote authentication, configure a RADIUS, LDAP, or HWTACACS scheme. For more information, see AAA in Security Configuration Guide.

Configuring common console login settings

Restrictions and guidelines

Some common console login settings take effect immediately and can interrupt the current session. Use a login method different from console login to log in to the device before you change console login settings.

After you change console login settings, adjust the settings on the configuration terminal accordingly for a successful login.

Procedure

1.     Enter system view.

system-view

2.     Enter AUX line view or class view.

¡     Enter AUX line view.

line aux first-number [ last-number ]

¡     Enter AUX line class view.

line class aux

3.     Configure transmission parameters.

¡     Set the transmission rate.

speed speed-value

By default, the transmission rate is 9600 bps.

This command is not available in user line class view.

¡     Specify the parity mode.

parity { even | mark | none | odd | space }

By default, a user line does not use parity.

This command is not available in user line class view.

¡     Configure flow control.

flow-control { hardware | none | software }

By default, the device does not perform flow control.

This command is not available in user line class view.

The hardware keyword is supported only in R2719 and later.

¡     Specify the number of data bits for a character.

databits { 5 | 6 | 7 | 8 }

The default is 8.

This command is not available in user line class view.

The 5 and 6 keywords are supported only in R2719 and later.

 

Parameter

Description

5 and 6

Available only for modem dial-in.

7

Uses standard ASCII characters.

8

Uses extended ASCII characters.

¡     Specify the number of stop bits for a character.

stopbits { 1 | 1.5 | 2 }

The default is 1.

Stop bits indicate the end of a character. The more the stop bits, the slower the transmission.

This command is not available in user line class view.

4.     Configure terminal attributes.

¡     Enable the terminal service.

shell

Be default, the terminal service is enabled on all user lines.

The undo shell command is not available in AUX line view.

¡     Specify the terminal display type.

terminal type { ansi | vt100 }

By default, the terminal display type is ANSI.

The device supports ANSI and VT100 terminal display types. As a best practice, specify VT100 type on both the device and the configuration terminal. You can also specify the ANSI type for both sides, but a display problem might occur if a command line has more than 80 characters.

¡     Set the maximum number of lines of command output to send to the terminal at a time.

screen-length screen-length

By default, the device sends a maximum of 24 lines to the terminal at a time.

To disable pausing between screens of output, set the value to 0.

¡     Set the size for the command history buffer.

history-command max-size value

By default, the buffer size is 10. The buffer for a user line can save a maximum of 10 history commands.

¡     Set the CLI connection idle-timeout timer.

idle-timeout minutes [ seconds ]

By default, the CLI connection idle-timeout timer is 10 minutes.

If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line.

If you set the timeout timer to 0, the connection will not be aged out.

5.     Specify the command to be automatically executed for login users on the lines.

auto-execute command command

By default, no command is specified for auto execution.

 

CAUTION

CAUTION:

Use this command with caution. If this command is used on a user line, users that log in to the device through this user line might fail to configure the system.

 

The device will automatically execute the specified command when a user logs in through the user line, and close the user connection after the command is executed.

This command is not available in AUX line view or AUX line class view.

6.     Configure shortcut keys.

¡     Specify the terminal session activation key.

activation-key character

By default, pressing Enter starts the terminal session.

¡     Specify the escape key.

escape-key { character | default }

By default, pressing Ctrl+C terminates a command.

¡     Set the user line locking key.

lock-key key-string

By default, no user line locking key is set.

Configuring Telnet login

About Telnet login

The device can act as a Telnet server to allow Telnet login, or as a Telnet client to Telnet to other devices.

Restrictions and guidelines

Telnet login is not supported in FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

A Telnet login configuration change takes effect only for users who log in after the change is made. It does not affect users who are already online when the change is made.

Configuring the device as a Telnet server

Telnet server configuration tasks at a glance

To configure the device as a Telnet server, perform the following tasks:

1.     Enabling the Telnet server

2.     Configuring Telnet login authentication

¡     Disabling authentication for Telnet login

¡     Configuring password authentication for Telnet login

¡     Configuring scheme authentication for Telnet login

3.     (Optional.) Configuring common Telnet server settings

4.     (Optional.) Configuring common VTY line settings

Enabling the Telnet server

1.     Enter system view.

system-view

2.     Enable the Telnet server.

telnet server enable

By default, the Telnet server is disabled.

