H3C SR6608-M Router Troubleshooting Guide(V9)-R9141-6W100

01-Fundamentals: 02-Login Management Troubleshooting Guide

Troubleshooting fundamental settings

Login management issues

Forgetting the login password for the console port

Symptom

When local password authentication or AAA local authentication is used for console login, you cannot successfully log in to the device through the console port due to an incorrect password.

Common causes

The following are the common causes of this type of issue:

·     You forget the login password for the console port or enter an incorrect password.

·     The login account for the console port has expired.

Troubleshooting flow

Figure 1 shows the troubleshooting flowchart.

Figure 1 Flowchart for troubleshooting the issue of forgetting the login password for the console port

 

Solution

1.     Verify that you can log in to the device through Telnet or Stelnet.

If you have a user account assigned the Telnet or Stelnet service and the network-admin or level-15 user role, you can use this account to log in to the device through Telnet or Stelnet and modify the settings related to console login. The procedure is as follows:

a.     Use the account assigned the Telnet or Stelnet service to log in to the device and execute the display line command to view the authentication mode of the user line for the console port.

<Sysname> display line

  Idx  Type     Tx/Rx      Modem Auth  Int          Location

  0    CON 0    9600       -     P     -            0/0

+ 81   VTY 0               -     N     -            0/0

...

In the Auth field, P indicates local password authentication, A indicates AAA (scheme) authentication, and N indicates that no authentication is required on that user line. A plus sign (+) in the first column marks a user line that is currently in use.

b.     Verify that the user account you use has the network-admin or level-15 user role.

If you log in to the device on a user line that uses local password authentication or does not require authentication, you can enter the view of that user line to identify whether the user line is assigned the network-admin or level-15 user role. If you log in to the device on a user line that uses scheme authentication, the user roles are assigned by AAA. You must check the authorization attributes assigned to your user account to identify whether the user account is assigned the network-admin or level-15 user role. For local authentication, the user account is configured on the device. For remote authentication, the user account is configured on a remote server.

<Sysname> system-view

[Sysname] line vty 0

[Sysname-line-vty0] display this

#

line con 0

 authentication-mode password

 user-role network-admin

#

line vty 0 63

 authentication-mode none

 user-role network-admin

#

return

If your user account is not assigned the network-admin or level-15 user role, it does not have permissions to change the settings related to console login. In this case, proceed to step 2. If your user account is assigned the network-admin or level-15 user role, handle the password forgotten issue according to the authentication mode used for console login.

c.     If local password authentication is used for console login, change the authentication password for the console port.

Access the user line where the console port is located and set a new password for the user line. In this example, the password is 1234567890!. The simple keyword means the password is typed in plaintext on the command line (and is therefore visible on the terminal and in command history); the device saves it in hashed form in the configuration. As a best practice, assign the network-admin or level-15 user role to the user line to ensure that the users who log in to the device through the console port have sufficient privileges.

[Sysname] line console 0

[Sysname-line-console0] set authentication password simple 1234567890!

[Sysname-line-console0] user-role network-admin

d.     If AAA local authentication is used for console login, change the password of the local user account that can be used to log in to the device through the console port.

Enter the local user view of the account used to log in to the device through the console port, and change the password of the account. In this example, the username is admin, and the password is 1234567890!. As a best practice, assign the network-admin or level-15 user role to the account to ensure that the users who use this account to log in to the device through the console port have sufficient privileges.

[Sysname] local-user admin class manage

[Sysname-luser-manage-admin] password simple 1234567890!

[Sysname-luser-manage-admin] authorization-attribute user-role network-admin

e.     If AAA remote authentication is used for console login, contact the administrator of the AAA server to obtain the login password.

f.     To prevent configuration loss after a reboot, execute the save command to save the running configuration.
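The check in step 1a is easy to get wrong by eye when a device has many VTY lines, so the following added Python example (not part of this guide or of H3C's software) parses display line output and reports the authentication mode of every user line, flagging any line whose Auth field is N. The sample output is constructed from the excerpt above with one extra VTY row; the field layout (Idx, Type, Tx/Rx, Modem, Auth, Int, Location, with Tx/Rx blank for VTY lines and + marking a line in use) is taken from the excerpt.

```python
from typing import Dict, List

# Constructed sample modelled on the "display line" excerpt in this guide;
# the VTY 1 row is added here to show a scheme-authenticated line.
SAMPLE_DISPLAY_LINE = """\
  Idx  Type     Tx/Rx      Modem Auth  Int          Location
  0    CON 0    9600       -     P     -            0/0
+ 81   VTY 0               -     N     -            0/0
  82   VTY 1               -     A     -            0/0
"""

# Auth column codes as described in the guide.
AUTH_MODES = {"P": "password", "A": "scheme", "N": "none"}


def parse_display_line(output: str) -> List[Dict[str, object]]:
    """Parse 'display line' output into one record per user line.

    Tx/Rx is blank for VTY lines, so the row cannot be split into fixed
    columns from the left. Instead the four right-most fields (Modem, Auth,
    Int, Location) are taken from the right; what remains is Idx, the
    two-word line type, and an optional Tx/Rx value.
    """
    records = []
    for row in output.splitlines():
        fields = row.split()
        if not fields or fields[0] == "Idx":
            continue  # blank row, '...' continuation, or the header
        in_use = fields[0] == "+"  # '+' marks a user line that is in use
        if in_use:
            fields = fields[1:]
        if len(fields) < 7:
            continue  # not a data row (e.g. the '...' line)
        modem, auth, intf, location = fields[-4:]
        idx, line_type, line_num = fields[0], fields[1], fields[2]
        txrx = fields[3] if len(fields) == 8 else None
        records.append({
            "idx": int(idx),
            "line": f"{line_type} {line_num}",
            "txrx": txrx,
            "auth_code": auth,
            "auth_mode": AUTH_MODES.get(auth, "unknown"),
            "in_use": in_use,
        })
    return records


def unauthenticated_lines(output: str) -> List[str]:
    """Names of user lines whose Auth field is N.

    Such a line lets anyone who can reach the port log in without any
    credential, which is the risk the guide attaches to authentication-mode none.
    """
    return [r["line"] for r in parse_display_line(output) if r["auth_code"] == "N"]


if __name__ == "__main__":
    for rec in parse_display_line(SAMPLE_DISPLAY_LINE):
        print(rec)
    print("lines without authentication:", unauthenticated_lines(SAMPLE_DISPLAY_LINE))
```

Paste the real display line output into SAMPLE_DISPLAY_LINE (or read it from a file) to audit a device; any entry returned by unauthenticated_lines deserves the same attention as a forgotten password.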

2.     Connect your configuration terminal to the console port of the device, and then power cycle the device to access the BootWare menu.

 

IMPORTANT:

·     Accessing the BootWare menu requires a device reboot, which causes service interruption. As a best practice, back up services as needed and reboot the device when the service traffic is light.

·     For a distributed device, you must connect your configuration terminal to the console ports on both MPUs and then reboot the entire device. After you access the extended BootWare menu of each MPU, perform the operations in this step and subsequent steps first on the active MPU and then reboot the standby MPU.

 

During startup, the BootWare basic segment runs first and, unless you intervene, hands over directly to the extended segment. When the message Press Ctrl+B to access EXTENDED-BOOTWARE MENU... appears, press Ctrl+B immediately. The system then reports whether password recovery capability is enabled, with one of the following messages:

Password recovery capability is enabled.

Password recovery capability is disabled.

¡     When password recovery capability is enabled, you can choose to skip authentication for console login or skip the current system configuration. For more information about the troubleshooting procedure, see steps 3 and 4.

¡     When password recovery capability is disabled, you can only restore the factory defaults on the device. For more information about the troubleshooting procedure, see step 5.

Password recovery capability is controlled by the password-recovery enable command in system view (undo password-recovery enable disables it). While it is enabled, anyone who can attach a terminal to the console port and reboot the device can bypass console authentication and read the full configuration, so physical access to the console port must be treated as administrative access. Disabling the capability does not prevent the reboot-based recovery; it only forces a factory reset, which destroys the configuration that would otherwise be exposed.

3.     Skip authentication for console login through the extended BootWare menu, and change the password of the console port after you log in to the system.

Press Enter to access the extended BootWare menu, and then follow the system prompt to select the option that skips authentication for console login (the menu option might vary by device model). After the system starts up, you can log in through the console port without a password, and the system loads all settings in the next-startup configuration file. The bypass applies only to this boot.

a.     After the system starts up, you must change the password of the console port as soon as possible according to the authentication mode used by the console port.

# If local password authentication is used for console login, change the authentication password for the console port.

Access the user line where the console port is located and set a new password for the user line. In this example, the password is 1234567890!. As a best practice, assign the network-admin or level-15 user role to the user line to ensure that the users who log in to the device through the console port have sufficient privileges.

<Sysname> system-view

[Sysname] line console 0

[Sysname-line-console0] set authentication password simple 1234567890!

[Sysname-line-console0] user-role network-admin

# If AAA local authentication is used for console login, change the password of the local user account that can be used to log in to the device through the console port.

Enter the local user view of the account used to log in to the device through the console port, and change the password of the account. In this example, the username is admin, and the password is 1234567890!. As a best practice, assign the network-admin or level-15 user role to the account to ensure that the users who use this account to log in to the device through the console port have sufficient privileges.

<Sysname> system-view

[Sysname] local-user admin class manage

[Sysname-luser-manage-admin] password simple 1234567890!

[Sysname-luser-manage-admin] authorization-attribute user-role network-admin

b.     To prevent configuration loss after a reboot, execute the save command to save the running configuration.

4.     Skip the current system configuration through the extended BootWare menu and configure a new password for the console port after login.

Press Enter to access the extended BootWare menu, and then follow the system prompt to select the option that skips the current system configuration (the menu option might differ by device model). When the system starts, it ignores all settings in the next-startup configuration file and starts up with initial settings. This is a one-time operation and takes effect only for the first system boot or reboot after you choose this option. After the system starts up, you do not need to enter the password of the console port.

a.     After the system starts up, you must export the settings in the original next-startup configuration file as soon as possible. Do not power off the device during this operation. You can use one of the following methods:

-     Use FTP or TFTP to export the original next-startup configuration file to your local terminal.

-     Execute the more command in user view to display the contents of the original next-startup configuration file, and then copy and paste all the displayed contents to a local configuration file.

b.     Manually edit the settings related to console login in the local file, and then upload the edited file to the root directory of the storage medium on the device.

c.     Specify the edited configuration file as the next-startup configuration file (in this example, the configuration file is startup.cfg).

<Sysname> startup saved-configuration startup.cfg

d.     Reboot the device.
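Step 4b asks you to edit the exported configuration by hand, and step 1b asks you to confirm the user role assigned to a user line. The following added Python example (not part of this guide or of H3C's software) does both on a Comware-style configuration file: line_login_settings reports the authentication mode and user roles under a user line, and reset_console_login rewrites the line con 0 section to local password authentication with a new password and the network-admin role. It relies on two conventions visible in the display this output above, namely that view sections are separated by a line containing only # and that settings inside a view are indented by one space. The sample configuration and the hash placeholder in it are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of an exported next-startup configuration; only the
# login-related sections are included and the hash value is a placeholder.
SAMPLE_STARTUP_CFG = """\
#
 sysname Sysname
#
line con 0
 authentication-mode password
 set authentication password hash $h$6$PLACEHOLDER
 user-role network-operator
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
#
return
"""


def find_section(lines: List[str], header: str) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the section whose header line equals `header`.

    Comware configuration files separate views with a line containing only '#',
    so a section runs from its header up to (not including) the next '#'.
    """
    for i, line in enumerate(lines):
        if line.strip() == header:
            end = i + 1
            while end < len(lines) and lines[end].strip() != "#":
                end += 1
            return i, end
    return None


def line_login_settings(config: str, header: str = "line con 0") -> Dict[str, object]:
    """Report the authentication mode and user roles configured under a user line.

    This is the step 1b check: a line (or account) without network-admin or
    level-15 cannot change console login settings.
    """
    lines = config.splitlines()
    span = find_section(lines, header)
    if span is None:
        return {"present": False, "auth_mode": None, "user_roles": []}
    body = [l.strip() for l in lines[span[0] + 1:span[1]]]
    auth = [l.split()[1] for l in body if l.startswith("authentication-mode ")]
    roles = [l.split()[1] for l in body if l.startswith("user-role ")]
    return {"present": True, "auth_mode": auth[-1] if auth else None, "user_roles": roles}


def reset_console_login(config: str, new_password: str,
                        user_role: str = "network-admin") -> str:
    """Rewrite the 'line con 0' section to local password authentication.

    Every existing authentication-mode, set authentication password and
    user-role line in the section is dropped before the new ones are added,
    so the forgotten credential cannot survive alongside the new one. The
    password is written with the 'simple' keyword, exactly as the guide enters
    it on the CLI; the device hashes it when it loads the file.
    """
    if not new_password or any(c.isspace() for c in new_password):
        raise ValueError("password must be non-empty and contain no whitespace")
    lines = config.splitlines()
    span = find_section(lines, "line con 0")
    if span is None:
        raise ValueError("no 'line con 0' section in configuration")
    start, end = span
    replaced = ("authentication-mode ", "set authentication password ", "user-role ")
    kept = [l for l in lines[start + 1:end] if not l.strip().startswith(replaced)]
    new_body = [
        " authentication-mode password",
        f" set authentication password simple {new_password}",
        f" user-role {user_role}",
    ]
    return "\n".join(lines[:start + 1] + new_body + kept + lines[end:]) + "\n"


if __name__ == "__main__":
    print("before:", line_login_settings(SAMPLE_STARTUP_CFG))
    fixed = reset_console_login(SAMPLE_STARTUP_CFG, "1234567890!")
    print("after: ", line_login_settings(fixed))
    print(fixed)
```

Write the returned text to a file such as startup.cfg, upload it to the root directory of the storage medium and continue with step 4c. Because the new password appears in plaintext in that file, delete the local copy once the device has loaded it and saved the hashed form.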

5.     Restore the factory defaults through the extended BootWare menu and configure a new password for the console port after login.

 

CAUTION:

In this operation, the system will automatically delete the main and backup next-startup configuration files upon startup, and then load the factory defaults. You must ensure that this operation does not have negative impact on services.

 

Press Enter to access the extended BootWare menu, and then follow the system prompt to select the option that restores the factory defaults. The menu option might differ by device model. After the system starts up, you do not need to enter the password of the console port.

a.     After the system starts up, configure the login authentication mode for the console port as per your actual needs, as well as the relevant login password or account.

The authentication mode is none:

<Sysname> system-view

[Sysname] line console 0

[Sysname-line-console0] authentication-mode none

[Sysname-line-console0] user-role network-admin

You can log in to the device through this user line without providing any username or password. This authentication mode has security risks. Use it with caution.

The authentication mode is local password authentication:

<Sysname> system-view

[Sysname] line console 0

[Sysname-line-console0] authentication-mode password

[Sysname-line-console0] set authentication password simple 1234567890!

[Sysname-line-console0] user-role network-admin

The authentication mode is local AAA authentication:

<Sysname> system-view

[Sysname] line console 0

[Sysname-line-console0] authentication-mode scheme

[Sysname-line-console0] quit

[Sysname] local-user admin class manage

[Sysname-luser-manage-admin] service-type terminal

[Sysname-luser-manage-admin] password simple 1234567890!

[Sysname-luser-manage-admin] authorization-attribute user-role network-admin

The authentication mode is remote AAA authentication:

<Sysname> system-view

[Sysname] line console 0

[Sysname-line-console0] authentication-mode scheme

[Sysname-line-console0] quit

In addition, you must configure an authentication domain for login users and a RADIUS, HWTACACS, or LDAP scheme. For more information about the configuration, see AAA configuration in Security Configuration Guide.

b.     To prevent configuration loss after a reboot, execute the save command to save the running configuration.

6.     If the issue persists, collect the following information and contact Technical Support:

¡     Results of each step.

¡     The configuration file, log messages, and alarm messages.

Related alarm and log messages

Alarm messages

N/A

Log messages

N/A

Forgetting the password for Telnet login

Symptom

When local password authentication or AAA local authentication is used for Telnet login, you cannot successfully Telnet to the device due to an incorrect password.

Common causes

The following are the common causes of this type of issue:

·     You forget the login password for the user account that you use to Telnet to the device or enter an incorrect password.

·     The account that you use to Telnet to the device has expired.

Troubleshooting flow

Figure 2 shows the troubleshooting flowchart.

Figure 2 Flowchart for troubleshooting the issue of forgetting the password of a user account used for Telnet login

 

Solution

1.     Verify that you can use another method to log in to the device.

If the Telnet login password is lost, you can log in to the device through another method (such as through the console port) and reconfigure a Telnet login password.

a.     Log in to the device through a non-Telnet method, and then execute the display line command to display the authentication mode used by VTY lines.

<Sysname> display line

  Idx  Type     Tx/Rx      Modem Auth  Int          Location

+ 0    CON 0    9600       -     P     -            0/0

  81   VTY 0               -     P     -            0/0

...

If the value for the Auth field is P, the authentication mode is local password authentication. If the value for this field is A, the authentication mode is AAA (scheme) authentication.

b.     Based on the authentication mode used by the VTY lines, configure a new login password for Telnet login.

For local password authentication:

Set the authentication mode for VTY login users to local password authentication, and configure the login password and user role. For example, set the login password to 1234567890! and specify the network-admin user role for VTY login users.

<Sysname> system-view

[Sysname] line vty 0 63

[Sysname-line-vty0-63] authentication-mode password

[Sysname-line-vty0-63] set authentication password simple 1234567890!

[Sysname-line-vty0-63] user-role network-admin

For AAA local authentication:

Set the authentication mode for VTY login users to AAA authentication, and configure a new password for the account that you use to Telnet to the device and specify user roles for the account. In this example, the local account used for Telnet login is admin, the password is set to 1234567890!, and the network-admin user role is specified for the account.

<Sysname> system-view

[Sysname] line vty 0 63

[Sysname-line-vty0-63] authentication-mode scheme

[Sysname-line-vty0-63] quit

[Sysname] local-user admin class manage

[Sysname-luser-manage-admin] service-type telnet

[Sysname-luser-manage-admin] password simple 1234567890!

[Sysname-luser-manage-admin] authorization-attribute user-role network-admin

If you forget the original login account name, you can create a new local account by performing the operations in this step.

For AAA remote authentication:

Contact the administrator of the AAA server to obtain the login password.

2.     If the issue persists, collect the following information and contact Technical Support:

¡     Results of each step.

¡     The configuration file, log messages, and alarm messages.

Related alarm and log messages

Alarm messages

N/A

Log messages

N/A

Telnet login failure

Symptom

When the device acts as a Telnet server, you fail to log in to the device through a Telnet client.

Common causes

The following are the common causes of this type of issue:

·     The network connection between the Telnet client and the device is poor.

·     The Telnet client feature is not enabled on the Telnet client.

·     The Telnet service is not enabled on the device.

·     VTY lines do not support the Telnet protocol.

·     The login username or password is incorrect.

·     The number of login users on the device has reached the upper limit.

·     Access control for Telnet login has been configured on the device, and the Telnet client is not permitted by the rules in the ACL specified for filtering users.

·     The authentication mode settings are not configured correctly.

·     When both the Telnet client and Telnet server are H3C devices, you do not log in to the Telnet server from the source address or source interface specified on the Telnet client for outgoing Telnet packets.

Troubleshooting flow

Figure 3 shows the troubleshooting flowchart.

Figure 3 Flowchart for troubleshooting Telnet login failure

 

Solution

1.     Verify that the client can successfully ping the device.

Execute the ping command on the Telnet client to check the network connection between the Telnet client and the device.

If the Telnet client cannot ping the IP address of the device, it cannot establish a TCP connection to the device either, and the Telnet login fails. Ping might also fail for reasons on the client side, for example, ping being disabled on the Telnet client. To troubleshoot the ping failure, follow the procedure in "Ping and tracert issues."

2.     Verify that the Telnet client feature is enabled on the client.

Typically, before you set up a new Telnet connection on a PC, you must enable the Telnet client feature in the Turn Windows features on or off window on the PC.

For information about enabling the Telnet client feature on other types of devices, such as mobile devices, see the user manuals for those devices.

3.     Verify that the Telnet service is enabled on the device.

By default, the Telnet service is disabled. If the command output for the display this command in system view does not contain the telnet server enable command line, the Telnet service remains disabled. You can execute the telnet server enable command to enable the Telnet service to allow clients to Telnet to the device.

4.     Verify that the VTY line through which the user Telnets to the device supports the Telnet protocol.

Execute the display this command in VTY line view or VTY line class view.

¡     If the command output does not contain the protocol inbound telnet or protocol inbound all command line, the VTY line does not support the Telnet protocol.

¡     In non-FIPS mode, the system supports all protocols by default. If the command output contains the undo protocol inbound command line or does not contain the protocol inbound command line, the system supports all protocols.

If the Telnet protocol is not supported on the user line, execute the protocol inbound telnet or protocol inbound all command on the user line to allow Telnet login.

<Sysname> system-view

[Sysname] line vty 0 63

[Sysname-line-vty0-63] authentication-mode scheme

[Sysname-line-vty0-63] protocol inbound all

A configuration change in user line view does not take effect on the current session. It takes effect on subsequent login sessions.

5.     Verify that the username and password used by the client to Telnet to the device are correct.

If the device prompts an authentication failure when you initiate a Telnet connection and enter the username and password for Telnet login as instructed by the Telnet client, you can attempt to log in again by re-entering the username and password. If the login still fails, you can check the LOGIN/5/LOGIN_INVALID_USERNAME_PWD log. You have entered an invalid username or password if the log contains the following message:

LOGIN/5/LOGIN_INVALID_USERNAME_PWD: Invalid username or password from vty0.

If you forget the correct login username or password, you can change the authentication mode to none or reset the password, and then attempt to Telnet to the device again.

¡     In user line view or user line class view, execute the authentication-mode none command to disable authentication. Users who log in through the specified user line or user line class are then not asked for a username or password. On a VTY line this gives every host that can reach the device an unauthenticated login, so use it only as a temporary measure, restrict the Telnet service with telnet server acl while it is in place, restore an authentication mode as soon as the password has been reset, and do not save the configuration with authentication disabled.

<Sysname> system-view

[Sysname] line vty 0 63

[Sysname-line-vty0-63] authentication-mode none

¡     If the authentication mode is local password authentication, execute the set authentication password command in user line view or user line class view to configure an authentication password for local password authentication.

<Sysname> system-view

[Sysname] line vty 0 63

[Sysname-line-vty0-63] authentication-mode password

[Sysname-line-vty0-63] set authentication password simple hello12345&

¡     If the authentication mode is AAA authentication, follow the procedure in AAA troubleshooting guide and password control troubleshooting guide.

6.     Identify whether the number of login users on the device has reached the upper limit.

Log in to the device through the console port and execute the display users command in any view to display the current number of Telnet users. By default, the device supports a maximum of 32 concurrent Telnet users.

Check the TELNETD/6/TELNETD_REACH_SESSION_LIMIT log. The number of Telnet users has reached the upper limit if the following log message is generated:

TELNETD/6/TELNETD_REACH_SESSION_LIMIT: Telnet client 1.1.1.1 failed to log in. The current number of Telnet sessions is 10. The maximum number allowed is (10).

If the number of Telnet users has reached the upper limit, you can first disconnect the connections of other idle Telnet users or execute the aaa session-limit telnet command to increase the maximum number of concurrent Telnet users. Then, initiate a Telnet connection to the device again.

7.     Identify whether ACLs have been applied to control Telnet login on the device.

In system view, execute the display this command. If the command output contains settings related to the telnet server acl or telnet server ipv6 acl command, ACLs have been applied to control Telnet login.

¡     Verify that the rules in the ACLs permit the IP address, port number, and protocol number of the Telnet client. You can check the TELNETD_ACL_DENY log. The rules in the ACLs deny the IP address of the Telnet client if the following log message is generated:

TELNETD/5/TELNETD_ACL_DENY: The Telnet Connection 1.2.3.4(vpn1) request was denied according to ACL rules.

¡     Preferably, add a rule to the referenced ACL that permits the IP address of the Telnet client. Only if the restriction is no longer needed, execute the undo telnet server acl or undo telnet server ipv6 acl command to remove ACL access restrictions for Telnet users; doing so exposes the Telnet service to every host that can reach the device.

8.     Verify that the authentication mode settings are correctly configured on the device.

In any view, execute the display line command to check the Auth field to obtain the authentication mode used on the user line through which you Telnet to the device. The value of A indicates AAA authentication, the value of N indicates none authentication, and the value of P indicates local password authentication.

¡     If local password authentication is configured as the login authentication mode for the VTY line by using the authentication-mode password command, you must ensure that an authentication password has been configured for the VTY line.

¡     If AAA authentication is configured as the login authentication mode by using the authentication-mode scheme command, you must ensure that the user account used for Telnet login has been created. For more information about the troubleshooting procedure, see "AAA and password control issues."

9.     When both the Telnet client and Telnet server are H3C devices, identify whether the Telnet client has configured a source address or a source interface for outgoing Telnet packets.

Execute the display this command in system view. If the command output contains the telnet client source command line, a source IPv4 address or source interface has been specified on the Telnet client for outgoing Telnet packets. In this case, you must ensure that you log in to the Telnet server from the specified source IPv4 address or source interface on the Telnet client. If the login fails, perform one of the following operations and attempt to log in to the Telnet server again:

¡     Execute the telnet client source command to reconfigure the source IPv4 address or source interface for the Telnet client to use for outgoing Telnet packets.

¡     Execute the undo telnet client source command to restore the default. In this case, no source IPv4 address or source interface is specified. The Telnet client uses the primary IPv4 address of the output interface for the route to the server as the source IPv4 address.

When you perform the operations in this step, follow these restrictions and guidelines:

¡     The source setting configured by using the telnet client source command has a lower precedence than the source setting specified by using the telnet command in user view.

¡     In an IPv6 network, you can execute the telnet ipv6 command in user view to specify a source interface or source IPv6 address for outgoing Telnet packets.

10.     If the issue persists, collect the following information and contact Technical Support:

¡     Results of each step.

¡     The configuration file, log messages, and alarm messages.
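Steps 5 through 7 each point at a specific log message, so the quickest way through the procedure above is to let the logs choose the step. The following added Python example (not part of this guide or of H3C's software) parses log lines in the MODULE/SEVERITY/MNEMONIC: text form shown in this section, maps the mnemonics listed under "Related log messages" to the step that handles them, extracts the client address where the message carries one, and counts invalid-credential events per user line so that a password-guessing burst is not mistaken for a single typo. The sample lines are constructed from the message texts quoted in this section; the timestamps, the sysname, and the final unrelated line are made up for the example, and the LOGIN_FAILED message text is not shown on this page so only its mnemonic is handled.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed log sample. Message texts are taken from this guide; timestamps,
# sysname and the last (unrelated) line are made up to exercise the filter.
SAMPLE_LOGS = """\
%Jan  5 10:12:01:233 2024 Sysname LOGIN/5/LOGIN_INVALID_USERNAME_PWD: Invalid username or password from vty0.
%Jan  5 10:12:09:871 2024 Sysname LOGIN/5/LOGIN_INVALID_USERNAME_PWD: Invalid username or password from vty0.
%Jan  5 10:13:45:004 2024 Sysname TELNETD/6/TELNETD_REACH_SESSION_LIMIT: Telnet client 1.1.1.1 failed to log in. The current number of Telnet sessions is 10. The maximum number allowed is (10).
%Jan  5 10:14:02:610 2024 Sysname TELNETD/5/TELNETD_ACL_DENY: The Telnet Connection 1.2.3.4(vpn1) request was denied according to ACL rules.
%Jan  5 10:14:30:000 2024 Sysname SHELL/6/SHELL_LOGIN: admin logged in from 10.0.0.5.
"""

LOG_RE = re.compile(r"(?P<module>[A-Z]+)/(?P<severity>\d)/(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Mnemonic -> (step in the procedure above, indicated cause / action).
TRIAGE = {
    "LOGIN_INVALID_USERNAME_PWD": (5, "wrong username or password; reset the credential"),
    "LOGIN_FAILED": (5, "login failed; check credentials and the AAA configuration"),
    "TELNETD_REACH_SESSION_LIMIT": (6, "Telnet session limit reached; free idle sessions or raise aaa session-limit telnet"),
    "TELNETD_ACL_DENY": (7, "client denied by telnet server acl; add a permit rule for its address"),
}


def parse_log(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into module, severity, mnemonic, text and client IPv4 (if any)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["severity"] = int(m.group("severity"))
    ip = IPV4_RE.search(m.group("text"))
    rec["client_ip"] = ip.group(1) if ip else None
    return rec


def triage(log_text: str) -> List[Dict[str, object]]:
    """One finding per log line that this section maps to a troubleshooting step."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_log(line)
        if rec is None or rec["mnemonic"] not in TRIAGE:
            continue  # malformed line or a log this section does not cover
        step, cause = TRIAGE[str(rec["mnemonic"])]
        findings.append({"mnemonic": rec["mnemonic"], "step": step,
                         "cause": cause, "client_ip": rec["client_ip"]})
    return findings


def invalid_login_counts(log_text: str) -> Counter:
    """Count LOGIN_INVALID_USERNAME_PWD events per user line (e.g. vty0).

    Many of these in a short window, while the legitimate operator is locked
    out, is a credential-guessing indicator rather than a forgotten password.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_log(line)
        if rec and rec["mnemonic"] == "LOGIN_INVALID_USERNAME_PWD":
            m = re.search(r"from (\S+?)\.?$", str(rec["text"]))
            counts[m.group(1) if m else "unknown"] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"step {f['step']}: {f['mnemonic']} client={f['client_ip']} -> {f['cause']}")
    print("invalid logins per line:", dict(invalid_login_counts(SAMPLE_LOGS)))
```

Feed it the output of display logbuffer (or the syslog export) to get the steps to start with; anything it leaves unclassified still goes through the full procedure.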

Related alarm and log messages

Alarm messages

N/A

Log messages

·     LOGIN/5/LOGIN_FAILED

·     LOGIN/5/LOGIN_INVALID_USERNAME_PWD

·     TELNETD/5/TELNETD_ACL_DENY

·     TELNETD/6/TELNETD_REACH_SESSION_LIMIT
