01 login configuration
Post on 07-Apr-2018
8/3/2019 01 Login Configuration
Table of Contents
1 Logging In to an Access Controller Product
  Logging In to an Access Controller Product
  Introduction to the User Interface
    Supported User Interfaces
    User Interface Number
    Common User Interface Configuration
2 Logging In Through the Console Port
  Introduction
  Setting Up the Connection to the Console Port
  Console Port Login Configuration
    Common Configuration
    Console Port Login Configurations for Different Authentication Modes
  Console Port Login Configuration with Authentication Mode Being None
    Configuration Procedure
    Configuration Example
  Console Port Login Configuration with Authentication Mode Being Password
    Configuration Procedure
    Configuration Example
  Console Port Login Configuration with Authentication Mode Being Scheme
    Configuration Procedure
    Configuration Example
3 Logging In Through Telnet
  Introduction
    Common Configuration
    Telnet Configurations for Different Authentication Modes
  Telnet Configuration with Authentication Mode Being None
    Configuration Procedure
    Configuration Example
  Telnet Configuration with Authentication Mode Being Password
    Configuration Procedure
    Configuration Example
  Telnet Configuration with Authentication Mode Being Scheme
    Configuration Procedure
    Configuration Example
  Telnet Connection Establishment
    Telnetting to an Access Controller from a Terminal
    Telnetting to Another Access Controller from the Current One
4 Logging In Through the Web-Based Network Management System
  Introduction
  Setting Up a Web Configuration Environment
5 Logging In Through an NMS
  Introduction
  Connection Establishment
6 Controlling Login Users
  Introduction
  Controlling Telnet Users
    Prerequisites
    Controlling Telnet Users by SSIDs of Clients
    Controlling Telnet Users by Source IP Addresses
    Controlling Telnet Users by Source and Destination IP Addresses
    Controlling Telnet Users by Source MAC Addresses
    Configuration Example
  Controlling Network Management Users by Source IP Addresses
    Prerequisites
    Controlling Network Management Users by Source IP Addresses
    Configuration Example
Support of the H3C WX series access controllers for features may vary by device model. Refer to
section "Feature Matrices" in Compatibility Matrices for details.
The interface types and the number of interfaces supported vary by device model. Throughout this
manual, GE interfaces are used in the examples that involve Ethernet interfaces.
The access control engines of the H3C WX3000 series unified switches and the LSBM1WCM2A0
access controller module do not support IPv6-related configurations.
For support of IPv6-related configurations, refer to section "Command Matrices" in Compatibility
Matrices for details.
The models listed in this manual are not applicable to all regions. Please consult your local sales
office for the models applicable to your region.
1 Logging In to an Access Controller Product
To log in to an access controller product, go to these sections for information you are interested in:
Logging In to an Access Controller Product
Introduction to the User Interface
Logging In to an Access Controller Product
You can log in to an access controller product in one of the following ways:
Logging in locally through the console port
Telnetting locally or remotely to an Ethernet port
Introduction to the User Interface
Supported User Interfaces
An access controller product supports three types of user interfaces: AUX, console and VTY.
Table 1-1 Description of user interfaces
AUX user interface
  Applicable user: users logging in through the console port
  Port used: console port
  Description: each access controller can accommodate one AUX user.
Console user interface
  Applicable user: users logging in through the console port
  Port used: console port
  Description: each access controller can accommodate one console user.
VTY user interface
  Applicable user: Telnet users and SSH users
  Port used: Ethernet port
  Description: each access controller can accommodate up to five VTY users.
-
8/3/2019 01 Login Configuration
4/44
1-2
User Interface Number
Two kinds of user interface indexes exist: absolute user interface index and relative user interface
index.
1) The absolute user interface indexes are as follows:
   AUX user interface: numbered first, index 0.
   Console user interface: numbered first, index 0.
   VTY user interfaces: numbered after the AUX user interface, increasing in steps of 1.
2) A relative user interface index is obtained by appending a number to the identifier of a user
interface type; it is generated per user interface type. The relative user interface indexes are as
follows:
   AUX user interface: AUX 0
   Console user interface: Console 0
   VTY user interfaces: VTY 0, VTY 1, VTY 2, and so on.
Common User Interface Configuration
Lock the current user interface
  Command: lock
  Remarks: Optional. Execute this command in user view. A user interface is not locked by default.
Send messages to all user interfaces or to a specified user interface
  Command: send { all | number | type number }
  Remarks: Optional. Execute this command in user view.