Disabling authentication for Telnet login

1.     Enter system view.

system-view

2.     Enter VTY line view or class view.

¡     Enter VTY line view.

line vty first-number [ last-number ]

¡     Enter VTY line class view.

line class vty

3.     Disable authentication.

authentication-mode none

By default, password authentication is enabled for Telnet login.

 

CAUTION

CAUTION:

When authentication is disabled, users can log in to the device through the line or line class without authentication. For security purpose, disable authentication with caution.

 

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

4.     (Optional.) Assign a user role.

user-role role-name

By default, a VTY line user of the default MDC is assigned the network-operator user role. A VTY line user of a non-default MDC is assigned the mdc-operator user role.

Configuring password authentication for Telnet login

1.     Enter system view.

system-view

2.     Enter VTY line view or class view.

¡     Enter VTY line view.

line vty first-number [ last-number ]

¡     Enter VTY line class view.

line class vty

3.     Enable password authentication.

authentication-mode password

By default, password authentication is enabled for Telnet login.

 

CAUTION

CAUTION:

When you enable password authentication, you must also configure an authentication password for the line or line class. If no authentication password is configured, you cannot log in to the device through the line or line class at the next time.

 

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

4.     Set a password.

set authentication password { hash | simple } password

By default, no password is set.

5.     (Optional.) Assign a user role.

user-role role-name

By default, a VTY line user of the default MDC is assigned the user role network-operator. A VTY line user of a non-default MDC is assigned the user role mdc-operator.

Configuring scheme authentication for Telnet login

1.     Enter system view.

system-view

2.     Enter VTY line view or class view.

¡     Enter VTY line view.

line vty first-number [ last-number ]

¡     Enter VTY line class view.

line class vty

3.     Enable scheme authentication.

authentication-mode scheme

By default, password authentication is enabled for Telnet login.

 

CAUTION

CAUTION:

When you enable scheme authentication, make sure an authentication user account is available. If no authentication user account is available, you cannot log in to the device through the line or line class at the next time.

 

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

4.     Configure user authentication parameters in ISP domain view.

To use local authentication, configure a local user and set the relevant attributes.

To use remote authentication, configure a RADIUS, LDAP, or HWTACACS scheme. For more information, see AAA in Security Configuration Guide.

Configuring common Telnet server settings

1.     Enter system view.

system-view

2.     Set the DSCP value for outgoing Telnet packets.

IPv4:

telnet server dscp dscp-value

IPv6:

telnet server ipv6 dscp dscp-value

By default, the DSCP value is 48.

3.     Specify the Telnet service port number.

IPv4:

telnet server port port-number

IPv6:

telnet server ipv6 port port-number

By default, the Telnet service port number is 23.

4.     Set the maximum number of concurrent Telnet users.

aaa session-limit telnet max-sessions

By default, the maximum number of concurrent Telnet users is 32.

Changing this setting does not affect users who are currently online. If the new limit is less than the number of online Telnet users, no additional users can Telnet in until the number drops below the new limit.

For more information about this command, see Security Command Reference.

Configuring common VTY line settings

1.     Enter system view.

system-view

2.     Enter VTY line view or class view.

¡     Enter VTY line view.

line vty first-number [ last-number ]

¡     Enter VTY line class view.

line class vty

3.     Configure VTY terminal attributes.

¡     Enable the terminal service.

shell

By default, the terminal service is enabled on all user lines.

¡     Specify the terminal display type.

terminal type { ansi | vt100 }

By default, the terminal display type is ANSI.

¡     Set the maximum number of lines of command output to send to the terminal at a time.

screen-length screen-length

By default, the device sends a maximum of 24 lines to the terminal at a time.

To disable pausing between screens of output, set the value to 0.

¡     Set the size for the command history buffer.

history-command max-size value

By default, the buffer size is 10. The buffer for a user line can save a maximum of 10 history commands.

¡     Set the CLI connection idle-timeout timer.

idle-timeout minutes [ seconds ]

By default, the CLI connection idle-timeout timer is 10 minutes.

If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line.

If you set the timeout timer to 0, the connection will not be aged out.

4.     Specify the supported protocols.

protocol inbound { all | ssh | telnet }

By default, Telnet and SSH are supported.

A protocol change takes effect only on users who log in after the setting is made. It does not affect users who are already online when the setting is made.

In VTY line view, this command is associated with the authentication-mode command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

5.     Specify the command to be automatically executed for login users on the user lines.

auto-execute command command

By default, no command is specified for auto execution.

 

IMPORTANT

IMPORTANT:

Before you configure this command and save the configuration, make sure you can access the CLI to modify the configuration through other VTY user lines or AUX user lines.

