02-Fundamentals Configuration Guide

H3C WX3800X Series Access Controllers Configuration Guides (R1411P02-6W101)
03-Login management configuration

Contents

Login overview
Using the console port for the first device access
Configuring CLI login
    About CLI login
        User lines
        Login authentication modes
        User roles
    Restrictions and guidelines: CLI login configuration
    Configuring console login
        About console and AUX login
        Restrictions and guidelines
        Console login configuration tasks at a glance
        Configuring console login authentication
        Configuring common console login settings
    Configuring Telnet login
        About Telnet login
        Restrictions and guidelines
        Configuring the device as a Telnet server
        Using the device to log in to a Telnet server
    Configuring SSH login
        About SSH login
        Configuring the device as an SSH server
        Using the device to log in to an SSH server
    Verifying and maintaining CLI login
        Displaying user line configuration and operating status
        Sending messages to user lines
        Releasing user lines
        Locking the current user line
        Displaying Telnet client settings
Configuring Web login
    About Web login
    Restrictions and guidelines: Web login configuration
    Web login configuration tasks at a glance
    Prerequisites for Web login
    Configuring HTTP login
    Configuring HTTPS login
    Configuring a Web login local user
    Managing Web connections
    Enabling Web operation logging
    Verifying and maintaining Web login
    Web login configuration examples
        Example: Configuring HTTP login
        Example: Configuring HTTPS login with a Windows Server 2003 CA server
        Example: Configuring HTTPS login with CA certificate and local certificate obtained
Controlling user access to the device
    About login user access control
    Controlling Telnet and SSH logins
        Controlling Telnet logins
        Controlling SSH logins
        Example: Controlling Telnet login
    Controlling Web logins
        Configuring source IP-based Web login control
        Example: Controlling Web login
Configuring command authorization
    About command authorization
    Restrictions and guidelines
    Procedure
    Example: Configuring command authorization
Configuring command accounting
    About command accounting
    Restrictions and guidelines
    Procedure
    Example: Configuring command accounting
Configuring character encodings
    About character encodings
    Specifying character encodings
        Specifying a character encoding for the current terminal
        Enabling character encoding check
    Verifying and maintaining character encoding configuration
        Displaying the current character encoding on the device or login terminal
        Converting the command output into a character encoding

 


Login overview

The device supports the following types of login methods:

·     CLI login—At the CLI, you can enter text commands to configure and manage the device.

To log in to the CLI, you can use one of the following methods:

¡     Connect to the console port.

¡     Use Telnet.

¡     Use SSH.

·     Web login—Through the Web interface, you can configure and manage the device visually.

The first time you access the device, you can only log in to the CLI through the console port unless the device is automatically configured at startup. After login, you can change console login parameters or configure other access methods.

The login management descriptions in this guide assume that the device does not enter the automatic configuration process at startup.


Using the console port for the first device access

About this task

Console login is the fundamental login method.

Prerequisites

To log in through the console port, prepare a console terminal, for example, a PC. Make sure the console terminal has a terminal emulation program, such as HyperTerminal or PuTTY. For information about how to use terminal emulation programs, see the programs' user guides.

Procedure

1.     Turn off the PC.

The serial ports on PCs do not support hot swapping. Before connecting a cable to or disconnecting a cable from a serial port on a PC, you must turn off the PC.

2.     Find the console cable shipped with the device and connect the DB-9 female connector of the console cable to the serial port of the PC.

3.     Identify the console port of the device carefully and connect the RJ-45 connector of the console cable to the console port.

 

IMPORTANT:

To connect a PC to an operating device, first connect the PC end. To disconnect a PC from an operating device, first disconnect the device end.

Figure 1 Connecting a terminal to the console port

4.     Turn on the PC.

5.     On the PC, launch the terminal emulation program, and create a connection that uses the serial port connected to the device. Set the port properties so the port properties match the following console port default settings:

¡     Bits per second—9600 bps.

¡     Flow control—None.

¡     Parity—None.

¡     Stop bits—1.

¡     Data bits—8.

6.     Power on the device and press Enter as prompted.

The user view prompt appears. You can enter commands to configure or manage the device. To get help, enter a question mark (?).


Configuring CLI login

About CLI login

The device uses user lines (also called user interfaces) to manage CLI sessions and monitor user behavior. For a user line, you can configure access control settings, including the login authentication method and user roles.

User lines

User line types

The device supports the types of user lines listed in Table 1. Different user lines require different login methods.

Table 1 CLI login method and user line matrix

User line                          Login method
AUX line                           Console port.
Virtual type terminal (VTY) line   Telnet or SSH.

User line numbering

A user line has an absolute number and a relative number.

An absolute number uniquely identifies a user line among all user lines. The user lines are numbered starting from 0 and incrementing by 1, in the sequence of AUX and VTY lines. You can use the display line command without any parameters to view supported user lines and their absolute numbers.

A relative number uniquely identifies a user line among all user lines of the same type. The number format is user line type + number. All types of user lines are numbered starting from 0 and incrementing by 1. For example, the first VTY line is VTY 0.

User line assignment

The device assigns user lines to CLI login users depending on their login methods, as shown in Table 1. When a user logs in, the device checks the idle user lines for the login method, and assigns the lowest numbered user line to the user. For example, if VTY 0 and VTY 3 are idle when a user Telnets to the device, the device assigns VTY 0 to the user.

Each user line can be assigned only to one user at a time. If no user line is available, a CLI login attempt will be rejected.

Login authentication modes

You can configure login authentication to prevent illegal access to the device CLI.

The device supports the following login authentication modes:

·     None—Disables authentication. This mode allows access without authentication and is insecure.

·     Password—Requires password authentication. A user must provide the correct password at login.

·     Scheme—Uses the AAA module to provide local or remote login authentication. A user must provide the correct username and password at login.

Different login authentication modes require different user line configurations, as shown in Table 2.

Table 2 Configuration required for different login authentication modes

Authentication mode   Configuration tasks
None                  Set the authentication mode to none.
Password              1. Set the authentication mode to password.
                      2. Set a password.
Scheme                1. Set the authentication mode to scheme.
                      2. Configure login authentication methods in ISP domain view. For more information, see AAA in User Access and Authentication Configuration Guide.

User roles

A user is assigned user roles at login. The user roles control the commands available for the user. For more information about user roles, see "Configuring RBAC."

The device assigns user roles based on the login authentication mode and user type.

·     In none or password authentication mode, the device assigns the user roles specified for the user line.

·     In scheme authentication mode, the device uses the following rules to assign user roles:

¡     For an SSH login user who uses publickey or password-publickey authentication, the device assigns the user roles specified for the local device management user with the same name.

¡     For other users, the device assigns user roles according to the user role configuration of the AAA module. If the AAA server does not assign any user roles and the default user role feature is disabled, a remote AAA authentication user cannot log in.

Restrictions and guidelines: CLI login configuration

For commands that are available in both user line view and user line class view, the following rules apply:

·     A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

·     A non-default setting in either view takes precedence over the default setting in the other view. A non-default setting in user line view takes precedence over the non-default setting in user line class view.

·     A setting in user line class view takes effect only on users who log in after the setting is made. It does not affect users who are already online when the setting is made.
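The precedence rules above decide the effective value of a setting that is configured in both views. The following Python is an added illustration (not H3C code) that resolves the effective value of a VTY line setting from its line view and class view configuration, also applying the association between authentication-mode and protocol inbound described later under "Configuring Telnet login", and then audits which lines end up weaker than the class view intends. The dictionary layout and the audit helper are assumptions of this example; the rules and defaults are the guide's.

```python
"""Resolve the effective value of a user line setting configured in both user
line view and user line class view, following the precedence rules of this
guide. Added illustration, not H3C code."""

# Defaults this guide states for VTY lines.
VTY_DEFAULTS = {
    "authentication-mode": "password",
    "protocol inbound": "all",          # Telnet and SSH
    "user-role": "network-operator",
    "idle-timeout": 10,                 # minutes
}

# In VTY line view, authentication-mode and protocol inbound are associated:
# if one has a non-default setting in line view, the other also uses its line
# view setting (its default, if unset), regardless of the class view setting.
COUPLED = {
    "authentication-mode": "protocol inbound",
    "protocol inbound": "authentication-mode",
}


def _non_default(cfg, name, defaults):
    """True when `name` is configured in `cfg` with a value other than its default."""
    return name in cfg and cfg[name] != defaults[name]


def effective_setting(name, line_cfg, class_cfg, defaults=VTY_DEFAULTS):
    """Return (value, source) for one setting on one VTY line.

    line_cfg and class_cfg hold the values explicitly configured in user line
    view and user line class view (assumed layout). Precedence: non-default
    line view, then the coupling rule, then non-default class view, then the
    default.
    """
    if _non_default(line_cfg, name, defaults):
        return line_cfg[name], "line view"
    partner = COUPLED.get(name)
    if partner and _non_default(line_cfg, partner, defaults):
        return defaults[name], "line view default (coupled with %s)" % partner
    if _non_default(class_cfg, name, defaults):
        return class_cfg[name], "class view"
    return defaults[name], "default"


def audit_vty_lines(lines, class_cfg):
    """Flag lines whose effective settings weaken login security.

    `lines` maps a line name such as "vty 5" to its line view configuration.
    Returns a sorted list of (line, finding) tuples.
    """
    findings = []
    for line, line_cfg in sorted(lines.items()):
        auth, auth_src = effective_setting("authentication-mode", line_cfg, class_cfg)
        proto, proto_src = effective_setting("protocol inbound", line_cfg, class_cfg)
        if auth == "none":
            findings.append((line, "no login authentication (%s)" % auth_src))
        elif auth != "scheme":
            findings.append((line, "authentication-mode %s, not scheme (%s)" % (auth, auth_src)))
        if proto in ("all", "telnet"):
            findings.append((line, "accepts Telnet: protocol inbound %s (%s)" % (proto, proto_src)))
    return findings


# Constructed scenario: the class view is hardened, but two lines override it.
CLASS_VTY = {"authentication-mode": "scheme", "protocol inbound": "ssh"}
LINES = {
    "vty 0": {},                                # inherits the class view
    "vty 1": {"authentication-mode": "none"},   # explicit weak setting
    "vty 5": {"protocol inbound": "telnet"},    # drags authentication-mode back
                                                # to its line view default
}

if __name__ == "__main__":
    for line, finding in audit_vty_lines(LINES, CLASS_VTY):
        print("%s: %s" % (line, finding))
```

Note that vty 5 never set authentication-mode, yet the coupling rule silently takes it back to password authentication instead of the scheme authentication configured for the class.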

Configuring console login

About console and AUX login

You can connect a terminal to the console port of the device to log in and manage the device, as shown in Figure 2. For information about the login procedure, see "Using the console port for the first device access."

Figure 2 Logging in through the console port

By default, console login is enabled and does not require authentication. The default user role is network-admin for a console user. To improve device security, configure password or scheme authentication for console login immediately after you log in to the device for the first time.

Restrictions and guidelines

A console login configuration change takes effect only on users who log in after the change is made. It does not affect users who are already online when the change is made.

The device displays the current memory usage if the following conditions exist:

1.     The memory-threshold command is used to configure free-memory thresholds.

2.     The system detects that the free memory size has decreased to or below the configured minor, severe, critical, or early-warning alarm threshold.

3.     The user logs in to the management interface of the device through the console port.

Console login configuration tasks at a glance

To configure console login, perform the following tasks:

1.     Configuring console login authentication

¡     Disabling authentication for console login

¡     Configuring password authentication for console login

¡     Configuring scheme authentication for console login

2.     (Optional.) Configuring common console login settings

Configuring console login authentication

Disabling authentication for console login

1.     Enter system view.

system-view

2.     Enter AUX line view or class view.

¡     Enter AUX line view.

line aux first-number [ last-number ]

¡     Enter AUX line class view.

line class aux

3.     Disable authentication.

authentication-mode none

By default, authentication is disabled for console login.

 

CAUTION:

When authentication is disabled, users can log in to the device through the line or line class without authentication. For security purposes, disable authentication with caution.

 

4.     Assign a user role.

user-role role-name

By default, a console user is assigned the network-admin user role.

Configuring password authentication for console login

1.     Enter system view.

system-view

2.     Enter AUX line view or class view.

¡     Enter AUX line view.

line aux first-number [ last-number ]

¡     Enter AUX class view.

line class aux

3.     Enable password authentication.

authentication-mode password

By default, authentication is disabled for console login.

4.     Set a password.

set authentication password { hash | simple } password

By default, no password is set.

5.     Assign a user role.

user-role role-name

By default, a console user is assigned the network-admin user role.

Configuring scheme authentication for console login

1.     Enter system view.

system-view

2.     Enter AUX line view or class view.

¡     Enter AUX line view.

line aux first-number [ last-number ]

¡     Enter AUX line class view.

line class aux

3.     Enable scheme authentication.

authentication-mode scheme

By default, authentication is disabled for console login.

 

IMPORTANT:

When you enable scheme authentication, make sure an authentication user account is available. If no authentication user account is available, you will not be able to log in to the device through the line or line class next time.

 

4.     Configure user authentication parameters in ISP domain view.

To use local authentication, configure a local user and set the relevant attributes. To use remote authentication, configure a RADIUS, LDAP, or HWTACACS scheme. For more information, see AAA in User Access and Authentication Configuration Guide.

Configuring common console login settings

Restrictions and guidelines

Some common console login settings take effect immediately and can interrupt the current session. Use a login method different from console login to log in to the device before you change console login settings.

After you change console login settings, adjust the settings on the configuration terminal accordingly for a successful login.

Procedure

1.     Enter system view.

system-view

2.     Enter AUX line view or class view.

¡     Enter AUX line view.

line aux first-number [ last-number ]

¡     Enter AUX line class view.

line class aux

3.     Configure transmission parameters.

¡     Set the transmission rate.

speed speed-value

By default, the transmission rate is 9600 bps.

This command is not available in user line class view.

¡     Specify the parity mode.

parity { even | mark | none | odd | space }

By default, a user line does not use parity.

This command is not available in user line class view.

¡     Configure flow control.

flow-control { hardware | none | software }

By default, the device does not perform flow control.

This command is not available in user line class view.

¡     Specify the number of data bits for a character.

databits { 7 | 8 }

The default is 8.

This command is not available in user line class view.

 

Parameter   Description
7           Uses standard ASCII characters.
8           Uses extended ASCII characters.

¡     Specify the number of stop bits for a character.

stopbits { 1 | 1.5 | 2 }

The default is 1.

Stop bits indicate the end of a character. The more stop bits, the slower the transmission.

This command is not available in user line class view.

4.     Configure terminal attributes.

¡     Enable the terminal service.

shell

By default, the terminal service is enabled on all user lines.

The undo shell command is not available in AUX line view.

¡     Specify the terminal display type.

terminal type { ansi | vt100 }

By default, the terminal display type is ANSI.

The device supports ANSI and VT100 terminal display types. As a best practice, specify VT100 type on both the device and the configuration terminal. You can also specify the ANSI type for both sides, but a display problem might occur if a command line has more than 80 characters.

¡     Set the maximum number of lines of command output to send to the terminal at a time.

screen-length screen-length

By default, the device sends a maximum of 24 lines to the terminal at a time.

To disable pausing between screens of output, set the value to 0.

¡     Set the size for the command history buffer.

history-command max-size value

By default, the buffer size is 10. The buffer for a user line can save a maximum of 10 history commands.

¡     Set the CLI connection idle-timeout timer.

idle-timeout minutes [ seconds ]

By default, the CLI connection idle-timeout timer is 10 minutes.

If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line.

If you set the timeout timer to 0, the connection will not be aged out.

5.     Specify the command to be automatically executed for login users on the lines.

auto-execute command command

By default, no command is specified for auto execution.

 

CAUTION:

Use this command with caution. If this command is used on a user line, users that log in to the device through this user line might fail to configure the system.

 

The device will automatically execute the specified command when a user logs in through the user line, and close the user connection after the command is executed.

This command is available in AUX line view or AUX line class view.

6.     Configure shortcut keys.

¡     Specify the terminal session activation key.

activation-key character

By default, pressing Enter starts the terminal session.

¡     Specify the escape key.

escape-key { character | default }

By default, pressing Ctrl+C terminates a command.

¡     Set the user line locking key.

lock-key key-string

By default, no user line locking key is set.

Configuring Telnet login

About Telnet login

The device can act as a Telnet server to allow Telnet login, or as a Telnet client to Telnet to other devices.

Restrictions and guidelines

A Telnet login configuration change takes effect only on users who log in after the change is made. It does not affect users who are already online when the change is made.

The device displays the current memory usage if the following conditions exist:

1.     The memory-threshold command is used to configure free-memory thresholds.

2.     The system detects that the free memory size has decreased to or below the configured minor, severe, critical, or early-warning alarm threshold.

3.     The user Telnets to the device.

Configuring the device as a Telnet server

Telnet server configuration tasks at a glance

To configure the device as a Telnet server, perform the following tasks:

1.     Enabling the Telnet server

2.     Configuring Telnet login authentication

¡     Disabling authentication for Telnet login

¡     Configuring password authentication for Telnet login

¡     Configuring scheme authentication for Telnet login

3.     (Optional.) Configuring common Telnet server settings

4.     (Optional.) Configuring common VTY line settings

Enabling the Telnet server

1.     Enter system view.

system-view

2.     Enable the Telnet server.

telnet server enable

By default, the Telnet server is disabled.

Disabling authentication for Telnet login

1.     Enter system view.

system-view

2.     Enter VTY line view or class view.

¡     Enter VTY line view.

line vty first-number [ last-number ]

¡     Enter VTY line class view.

line class vty

3.     Disable authentication.

authentication-mode none

By default, password authentication is enabled for Telnet login.

 

CAUTION:

When authentication is disabled, users can log in to the device through the line or line class without authentication. For security purposes, disable authentication with caution.

 

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

4.     (Optional.) Assign a user role.

user-role role-name

By default, a VTY line user is assigned the network-operator user role.

Configuring password authentication for Telnet login

1.     Enter system view.

system-view

2.     Enter VTY line view or class view.

¡     Enter VTY line view.

line vty first-number [ last-number ]

¡     Enter VTY line class view.

line class vty

3.     Enable password authentication.

authentication-mode password

By default, password authentication is enabled for Telnet login.

 

CAUTION:

When you enable password authentication, you must also configure an authentication password for the line or line class. If no authentication password is configured, you will not be able to log in to the device through the line or line class next time.

 

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

4.     Set a password.

set authentication password { hash | simple } password

By default, no password is set.

5.     (Optional.) Assign a user role.

user-role role-name

By default, a VTY line user is assigned the network-operator user role.

Configuring scheme authentication for Telnet login

1.     Enter system view.

system-view

2.     Enter VTY line view or class view.

¡     Enter VTY line view.

line vty first-number [ last-number ]

¡     Enter VTY line class view.

line class vty

3.     Enable scheme authentication.

authentication-mode scheme

By default, password authentication is enabled for Telnet login.

 

CAUTION:

When you enable scheme authentication, make sure an authentication user account is available. If no authentication user account is available, you will not be able to log in to the device through the line or line class next time.

 

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

4.     Configure user authentication parameters in ISP domain view.

To use local authentication, configure a local user and set the relevant attributes.

To use remote authentication, configure a RADIUS, LDAP, or HWTACACS scheme. For more information, see AAA in User Access and Authentication Configuration Guide.

Configuring the alarm threshold and alarm clearance threshold for Telnet login failures

1.     Enter system view.

system-view

2.     Set the alarm threshold and alarm clearance threshold for Telnet login failures in a statistics period.

telnet server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time

By default, the statistics period is five minutes, and the alarm threshold and alarm clearance threshold for Telnet login failures in the statistics period are 30 and 20, respectively.

After you execute this command, if the number of Telnet login failures reaches the alarm threshold in a statistics period, an alarm message is generated. If the number of Telnet login failures drops below the alarm clearance threshold in a statistics period, an alarm clearance message is generated. This helps you obtain real-time information about Telnet logins.
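The alarm and clearance thresholds form a hysteresis: a burst that reaches the upper limit raises the alarm, and it is cleared only once a statistics period ends below the lower limit. The following Python is an added model of that behavior (not H3C code) replayed over constructed failed-login timestamps, useful for understanding what a monitoring system should expect from the device. The guide does not state the exact moment the counters are evaluated, so this model assumes the alarm fires as soon as the count within a period reaches the upper limit and clearance is evaluated when a period ends.

```python
"""Hysteresis model of the Telnet login-failure alarm thresholds.
Added illustration, not H3C code; the evaluation timing is an assumption."""

DEFAULT_UPPER = 30      # alarm threshold (report-times)
DEFAULT_LOWER = 20      # alarm clearance threshold (resume-times)
DEFAULT_PERIOD = 300    # statistics period in seconds (five minutes)


def login_failure_events(failure_times, until,
                         upper=DEFAULT_UPPER, lower=DEFAULT_LOWER,
                         period=DEFAULT_PERIOD):
    """Replay failed-login timestamps (seconds) up to `until` seconds.

    Returns a list of (time, event) tuples, where event is "ALARM" or
    "CLEAR". Only one alarm is outstanding at a time: it must be cleared
    before a later burst can raise it again.
    """
    if upper <= lower or period <= 0:
        raise ValueError("upper limit must exceed lower limit; period must be positive")

    events = []
    alarmed = False
    count = 0          # failures seen in the current statistics period
    current = 0        # index of the current statistics period

    def close_periods(up_to):
        # Finish every statistics period that ended before period `up_to`:
        # a period that ends below the lower limit clears an active alarm.
        nonlocal alarmed, count, current
        while current < up_to:
            if alarmed and count < lower:
                events.append(((current + 1) * period, "CLEAR"))
                alarmed = False
            count = 0
            current += 1

    for t in sorted(failure_times):
        close_periods(int(t // period))
        count += 1
        if not alarmed and count >= upper:
            events.append((t, "ALARM"))
            alarmed = True
    close_periods(int(until // period))
    return events


# Constructed sample: 40 failures in the first period, 25 in the second
# (still at or above the clearance threshold, so no clearance yet), 5 in
# the third, and none afterwards.
CONSTRUCTED_FAILURES = (
    [100 + 5 * i for i in range(40)]
    + [310 + 10 * i for i in range(25)]
    + [650, 660, 670, 680, 690]
)

if __name__ == "__main__":
    for t, event in login_failure_events(CONSTRUCTED_FAILURES, until=1200):
        print("t=%4ds %s" % (t, event))
```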

Configuring common Telnet server settings

1.     Enter system view.

system-view

2.     Set the DSCP value for outgoing Telnet packets.

IPv4:

telnet server dscp dscp-value

IPv6:

telnet server ipv6 dscp dscp-value

By default, the DSCP value is 48. The DSCP value is carried in the ToS field of an IPv4 packet and in the Traffic class field of an IPv6 packet to indicate the packet transmission priority.

3.     Specify the Telnet service port number.

IPv4:

telnet server port port-number

IPv6:

telnet server ipv6 port port-number

By default, the Telnet service port number is 23.

4.     Set the maximum number of concurrent Telnet users.

aaa session-limit telnet max-sessions

By default, the maximum number of concurrent Telnet users is 32.

Changing this setting does not affect users who are currently online. If the new limit is less than the number of online Telnet users, no additional users can Telnet in until the number drops below the new limit.

For more information about this command, see User Access and Authentication Command Reference.

Configuring common VTY line settings

1.     Enter system view.

system-view

2.     Enter VTY line view or class view.

¡     Enter VTY line view.

line vty first-number [ last-number ]

¡     Enter VTY line class view.

line class vty

3.     Configure VTY terminal attributes.

¡     Enable the terminal service.

shell

By default, the terminal service is enabled on all user lines.

¡     Specify the terminal display type.

terminal type { ansi | vt100 }

By default, the terminal display type is ANSI.

¡     Set the maximum number of lines of command output to send to the terminal at a time.

screen-length screen-length

By default, the device sends a maximum of 24 lines to the terminal at a time.

To disable pausing between screens of output, set the value to 0.

¡     Set the size for the command history buffer.

history-command max-size value

By default, the buffer size is 10. The buffer for a user line can save a maximum of 10 history commands.

¡     Set the CLI connection idle-timeout timer.

idle-timeout minutes [ seconds ]

By default, the CLI connection idle-timeout timer is 10 minutes.

If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line.

If you set the timeout timer to 0, the connection will not be aged out.

4.     Specify the supported protocols.

protocol inbound { all | ssh | telnet }

By default, Telnet and SSH are supported.

A protocol change takes effect only on users who log in after the setting is made. It does not affect users who are already online when the setting is made.

In VTY line view, this command is associated with the authentication-mode command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

5.     Specify the command to be automatically executed for login users on the user lines.

auto-execute command command

By default, no command is specified for auto execution.

 

IMPORTANT:

Before you execute this command and save the configuration, make sure you can access the CLI to modify the configuration through other VTY lines or AUX lines.

For a VTY line, you can specify a command that is to be automatically executed when a user logs in. After executing the specified command, the system automatically disconnects the Telnet session.

6.     Configure shortcut keys.

¡     Specify the shortcut key for terminating a task.

escape-key { character | default }

The default setting is Ctrl+C.

¡     Set the user line locking key.

lock-key key-string

By default, no user line locking key is set.

Using the device to log in to a Telnet server

About this task

You can use the device as a Telnet client to log in to a Telnet server.

Figure 3 Telnetting from the device to a Telnet server

Prerequisites

Assign an IP address to the device and obtain the IP address of the Telnet server. If the device resides on a different subnet than the Telnet server, make sure the device and the Telnet server can reach each other.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Specify the source IPv4 address or source interface for outgoing Telnet packets.

telnet client source { interface interface-type interface-number | ip ip-address }

By default, no source IPv4 address or source interface is specified. The device uses the primary IPv4 address of the output interface as the source address for outgoing Telnet packets.

3.     Return to user view.

quit

4.     Use the device to log in to a Telnet server.

IPv4:

telnet remote-host [ service-port ] [ source { interface interface-type interface-number | ip ip-address } | dscp dscp-value ] * [ escape character ]

IPv6:

telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] [ source { interface interface-type interface-number | ipv6 ipv6-address } | dscp dscp-value ] * [ escape character ]

Configuring SSH login

About SSH login

SSH offers a secure remote login method. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception. For more information, see SSH in Security Configuration Guide.

The device can act as an SSH server to allow SSH login, or as an SSH client to log in to an SSH server.

Configuring the device as an SSH server

About this task

This section provides the SSH server configuration procedure used when the SSH client authentication method is password. For more information about SSH and publickey authentication configuration, see SSH in Security Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Create local key pairs.

public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ]

3.     Enable the SSH server.

ssh server enable

By default, the SSH server is disabled.

4.     (Optional.) Create an SSH user and specify the authentication mode.

ssh user username service-type stelnet authentication-type password

5.     Enter VTY line view or class view.

¡     Enter VTY line view.

line vty first-number [ last-number ]

¡     Enter VTY line class view.

line class vty

6.     Enable scheme authentication.

authentication-mode scheme

By default, password authentication is enabled for VTY lines.

 

CAUTION:

When you enable scheme authentication, make sure an authentication user account is available. If no authentication user account is available, you will not be able to log in to the device through the line or line class next time.

 

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

7.     (Optional.) Specify the protocols for the user lines to support.

protocol inbound { all | ssh | telnet }

By default, Telnet and SSH are supported.

A protocol change takes effect only on users who log in after the setting is made. It does not affect users who are already online when the setting is made.

In VTY line view, this command is associated with the authentication-mode command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

8.     (Optional.) Set the maximum number of concurrent SSH users.

aaa session-limit ssh max-sessions

By default, the maximum number of concurrent SSH users is 32.

Changing this setting does not affect users who are currently online. If the new limit is less than the number of online SSH users, no additional SSH users can log in until the number drops below the new limit.

For more information about this command, see User Access and Authentication Command Reference.

9.     (Optional.) Configure common settings for VTY lines:

a.     Return to system view.

quit

b.     Configure common settings for VTY lines.

See "Configuring common VTY line settings."

Using the device to log in to an SSH server

About this task

You can use the device as an SSH client to log in to an SSH server.

Figure 4 Logging in to an SSH server from the device

Prerequisites

Assign an IP address to the device and obtain the IP address of the SSH server. If the device resides on a different subnet than the SSH server, make sure the device and the SSH server can reach each other.

Procedure

To use the device to log in to an SSH server, execute one of the following commands in user view:

IPv4:

ssh2 server

IPv6:

ssh2 ipv6 server

To work with the SSH server, you might need to specify a set of parameters. For more information, see Security Configuration Guide.

Verifying and maintaining CLI login

Displaying user line configuration and operating status

Perform display tasks in any view.

·     Display user line information.

display line [ num1 | { aux | vty } num2 ] [ summary ]

·     Display online CLI users.

display users [ all ]

Sending messages to user lines

To send messages to user lines, execute the following command in user view:

send { all | num1 | { aux | vty } num2 }

Releasing user lines

About this task

Multiple users can log in to the device simultaneously and configure it. When necessary, you can execute this command to release some of those user connections.

Restrictions and guidelines

You cannot use this command to release the connection you are using.

Procedure

To release user lines, execute the following command in user view:

free line { num1 | { aux | vty } num2 }

Locking the current user line

About this task

You can lock the current user line to prevent unauthorized users from using the line.

Procedure

Perform lock tasks in user view.

·     Lock the current user line and set the password for unlocking the line.

lock

To unlock the locked user line, you must press Enter and provide the password you set.

·     Lock the current user line and enable unlocking authentication.

lock reauthentication

To unlock the locked user line, you must press Enter and provide the login password to pass reauthentication.

Displaying Telnet client settings

To display Telnet client settings, execute the following command in any view:

display telnet client

 


Configuring Web login

About Web login

The device provides a built-in Web server that supports HTTP and HTTPS. You can use a Web browser to log in to the Web server and configure the device. For more information, see HTTP configuration in Network Connectivity Configuration Guide.

Restrictions and guidelines: Web login configuration

To improve device security, the system automatically enables the HTTPS service when you enable the HTTP service. When the HTTP service is enabled, you cannot disable the HTTPS service.

Web login configuration tasks at a glance

To configure Web login, perform the following tasks:

1.     Configuring Web login

¡     Configuring HTTP login

¡     Configuring HTTPS login

2.     Configuring a Web login local user

3.     Managing Web connections

4.     Enabling Web operation logging

Prerequisites for Web login

Before logging in to the Web interface of the device, log in to the device by using any other method and assign an IP address to the device. Make sure the configuration terminal and the device can communicate over the IP network.

Configuring HTTP login

1.     (Optional.) Specify a fixed verification code for Web login.

web captcha verification-code

By default, no fixed verification code is specified. A Web user must enter the verification code displayed on the login page at login.

Execute this command in user view.

2.     Enter system view.

system-view

3.     Enable the HTTP service.

ip http enable

By default, the HTTP service is disabled.

For more information about this command, see Network Connectivity Command Reference.

4.     (Optional.) Specify the HTTP service port number.

ip http port port-number

The default HTTP service port number is 80.

For more information about this command, see Network Connectivity Command Reference.

5.     (Optional.) Specify the HTTP methods to be added to the reply to an OPTIONS request.

http method { delete | get | head | options | post | put } *

By default, no HTTP methods are specified.

6.     (Optional.) Enable the HTTP preflight request feature.

ip http preflight enable

By default, the HTTP preflight request feature is disabled.

7.     (Optional.) Add a URL to the URL allowlist for HTTP access.

http url allowlist url

By default, no URL is in the URL allowlist for HTTP access.

Configuring HTTPS login

1.     (Optional.) Specify a fixed verification code for Web login.

web captcha verification-code

By default, no fixed verification code is configured. A Web user must enter the verification code displayed on the login page at login.

2.     Enter system view.

system-view

3.     (Optional.) Apply policies to the HTTPS service.

¡     Apply an SSL server policy.

ip https ssl-server-policy policy-name

By default, no SSL server policy is associated, and the HTTPS service uses a self-signed certificate.

For more information about this command, see Network Connectivity Command Reference.

¡     Apply a certificate-based access control policy to control HTTPS access.

ip https certificate access-control-policy policy-name

By default, no certificate-based access control policy is applied.

For more information about this command, see Network Connectivity Command Reference. For more information about certificate-based access control policies, see PKI in Security Configuration Guide.

4.     Enable the HTTPS service.

ip https enable

By default, HTTPS is disabled.

For more information about this command, see Network Connectivity Command Reference.

5.     (Optional.) Specify the HTTPS service port number.

ip https port port-number

The default HTTPS service port number is 443.

For more information about this command, see Network Connectivity Command Reference.

6.     (Optional.) Set the HTTPS login authentication mode.

web https-authorization mode { auto | manual }

By default, manual authentication mode is used for HTTPS login.

Configuring a Web login local user

1.     Enter system view.

system-view

2.     Create a local user and enter local user view.

local-user user-name [ class manage ]

3.     (Optional.) Configure a password for the local user.

password [ { hash | simple } password ]

By default, no password is configured for a local user. The local user can pass authentication after entering the correct username and passing attribute checks.

4.     Configure user attributes.

¡     Assign a user role to the local user.

authorization-attribute user-role user-role

The default user role is network-operator for a Web user.

¡     Specify the service type for the local user.

service-type { http | https }

By default, no service type is specified for a local user.

Managing Web connections

Setting the Web connection idle-timeout timer

1.     Enter system view.

system-view

2.     Set the Web connection idle-timeout timer.

web idle-timeout minutes

By default, the Web connection idle-timeout timer is 10 minutes.

Specifying the maximum number of online HTTP or HTTPS users

1.     Enter system view.

system-view

2.     Specify the maximum number of online HTTP or HTTPS users.

aaa session-limit { http | https } max-sessions

By default, the device supports a maximum number of 32 online HTTP users and 32 online HTTPS users.

Changing this setting does not affect users who are currently online. If the new setting is less than the number of online HTTP or HTTPS users, no additional HTTP or HTTPS users can log in until the number drops below the new limit. For more information about this command, see User Access and Authentication Command Reference.

Logging off Web users

To log off Web users, execute the following command in user view:

free web users { all | user-id user-id | user-name user-name }

Enabling Web operation logging

1.     Enter system view.

system-view

2.     Enable Web operation logging.

webui log enable

By default, Web operation logging is disabled.

Verifying and maintaining Web login

Perform display tasks in any view.

·     Display Web interface navigation tree information.

display web menu [ chinese ]

·     Display online Web users.

display web users

Web login configuration examples

Example: Configuring HTTP login

Network configuration

As shown in Figure 5, the host and the AC can communicate over the IP network.

Configure the AC to allow the host to log in by using HTTP.

Figure 5 Network diagram

Procedure

# Create VLAN-interface 100 and assign IP address 192.168.100.99/24 to the interface. (Details not shown.)

# Create a local user named admin. Set the password to hello12345, the service type to HTTP, and the user role to network-admin.

<AC> system-view

[AC] local-user admin

[AC-luser-manage-admin] service-type http

[AC-luser-manage-admin] authorization-attribute user-role network-admin

[AC-luser-manage-admin] password simple hello12345

[AC-luser-manage-admin] quit

# Enable HTTP.

[AC] ip http enable

Verifying the configuration

1.     On the host, run a Web browser and enter the IP address of the device in the address bar.

The Web login page appears.

2.     Enter the username and password. Click Login.

After you pass authentication, the homepage appears and you can configure the AC.

Example: Configuring HTTPS login with a Windows Server 2003 CA server

Network configuration

As shown in Figure 6, the host, AC, and CA can communicate over the IP network.

Perform the following tasks to allow only authorized users to access the AC's Web interface:

·     Configure the AC as the HTTPS server and request a certificate for the AC.

·     Configure the host as the HTTPS client and request a certificate for the host.

Figure 6 Network diagram

Restrictions and guidelines

If the Windows Server 2003 CA server issues the certificates for the AC and the host, the browser displays a security warning when a user accesses the device over HTTPS. A user who accepts the risk of this type of authentication can ignore the warning and continue to the webpage.

Prerequisites

Assign IP addresses to relevant interfaces. Make sure the host, AC, and CA can communicate over the IP network. (Details not shown.)

This example uses a Windows Server 2003 CA server. Configure the Windows Server 2003 CA server as required. For more information, see PKI configuration in Security Configuration Guide.

Procedure

1.     Configure the AC (HTTPS server):

# Create PKI entity en and set entity parameters.

<AC> system-view

[AC] pki entity en

[AC-pki-entity-en] common-name http-server1

[AC-pki-entity-en] fqdn ssl.security.com

[AC-pki-entity-en] quit

# Create PKI domain 1 and set domain parameters.

[AC] pki domain 1

[AC-pki-domain-1] ca identifier new-ca

[AC-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll

[AC-pki-domain-1] certificate request from ra

[AC-pki-domain-1] certificate request entity en

# Configure the PKI domain to use the 1024-bit RSA key pair hostkey for both signing and encryption. (A 1024-bit key is used here only to match the legacy Windows Server 2003 CA in this example. 1024-bit RSA no longer meets common requirements, such as public CA rules and NIST guidance, which require at least 2048 bits, so use a longer key in a new deployment.)

[AC-pki-domain-1] public-key rsa general name hostkey length 1024

[AC-pki-domain-1] quit

# Create RSA local key pairs.

[AC] public-key local create rsa

# Retrieve the CA certificate.

[AC] pki retrieve-certificate domain 1 ca

# Configure the AC to request a local certificate through SCEP.

[AC] pki request-certificate domain 1

# Create SSL server policy myssl. Specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.

[AC] ssl server-policy myssl

[AC-ssl-server-policy-myssl] pki-domain 1

[AC-ssl-server-policy-myssl] client-verify enable

[AC-ssl-server-policy-myssl] quit

# Create certificate attribute group mygroup1. Configure a certificate attribute rule that matches certificates whose issuer distinguished name contains the string new-ca.

[AC] pki certificate attribute-group mygroup1

[AC-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca

[AC-pki-cert-attribute-group-mygroup1] quit

# Create certificate-based access control policy myacp. Configure a certificate access control rule that uses the matching criteria in certificate attribute group mygroup1.

[AC] pki certificate access-control-policy myacp

[AC-pki-cert-acp-myacp] rule 1 permit mygroup1

[AC-pki-cert-acp-myacp] quit

# Associate SSL server policy myssl with the HTTPS service.

[AC] ip https ssl-server-policy myssl

# Use certificate-based access control policy myacp to control HTTPS access.

[AC] ip https certificate access-control-policy myacp

# Enable the HTTPS service.

[AC] ip https enable

# Create local user usera. Set the password to hello12345, the service type to HTTPS, and the user role to network-admin.

[AC] local-user usera

[AC-luser-manage-usera] password simple hello12345

[AC-luser-manage-usera] service-type https

[AC-luser-manage-usera] authorization-attribute user-role network-admin

2.     Configure the host (HTTPS client):

# On the host, run a Web browser and enter http://10.1.2.2/certsrv in the address bar.

# Request a certificate for the host as prompted.

Verifying the configuration

1.     On the host, enter https://10.1.1.1 in the Web browser's address bar, and select the certificate issued by new-ca.

2.     When the Web login page appears, enter username usera and password hello12345 to log in to the Web interface.

For more information about PKI and SSL configuration commands and the public-key local create rsa command, see Security Command Reference.

Example: Configuring HTTPS login with CA certificate and local certificate obtained

Network configuration

As shown in Figure 7, users access and manage the AC through its Web interface. To prevent unauthorized access, users must log in to the Web interface of the AC through HTTPS.

Figure 7 Network diagram

Restrictions and guidelines

When the host browser validates the local certificate presented by the HTTPS website, it checks whether a subject alternative name (SAN) in the certificate matches the domain name being accessed. Therefore, when applying for a local certificate, configure the subject alternative name as the domain name of the HTTPS website, as prompted by the CA. This ensures that when you use that domain name to access the HTTPS website, the browser can successfully verify the local certificate of the AC Web interface.

To manage multiple ACs at the same time, you can apply for a wildcard certificate when applying for a local certificate from the CA. For example, configure the subject alternative name as *.abc.com and map the Web login IP addresses of the ACs to different domain names such as AC1.abc.com and AC2.abc.com. When you log in to any of those ACs through HTTPS, the browser can successfully verify the local certificate of the Web interface.
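The following Python script is an added example, not H3C code or part of this guide. It models the browser-side check the two guidelines above depend on: how a URL host is compared with the subject alternative names in a certificate, including the wildcard rules that decide whether *.abc.com covers AC1.abc.com. The SAN lists in it are constructed. Current browsers ignore the subject common name and compare only SANs; a wildcard is accepted only as the whole leftmost label, covers exactly one label and never the bare parent domain; and a host typed as an IP literal (https://10.1.1.1) is compared only with iPAddress entries, so a certificate with only dNSName entries fails for it even if one of those names resolves to that address.

```python
"""Browser-style hostname check against a certificate's subject alternative
names (SANs). Added example, not H3C code; the SAN lists are constructed.
Rules follow what current browsers enforce (RFC 6125 / RFC 9525 style)."""
from ipaddress import ip_address
from typing import Iterable, Optional, Tuple

San = Tuple[str, str]   # ("dns", "xyz.abc.com") or ("ip", "10.1.1.1")


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN (possibly a wildcard) against a DNS hostname."""
    p_labels = _normalize(pattern).split(".")
    h_labels = _normalize(hostname).split(".")
    if "" in p_labels or "" in h_labels:
        return False                       # empty label: malformed name
    if len(p_labels) != len(h_labels):
        return False                       # a wildcard covers exactly one label
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" is never accepted.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False                       # partial wildcards (f*.abc.com) rejected
    return p_labels == h_labels


def hostname_matches(sans: Iterable[San], host: str) -> bool:
    """Return True if the URL host component matches any SAN entry."""
    host = host.strip("[]")                # bracketed IPv6 literal in URLs
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    for san_type, value in sans:
        if ip is not None:
            # IP literals are compared with iPAddress entries only.
            if san_type == "ip":
                try:
                    if ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
        elif san_type == "dns" and dns_name_matches(value, host):
            return True
    return False


def first_match(sans: Iterable[San], host: str) -> Optional[San]:
    """Which SAN entry satisfied the check; handy when a login fails."""
    for san in sans:
        if hostname_matches([san], host):
            return san
    return None


# Constructed SAN lists for the two certificates discussed above.
WILDCARD_CERT = [("dns", "*.abc.com")]
SINGLE_AC_CERT = [("dns", "xyz.abc.com"), ("ip", "10.1.1.1")]

if __name__ == "__main__":
    for host in ("AC1.abc.com", "ac2.abc.com", "abc.com", "a.b.abc.com", "10.1.1.1"):
        print(f"{host:14} wildcard cert: {hostname_matches(WILDCARD_CERT, host)}")
```

Run it before uploading a certificate to the AC: if the name you will type in the browser does not satisfy hostname_matches against the SANs in the certificate you requested, the browser will reject the certificate no matter how the AC is configured.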

Prerequisites

·     Make sure the following requirements are met:

¡     The host has obtained and installed a CA certificate that can verify the validity of the local certificate on the AC.

¡     When the host accesses the AC through the domain name in the subject alternative name field of the local certificate, the domain name resolves to an IP address through which the AC Web interface can be reached.

·     Make sure a CA certificate, a local certificate file, and the key pair file associated with the local certificate have been uploaded to the file system of the AC over FTP or TFTP. For more information about FTP and TFTP, see "Configuring FTP" and "Configuring TFTP."

Procedure

 

1.     Configure a PKI domain:

# Create PKI domain aaa and enter its view.

<AC> system-view

[AC] pki domain aaa

# Disable CRL checking. (You can configure CRL checking as required. This example assumes CRL checking is not required.)

[AC-pki-domain-aaa] undo crl check enable

# Configure a general-purpose RSA key pair named abc for certificate request in the view of PKI domain aaa.

[AC-pki-domain-aaa] public-key rsa general name abc

[AC-pki-domain-aaa] quit

2.     Import the certificate files:

# Import a CA certificate in PEM format to PKI domain aaa. This example imports a CA certificate named ca.pem.

[AC] pki import domain aaa pem ca filename ca.pem

# Import local certificate file xyz.abc.com.cert.pem in PEM format that does not contain a key pair to the PKI domain.

[AC] pki import domain aaa pem local filename xyz.abc.com.cert.pem

# Import local asymmetric key pair file xyz.abc.com.key.pem in PEM format to the PKI domain.

[AC] public-key local import rsa abc filename xyz.abc.com.key.pem

3.     Configure an SSL server policy and HTTPS service:

# Create SSL server policy myssl and specify PKI domain aaa for the SSL server policy.

[AC] ssl server-policy myssl

[AC-ssl-server-policy-myssl] pki-domain aaa

[AC-ssl-server-policy-myssl] quit

# Associate SSL server policy myssl with the HTTPS service.

[AC] ip https ssl-server-policy myssl

# Enable the HTTPS service.

[AC] ip https enable

# Create local user usera. Set the password to hello12345, the service type to HTTPS, and the user role to network-admin.

[AC] local-user usera

[AC-luser-manage-usera] password simple hello12345

[AC-luser-manage-usera] service-type https

[AC-luser-manage-usera] authorization-attribute user-role network-admin

For more information about PKI and SSL configuration commands, see Security Command Reference.

Verifying the configuration

1.     On the host, enter the domain name of the AC Web interface in the Web browser's address bar.

2.     When the Web login page appears, enter username usera and password hello12345 to log in to the Web interface.


Controlling user access to the device

About login user access control

Use ACLs to prevent unauthorized access, and configure command authorization and accounting to monitor and control user behavior.

To control user access, specify an ACL that has rules so that only users permitted by the ACL can access the device.

·     If no ACL is applied, all users can access the device.

·     If the ACL for Web user access control does not exist or does not have rules, all Web users can access the device.

·     If the ACL for Telnet, SSH, or SNMP access control does not exist or does not have rules, no Telnet, SSH, or SNMP users can access the device.

For more information about ACLs, see ACL configuration in Security Configuration Guide.
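The following Python script is an added example, not H3C code or part of this guide. It models the decision rules stated above so that an ACL can be checked before it is applied with telnet server acl, ssh server acl or ip http acl, in particular whether the station you are configuring from would still be permitted. It uses the H3C wildcard-mask convention (0 bits must match, so a wildcard of 0 is an exact host match), first-match evaluation in configuration order, and the documented asymmetry: a missing or empty ACL lets every Web user in but blocks every Telnet, SSH and SNMP user. A source that matches no rule is denied, which is the outcome Host A gets in the Telnet example later in this section. Host B's address 10.110.100.52 is from the examples; the other addresses are constructed.

```python
"""Model of the login-control ACL decision described above.
Added example, not H3C code. Addresses other than Host B's are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional


def _wildcard_to_int(wildcard: str) -> int:
    """The CLI accepts a bare 0 as well as the dotted form (0.0.0.255)."""
    return int(wildcard) if "." not in wildcard else int(IPv4Address(wildcard))


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    source: Optional[str] = None     # None means any source
    wildcard: str = "0"              # H3C wildcard mask: 0 bits must match

    def matches(self, src: IPv4Address) -> bool:
        if self.source is None:
            return True
        care = ~_wildcard_to_int(self.wildcard) & 0xFFFFFFFF
        return (int(src) & care) == (int(IPv4Address(self.source)) & care)


@dataclass
class BasicAcl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def lookup(self, src: IPv4Address) -> Optional[str]:
        """First-match action (match-order config), or None if no rule matches."""
        for rule in self.rules:
            if rule.matches(src):
                return rule.action
        return None


FAIL_OPEN_SERVICES = {"http", "https"}          # missing/empty ACL: everyone in
FAIL_CLOSED_SERVICES = {"telnet", "ssh", "snmp"}  # missing/empty ACL: nobody in


def login_permitted(service: str, applied_acl: Optional[int],
                    acls: Dict[int, BasicAcl], src: IPv4Address) -> bool:
    """Decide whether a login from src to the given service is permitted."""
    if service not in FAIL_OPEN_SERVICES | FAIL_CLOSED_SERVICES:
        raise ValueError(f"unknown service {service!r}")
    if applied_acl is None:
        return True                               # no ACL applied at all
    acl = acls.get(applied_acl)
    if acl is None or not acl.rules:
        return service in FAIL_OPEN_SERVICES      # the documented asymmetry
    return acl.lookup(src) == "permit"            # no match -> None -> deny


def would_lock_out(service: str, applied_acl: Optional[int],
                   acls: Dict[int, BasicAcl], my_station: IPv4Address) -> bool:
    """True if applying this ACL would cut off the station you configure from."""
    return not login_permitted(service, applied_acl, acls, my_station)


# The ACLs from the Telnet and Web examples, plus a constructed empty ACL.
ACLS = {
    2000: BasicAcl(2000, [Rule(1, "permit", "10.110.100.52", "0")]),
    2030: BasicAcl(2030, [Rule(1, "permit", "10.110.100.52", "0")]),
    2999: BasicAcl(2999, []),
}
HOST_B = IPv4Address("10.110.100.52")
HOST_A = IPv4Address("10.110.100.53")   # constructed: Host A's address is not given

if __name__ == "__main__":
    for svc, acl_no in (("telnet", 2000), ("http", 2030), ("telnet", 2999),
                        ("http", 2999), ("ssh", 3001)):
        for host in (HOST_B, HOST_A):
            verdict = "permit" if login_permitted(svc, acl_no, ACLS, host) else "deny"
            print(f"{svc:6} acl {acl_no}: {host} -> {verdict}")
```

The case worth remembering is the empty or not-yet-created ACL: applying acl 2999 to telnet server acl locks every Telnet user out, while applying the same number to ip http acl leaves the Web interface open to everyone, so create and populate the ACL before referencing it, and keep a console path available while you do.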

Controlling Telnet and SSH logins

Controlling Telnet logins

1.     Enter system view.

system-view

2.     Apply an ACL to control Telnet logins.

IPv4:

telnet server acl { advanced-acl-number | basic-acl-number | mac mac-acl-number }

IPv6:

telnet server ipv6 acl { ipv6 { advanced-acl-number | basic-acl-number } | mac mac-acl-number }

By default, no ACL is used to control Telnet logins.

3.     (Optional.) Enable logging for Telnet login attempts that are denied by the Telnet login control ACL.

telnet server acl-deny-log enable

By default, logging is disabled for Telnet login attempts that are denied by the Telnet login control ACL.

Controlling SSH logins

1.     Enter system view.

system-view

2.     Apply an ACL to control SSH logins.

IPv4:

ssh server acl { advanced-acl-number | basic-acl-number | mac mac-acl-number }

IPv6:

ssh server ipv6 acl { ipv6 { advanced-acl-number | basic-acl-number } | mac mac-acl-number }

By default, no ACL is used to control SSH logins.

3.     (Optional.) Enable logging for SSH login attempts that are denied by the SSH login control ACL.

ssh server acl-deny-log enable

By default, logging is disabled for SSH login attempts that are denied by the SSH login control ACL.

For more information about ssh commands, see Security Command Reference.

Example: Controlling Telnet login

Network configuration

As shown in Figure 8, the AC is a Telnet server.

Configure the AC to permit only Telnet packets sourced from Host B.

Figure 8 Network diagram

Procedure

# Configure an ACL to permit packets sourced from Host B.

<AC> system-view

[AC] acl basic 2000 match-order config

[AC-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0

[AC-acl-ipv4-basic-2000] quit

# Enable the Telnet server and apply the ACL to filter Telnet logins.

[AC] telnet server enable

[AC] telnet server acl 2000

Verifying the configuration

# Log in to Telnet server 10.110.110.66 from Host B.

C:\> telnet 10.110.110.66

Trying 10.110.110.66 ...

Press CTRL+K to abort

Connected to 10.110.110.66 ...

 

******************************************************************************

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

<AC>

The output shows that you can log in to the Telnet server from Host B.      

# Log in to Telnet server 10.110.110.66 from Host A.

C:\> telnet 10.110.110.66

Trying 10.110.110.66 ...

Press CTRL+K to abort

Connected to 10.110.110.66 ...

Failed to connect to the remote host!

The output shows that you cannot log in to the Telnet server from Host A.

Controlling Web logins

Configuring source IP-based Web login control

1.     Enter system view.

system-view

2.     Apply a basic ACL to control Web logins.

¡     Control HTTP logins.

ip http acl { acl-number | name acl-name }

¡     Control HTTPS logins.

ip https acl { acl-number | name acl-name }

By default, no ACL is applied to control Web logins.

3.     (Optional.) Apply an ACL to control TCP connections.

¡     Control TCP connections from HTTP clients.

IPv4:

http acl { advanced-acl-number | basic-acl-number }

IPv6:

http ipv6 acl { advanced-acl-number | basic-acl-number }

¡     Control TCP connections from HTTPS clients.

IPv4:

https acl { advanced-acl-number | basic-acl-number }

IPv6:

https ipv6 acl { advanced-acl-number | basic-acl-number }

By default, all HTTP clients and HTTPS clients can establish TCP connections to the device.

Example: Controlling Web login

Network configuration

As shown in Figure 9, the AC is an HTTP server.

Configure the AC to provide HTTP service only to Host B.

Figure 9 Network diagram

Procedure

# Create an ACL and configure rule 1 to permit packets sourced from Host B.

<AC> system-view

[AC] acl basic 2030 match-order config

[AC-acl-ipv4-basic-2030] rule 1 permit source 10.110.100.52 0

[AC-acl-ipv4-basic-2030] quit

# Enable the HTTP service and apply the ACL to the HTTP service so only a Web user on Host B can access the AC.

[AC] ip http enable

[AC] ip http acl 2030

Verifying the configuration

# Verify that you can log in to HTTP server 10.110.110.66 from Host B.

1.     On Host B, launch a Web browser and enter http://10.110.110.66 in the address bar.

2.     Enter the username and password. Click Login.

After you pass authentication, the homepage appears and you can configure the AC.

# Verify that you cannot log in to HTTP server 10.110.110.66 from Host A.

3.     On Host A, launch a Web browser and enter http://10.110.110.66 in the address bar.

4.     Enter the username and password. Click Login.

You cannot pass authentication.

Configuring command authorization

About command authorization

By default, commands available for a user depend only on the user's user roles. When the authentication mode is scheme, you can configure the command authorization feature to further control access to commands.

After you enable command authorization, a user can use only commands that are permitted by both the AAA scheme and user roles.

Restrictions and guidelines

The command authorization method can be different from the user login authorization method.

For the command authorization feature to take effect, you must configure a command authorization method in ISP domain view. For more information, see AAA in User Access and Authentication Configuration Guide.

For the command authorization feature to take effect, you must also set the authentication mode for device login to scheme. If the authentication mode is none or password, command authorization will not take effect after you enable command authorization.

Procedure

1.     Enter system view.

system-view

2.     Enter user line view or user line class view.

¡     Enter user line view.

line { first-number1 [ last-number1 ] | { aux | vty } first-number2 [ last-number2 ] }

¡     Enter user line class view.

line class { aux | vty }

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over the default setting in the other view. A non-default setting in user line view takes precedence over the non-default setting in user line class view.

A setting in user line class view takes effect only on users who log in after the setting is made. It does not affect users who are already online when the setting is made.

3.     Enable scheme authentication.

authentication-mode scheme

By default, authentication is disabled for console login.

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

 

CAUTION:

When you enable scheme authentication, make sure an authentication user account is available. If no authentication user account is available, you cannot log in to the device through the line or line class at the next time.

 

4.     Enable command authorization.

command authorization

By default, command authorization is disabled, and the commands available for a user only depend on the user role.

If the command authorization command is executed in user line class view, command authorization is enabled on all user lines in the class. You cannot execute the undo command authorization command in the view of a user line in the class.

Example: Configuring command authorization

Network configuration

As shown in Figure 10, a user needs to log in to the AC to manage the AC from Host A.

Configure the AC to perform the following operations:

·     Allow Host A to Telnet in after authentication.

·     Use the HWTACACS server to control the commands that the user can execute.

·     Use local authorization if the HWTACACS server is not available.

Figure 10 Network diagram

Procedure

# Assign IP addresses to relevant interfaces. Make sure the AC and the HWTACACS server can reach each other, and the AC and Host A can reach each other. (Details not shown.)

# Enable the Telnet server.

<AC> system-view

[AC] telnet server enable

# Enable scheme authentication for user lines VTY 0 through VTY 4.

[AC] line vty 0 4

[AC-line-vty0-4] authentication-mode scheme

# Enable command authorization for the user lines.

[AC-line-vty0-4] command authorization

[AC-line-vty0-4] quit

# Create HWTACACS scheme tac.

[AC] hwtacacs scheme tac

# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for authentication and authorization.

[AC-hwtacacs-tac] primary authentication 192.168.2.20 49

[AC-hwtacacs-tac] primary authorization 192.168.2.20 49

# Set the shared keys to expert.

[AC-hwtacacs-tac] key authentication simple expert

[AC-hwtacacs-tac] key authorization simple expert

# Remove domain names from usernames sent to the HWTACACS server.

[AC-hwtacacs-tac] user-name-format without-domain

[AC-hwtacacs-tac] quit

# Configure the system-defined domain (system).

[AC] domain system

# Use scheme tac for login user authentication and command authorization. Use local authentication and local authorization as the backup method.

[AC-isp-system] authentication login hwtacacs-scheme tac local

[AC-isp-system] authorization command hwtacacs-scheme tac local

[AC-isp-system] quit

# Create local user monitor. Set the simple password to hello12345, the service type to Telnet, and the default user role to level-1.

[AC] local-user monitor

[AC-luser-manage-monitor] password simple hello12345

[AC-luser-manage-monitor] service-type telnet

[AC-luser-manage-monitor] authorization-attribute user-role level-1

Verifying the configuration

# Telnet to AC 10.110.100.77 from Host A. After login, execute the ip http enable command. Because you are not authorized to execute the command, the system displays Permission denied.

C:\> telnet 10.110.100.77

Trying 10.110.100.77 ...

Press CTRL+K to abort

Connected to 10.110.100.77 ...

 

******************************************************************************

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

login: monitor

Password:

<AC> system-view

System View: return to User View with Ctrl+Z.

[AC] ip http enable

Permission denied.

[AC]

# Execute the interface command. Because you are authorized to execute the command, you enter the interface view.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1]

Configuring command accounting

About command accounting

Command accounting uses the HWTACACS server to record all executed commands to monitor user behavior on the device.

If command accounting is enabled but command authorization is not, every executed command is recorded. If both command accounting and command authorization are enabled, only authorized commands that are executed are recorded.
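The following Python script is an added example, not H3C code or part of this guide. It builds and parses a TACACS+ accounting REQUEST as specified in RFC 8907 so you can see what a command accounting record looks like on the wire. It assumes that the HWTACACS framing used by the AC is the TACACS+ one, which this guide does not state, and the argument names (service=shell, task_id=..., cmd=...) and the user, line and host values are constructed. The point a practitioner should take from it: the packet body is not encrypted, only XORed with an MD5 keystream derived from the session ID, the shared key, the version and the sequence number, so anyone who obtains the shared key (expert in the examples of this section) and a capture of the traffic can read every recorded command. Treat the key as a secret and keep the path to the accounting server inside the management network.

```python
"""TACACS+ accounting REQUEST (RFC 8907) built and parsed in Python.
Added example, not H3C code; field values are constructed."""
import hashlib
import struct
from typing import Dict, List, Tuple

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0
TAC_PLUS_ACCT = 0x03               # packet type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # set only when no shared key is configured
ACCT_FLAG_START = 0x02
ACCT_FLAG_STOP = 0x04
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad: MD5 chain over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate the body (XOR is its own inverse)."""
    ks = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))


def build_acct_body(flags: int, user: str, port: str, rem_addr: str,
                    args: List[str], priv_lvl: int = 1) -> bytes:
    """Accounting REQUEST body in the RFC 8907 section 7.1 layout."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!9B", flags, AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Header plus obfuscated body, as sent from the device to the server."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet: bytes, key: bytes) -> Tuple[Dict[str, int], bytes]:
    """Split header from body and recover the cleartext body with the given key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    header = {"version": version, "type": ptype, "seq_no": seq_no,
              "flags": flags, "session_id": session_id, "length": length}
    return header, body


def decode_acct_body(body: bytes) -> Dict[str, object]:
    """Parse a cleartext accounting REQUEST body back into its fields."""
    flags, _meth, priv, _atype, _svc, ulen, plen, rlen, argc = struct.unpack("!9B", body[:9])
    arg_lens = list(body[9:9 + argc])
    off = 9 + argc
    user, off = body[off:off + ulen].decode(), off + ulen
    port, off = body[off:off + plen].decode(), off + plen
    rem, off = body[off:off + rlen].decode(), off + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    if off != len(body):
        raise ValueError("body length does not match field lengths")
    return {"flags": flags, "priv_lvl": priv, "user": user, "port": port,
            "rem_addr": rem, "args": args}


# Constructed record for the command denied in the authorization example.
EXAMPLE_ARGS = ["service=shell", "task_id=1", "cmd=ip http enable"]
EXAMPLE_BODY = build_acct_body(ACCT_FLAG_STOP, "monitor", "vty0", "10.110.100.1", EXAMPLE_ARGS)

if __name__ == "__main__":
    pkt = build_packet(EXAMPLE_BODY, 0x1234ABCD, b"expert")
    print(pkt.hex())
    print(decode_acct_body(parse_packet(pkt, b"expert")[1]))
```

Parsing the same packet with a wrong key yields garbage rather than an error, which is why a server with a mismatched shared key reports malformed packets instead of an authentication failure; check the key accounting setting on the device against the server configuration first when accounting records do not appear.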

Restrictions and guidelines

The command accounting method can be the same as or different from the command authorization method and user login authorization method.

For the command accounting feature to take effect, you must configure a command accounting method in ISP domain view. For more information, see AAA in User Access and Authentication Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter user line view or user line class view.

¡     Enter user line view.

line { first-number1 [ last-number1 ] | { aux | vty } first-number2 [ last-number2 ] }

¡     Enter user line class view.

line class { aux | vty }

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over the default setting in the other view. A non-default setting in user line view takes precedence over the non-default setting in user line class view.

A setting in user line class view takes effect only on users who log in after the setting is made. It does not affect users who are already online when the setting is made.

3.     Enable scheme authentication.

authentication-mode scheme

By default, authentication is disabled for console login.

In VTY line view, this command is associated with the protocol inbound command. If one command has a non-default setting in VTY line view, the other command uses its setting in VTY line view, regardless of its setting in VTY line class view.

 

CAUTION:

When you enable scheme authentication, make sure an authentication user account is available. If no authentication user account is available, you cannot log in to the device through the line or line class at the next time.

 

4.     Enable command accounting.

command accounting

By default, command accounting is disabled. The accounting server does not record the commands executed by users.

If the command accounting command is executed in user line class view, command accounting is enabled on all user lines in the class. You cannot execute the undo command accounting command in the view of a user line in the class.

Example: Configuring command accounting

Network configuration

As shown in Figure 11, users need to log in to the AC to manage the AC.

Configure the AC to send commands executed by users to the HWTACACS server to monitor and control user operations on the AC.

Figure 11 Network diagram

Procedure

# Enable the Telnet server.

<AC> system-view

[AC] telnet server enable

# Enable command accounting for user line console 0.

[AC] line console 0

[AC-line-console0] command accounting

[AC-line-console0] quit

# Enable command accounting for user lines VTY 0 through VTY 4.

[AC] line vty 0 4

[AC-line-vty0-4] command accounting

[AC-line-vty0-4] quit

# Create HWTACACS scheme tac.

[AC] hwtacacs scheme tac

# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for accounting.

[AC-hwtacacs-tac] primary accounting 192.168.2.20 49

# Set the shared key to expert.

[AC-hwtacacs-tac] key accounting simple expert

# Remove domain names from usernames sent to the HWTACACS server.

[AC-hwtacacs-tac] user-name-format without-domain

[AC-hwtacacs-tac] quit

# Configure the system-defined domain (system) to use the HWTACACS scheme for command accounting.

[AC] domain system

[AC-isp-system] accounting command hwtacacs-scheme tac

[AC-isp-system] quit

Verifying the configuration

# Log in to the AC from Host A, Host B, and Host C as Telnet or SSH clients, and perform VLAN and interface configuration. The accounting server processes the accounting packets from the hosts as defined by the accounting settings. (Details not shown.)


Configuring character encodings

About character encodings

A character encoding is used to encode the characters in a character set into a specific binary number for storage. Each character in a character set corresponds to a unique binary code.

The device supports the GB18030 and UTF-8 encodings, which are available for both Chinese and English. GB18030 uses one byte and two bytes to encode English and Chinese characters, respectively, while UTF-8 uses one byte and three bytes. UTF-8 is an international encoding that contains all characters around the world, and can display correctly on the supported browsers. GB18030 saves more space for Chinese than UTF-8, but might display incorrectly because it is not universal.

Specifying character encodings

About this task

If the parameters to configure contain Chinese characters, make sure the login terminal and the device use the same character encoding. Otherwise, the configuration containing Chinese characters on the device might fail to be parsed correctly, or even fail to take effect.

This feature specifies the encoding for the configuration saved on the device, the default encoding for CLI terminals, and the encoding for SNMP clients. The encoding in which the system saves the configuration is the system encoding, the encoding used for data transferred within the system: configuration entered on the device is converted to the system encoding before it is sent to the plug-in, and is then saved to the system configuration file. The default encoding of CLI terminals and the encoding of SNMP clients are user encodings, referred to as the COMSH user encoding and the SNMP user encoding, respectively. Console output is converted from the system encoding into the applicable user encoding.

Before configuring this feature, you can use display character-encoding to obtain current character encodings on the system and the login terminal.

Restrictions and guidelines

The character encoding settings on CLI terminals and SNMP clients take effect immediately and do not require a device reboot.

For a new character encoding to take effect on the system, reboot the device. Use the following restrictions and guidelines as needed:

·     Before rebooting the device, use display | original-encoding to predict whether the configuration in the next start-up configuration file can be parsed correctly in the new character encoding. If a setting displays incorrectly, the setting cannot be parsed, and the new character encoding will cause the setting to fail to be restored after the reboot. To resolve this issue, you can configure another character encoding or use character-encoding again after the reboot.

·     A new character encoding does not affect the character encodings that have already been specified for the configuration files and log files. The new encoding will not automatically convert the configuration files and log files. You can use display | original-encoding to manually convert the files and save the converted files to a new configuration file.

·     Before rebooting the device, you can use undo character-encoding to cancel the change to the system character encoding.

Procedure

1.     Enter system view.

system-view

2.     Specify a character encoding.

character-encoding system { gb18030 | utf-8 } cli-terminal { gb18030 | utf-8 } snmp { gb18030 | utf-8 }

By default, no character encoding is specified.

Specifying a character encoding for the current terminal

About this task

For Chinese characters to display correctly, make sure the login terminal and the system use the same character encoding.

Restrictions and guidelines

This feature is meaningful only when the system character encoding has been configured. You can use character-encoding to specify the system and terminal encodings. If you change the user encoding on the user interface, use terminal character-encoding to change the terminal encoding so that the user encoding and the terminal encoding stay consistent. The terminal character-encoding command takes effect immediately.

Procedure

To specify a character encoding for the current terminal, execute the following command in user view:

terminal character-encoding { gb18030 | utf-8 }

By default, the character encoding for the current terminal is the same as the default encoding for the CLI.

Enabling character encoding check

About this task

This feature enables the device to examine the input characters for compliance with the configured character encoding. If the characters do not comply with the character encoding, the characters are blocked and an error message is returned.

Restrictions and guidelines

As a best practice, enable this feature. If this feature is disabled, the device does not examine any input characters for compliance with the configured character encoding, or block any characters. If the input characters do not comply with the character encoding, the configuration will not take effect.

Procedure

To enable character encoding check, execute the following command in user view:

character-encoding check

By default, character encoding check is enabled.

Verifying and maintaining character encoding configuration

Displaying the current character encoding on the device or login terminal

To display the current character encoding on the device or login terminal, execute the following command in any view:

display character-encoding [ terminal ]

Converting the command output into a character encoding

About this task

This feature enables the device to convert the output from the specified command to the specified encoding. It is mainly used to identify whether the current configuration or command output can be correctly parsed in a new character encoding. If the matching information cannot be correctly parsed, perform one of the following operations:

·     Modify the command lines that cannot be correctly parsed, and then reboot the device.

·     Reboot the device for the new character encoding to take effect, and then modify the command lines that cannot be correctly parsed.

Procedure

To convert the output from a command in the system encoding into the character encoding on the current terminal, execute the following command in any view:

display command | original-encoding { gb18030 | utf-8 }
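The following added example (not H3C code; it uses Python's built-in gb18030 and utf-8 codecs on constructed sample config lines) models the three checks described in this section: the input check behind character-encoding check, the pre-reboot parse prediction behind display | original-encoding, and the manual conversion of a stored configuration from the old system encoding to the new one.

```python
# Added example, not H3C code: models the encoding checks described in this
# section with Python's built-in codecs. All sample config lines are constructed.
SUPPORTED = ("gb18030", "utf-8")  # the two encodings the AC supports


def encoded_length(text: str, encoding: str) -> int:
    """Bytes needed to store text: GB18030 uses 2 bytes per Chinese character, UTF-8 uses 3."""
    assert encoding in SUPPORTED
    return len(text.encode(encoding))


def check_input(data: bytes, encoding: str) -> tuple[bool, str]:
    """Mirror 'character-encoding check': accept input only if every byte sequence
    is valid in the configured encoding; otherwise report where it breaks."""
    assert encoding in SUPPORTED
    try:
        return True, data.decode(encoding)
    except UnicodeDecodeError as exc:
        return False, f"invalid {encoding} byte sequence at offset {exc.start}"


def predict_parse(config_lines: list[bytes], new_encoding: str) -> list[tuple[bytes, bool, str]]:
    """Mirror 'display | original-encoding' before a reboot: for each stored line,
    report whether it still parses under the new system encoding. A line that
    decodes but displays as garbage must still be judged by eye; this check only
    catches byte sequences that are outright invalid in the new encoding."""
    return [(line, *check_input(line, new_encoding)) for line in config_lines]


def convert_config(config_lines: list[bytes], old_encoding: str, new_encoding: str) -> list[bytes]:
    """Re-encode stored lines from the old system encoding into the new one, the
    manual conversion the guidelines call for before saving a new config file."""
    return [line.decode(old_encoding).encode(new_encoding) for line in config_lines]


# Constructed sample: a next-startup config saved while the system encoding was GB18030.
SAMPLE_GB18030_CONFIG = [
    b"sysname AC",                           # ASCII: identical in both encodings
    "description 核心".encode("gb18030"),   # Chinese interface description
]

if __name__ == "__main__":
    # Predict what happens if the system encoding is switched to UTF-8 and the device reboots.
    for line, ok, text in predict_parse(SAMPLE_GB18030_CONFIG, "utf-8"):
        print(f"{'OK  ' if ok else 'FAIL'} {line!r}: {text}")
    # Convert the stored lines so they can be saved as a UTF-8 configuration file.
    for line in convert_config(SAMPLE_GB18030_CONFIG, "gb18030", "utf-8"):
        print("converted:", line)
```

The Chinese description line fails the UTF-8 prediction because its GB18030 bytes are not valid UTF-8, which is the case the guidelines say will not be restored after the reboot; the ASCII line passes under both encodings.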