Disconnect a specified user interface
  Command: free user-interface [ type ] number
  Remarks: Optional. Execute this command in user view. The interface types and quantity supported by this command vary by device model.
Enter system view
  Command: system-view
Set the banner
  Command: header { incoming | legal | login | motd | shell } text
  Remarks: Optional. By default, no banner is configured.
Set a system name for the access controller product
  Command: sysname string
  Remarks: Optional. The default system name is H3C.
Enter user interface view
  Command: user-interface [ type ] first-number [ last-number ]
  Remarks: The interface types and quantity supported by this command vary by device model.
Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.
Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the paging of displayed information.
Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.
Set the display type of a terminal
  Command: terminal type { ansi | vt100 }
  Remarks: Optional. By default, the terminal display type is ANSI. The device must use the same display type as the terminal: if the terminal uses VT100, the device should also use VT100.
Display information about the current user interface or all user interfaces
  Command: display users [ all ]
  Remarks: You can execute this command in any view.
Display the physical attributes and configuration of the current or a specified user interface
  Command: display user-interface [ type | number ] [ summary ]
  Remarks: You can execute this command in any view. The interface types and quantity supported by this command vary by device model.
2 Logging In Through the Console Port
When logging in through the console port, go to these sections for information you are interested in:
Introduction
Setting Up the Connection to the Console Port
Console Port Login Configuration
Console Port Login Configuration with Authentication Mode Being None
Console Port Login Configuration with Authentication Mode Being Password
Console Port Login Configuration with Authentication Mode Being Scheme
Introduction
Support for the console port and AUX port varies by device model.
Logging in through the console port is the most common way to log in to the device. It is also the
prerequisite for configuring other login methods. By default, you can log in to the device through its
console port only.
To log in to the device through its console port, the related configuration of the user terminal must be in
accordance with that of the console port.
Table 2-1 lists the default settings of a console port.
Table 2-1 The default settings of a console port
  Baud rate: 9,600 bps
  Check mode (parity): none, that is, no check bit
  Stop bits: 1
  Data bits: 8
After logging in to the device, you can modify the settings of the console port. Refer to section Console
Port Login Configuration for more information.
Setting Up the Connection to the Console Port
Step 1: Connect the serial port of your PC/terminal to the console port of the access controller (AC), as shown
in Figure 2-1.
Figure 2-1 Diagram for setting up the connection to the console port (PC RS-232 port, console cable, AC console port)
Step 2: If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in
Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the
configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created. Normally, the
parameters of the terminal are configured as those listed in Table 2-1.
Figure 2-2 Create a connection
Figure 2-3 Specify the port used to establish the connection
Figure 2-4 Set port parameters in the terminal window
Step 3: Turn on the access controller. You will be prompted to press the Enter key if the access controller
successfully completes POST (power-on self test). The prompt (such as ) appears after the
user presses the Enter key, as shown in Figure 2-5.
Figure 2-5 The terminal window
Step 4: You can then configure the access controller or check information about the access controller by
executing commands. You can also get help by typing the ? character. Refer to the following
chapters for information about the commands.
Console Port Login Configuration
Common Configuration
Table 2-2 lists the common configuration of console port login.
Table 2-2 Common configuration of console port login
Console port configuration
  Baud rate: Optional. The default baud rate is 9,600 bps.
  Check mode: Optional. By default, the check mode of the console port is set to none, which means no check bit.
  Stop bits: Optional. The default number of stop bits of a console port is 1.
  Data bits: Optional. The default number of data bits of a console port is 8.
AUX/console user interface configuration
  Configure the command level available to the users logging in to the AUX/console user interface: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.
  Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
  Define a shortcut key for starting terminal sessions: Optional. By default, pressing the Enter key starts the terminal session.
Terminal configuration
  Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
  Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
  Set the history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
  Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.
Modifying the settings of the console port terminates the connection to the console port. To establish
the connection again, you need to modify the configuration of the terminal emulation utility running
on your PC accordingly. Refer to Setting Up the Connection to the Console Port for more.
Console Port Login Configurations for Different Authentication Modes
Table 2-3 lists console port login configurations for different authentication modes.
Table 2-3 Console port login configurations for different authentication modes
Authentication mode: None
  Perform common configuration for console port login: Optional. Refer to Common Configuration for more.
Authentication mode: Password
  Configure the password for local authentication: Required.
  Perform common configuration for console port login: Optional. Refer to Common Configuration for more.