For a VTY line, you can specify a command that is to be automatically executed when a user logs in. After executing the specified command, the system automatically disconnects the Telnet session.

6.     Configure shortcut keys.

¡     Specify the shortcut key for terminating a task.

escape-key { character | default }

The default setting is Ctrl+C.

¡     Set the user line locking key.

lock-key key-string

By default, no user line locking key is set.

Using the device to log in to a Telnet server

About using the device to log in to a Telnet server

You can use the device as a Telnet client to log in to a Telnet server.

Figure 3 Telnetting from the device to a Telnet server

Prerequisites

Assign an IP address to the device and obtain the IP address of the Telnet server. If the device resides on a different subnet than the Telnet server, make sure the device and the Telnet server can reach each other.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Specify the source IPv4 address or source interface for outgoing Telnet packets.

telnet client source { interface interface-type interface-number | ip ip-address }

By default, no source IPv4 address or source interface is specified. The device uses the primary IPv4 address of the output interface as the source address for outgoing Telnet packets.

3.     Exit to user view.

quit

4.     Use the device to log in to a Telnet server.

IPv4:

telnet remote-host [ service-port ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ip ip-address } | dscp dscp-value ] *

IPv6:

telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ipv6 ipv6-address } | dscp dscp-value ] *

Configuring SSH login

About SSH login

SSH offers a secure remote login method. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception. For more information, see Security Configuration Guide.

The device can act as an SSH server to allow Telnet login, or as an SSH client to log in to an SSH server.

Configuring the device as an SSH server

About SSH server configuration procedure

This section provides the SSH server configuration procedure used when the SSH client authentication method is password. For more information about SSH and publickey authentication configuration, see Security Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Create local key pairs.

In non-FIPS mode:

public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ]

In FIPS mode:

public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ]

3.     Enable the SSH server.

ssh server enable

By default, the SSH server is disabled.

4.     (Optional.) Create an SSH user and specify the authentication mode.

ssh user username service-type stelnet authentication-type password

5.     Enter VTY line view or class view.

¡     Enter VTY line view.

line vty first-number [ last-number ]

¡     Enter VTY line class view.

line class vty

6.     Enable scheme authentication.

In non-FIPS mode:

authentication-mode scheme

By default, password authentication is enabled for VTY lines.

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

In FIPS mode:

authentication-mode scheme

By default, scheme authentication is enabled for VTY lines.

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

 

CAUTION

CAUTION:

When you enable scheme authentication, make sure an authentication user account is available. If no authentication user account is available, you cannot log in to the device through the line or line class at the next time.

 

7.     (Optional.) Specify the protocols for the user lines to support.

In non-FIPS mode:

protocol inbound { all | ssh | telnet }

By default, Telnet and SSH are supported.

A protocol change takes effect only on users who log in after the setting is made. It does not affect users who are already online when the setting is made.

In VTY line view, this command is associated with the authentication-mode command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

In FIPS mode:

protocol inbound ssh

By default, SSH is supported.

A protocol change takes effect only on users who log in after the setting is made. It does not affect users who are already online when the setting is made.

In VTY line view, this command is associated with the authentication-mode command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

8.     (Optional.) Set the maximum number of concurrent SSH users.

aaa session-limit ssh max-sessions

By default, the maximum number of concurrent SSH users is 32.

Changing this setting does not affect users who are currently online. If the new limit is less than the number of online SSH users, no additional SSH users can log in until the number drops below the new limit.

For more information about this command, see Security Command Reference.

9.     (Optional.) Configure common settings for VTY lines:

a.     Exit to system view.

quit

b.     Configure common settings for VTY lines.

See "Configuring common VTY line settings."

Using the device to log in to an SSH server

About using the device to log in to an SSH server

You can use the device as an SSH client to log in to an SSH server.

Figure 4 Logging in to an SSH server from the device

Prerequisites

Assign an IP address to the device and obtain the IP address of the SSH server. If the device resides on a different subnet than the SSH server, make sure the device and the SSH server can reach each other.

Procedure

To use the device to log in to an SSH server, execute one of the following commands in user view:

IPv4:

ssh2 server

IPv6:

ssh2 ipv6 server

To work with the SSH server, you might need to specify a set of parameters. For more information, see Security Configuration Guide.

Display and maintenance commands for CLI login

Execute display commands in any view.

