01 login configuration

Upload: ricardo-antonio-sepulveda-zurita

Post on 07-Apr-2018


  • 8/3/2019 01 Login Configuration

    1/44

    i

Table of Contents

1 Logging In to an Access Controller Product ... 1-1
  Logging In to an Access Controller Product ... 1-1
  Introduction to the User Interface ... 1-1
    Supported User Interfaces ... 1-1
    User Interface Number ... 1-2
    Common User Interface Configuration ... 1-2

2 Logging In Through the Console Port ... 2-1
  Introduction ... 2-1
  Setting Up the Connection to the Console Port ... 2-1
  Console Port Login Configuration ... 2-4
    Common Configuration ... 2-4
    Console Port Login Configurations for Different Authentication Modes ... 2-5
  Console Port Login Configuration with Authentication Mode Being None ... 2-5
    Configuration Procedure ... 2-5
    Configuration Example ... 2-7
  Console Port Login Configuration with Authentication Mode Being Password ... 2-8
    Configuration Procedure ... 2-8
    Configuration Example ... 2-9
  Console Port Login Configuration with Authentication Mode Being Scheme ... 2-11
    Configuration Procedure ... 2-11
    Configuration Example ... 2-13

3 Logging In Through Telnet ... 3-1
  Introduction ... 3-1
    Common Configuration ... 3-2
    Telnet Configurations for Different Authentication Modes ... 3-2
  Telnet Configuration with Authentication Mode Being None ... 3-3
    Configuration Procedure ... 3-3
    Configuration Example ... 3-4
  Telnet Configuration with Authentication Mode Being Password ... 3-5
    Configuration Procedure ... 3-5
    Configuration Example ... 3-7
  Telnet Configuration with Authentication Mode Being Scheme ... 3-8
    Configuration Procedure ... 3-8
    Configuration Example ... 3-10
  Telnet Connection Establishment ... 3-11
    Telnetting to an Access Controller from a Terminal ... 3-11
    Telnetting to Another Access Controller from the Current One ... 3-13

4 Logging In Through the Web-Based Network Management System ... 4-1
  Introduction ... 4-1
  Setting Up a Web Configuration Environment ... 4-2

5 Logging In Through an NMS ... 5-1
  Introduction ... 5-1
  Connection Establishment ... 5-1

6 Controlling Login Users ... 6-1
  Introduction ... 6-1
  Controlling Telnet Users ... 6-1
    Prerequisites ... 6-1
    Controlling Telnet Users by SSIDs of Clients ... 6-1
    Controlling Telnet Users by Source IP Addresses ... 6-2
    Controlling Telnet Users by Source and Destination IP Addresses ... 6-3
    Controlling Telnet Users by Source MAC Addresses ... 6-4
    Configuration Example ... 6-4
  Controlling Network Management Users by Source IP Addresses ... 6-5
    Prerequisites ... 6-5
    Controlling Network Management Users by Source IP Addresses ... 6-5
    Configuration Example ... 6-6


Support of the H3C WX series access controllers for features may vary by device model. Refer to section "Feature Matrices" in Compatibility Matrices for details.

The interface types and the number of interfaces supported vary by device model. Throughout this manual, GE interfaces are used in the examples that involve Ethernet interfaces.

The access control engines of the H3C WX3000 series unified switches and the LSBM1WCM2A0 access controller module do not support IPv6-related configurations. For support of IPv6-related configurations, refer to section "Command Matrices" in Compatibility Matrices for details.

The models listed in this manual are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

1 Logging In to an Access Controller Product

To log in to an access controller product, go to these sections for information you are interested in:

- Logging In to an Access Controller Product
- Introduction to the User Interface

Logging In to an Access Controller Product

You can log in to an access controller product in one of the following ways:

- Logging in locally through the console port
- Telnetting locally or remotely to an Ethernet port

Introduction to the User Interface

Supported User Interfaces

An access controller product supports three types of user interfaces: AUX, console and VTY.

Table 1-1 Description of user interfaces

| User interface | Applicable user | Port used | Description |
|---|---|---|---|
| AUX | Users logging in through the console port | Console port | Each access controller can accommodate one AUX user. |
| Console | Users logging in through the console port | Console port | Each access controller can accommodate one console user. |
| VTY | Telnet users and SSH users | Ethernet port | Each access controller can accommodate up to five VTY users. |


User Interface Number

Two kinds of user interface indexes exist: absolute user interface index and relative user interface index.

1) The absolute user interface indexes are as follows:

- AUX user interface: Numbered first, and is 0.
- Console user interface: Numbered first, and is 0.
- VTY user interfaces: Numbered after AUX user interfaces and increase in steps of 1.

2) A relative user interface index can be obtained by appending a number to the identifier of a user interface type. It is generated by user interface type. The relative user interface indexes are as follows:

- AUX user interface: AUX 0
- Console user interface: Console 0
- VTY user interfaces: VTY 0, VTY 1, VTY 2, and so on.

Common User Interface Configuration

- Lock the current user interface
  Command: lock
  Remarks: Optional. Execute this command in user view. A user interface is not locked by default.

- Send messages to all user interfaces or to a specified user interface
  Command: send { all | number | type number }
  Remarks: Optional. Execute this command in user view.

- Disconnect a specified user interface
  Command: free user-interface [ type ] number
  Remarks: Optional. Execute this command in user view. The interface type and quantity supported by this command vary by device model.

- Enter system view
  Command: system-view

- Set the banner
  Command: header { incoming | legal | login | motd | shell } text
  Remarks: Optional. By default, no banner is configured.

- Set a system name for the access controller product
  Command: sysname string
  Remarks: Optional. The default system name is H3C.

- Enter user interface view
  Command: user-interface [ type ] first-number [ last-number ]
  Remarks: The interface type and quantity supported by this command vary by device model.

- Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.

- Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

- Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

- Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

- Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

- Set the display type of a terminal
  Command: terminal type { ansi | vt100 }
  Remarks: Optional. By default, the terminal display type is ANSI. The device must use the same type of display as the terminal. If the terminal uses VT 100, the device should also use VT 100.

- Display the information about the current user interface or all user interfaces
  Command: display users [ all ]
  Remarks: You can execute this command in any view.

- Display the physical attributes and configuration of the current or a specified user interface
  Command: display user-interface [ type | number ] [ summary ]
  Remarks: You can execute this command in any view. The interface type and quantity supported by this command vary by device model.

2 Logging In Through the Console Port

When logging in through the console port, go to these sections for information you are interested in:

- Introduction
- Setting Up the Connection to the Console Port
- Console Port Login Configuration
- Console Port Login Configuration with Authentication Mode Being None
- Console Port Login Configuration with Authentication Mode Being Password
- Console Port Login Configuration with Authentication Mode Being Scheme

Introduction

Support for the console port and AUX port varies by device model.

Logging in through the console port is the most common way to log in to the device. It is also the prerequisite to configure other login methods. By default, you can log in to the device through its console port only.

To log in to the device through its console port, the related configuration of the user terminal must be in accordance with that of the console port. Table 2-1 lists the default settings of a console port.

Table 2-1 The default settings of a console port

| Setting | Default |
|---|---|
| Baud rate | 9,600 bps |
| Check mode | No check bit |
| Stop bits | 1 |
| Data bits | 8 |

After logging in to the device, you can modify the settings of the console port. Refer to section Console Port Login Configuration for more information.

Setting Up the Connection to the Console Port

Step 1: Connect the serial port of your PC/terminal to the console port of the access controller (AC), as shown in Figure 2-1.

Figure 2-1 Diagram for setting up the connection to the console port (RS-232 port of the PC, console cable, console port of the AC)

Step 2: If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created. Normally, the parameters of the terminal are configured as those listed in Table 2-1.

Figure 2-2 Create a connection

Figure 2-3 Specify the port used to establish the connection

Figure 2-4 Set port parameters terminal window

Step 3: Turn on the access controller. You will be prompted to press the Enter key if the access controller successfully completes POST (power-on self test). The prompt (such as ) appears after the user presses the Enter key, as shown in Figure 2-5.

Figure 2-5 The terminal window

Step 4: You can then configure the access controller or check the information about the access controller by executing commands. You can also acquire help by typing the ? character. Refer to the following chapters for information about the commands.

Console Port Login Configuration

Common Configuration

Table 2-2 lists the common configuration of console port login.

Table 2-2 Common configuration of console port login

Console port configuration
- Baud rate: Optional. The default baud rate is 9,600 bps.
- Check mode: Optional. By default, the check mode of the console port is set to none, which means no check bit.
- Stop bits: Optional. The default stop bits of a console port is 1.
- Data bits: Optional. The default data bits of a console port is 8.

AUX/Console user interface configuration
- Configure the command level available to the users logging in to the AUX/console user interface: Optional. By default, commands of level 3 are available to the users logging in to the AUX/console user interface.
- Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
- Define a shortcut key for starting terminal sessions: Optional. By default, pressing the Enter key starts the terminal session.

Terminal configuration
- Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
- Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
- Set history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
- Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.

Modifying the settings of the console port terminates the connection to the console port. To establish the connection again, you need to modify the configuration of the terminal emulation utility running on your PC accordingly. Refer to Setting Up the Connection to the Console Port for more.

Console Port Login Configurations for Different Authentication Modes

Table 2-3 lists console port login configurations for different authentication modes.

Table 2-3 Console port login configurations for different authentication modes

Authentication mode: None
- Perform common configuration for console port login
  Optional. Refer to Common Configuration for more.

Authentication mode: Password
- Configure the password for local authentication
  Required.
- Perform common configuration for console port login
  Optional. Refer to Common Configuration for more.

Authentication mode: Scheme
- Specify to perform local authentication or RADIUS authentication
  AAA configuration specifies whether to perform local authentication or RADIUS authentication. Optional. Local authentication is performed by default. Refer to AAA Configuration in the Security Volume for more.
- Configure user names and passwords for local/remote users
  Required. The user name and password of a local user are configured on the access controller. The user name and password of a remote user are configured on the RADIUS server. Refer to the user manual of the RADIUS server for more.
- Manage AUX/console users: set the service type for AUX/console users
  Required.
- Perform common configuration for console port login
  Optional. Refer to Common Configuration for more.

Changes of the authentication mode of console port login will not take effect unless you exit and enter the CLI again.

Console Port Login Configuration with Authentication Mode Being None

Configuration Procedure

- Enter system view
  Command: system-view

- Enter AUX/console user interface view
  Command: user-interface aux 0
  Command: user-interface console 0

- Configure not to authenticate users
  Command: authentication-mode none
  Remarks: Required. By default, users logging in through the AUX/console port are not authenticated.

- Configure the console port: set the baud rate
  Command: speed speed-value
  Remarks: Optional. The default baud rate of an AUX/console port (also the console port) is 9,600 bps.

- Configure the console port: set the check mode
  Command: parity { even | mark | none | odd | space }
  Remarks: Optional. By default, the check mode of a console port is set to none, that is, no check bit.

- Configure the console port: set the stop bits
  Command: stopbits { 1 | 1.5 | 2 }
  Remarks: Optional. The stop bits of an AUX/console port is 1.

- Configure the console port: set the data bits
  Command: databits { 5 | 6 | 7 | 8 }
  Remarks: Optional. The default data bits of a console port is 8.

- Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.

- Define a shortcut key for starting terminal sessions
  Command: activation-key character
  Remarks: Optional. By default, pressing the Enter key starts the terminal session.

- Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.

- Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

- Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

- Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

- Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the command level available to users logging in to the device depends on both the authentication-mode none command and the user privilege level level command, as listed in the following table.

Table 2-4 Determine the command level (A)

Authentication mode: None (authentication-mode none)
User type: Users logging in through AUX/console ports

- The user privilege level level command not executed: Level 3
- The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements

Assume the access controller is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the access controller, perform configuration to meet the following requirements:

- The user is not authenticated when logging in through the console port.
- Commands of level 2 are available to users logging in to the AUX user interface.
- The baud rate of the console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.

Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being none)

Configuration procedure

# Enter system view.
system-view

# Enter AUX user interface view.
[Sysname] user-interface aux 0

# Specify not to authenticate the user logging in through the console port.
[Sysname-ui-aux0] authentication-mode none

# Specify that commands of level 2 are available to the user logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2

# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200

# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20

# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6

After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the access controller. Refer to Setting Up the Connection to the Console Port.

Console Port Login Configuration with Authentication Mode Being Password

Configuration Procedure

- Enter system view
  Command: system-view

- Enter AUX/console user interface view
  Command: user-interface aux 0
  Command: user-interface console 0

- Configure to authenticate users using the local password
  Command: authentication-mode password
  Remarks: Required. By default, users logging in through the console port are not authenticated, while users logging in through Telnet need to pass the password authentication.

- Set the local password
  Command: set authentication password { cipher | simple } password
  Remarks: Required.

- Configure the console port: set the baud rate
  Command: speed speed-value
  Remarks: Optional. The default baud rate of an AUX/console port (also the console port) is 9,600 bps.

- Configure the console port: set the check mode
  Command: parity { even | mark | none | odd | space }
  Remarks: Optional. By default, the check mode of an AUX/console port is set to none, that is, no check bit.

- Configure the console port: set the stop bits
  Command: stopbits { 1 | 1.5 | 2 }
  Remarks: Optional. The default stop bits of an AUX/console port is 1.

- Configure the console port: set the data bits
  Command: databits { 5 | 6 | 7 | 8 }
  Remarks: Optional. The default data bits of an AUX/console port is 8.

- Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.

- Define a shortcut key for starting terminal sessions
  Command: activation-key character
  Remarks: Optional. By default, pressing the Enter key starts the terminal session.

- Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.

- Make terminal services available to the user interface
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

- Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

- Set history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

- Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the level of the commands available to users logging in to the device depends on both the authentication-mode password command and the user privilege level level command, as listed in the following table.

Table 2-5 Determine the command level (B)

Authentication mode: Local authentication (authentication-mode password)
User type: Users logging in to the AUX/console user interface

- The user privilege level level command not executed: Level 3
- The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements

Assume the access controller is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the access controller, perform configuration to meet the following requirements:

- The user is authenticated against the local password when logging in through the console port.
- The local password is set to 123456 (in plain text).
- The commands of level 2 are available to users logging in to the AUX user interface.
- The baud rate of the console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.

Figure 2-7 Network diagram for AUX user interface configuration (with the authentication mode being password)

Configuration procedure

# Enter system view.
system-view

# Enter AUX user interface view.
[Sysname] user-interface aux 0

# Specify to authenticate the user logging in through the console port using the local password.
[Sysname-ui-aux0] authentication-mode password

# Set the local password to 123456 (in plain text).
[Sysname-ui-aux0] set authentication password simple 123456

# Specify that commands of level 2 are available to the user logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2

# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200

# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20

# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6

After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the access controller. Refer to Setting Up the Connection to the Console Port for more.

Console Port Login Configuration with Authentication Mode Being Scheme

Configuration Procedure

- Enter system view
  Command: system-view

- Configure the authentication mode
  Enter the default ISP domain view
    Command: domain domain-name
  Specify the AAA scheme to be applied to the domain
    Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
  Quit to system view
    Command: quit
  Remarks: Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning the local user as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well:
    - Perform AAA&RADIUS configuration on the access controller. (Refer to AAA Configuration in the Security Volume for more.)
    - Configure the user name and password accordingly on the AAA server. (Refer to the user manual of the AAA server.)

- Create a local user (enter local user view)
  Command: local-user user-name
  Remarks: Required. No local user exists by default.

- Set the authentication password for the local user
  Command: password { simple | cipher } password
  Remarks: Required.

- Specify the service type for AUX and console users
  Command: service-type terminal
  Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *
  Remarks: Required.

- Quit to system view
  Command: quit

- Enter AUX/console user interface view
  Command: user-interface aux 0
  Command: user-interface console 0

- Configure to authenticate users locally or remotely
  Command: authentication-mode scheme [ command-authorization ]
  Remarks: Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.

- Configure the console port: set the baud rate
  Command: speed speed-value
  Remarks: Optional. The default baud rate of the AUX/console port is 9,600 bps.

- Configure the console port: set the check mode
  Command: parity { even | mark | none | odd | space }
  Remarks: Optional. By default, the check mode of an AUX/console port is set to none, that is, no check bit.

- Configure the console port: set the stop bits
  Command: stopbits { 1 | 1.5 | 2 }
  Remarks: Optional. The default stop bits of an AUX/console port is 1.

- Configure the console port: set the data bits
  Command: databits { 5 | 6 | 7 | 8 }
  Remarks: Optional. The default data bits of a console port is 8.

- Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.

- Define a shortcut key for starting terminal sessions
  Command: activation-key character
  Remarks: Optional. By default, pressing the Enter key starts the terminal session.

- Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.

- Make terminal services available to the user interface
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

- Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

- Set history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

- Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the level of the commands that are available to users logging in to the device depends on the authentication-mode scheme [ command-authorization ] command, as listed in Table 2-6.

Table 2-6 Determine the command level

Authentication mode: authentication-mode scheme [ command-authorization ]
User type: Users logging in to the AUX/console port and passing AAA&RADIUS or local authentication

- The user privilege level level command is not executed, and the authorization-attribute command does not specify the available command level: Level 0 (the default command level available for local users is level 0).
- The user privilege level level command is not executed, and the authorization-attribute command specifies the available command level: Determined by the authorization-attribute command.

    Configuration Example

    Network requirements

    Assume the access controller is configured to allow you to login through Telnet, and your user level is

    set to the administrator level (level 3). After you telnet to the access controller, perform configuration to

    meet the following.

    Configure the name of the local user as guest.

    Set the authentication password of the local user to 123456 (in plain text).

    Set the service type of the local user to Terminal.

    Configure to authenticate the user logging in through the console port in the scheme mode.

    The commands of level 2 are available to the user logging in to the AUX user interface.

    The baud rate of the console port is 19,200 bps.

    The screen can contain up to 30 lines.

    The history command buffer can store up to 20 commands.

    The timeout time of the AUX user interface is 6 minutes.

    Figure 2-8 Network diagram for AUX user interface configuration (with the authentication mode being scheme)

    Configuration procedure

    # Enter system view.

    system-view

    # Create a local user named guest and enter local user view.

    [Sysname] local-user guest


    # Set the authentication password to 123456 (in plain text).

    [Sysname-luser-guest] password simple 123456

    # Set the service type to Terminal, and specify that commands of level 2 are available to the user logging in to the AUX user interface.

    [Sysname-luser-guest] authorization-attribute level 2

    [Sysname-luser-guest] service-type terminal

    [Sysname-luser-guest] quit

    # Enter AUX user interface view.

    [Sysname] user-interface aux 0

    # Configure to authenticate the user logging in through the console port in the scheme mode.

    [Sysname-ui-aux0] authentication-mode scheme

    # Set the baud rate of the console port to 19,200 bps.

    [Sysname-ui-aux0] speed 19200

    # Set the maximum number of lines the screen can contain to 30.

    [Sysname-ui-aux0] screen-length 30

    # Set the maximum number of commands the history command buffer can store to 20.

    [Sysname-ui-aux0] history-command max-size 20

    # Set the timeout time of the AUX user interface to 6 minutes.

    [Sysname-ui-aux0] idle-timeout 6

    After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the access controller. Refer to Setting Up the Connection to the Console Port for more.


    3 Logging In Through Telnet

    When logging in through Telnet, go to these sections for information you are interested in:

    Introduction

    Telnet Configuration with Authentication Mode Being None

    Telnet Configuration with Authentication Mode Being Password

    Telnet Configuration with Authentication Mode Being Scheme

    Telnet Connection Establishment

    Introduction

    You can telnet to a remote access controller product to manage and maintain the device. To achieve this, you need to configure both the device and the Telnet terminal properly.

    Table 3-1 Requirements for telnetting to the device

    Item | Requirement
    Access controller product | The Telnet server is started.
    Access controller product | The IP address of the VLAN interface and the management interface of the access controller product are configured and the route between the access controller product and the Telnet terminal is available.
    Access controller product | The authentication mode and other settings are configured. Refer to Table 3-2 and Table 3-3.
    Telnet terminal | Telnet is running.
    Telnet terminal | The IP address of the management VLAN of the access controller product is available.

    After you log in to the access controller through Telnet, you can issue commands to the access controller by pasting session text. The pasted text cannot exceed 2000 bytes, and the pasted commands must belong to the same view; otherwise, the access controller may not execute the commands correctly.

    If the session text exceeds 2000 bytes, you can save it in a configuration file, upload the configuration file to the access controller and reboot the access controller with this configuration file. For details, refer to File System Management Configuration in the System Volume.

    Logging in to the access controller through Telnet over IPv6 is the same as over IPv4. Refer to IPv6 Application Configuration in the IP Services Volume for details. Support for logging in to the access controller through Telnet over IPv6 varies by device model.


    Common Configuration

    Table 3-2 lists the common Telnet configuration.

    Table 3-2 Common Telnet configuration

    Configuration | Description
    VTY user interface configuration: Configure the command level available to users logging in to the VTY user interface | Optional. By default, commands of level 0 are available to users logging in to a VTY user interface.
    VTY user interface configuration: Configure the protocols the user interface supports | Optional. By default, the Telnet and SSH protocols are supported.
    VTY user interface configuration: Set the command that is automatically executed when a user logs into the user interface | Optional. By default, no command is automatically executed when a user logs into a user interface.
    VTY user interface configuration: Define a shortcut key for aborting tasks | Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
    VTY terminal configuration: Make terminal services available | Optional. By default, terminal services are available in all user interfaces.
    VTY terminal configuration: Set the maximum number of lines the screen can contain | Optional. By default, the screen can contain up to 24 lines.
    VTY terminal configuration: Set history command buffer size | Optional. By default, the history command buffer can contain up to 10 commands.
    VTY terminal configuration: Set the timeout time of a user interface | Optional. The default timeout time is 10 minutes.

    The auto-execute command command may leave you unable to perform common configuration in the user interface, so use it with caution. Before executing the auto-execute command command and saving your configuration, make sure you can log in to the access controller in other modes and can cancel the configuration.

    Telnet Configurations for Different Authentication Modes

    Table 3-3 lists Telnet configurations for different authentication modes.

    Table 3-3 Telnet configurations for different authentication modes

    Authentication mode | Telnet configuration | Description
    None | Perform common configuration: perform common Telnet configuration | Optional. Refer to Table 3-2.
    Password | Configure the password: configure the password for local authentication | Required
    Password | Perform common configuration: perform common Telnet configuration | Optional. Refer to Table 3-2.
    Scheme | Specify to perform local authentication or RADIUS authentication: AAA configuration specifies whether to perform local authentication or RADIUS authentication | Optional. Local authentication is performed by default. Refer to AAA Configuration in the Security Volume for more.
    Scheme | Configure user name and password: configure user names and passwords for local/remote users | Required. The user name and password of a local user are configured on the access controller. The user name and password of a remote user are configured on the RADIUS server. Refer to the user manual of the RADIUS server for more.
    Scheme | Manage VTY users: set the service type for VTY users | Required
    Scheme | Perform common configuration: perform common Telnet configuration | Optional. Refer to Table 3-2.

    Telnet Configuration with Authentication Mode Being None

    Configuration Procedure

    To do | Use the command | Remarks
    Enter system view | system-view | -
    Enter one or more VTY user interface views | user-interface vty first-number [ last-number ] | -
    Configure not to authenticate users logging in to VTY user interfaces | authentication-mode none | Required. By default, VTY users are authenticated after logging in.
    Configure the command level available to users logging in to the VTY user interface | user privilege level level | Optional. By default, commands of level 0 are available to users logging in to VTY user interfaces.
    Configure the protocols to be supported by the VTY user interface | protocol inbound { all | ssh | telnet } | Optional. By default, both the Telnet protocol and the SSH protocol are supported.
    Set the command that is automatically executed when a user logs into the user interface | auto-execute command text | Optional. By default, no command is automatically executed when a user logs into a user interface.
    Define a shortcut key for aborting tasks | escape-key { default | character } | Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
    Make terminal services available | shell | Optional. By default, terminal services are available in all user interfaces.
    Set the maximum number of lines the screen can contain | screen-length screen-length | Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
    Set the history command buffer size | history-command max-size value | Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
    Set the timeout time of the VTY user interface | idle-timeout minutes [ seconds ] | Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

    Note that if you configure not to authenticate the users, the command level available to users logging in to the device depends on both the authentication-mode none command and the user privilege level level command, as listed in Table 3-4.

    Table 3-4 Determine the command level when users logging in to the device are not authenticated

    Authentication mode | User type | Scenario | Command level
    None (authentication-mode none) | VTY users | The user privilege level level command is not executed | Level 0
    None (authentication-mode none) | VTY users | The user privilege level level command has already been executed | Determined by the level argument

    Configuration Example

    Network requirements

    Assume that you are a level 3 AUX/console user and want to perform the following configuration for Telnet users logging in to VTY 0:

    Do not authenticate users logging in to VTY 0.

    Commands of level 2 are available to users logging in to VTY 0.

    Telnet protocol is supported.

    The screen can contain up to 30 lines.


    The history command buffer can contain up to 20 commands.

    The timeout time of VTY 0 is 6 minutes.

    Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none)

    [Figure: the RS-232 port of the PC is connected by a console cable to the console port of the AC]

    Configuration procedure

    # Enter system view, and enable the Telnet service.

    system-view

    [Sysname] telnet server enable

    # Enter VTY 0 user interface view.

    [Sysname] user-interface vty 0

    # Configure not to authenticate Telnet users logging in to VTY 0.

    [Sysname-ui-vty0] authentication-mode none

    # Specify that commands of level 2 are available to users logging in to VTY 0.

    [Sysname-ui-vty0] user privilege level 2

    # Configure the Telnet protocol to be supported.

    [Sysname-ui-vty0] protocol inbound telnet

    # Set the maximum number of lines the screen can contain to 30.

    [Sysname-ui-vty0] screen-length 30

    # Set the maximum number of commands the history command buffer can store to 20.

    [Sysname-ui-vty0] history-command max-size 20

    # Set the timeout time to 6 minutes.

    [Sysname-ui-vty0] idle-timeout 6

    Telnet Configuration with Authentication Mode Being Password

    Configuration Procedure

    To do | Use the command | Remarks
    Enter system view | system-view | -
    Enter one or more VTY user interface views | user-interface vty first-number [ last-number ] | -
    Configure to authenticate users logging in to VTY user interfaces using the local password | authentication-mode password | Required
    Set the local password | set authentication password { cipher | simple } password | Required
    Configure the command level available to users logging in to the user interface | user privilege level level | Optional. By default, commands of level 0 are available to users logging in to the VTY user interface.
    Configure the protocol to be supported by the user interface | protocol inbound { all | ssh | telnet } | Optional. By default, both the Telnet protocol and the SSH protocol are supported.
    Set the command that is automatically executed when a user logs into the user interface | auto-execute command text | Optional. By default, no command is automatically executed when a user logs into a user interface.
    Define a shortcut key for aborting tasks | escape-key { default | character } | Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
    Make terminal services available | shell | Optional. By default, terminal services are available in all user interfaces.
    Set the maximum number of lines the screen can contain | screen-length screen-length | Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
    Set the history command buffer size | history-command max-size value | Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
    Set the timeout time of the user interface | idle-timeout minutes [ seconds ] | Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

    Note that if you configure to authenticate the users in the password mode, the command level available to users logging in to the device depends on both the authentication-mode password command and the user privilege level level command, as listed in Table 3-5.

    Table 3-5 Determine the command level when users logging in to the device are authenticated in the password mode

    Authentication mode | User type | Scenario | Command level
    Password (authentication-mode password) | VTY users | The user privilege level level command is not executed | Level 0
    Password (authentication-mode password) | VTY users | The user privilege level level command has already been executed | Determined by the level argument


    Configuration Example

    Network requirements

    Assume that you are a level 3 AUX/console user and want to perform the following configuration for Telnet users logging in to VTY 0:

    Authenticate users logging in to VTY 0 using the local password.

    Set the local password to 123456 (in plain text).

    Commands of level 2 are available to users logging in to VTY 0.

    Telnet protocol is supported.

    The screen can contain up to 30 lines.

    The history command buffer can contain up to 20 commands.

    The timeout time of VTY 0 is 6 minutes.

    Figure 3-2 Network diagram for Telnet configuration (with the authentication mode being password)

    [Figure: the RS-232 port of the PC is connected by a console cable to the console port of the AC]

    Configuration procedure

    # Enter system view, and enable the Telnet service.

    system-view

    [Sysname] telnet server enable

    # Enter VTY 0 user interface view.

    [Sysname] user-interface vty 0

    # Configure to authenticate users logging in to VTY 0 using the local password.

    [Sysname-ui-vty0] authentication-mode password

    # Set the local password to 123456 (in plain text).

    [Sysname-ui-vty0] set authentication password simple 123456

    # Specify that commands of level 2 are available to users logging in to VTY 0.

    [Sysname-ui-vty0] user privilege level 2

    # Configure the Telnet protocol to be supported.

    [Sysname-ui-vty0] protocol inbound telnet

    # Set the maximum number of lines the screen can contain to 30.

    [Sysname-ui-vty0] screen-length 30

    # Set the maximum number of commands the history command buffer can store to 20.

    [Sysname-ui-vty0] history-command max-size 20

    # Set the timeout time to 6 minutes.

    [Sysname-ui-vty0] idle-timeout 6


    Telnet Configuration with Authentication Mode Being Scheme

    Configuration Procedure

    To do | Use the command | Remarks
    Enter system view | system-view | -
    Configure the authentication scheme: enter the default ISP domain view | domain domain-name | Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning local users as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well: perform AAA&RADIUS configuration on the access controller (refer to AAA Configuration in the Security Volume for more), and configure the user name and password accordingly on the AAA server (refer to the user manual of the AAA server).
    Configure the authentication scheme: configure the AAA scheme to be applied to the domain | authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } | Optional (see the remarks on the previous row)
    Configure the authentication scheme: quit to system view | quit | Optional (see the remarks above)
    Create a local user and enter local user view | local-user user-name | No local user exists by default.
    Set the authentication password for the local user | password { simple | cipher } password | Required
    Specify the service type for VTY users | service-type telnet [ level level ] | Required
    Quit to system view | quit | -
    Enter one or more VTY user interface views | user-interface vty first-number [ last-number ] | -
    Configure to authenticate users locally or remotely | authentication-mode scheme [ command-authorization ] | Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.
    Configure the command level available to users logging in to the user interface | user privilege level level | Optional. By default, commands of level 0 are available to users logging in to the VTY user interfaces.
    Configure the supported protocol | protocol inbound { all | ssh | telnet } | Optional. Both the Telnet protocol and the SSH protocol are supported by default.
    Set the command that is automatically executed when a user logs into the user interface | auto-execute command text | Optional. By default, no command is automatically executed when a user logs into a user interface.
    Define a shortcut key for aborting tasks | escape-key { default | character } | Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
    Make terminal services available | shell | Optional. Terminal services are available in all user interfaces by default.
    Set the maximum number of lines the screen can contain | screen-length screen-length | Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
    Set history command buffer size | history-command max-size value | Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
    Set the timeout time for the user interface | idle-timeout minutes [ seconds ] | Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

    Note that if you configure to authenticate the users in the scheme mode, the command level available to users logging in to the device depends on the authentication-mode scheme [ command-authorization ] command, the user privilege level level command, and the authorization-attribute level command, as listed in Table 3-6.

    Table 3-6 Determine the command level when users logging in to the device are authenticated in the scheme mode

    Authentication mode: authentication-mode scheme [ command-authorization ]

    User type: VTY users that are AAA&RADIUS authenticated or locally authenticated
    Scenario | Command level
    The user privilege level level command is not executed, and the authorization-attribute level command does not specify the available command level. | Level 0
    The user privilege level level command is not executed, and the authorization-attribute level command specifies the available command level. | Determined by the authorization-attribute level command
    The user privilege level level command is executed, and the authorization-attribute level command does not specify the available command level. | Level 0
    The user privilege level level command is executed, and the authorization-attribute level command specifies the available command level. | Determined by the authorization-attribute level command

    User type: VTY users that are authenticated in the RSA mode of SSH
    Scenario | Command level
    The user privilege level level command is not executed, and the authorization-attribute level command does not specify the available command level. | Level 0
    The user privilege level level command is not executed, and the authorization-attribute level command specifies the available command level. | Level 0
    The user privilege level level command is executed, and the authorization-attribute level command does not specify the available command level. | Determined by the user privilege level level command
    The user privilege level level command is executed, and the authorization-attribute level command specifies the available command level. | Determined by the user privilege level level command

    User type: VTY users that are authenticated in the password mode of SSH
    Scenario | Command level
    The user privilege level level command is not executed, and the authorization-attribute level command does not specify the available command level. | Level 0
    The user privilege level level command is not executed, and the authorization-attribute level command specifies the available command level. | Determined by the authorization-attribute level command
    The user privilege level level command is executed, and the authorization-attribute level command does not specify the available command level. | Level 0
    The user privilege level level command is executed, and the service-type command specifies the available command level. | Determined by the service-type command

    Refer to AAA Configuration and SSH 2.0 Configuration in the Security Volume for information about AAA-RADIUS-HWTACACS and SSH.

    Configuration Example

    Network requirements

    Assume that you are a level 3 AUX/console user and want to perform the following configuration for Telnet users logging in to VTY 0:

    Configure the name of the local user as guest.

    Set the authentication password of the local user to 123456 (in plain text).

    Set the service type of VTY users to Telnet.

    Configure to authenticate users logging in to VTY 0 in scheme mode.


    The commands of level 2 are available to users logging in to VTY 0.

    Telnet protocol is supported in VTY 0.

    The screen can contain up to 30 lines.

    The history command buffer can store up to 20 commands.

    The timeout time of VTY 0 is 6 minutes.

    Figure 3-3 Network diagram for Telnet configuration (with the authentication mode being scheme)

    [Figure: the RS-232 port of the PC is connected by a console cable to the console port of the AC]

    Configuration procedure

    # Enter system view, and enable the Telnet service.

    system-view

    [Sysname] telnet server enable

    # Create a local user named guest and enter local user view.

    [Sysname] local-user guest

    # Set the authentication password of the local user to 123456 (in plain text).

    [Sysname-luser-guest] password simple 123456

    # Set the service type to Telnet, and specify that commands of level 2 are available to users logging in to VTY 0.

    [Sysname-luser-guest] authorization-attribute level 2

    [Sysname-luser-guest] service-type telnet

    [Sysname-luser-guest] quit

    # Enter VTY 0 user interface view.

    [Sysname] user-interface vty 0

    # Configure to authenticate users logging in to VTY 0 in the scheme mode.

    [Sysname-ui-vty0] authentication-mode scheme

    # Configure the Telnet protocol to be supported.

    [Sysname-ui-vty0] protocol inbound telnet

    # Set the maximum number of lines the screen can contain to 30.

    [Sysname-ui-vty0] screen-length 30

    # Set the maximum number of commands the history command buffer can store to 20.

    [Sysname-ui-vty0] history-command max-size 20

    # Set the timeout time to 6 minutes.

    [Sysname-ui-vty0] idle-timeout 6
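    A small configuration auditor, added here as an example and not part of the H3C manual, that applies the checks behind the three Telnet configuration sections above (authentication-mode, protocol inbound, idle-timeout, set authentication password simple, password simple, auto-execute command) and the Table 3-4 level rule to a constructed running configuration. The Comware block layout it parses (unindented block header, indented commands, # separators) and the sample configuration are assumptions.

```python
"""Audit a Comware-style configuration for weak Telnet/console login settings.
Added example (not from the H3C manual). Assumes Comware's layout: an
unindented line opens a block, indented lines belong to it, '#' separates."""
from dataclasses import dataclass

# Constructed sample configuration, modelled on the manual's examples.
SAMPLE_CONFIG = """\
 telnet server enable
#
local-user guest
 password simple 123456
 authorization-attribute level 2
 service-type telnet
#
user-interface aux 0
 authentication-mode scheme
 idle-timeout 6 0
user-interface vty 0
 authentication-mode none
 user privilege level 2
 protocol inbound telnet
 idle-timeout 0 0
user-interface vty 1 4
 authentication-mode password
 set authentication password simple 123456
 auto-execute command display version
 protocol inbound ssh
"""


@dataclass(frozen=True)
class Finding:
    scope: str      # block header, e.g. "user-interface vty 0"
    severity: str   # HIGH, MEDIUM or INFO
    message: str


def parse_blocks(config_text):
    """Split the config into (header, [commands]) pairs; lines before the
    first block header are filed under the pseudo-header 'global'."""
    blocks, header, body = [], "global", []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            blocks.append((header, body))
            header, body = line.strip(), []
    blocks.append((header, body))
    return blocks


def parse_idle_timeout(command):
    """'idle-timeout minutes [ seconds ]' -> (minutes, seconds)."""
    parts = command.split()[1:]
    return int(parts[0]), (int(parts[1]) if len(parts) > 1 else 0)


def check_user_interface(header, body, telnet_enabled):
    findings = []
    auth = next((c.split()[1] for c in body if c.startswith("authentication-mode ")), None)
    # Table 3-4: with authentication-mode none the command level is the
    # 'user privilege level' argument if that command was executed, else 0.
    priv = next((int(c.split()[3]) for c in body if c.startswith("user privilege level ")), 0)
    if auth == "none":
        findings.append(Finding(header, "HIGH",
                                f"authentication-mode none: unauthenticated users get level {priv} commands"))
    for cmd in body:
        if cmd.startswith("set authentication password simple "):
            findings.append(Finding(header, "HIGH", "line password stored in plain text; use cipher"))
        elif cmd.startswith("auto-execute command "):
            findings.append(Finding(header, "INFO", "auto-execute command set; the manual warns it can block common configuration"))
        elif cmd.startswith("idle-timeout ") and parse_idle_timeout(cmd) == (0, 0):
            findings.append(Finding(header, "MEDIUM", "idle-timeout 0 disables the idle timeout (default 10 minutes)"))
    if header.startswith("user-interface vty") and telnet_enabled:
        # 'protocol inbound' defaults to all (Telnet and SSH) when absent
        proto = next((c.split()[2] for c in body if c.startswith("protocol inbound ")), "all")
        if proto in ("all", "telnet"):
            findings.append(Finding(header, "MEDIUM", f"protocol inbound {proto}: cleartext Telnet accepted"))
    return findings


def check_local_user(header, body):
    return [Finding(header, "HIGH", "local user password stored in plain text; use cipher")
            for cmd in body if cmd.startswith("password simple ")]


def audit(config_text):
    """Return all findings for one configuration, in configuration order."""
    blocks = parse_blocks(config_text)
    telnet_enabled = any("telnet server enable" in body for _, body in blocks)
    findings = []
    if telnet_enabled:
        findings.append(Finding("global", "INFO", "Telnet server enabled; credentials travel in cleartext, prefer SSH"))
    for header, body in blocks:
        if header.startswith("user-interface"):
            findings.extend(check_user_interface(header, body, telnet_enabled))
        elif header.startswith("local-user"):
            findings.extend(check_local_user(header, body))
    return findings
```

    Running audit(SAMPLE_CONFIG) reports the unauthenticated VTY 0 (with the level-2 commands it hands out), its disabled idle timeout and cleartext Telnet, the two plain-text passwords, and the auto-execute command on VTY 1 to 4, while the scheme-authenticated AUX line produces nothing.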

    Telnet Connection Establishment

    Telnetting to an Access Controller from a Terminal

    Step 1 Log in to the access controller through the management Ethernet interface or VLAN interface.


    You can assign an IP address to the VLAN interface of an access controller that does not have a management Ethernet port to make sure the route between the PC and the access controller is valid. Refer to VLAN Configuration in the Access Volume and MAC Address Table Management Configuration in the System Volume for details.

    Connect to the console port. Refer to Setting Up the Connection to the Console Port.

    Execute the following commands in the terminal window to assign an IP address to the management Ethernet interface of the access controller.

    # Configure the IP address of the management Ethernet interface on the device as 202.38.160.92, with the subnet mask 255.255.255.0.

    system-view

    [Sysname] interface M-Ethernet 1/0/1

    [Sysname-M-Ethernet1/0/1] ip address 202.38.160.92 255.255.255.0

    # Or, configure the IP address of VLAN-interface 1 on the device as 202.38.160.92, with the subnet mask 255.255.255.0.

    system-view

    [Sysname] interface Vlan-interface 1

    [Sysname-Vlan-interface1] ip address 202.38.160.92 255.255.255.0

    Step 2 Before Telnet users can log in to the device, the corresponding configuration must have been performed on the device according to the authentication mode chosen for them. Refer to section Telnet Configuration with Authentication Mode Being None, section Telnet Configuration with Authentication Mode Being Password, and section Telnet Configuration with Authentication Mode Being Scheme for more. By default, Telnet users need to pass password authentication to log in.

    Step 3 Connect your PC to the management Ethernet interface (or Ethernet interface) of the device, as shown in Figure 3-4. Make sure the route between the PC and the management Ethernet interface (or Ethernet interface) of the device is available if the PC and the access controller are not in the same LAN.

    Figure 3-4 Network diagram for Telnet connection establishment

    Step 4 Launch Telnet on your PC, with the IP address of the management Ethernet interface of the device, as shown in the following figure.


    Figure 3-5 Launch Telnet

    Step 5 Enter the password when the Telnet window displays Login authentication and prompts for the login password. The CLI prompt appears if the password provided is correct. If all VTY user interfaces of the access controller are in use, you will fail to establish the connection and receive the message "The number of users currently using the system configuration has reached the maximum. Please wait until one of the users releases the system configuration." An access controller can accommodate up to five Telnet connections at the same time.

    Step 6 After successfully telnetting to the device, you can configure the access controller or display information about the access controller by executing the corresponding commands. You can also type ? at any time for help. Refer to Basic System Configuration.

    A Telnet connection will be terminated if you remove or modify the IP address of the management interface or VLAN interface in the Telnet session.

    By default, commands of level 0 are available to Telnet users authenticated by password. Refer to Basic System Configuration in the System Volume for information about command levels.

    Telnetting to Another Access Controller from the Current One

    You can telnet to another access controller product from the current one. In this case, the current access controller product operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two access controller products are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that the route between the two VLAN interfaces is available.

    As shown in Figure 3-6, after telnetting to an access controller product (labeled as Telnet client), you can telnet to another device (labeled as Telnet server) by executing the telnet command and then configure the latter.

    Figure 3-6 Network diagram for Telnetting to another access controller from the current one


    Step 1 Configure the user name and password for Telnet on the access controller operating as the Telnet server. Refer to section Telnet Configuration with Authentication Mode Being None, section Telnet Configuration with Authentication Mode Being Password, and section Telnet Configuration with Authentication Mode Being Scheme for more. By default, Telnet users need to pass password authentication to log in.

    Step 2 Telnet to the access controller operating as the Telnet client.

    Step 3 Execute this command on the access controller operating as the Telnet client: telnet xxxx, where xxxx is the IP address or the host name of the access controller operating as the Telnet server. You can use the ip host command to assign a host name to an access controller.

    Step 4 Enter the password. If the password is correct, the CLI prompt appears. If all VTY user interfaces of the access controller are in use, you will fail to establish the connection and receive the message "All user interfaces are used, please try later!".

    Step 5 After successfully telnetting to the access controller, you can configure the access controller or display information about the access controller by executing the corresponding commands. You can also type ? at any time for help. Refer to Basic System Configuration in the System Volume.


4 Logging In Through the Web-Based Network Management System

    Logging in through the web-based network management system varies by device model. In this chapter,

    the access controller engines of the WX3024 unified switches are used in the examples.

    When logging in through the Web-based network management system, go to these sections for

    information you are interested in:

    Introduction

    Setting Up a Web Configuration Environment

    Introduction

    Each H3C WX series access controller product has a Web server built in. It enables you to log in to the

    device through a Web browser and then manage and maintain the device intuitively by interacting with

    the built-in Web server.

    To log in to the access controller product through the built-in Web-based network management system,

    you need to perform the related configuration on both the switching engine and the PC operating as the

    network management terminal.

Table 4-1 Requirements for logging in to the device through the Web-based network management system

Item: Access controller product
  Requirement: The VLAN interface or management interface of the access controller product is assigned an IP address, and the route between the access controller product and the Web network management terminal is reachable.
  Requirement: The user name and password for logging in to the Web-based network management system are configured.

Item: PC operating as the network management terminal
  Requirement: IE is available.
  Requirement: The IP address of the VLAN interface of the device, the user name, and the password are available.


An access controller product has a factory default configuration when it is shipped. With this configuration, you can enter http://192.168.0.100 in the address bar of the browser on a Web network management terminal (PC), supposing that a route between the Web network management terminal and the access controller product is available, and the browser will display the login page. Enter the default user name and password (both admin) and the verification code, select the language, and then you can log in to the Web interface. If you have saved your configuration file, the device will start up with that configuration file at the next boot, and the factory defaults no longer take effect.

    For the WX5002, WX5002V2, and WX5004, you can log in to the device through the Web-based

    network management system.

    For the access controller modules LS8M1WCMA0, LSQM1WCMB0, LSBM1WCM2A0,

    LSRM1WCM2A1, LSWM1WCM10, and LSWM1WCM20, you can log in to the access controller

    modules through the Web-based network management system.

    For the WX6103, you can log in to the main control board through the Web-based network

    management system. For the login to the switch interface board, see the related section of the

    Login Configuration in the H3C WX6103 Access Controller Switch Interface Board Operation

    Manual.

For the WX3024, WX3010, and WX3008, you can log in to the access controller engine through the Web-based network management system. For the login to the switching engine, see the related section of the Login Configuration in the H3C WX3000 Series Unified Switches Switching Engine Operation Manual.

    Setting Up a Web Configuration Environment

    Step1 Before logging in to the access controller engine of the WX3024 (AC in Figure 4-1) through the

    Web-based network management system, assign an IP address to the switching engine (for devices

    providing management Ethernet ports, you can configure the IP address on the management Ethernet

    interface), and configure Web network management user name and authentication password.

# Assign an IP address to the access controller engine of the WX3024.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.100 24
[Sysname-Vlan-interface1] quit

# Create a Web user account, setting both the user name and the password to admin and the user level to 3 (manage level).
[Sysname] local-user admin
[Sysname-luser-admin] service-type telnet
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] password simple admin
[Sysname-luser-admin] quit

Step2 Configure the management IP address for the switching engine of the WX3024 (Optional).

# After configuring the IP address, you can go to the Web interface of the switching engine from the Web interface of the access controller engine. 192.168.0.101 is the management IP address of the switching engine, and slot 0 is the slot number of the switching engine. Currently, only the WX3000 series support this function.
[Sysname] oap management-ip 192.168.0.101 slot 0

    Step3 Set up a Web configuration environment, as shown in Figure 4-1.

Figure 4-1 Set up a Web configuration environment (the PC reaches the AC across the Internet)

Step4 Log in to the switching engine through IE. Launch IE on the Web-based network management terminal (your PC) and enter http://192.168.0.100 in the address bar. (Make sure the route between the Web-based network management terminal and the switching engine is available.)

Step5 When the login authentication interface (as shown in Figure 4-2) appears, enter the user name admin and the password admin, enter the verification code, and then click Login to bring up the main page of the Web-based network management system.

    Figure 4-2 The login page of the Web-based network management system


5 Logging In Through an NMS

When logging in through an NMS, go to these sections for information you are interested in:

    Introduction

    Connection Establishment

    Introduction

    You can also log in to an access controller through an NMS (network management station), and then

    configure and manage the access controller through the agent module on the access controller.

    The agent here refers to the server-side software running on network devices (access controllers).

    SNMP (Simple Network Management Protocol) is applied between the NMS and the agent.

    To log in to an access controller through an NMS, you need to perform related configuration on both the

    NMS and the device.

Table 5-1 Requirements for logging in to the device through an NMS

Item: Access controller
  Requirement: The IP address of the management VLAN of the access controller is configured. The route between the NMS and the access controller is available.
  Requirement: The basic SNMP functions are configured. (Refer to SNMP Configuration in the System Volume for more.)

Item: NMS
  Requirement: The NMS is properly configured. (Refer to the user manual of your NMS for more.)

    Connection Establishment

    Figure 5-1 Network diagram for logging in through an NMS


6 Controlling Login Users

To control login users, go to these sections for information you are interested in:

    Introduction

    Controlling Telnet Users

    Controlling Network Management Users by Source IP Addresses

    Introduction

    An access controller provides ways to control different types of login users, as listed in Table 6-1.

Table 6-1 Ways to control different types of login users

Login mode: Telnet
  Control method: By SSIDs of clients
  Implementation: Through WLAN ACLs
  Related section: Controlling Telnet Users by SSIDs of Clients

Login mode: Telnet
  Control method: By source IP addresses
  Implementation: Through basic ACLs
  Related section: Controlling Telnet Users by Source IP Addresses

Login mode: Telnet
  Control method: By source and destination IP addresses, protocols carried over IP, and protocol features
  Implementation: Through advanced ACLs
  Related section: Controlling Telnet Users by Source and Destination IP Addresses

Login mode: Telnet
  Control method: By source MAC addresses
  Implementation: Through Layer 2 ACLs
  Related section: Controlling Telnet Users by Source MAC Addresses

Login mode: SNMP
  Control method: By source IP addresses
  Implementation: Through basic ACLs
  Related section: Controlling Network Management Users by Source IP Addresses

    Controlling Telnet Users

    Prerequisites

    The controlling policy against Telnet users is determined, including the wireless clients, source and

    destination IP addresses to be controlled and the controlling actions (permitting or denying).

    Controlling Telnet Users by SSIDs of Clients

Controlling Telnet users by service set identifiers (SSIDs) is achieved by matching WLAN ACLs against packets based on the SSIDs of clients. WLAN ACLs are numbered from 100 to 199. Refer to ACL Configuration in the Security Volume for information about defining an ACL.

To do: Enter system view
  Use the command: system-view

To do: Create a WLAN ACL and enter WLAN ACL view
  Use the command: acl number acl-number
  Remarks: Required

To do: Define a rule for the WLAN ACL
  Use the command: rule [ rule-id ] { permit | deny } [ ssid ssid-name ]
  Remarks: Required

To do: Quit to system view
  Use the command: quit

To do: Enter user interface view
  Use the command: user-interface [ type ] first-number [ last-number ]
  Remarks: The interface type and quantity supported by this command vary by device model.

To do: Apply the WLAN ACL to control Telnet users by SSIDs of WLAN clients
  Use the command: acl acl-number inbound
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller. Support for this command depends on the supported interface type.

Controlling Telnet Users by Source IP Addresses

Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999. Refer to ACL Configuration in the Security Volume for information about defining an ACL.

To do: Enter system view
  Use the command: system-view

To do: Create a basic ACL or enter basic ACL view
  Use the command: acl [ ipv6 ] number acl-number [ match-order { config | auto } ]
  Remarks: Required. As for the acl number command, the config keyword is specified by default. Support for IPv6 addresses varies by device model.

To do: Define rules for the ACL
  Use the command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ] *
  Remarks: Required

To do: Quit to system view
  Use the command: quit

To do: Enter user interface view
  Use the command: user-interface [ type ] first-number [ last-number ]
  Remarks: The interface type and quantity supported by this command vary by device model.

To do: Apply the ACL to control Telnet users by source IP addresses
  Use the command: acl [ ipv6 ] acl-number { inbound | outbound }
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller. The outbound keyword filters the users trying to Telnet to other access controllers from the current access controller. The interface type supported by this command varies by device model. Support for IPv6 addresses depends on the device model.

Controlling Telnet Users by Source and Destination IP Addresses

Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to ACL Configuration in the Security Volume for information about defining an ACL.

To do: Enter system view
  Use the command: system-view

To do: Create an advanced ACL or enter advanced ACL view
  Use the command: acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: Required. As for the acl number command, the config keyword is specified by default. Support for IPv6 addresses varies by device model.

To do: Define rules for the ACL
  Use the command: rule [ rule-id ] { permit | deny } rule-string
  Remarks: Required. You can define rules as needed to filter by specific source and destination IP addresses.

To do: Quit to system view
  Use the command: quit

To do: Enter user interface view
  Use the command: user-interface [ type ] first-number [ last-number ]
  Remarks: The interface type and quantity supported by this command vary by device model.

To do: Apply the ACL to control Telnet users by specified source and destination IP addresses
  Use the command: acl [ ipv6 ] acl-number { inbound | outbound }
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller. The outbound keyword filters the users trying to Telnet to other access controllers from the current access controller. The interface type supported by this command varies by device model. Support for IPv6 addresses depends on the device model.


Controlling Telnet Users by Source MAC Addresses

Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Refer to ACL Configuration in the Security Volume for information about defining an ACL.

To do: Enter system view
  Use the command: system-view

To do: Create a basic ACL or enter basic ACL view
  Use the command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: As for the acl number command, the config keyword is specified by default.

To do: Define rules for the ACL
  Use the command: rule [ rule-id ] { permit | deny } rule-string
  Remarks: Required. You can define rules as needed to filter by specific source MAC addresses.

To do: Quit to system view
  Use the command: quit

To do: Enter user interface view
  Use the command: user-interface [ type ] first-number [ last-number ]
  Remarks: The interface type and quantity supported by this command vary by device model.

To do: Apply the ACL to control Telnet users by source MAC addresses
  Use the command: acl acl-number inbound
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller.

    Configuration Example

    Network requirements

Only the Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to log in to the access controller.

Figure 6-1 Network diagram for controlling Telnet users using ACLs (Host A at 10.110.100.52/24 and Host B at 10.110.100.46/24 reach the AC across an IP network)

    Configuration procedure

# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny
[Sysname-acl-basic-2000] quit

# Apply the ACL to permit only Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 to access the access controller.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound

    Controlling Network Management Users by Source IP Addresses

    You can manage an access controller through network management software. Network management

    users can access controllers through SNMP.

    You need to perform the following two operations to control network management users by source IP

    addresses.

    Defining an ACL

    Applying the ACL to control users accessing the access controller through SNMP

    Prerequisites

    The controlling policy against network management users is determined, including the source IP

    addresses to be controlled and the controlling actions (permitting or denying).

    Controlling Network Management Users by Source IP Addresses

    Controlling network management users by source IP addresses is achieved by applying basic ACLs,

    which are numbered from 2000 to 2999. Refer to ACL Configuration in the Security Volume for

    information about defining an ACL.

To do: Enter system view
  Use the command: system-view

To do: Create a basic ACL or enter basic ACL view
  Use the command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: As for the acl number command, the config keyword is specified by default.

To do: Define rules for the ACL
  Use the command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ] *
  Remarks: Required

To do: Quit to system view
  Use the command: quit

To do: Apply the ACL while configuring the SNMP community name
  Use the command: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ] *
  Remarks: Required

To do: Apply the ACL while configuring the SNMP group name
  Use the command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Use the command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Remarks: Required

To do: Apply the ACL while configuring the SNMP user name
  Use the command: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
  Use the command: snmp-agent usm-user v3 user-name group-name [ cipher ] [ authentication-mode { md5 | sha } auth-password [ privacy-mode { des56 | aes128 } priv-password ] ] [ acl acl-number ]
  Remarks: Required

You can specify different ACLs while configuring the SNMP community name, the SNMP group name, and the SNMP user name. Refer to SNMP Configuration in the System Volume for SNMP-related commands.

As the SNMP community name is a feature of SNMPv1 and SNMPv2c, the ACLs specified in the command that configures SNMP community names (the snmp-agent community command) take effect for network management systems that use SNMPv1 or SNMPv2c.

Similarly, as the SNMP group name and SNMP user name are features of SNMPv2c and higher SNMP versions, the ACLs specified in the commands that configure SNMP group names (the snmp-agent group command and the snmp-agent group v3 command) and SNMP user names (the snmp-agent usm-user command and the snmp-agent usm-user v3 command) take effect for network management systems that use SNMPv2c or higher SNMP versions. If you configure both the SNMP group name and the SNMP user name and specify ACLs in both operations, the access controller filters network management users by both the SNMP group name and the SNMP user name.

    Configuration Example

    Network requirements

    Only SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 are permitted to

    access the access controller.

Figure 6-2 Network diagram for controlling SNMP users using ACLs (Host A at 10.110.100.52/24 and Host B at 10.110.100.46/24 reach the AC across an IP network)

    Configuration procedure

# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny
[Sysname-acl-basic-2000] quit

# Apply the ACL to permit only SNMP users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 to access the access controller.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
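The Telnet example and the SNMP example above both depend on ACL 2000 admitting only Host A and Host B. The following Python model, added here and not part of the H3C manual, reproduces the matching semantics the tables describe (source address plus wildcard mask, match-order config versus auto, first matching rule wins) so a rule set can be checked against candidate source addresses before it is applied to the VTY lines or to the SNMP community, group and user. The auto ordering is approximated as most-specific-source-first, and the probe addresses other than Host A and Host B are constructed.

```python
import ipaddress


def _to_int(text):
    # Dotted quad to int; a bare "0" (the page's "source x.x.x.x 0") means 0.0.0.0.
    return int(text) & 0xFFFFFFFF if text.isdigit() else int(ipaddress.IPv4Address(text))


class Rule:
    # One basic ACL rule: permit/deny, optionally restricted to a source and wildcard.
    def __init__(self, rule_id, action, source="any", wildcard="255.255.255.255"):
        assert action in ("permit", "deny")
        self.rule_id, self.action, self.source, self.wildcard = rule_id, action, source, wildcard

    def matches(self, ip):
        if self.source == "any":
            return True
        care = 0xFFFFFFFF ^ _to_int(self.wildcard)  # 1-bits in the wildcard are ignored
        return (_to_int(ip) & care) == (_to_int(self.source) & care)

    def fixed_bits(self):
        # Bits that must match; more of them means a more specific rule (match-order auto).
        return 0 if self.source == "any" else 32 - bin(_to_int(self.wildcard)).count("1")

    def command(self):
        text = f"rule {self.rule_id} {self.action}"
        return text if self.source == "any" else f"{text} source {self.source} {self.wildcard}"


class BasicAcl:
    # Basic ACL (2000-2999) with the config and auto match orders named in the tables above.
    def __init__(self, number, match_order="config"):
        assert 2000 <= number <= 2999 and match_order in ("config", "auto")
        self.number, self.match_order, self.rules = number, match_order, []

    def add_rule(self, rule_id, action, source="any", wildcard="255.255.255.255"):
        self.rules.append(Rule(rule_id, action, source, wildcard))
        return self

    def ordered(self):
        if self.match_order == "auto":  # approximation: most specific source first
            return sorted(self.rules, key=lambda r: (-r.fixed_bits(), r.rule_id))
        return sorted(self.rules, key=lambda r: r.rule_id)  # config: rule ID order

    def evaluate(self, ip):
        # First matching rule wins. "no-match" means no rule covered the address, which is
        # why the page's example closes ACL 2000 with an explicit "rule 3 deny".
        for rule in self.ordered():
            if rule.matches(ip):
                return rule.action
        return "no-match"

    def commands(self):
        # Render the ACL as the Comware lines shown in the page's configuration examples.
        lines = [f"acl number {self.number} match-order {self.match_order}"]
        lines += [r.command() for r in sorted(self.rules, key=lambda r: r.rule_id)]
        return lines + ["quit"]


def acl_2000():
    # ACL 2000 from the page: permit Host A and Host B, deny every other source.
    return (BasicAcl(2000, "config")
            .add_rule(1, "permit", "10.110.100.52", "0")
            .add_rule(2, "permit", "10.110.100.46", "0")
            .add_rule(3, "deny"))
```

Calling acl_2000().evaluate() on a source address shows whether that host would be admitted by the VTY or SNMP filter, and commands() gives the lines to paste into ACL view.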