 

Task

Command

Remarks

Display user line information.

display line [ num1 | { aux | vty } num2 ] [ summary ]

N/A

Display the packet source setting for the Telnet client.

display telnet client

N/A

Display online CLI users.

display users [ all ]

N/A

Release a user line.

free line { num1 | { aux | vty } num2 }

Multiple users can log in to the device to simultaneously configure the device. When necessary, you can execute this command to release some connections.

You cannot use this command to release the connection you are using.

This command is available in user view.

Lock the current user line and set the password for unlocking the line.

lock

By default, the system does not lock any user lines.

This command is not supported in FIPS mode.

This command is available in user view.

Lock the current user line and enable unlocking authentication.

lock reauthentication

By default, the system does not lock any user lines or initiate reauthentication.

To unlock the locked user line, you must press Enter and provide the login password to pass reauthentication.

This command is available in any view.

Send messages to user lines.

send { all | num1 | { aux | vty } num2 }

This command is available in user view.


 


Accessing the device through SNMP

You can run SNMP on an NMS to access the device MIB and perform Get and Set operations to configure and manage the device.

Figure 5 SNMP access diagram

For more information about SNMP, see Network Management and Monitoring Configuration Guide.

 


Configuring RESTful access

About RESTful access

The device provides the Representational State Transfer application programming interface (RESTful API). Based on this API, you can use programming languages such as Python, Ruby, or Java to write programs to perform the following tasks:

·     Send RESTful requests to the device to pass authentication.

·     Use RESTful API operations to configure and manage the device. RESTful API operations include Get, Put, Post, and Delete.

The device supports using HTTP or HTTPS to transfer RESTful packets.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

RESTful access over HTTP is not supported in FIPS mode.

Configuring RESTful access over HTTP

1.     Enter system view.

system-view

2.     Enable RESTful access over HTTP.

restful http enable

By default, RESTful access over HTTP is disabled.

3.     Create a local user and enter local user view.

local-user user-name [ class manage ]

4.     Configure a password for the local user.

password [ { hash | simple } password ]

5.     (Optional.) Assign a user role to the local user.

authorization-attribute user-role user-role

The default user role is network-operator for a RESTful access user.

6.     Specify the HTTP service for the local user.

service-type http

By default, no service type is specified for a local user.

Configuring RESTful access over HTTPS

1.     Enter system view.

system-view

2.     (Optional.) Apply an SSL server policy to the RESTful access over HTTPS service.

restful https ssl-server-policy policy-name

By default, no SSL server policy is applied to the RESTful access over HTTPS service.

The RESTful access over HTTPS service will use the SSL server policy to enhance service security. For more information about SSL server policies, see SSL configuration in Security Configuration Guide.

This command is supported only in R2719 and later.

3.     Enable RESTful access over HTTPS.

restful https enable

By default, RESTful access over HTTPS is disabled.

4.     Create a local user and enter local user view.

local-user user-name [ class manage ]

5.     Configure a password for the local user.

In non-FIPS mode:

password [ { hash | simple } password ]

In FIPS mode:

password

6.     (Optional.) Assign a user role to the local user.

authorization-attribute user-role user-role

The default user role is network-operator for a RESTful access user.

7.     Specify the HTTPS service for the local user.

service-type https

By default, no service type is specified for a local user.


Controlling user access to the device

About login user access control

Use ACLs to prevent unauthorized access, and configure command authorization and accounting to monitor and control user behavior.

If an applied ACL does not exist or does not have any rules, no user login restriction is applied. If the ACL exists and has rules, only users permitted by the ACL can access the device.

For more information about ACLs, see ACL and QoS Configuration Guide.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

Telnet is not supported in FIPS mode.

Controlling Telnet and SSH logins

Controlling Telnet logins

1.     Enter system view.

system-view

2.     Apply an ACL to control Telnet logins.

IPv4:

telnet server acl { advanced-acl-number | basic-acl-number | mac mac-acl-number }

IPv6:

telnet server ipv6 acl { ipv6 { advanced-acl-number | basic-acl-number } | mac mac-acl-number }

By default, no ACL is used to control Telnet logins.

3.     (Optional.) Enable logging for Telnet login attempts that are denied by the Telnet login control ACL.

telnet server acl-deny-log enable

By default, logging is disabled for Telnet login attempts that are denied by the Telnet login control ACL.

Controlling SSH logins

1.     Enter system view.

system-view

2.     Apply an ACL to control SSH logins.

IPv4:

ssh server acl { advanced-acl-number | basic-acl-number | mac mac-acl-number }

IPv6:

ssh server ipv6 acl { ipv6 { advanced-acl-number | basic-acl-number } | mac mac-acl-number }

By default, no ACL is used to control SSH logins.

3.     (Optional.) Enable logging for SSH login attempts that are denied by the SSH login control ACL.

ssh server acl-deny-log enable

By default, logging is disabled for SSH login attempts that are denied by the SSH login control ACL.

For more information about ssh commands, see SSH in Security Command Reference.

Example: Controlling Telnet login

Network configuration

As shown in Figure 6, the device is a Telnet server.

Configure the device to permit only Telnet packets sourced from Host A and Host B.

Figure 6 Network diagram

Procedure

IMPORTANT

IMPORTANT:

By default, interfaces on the device are in ADM or Administratively Down state. To have an interface operate, you must use the undo shutdown command to enable that interface.

# Configure an ACL to permit packets sourced from Host A and Host B.

<Sysname> system-view

[Sysname] acl basic 2000 match-order config

[Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0

[Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0

[Sysname-acl-ipv4-basic-2000] quit

# Apply the ACL to filter Telnet logins.

[Sysname] telnet server acl 2000

Controlling SNMP access

About SNMP access control

For information about SNMP access control, see SNMP in Network Management and Monitoring Configuration Guide.

Example: Controlling SNMP access

Network configuration

As shown in Figure 7, the device is running SNMP.

Configure the device to allow Host A and Host B to access the device through SNMP.

Figure 7 Network diagram

Procedure

IMPORTANT

IMPORTANT:

By default, interfaces on the device are in ADM or Administratively Down state. To have an interface operate, you must use the undo shutdown command to enable that interface.

# Create an ACL to permit packets sourced from Host A and Host B.

<Sysname> system-view

[Sysname] acl basic 2000 match-order config

[Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0

[Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0

[Sysname-acl-ipv4-basic-2000] quit

# Associate the ACL with the SNMP community and the SNMP group.

[Sysname] snmp-agent community read aaa acl 2000

[Sysname] snmp-agent group v2c groupa acl 2000

[Sysname] snmp-agent usm-user v2c usera groupa acl 2000

Configuring command authorization

About command authorization

By default, commands available for a user depend only on the user's user roles. When the authentication mode is scheme, you can configure the command authorization feature to further control access to commands.

After you enable command authorization, a user can use only commands that are permitted by both the AAA scheme and user roles.

Restrictions and guidelines

The command authorization method can be different from the user login authorization method.

To make the command authorization feature take effect, you must configure a command authorization method in ISP domain view. For more information, see Security Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter user line view or user line class view.

¡     Enter user line view.

line { first-number1 [ last-number1 ] | { aux | vty } first-number2 [ last-number2 ] }

¡     Enter user line class view.

line class { aux | vty }

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over the default setting in the other view. A non-default setting in user line view takes precedence over the non-default setting in user line class view.

A setting in user line class view takes effect only on users who log in after the setting is made. It does not affect users who are already online when the setting is made.

3.     Enable scheme authentication.

In non-FIPS mode:

authentication-mode scheme

By default, authentication is disabled for console login, and password authentication is enabled for VTY login.

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

In FIPS mode:

authentication-mode scheme

By default, scheme authentication is enabled.

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

 

CAUTION

CAUTION:

When you enable scheme authentication, make sure an authentication user account is available. If no authentication user account is available, you cannot log in to the device through the line or line class at the next time.

 

4.     Enable command authorization.

command authorization

By default, command authorization is disabled, and the commands available for a user only depend on the user role.

If the command authorization command is configured in user line class view, command authorization is enabled on all user lines in the class. You cannot configure the undo command authorization command in the view of a user line in the class.

Example: Configuring command authorization

Network configuration

As shown in Figure 8, Host A needs to log in to the device to manage the device.

Configure the device to perform the following operations:

·     Allow Host A to Telnet in after authentication.

·     Use the HWTACACS server to control the commands that the user can execute.

·     If the HWTACACS server is not available, use local authorization.

Figure 8 Network diagram

Procedure

IMPORTANT

IMPORTANT:

By default, interfaces on the device are in ADM or Administratively Down state. To have an interface operate, you must use the undo shutdown command to enable that interface.

# Assign IP addresses to relevant interfaces. Make sure the device and the HWTACACS server can reach each other. Make sure the device and Host A can reach each other.

# Enable the Telnet server.

<Device> system-view

[Device] telnet server enable

# Enable scheme authentication for user lines VTY 0 through VTY 4.

[Device] line vty 0 4

[Device-line-vty0-4] authentication-mode scheme

# Enable command authorization for the user lines.

[Device-line-vty0-4] command authorization

[Device-line-vty0-4] quit

# Create HWTACACS scheme tac.

[Device] hwtacacs scheme tac

# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for authentication and authorization.

[Device-hwtacacs-tac] primary authentication 192.168.2.20 49

[Device-hwtacacs-tac] primary authorization 192.168.2.20 49

# Set the shared keys to expert.

[Device-hwtacacs-tac] key authentication simple expert

[Device-hwtacacs-tac] key authorization simple expert

# Remove domain names from usernames sent to the HWTACACS server.

[Device-hwtacacs-tac] user-name-format without-domain

[Device-hwtacacs-tac] quit

# Configure the system-defined domain (system).

[Device] domain system

# Use HWTACACS scheme tac for login user authentication and command authorization. Use local authentication and local authorization as the backup method.

[Device-isp-system] authentication login hwtacacs-scheme tac local

[Device-isp-system] authorization command hwtacacs-scheme tac local

[Device-isp-system] quit

# Create local user monitor. Set the simple password to 123, the service type to Telnet, and the default user role to level-1.

[Device] local-user monitor

[Device-luser-manage-monitor] password simple 123

[Device-luser-manage-monitor] service-type telnet

[Device-luser-manage-monitor] authorization-attribute user-role level-1

Configuring command accounting

About command accounting

Command accounting uses the HWTACACS server to record all executed commands to monitor user behavior on the device.

If command accounting is enabled but command authorization is not, every executed command is recorded. If both command accounting and command authorization are enabled, only authorized commands that are executed are recorded.

Restrictions and guidelines

The command accounting method can be the same as or different from the command authorization method and user login authorization method.

To make the command accounting feature take effect, you must configure a command accounting method in ISP domain view. For more information, see Security Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter user line view or user line class view.

¡     Enter user line view.

line { first-number1 [ last-number1 ] | { aux | vty } first-number2 [ last-number2 ] }

¡     Enter user line class view.

line class { aux | vty }

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over the default setting in the other view. A non-default setting in user line view takes precedence over the non-default setting in user line class view.

A setting in user line class view takes effect only on users who log in after the setting is made. It does not affect users who are already online when the setting is made.

3.     Enable scheme authentication.

In non-FIPS mode:

authentication-mode scheme

By default, authentication is disabled for console login, and password authentication is enabled for VTY login.

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

In FIPS mode:

authentication-mode scheme

By default, scheme authentication is enabled.

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

 

CAUTION

CAUTION:

When you enable scheme authentication, make sure an authentication user account is available. If no authentication user account is available, you cannot log in to the device through the line or line class at the next time.

 

4.     Enable command accounting.

command accounting

By default, command accounting is disabled. The accounting server does not record the commands executed by users.

If the command accounting command is configured in user line class view, command accounting is enabled on all user lines in the class. You cannot configure the undo command accounting command in the view of a user line in the class.

Example: Configuring command accounting

Network configuration

As shown in Figure 9, users need to log in to the device to manage the device.

Configure the device to send commands executed by users to the HWTACACS server to monitor and control user operations on the device.

Figure 9 Network diagram

Procedure

IMPORTANT

IMPORTANT:

By default, interfaces on the device are in ADM or Administratively Down state. To have an interface operate, you must use the undo shutdown command to enable that interface.

# Enable the Telnet server.

<Device> system-view

[Device] telnet server enable

# Enable command accounting for user line AUX 0.

[Device] line aux 0

[Device-line-aux0] command accounting

[Device-line-aux0] quit

# Enable command accounting for user lines VTY 0 through VTY 63.

[Device] line vty 0 63

[Device-line-vty0-63] command accounting

[Device-line-vty0-63] quit

# Create HWTACACS scheme tac.

[Device] hwtacacs scheme tac

# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for accounting.

[Device-hwtacacs-tac] primary accounting 192.168.2.20 49

# Set the shared key to expert.

[Device-hwtacacs-tac] key accounting simple expert

# Remove domain names from usernames sent to the HWTACACS server.

[Device-hwtacacs-tac] user-name-format without-domain

[Device-hwtacacs-tac] quit

# Configure the system-defined domain (system) to use the HWTACACS scheme for command accounting.

[Device] domain system

[Device-isp-system] accounting command hwtacacs-scheme tac

[Device-isp-system] quit

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网