Authentication mode: Scheme
  Specify whether to perform local authentication or RADIUS authentication: the AAA configuration specifies whether local authentication or RADIUS authentication is performed. Optional. Local authentication is performed by default. Refer to AAA Configuration in the Security Volume for more.
  Configure user names and passwords for local/remote users: Required. The user name and password of a local user are configured on the access controller. The user name and password of a remote user are configured on the RADIUS server; refer to the user manual of the RADIUS server for more.
  Manage AUX/console users: set the service type for AUX/console users. Required.
  Perform common configuration for console port login: Optional. Refer to Common Configuration for more.
Changes to the authentication mode of console port login do not take effect until you exit and enter
the CLI again.
Console Port Login Configuration with Authentication Mode Being None
Configuration Procedure
Enter system view
  Command: system-view
Enter AUX/console user interface view
  Command: user-interface aux 0, or user-interface console 0
Configure not to authenticate users
  Command: authentication-mode none
  Remarks: Required. By default, users logging in through the AUX/console port are not authenticated.
Configure the console port: set the baud rate
  Command: speed speed-value
  Remarks: Optional. The default baud rate of an AUX/console port is 9,600 bps.
Configure the console port: set the check mode
  Command: parity { even | mark | none | odd | space }
  Remarks: Optional. By default, the check mode of a console port is set to none, that is, no check bit.
Configure the console port: set the stop bits
  Command: stopbits { 1 | 1.5 | 2 }
  Remarks: Optional. The default number of stop bits of an AUX/console port is 1.
Configure the console port: set the data bits
  Command: databits { 5 | 6 | 7 | 8 }
  Remarks: Optional. The default number of data bits of a console port is 8.
Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.
Define a shortcut key for starting terminal sessions
  Command: activation-key character
  Remarks: Optional. By default, pressing the Enter key starts the terminal session.
Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the paging of displayed information.
Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.
Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Note that the command level available to users logging in to the device depends on both the
authentication-mode none command and the user privilege level level command, as listed in the
following table.
Table 2-4 Determine the command level (A)
Authentication mode: None (authentication-mode none)
User type: Users logging in through AUX/console ports
  If the user privilege level level command has not been executed: level 3
  If the user privilege level level command has been executed: determined by the level argument
Configuration Example
Network requirements
Assume the access controller is configured to allow you to log in through Telnet, and your user level is
set to the administrator level (level 3). After you telnet to the access controller, perform configuration to
meet the following requirements:
The user is not authenticated when logging in through the console port.
Commands of level 2 are available to users logging in to the AUX user interface.
The baud rate of the console port is 19,200 bps.
The screen can contain up to 30 lines.
The history command buffer can contain up to 20 commands.
The timeout time of the AUX user interface is 6 minutes.
Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being none)
Configuration procedure
# Enter system view.
system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify not to authenticate the user logging in through the console port.
[Sysname-ui-aux0] authentication-mode none
# Specify that commands of level 2 are available to the user logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2
# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, to ensure a successful login, the console user needs to change the
corresponding configuration of the terminal emulation program running on the PC (here, the baud rate
of 19,200 bps), to make the configuration consistent with that on the access controller. Refer to Setting
Up the Connection to the Console Port.
Console Port Login Configuration with Authentication Mode Being Password
Configuration Procedure
Enter system view
  Command: system-view
Enter AUX/console user interface view
  Command: user-interface aux 0, or user-interface console 0
Configure to authenticate users using the local password
  Command: authentication-mode password
  Remarks: Required. By default, users logging in through the console port are not authenticated, while users logging in through Telnet need to pass the password authentication.
Set the local password
  Command: set authentication password { cipher | simple } password
  Remarks: Required.
Configure the console port: set the baud rate
  Command: speed speed-value
  Remarks: Optional. The default baud rate of an AUX/console port is 9,600 bps.
Configure the console port: set the check mode
  Command: parity { even | mark | none | odd | space }
  Remarks: Optional. By default, the check mode of an AUX/console port is set to none, that is, no check bit.
Configure the console port: set the stop bits
  Command: stopbits { 1 | 1.5 | 2 }
  Remarks: Optional. The default number of stop bits of an AUX/console port is 1.
Configure the console port: set the data bits
  Command: databits { 5 | 6 | 7 | 8 }
  Remarks: Optional. The default number of data bits of an AUX/console port is 8.
Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.
Define a shortcut key for starting terminal sessions
  Command: activation-key character
  Remarks: Optional. By default, pressing the Enter key starts the terminal session.
Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available to the user interface
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the paging of displayed information.
Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.
Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Note that the level of the commands available to users logging in to the device depends on both the
authentication-mode password command and the user privilege level level command, as listed in the
following table.
Table 2-5 Determine the command level (B)
Authentication mode: Local authentication (authentication-mode password)
User type: Users logging in to the AUX/console user interface
  If the user privilege level level command has not been executed: level 3
  If the user privilege level level command has been executed: determined by the level argument
Configuration Example
Network requirements
Assume the access controller is configured to allow you to log in through Telnet, and your user level is
set to the administrator level (level 3). After you telnet to the access controller, perform configuration to
meet the following requirements:
The user is authenticated against the local password when logging in through the console port.
The local password is set to 123456 (in plain text).
Commands of level 2 are available to users logging in to the AUX user interface.
The baud rate of the console port is 19,200 bps.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
The timeout time of the AUX user interface is 6 minutes.
Figure 2-7 Network diagram for AUX user interface configuration (with the authentication mode being password)
Configuration procedure
# Enter system view.
system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify to authenticate the user logging in through the console port using the local password.
[Sysname-ui-aux0] authentication-mode password
# Set the local password to 123456 (in plain text; the cipher keyword stores it in encrypted form instead).
[Sysname-ui-aux0] set authentication password simple 123456
# Specify that commands of level 2 are available to the user logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2
# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, to ensure a successful login, the console user needs to change the
corresponding configuration of the terminal emulation program running on the PC, to make the
configuration consistent with that on the access controller. Refer to Setting Up the Connection to the
Console Port for more.
Console Port Login Configuration with Authentication Mode Being Scheme
Configuration Procedure
Enter system view
  Command: system-view
Configure the authentication mode: enter the default ISP domain view
  Command: domain domain-name
Configure the authentication mode: specify the AAA scheme to be applied to the domain
  Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
  Remarks: Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning the local user as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well: perform AAA&RADIUS configuration on the access controller (refer to AAA Configuration in the Security Volume for more), and configure the user name and password accordingly on the AAA server (refer to the user manual of the AAA server).
Configure the authentication mode: quit to system view
  Command: quit
Create a local user (enter local user view)
  Command: local-user user-name
  Remarks: Required. No local user exists by default.
Set the authentication password for the local user
  Command: password { simple | cipher } password
  Remarks: Required.
Specify the service type for AUX and console users
  Command: service-type terminal
  Remarks: Required.
Configure the authorization attributes of the local user, including the command level
  Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *
  Remarks: Optional. See Table 2-6 for how the level attribute determines the command level.
Quit to system view
  Command: quit
Enter AUX/console user interface view
  Command: user-interface aux 0, or user-interface console 0
Configure to authenticate users locally or remotely
  Command: authentication-mode scheme [ command-authorization ]
  Remarks: Required. The specified AAA scheme determines whether users are authenticated locally or remotely. Users are authenticated locally by default.
Configure the console port: set the baud rate
  Command: speed speed-value
  Remarks: Optional. The default baud rate of the AUX/console port is 9,600 bps.
Configure the console port: set the check mode
  Command: parity { even | mark | none | odd | space }
  Remarks: Optional. By default, the check mode of an AUX/console port is set to none, that is, no check bit.
Configure the console port: set the stop bits
  Command: stopbits { 1 | 1.5 | 2 }
  Remarks: Optional. The default number of stop bits of an AUX/console port is 1.
Configure the console port: set the data bits
  Command: databits { 5 | 6 | 7 | 8 }
  Remarks: Optional. The default number of data bits of a console port is 8.
Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.
Define a shortcut key for starting terminal sessions
  Command: activation-key character
  Remarks: Optional. By default, pressing the Enter key starts the terminal session.
Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available to the user interface
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the paging of displayed information.
Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.
Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Note that the level of the commands available to users logging in to the device depends on the
authentication-mode scheme [ command-authorization ] command, as listed in Table 2-6.
Table 2-6 Determine the command level
Authentication mode: Scheme (authentication-mode scheme [ command-authorization ])
User type: Users logging in through the AUX/console port and passing AAA&RADIUS or local authentication
  If the user privilege level level command has not been executed and the authorization-attribute command does not specify the available command level: level 0 (the default command level available for local users is level 0).
  If the user privilege level level command has not been executed and the authorization-attribute command specifies the available command level: determined by the authorization-attribute command.
Configuration Example
Network requirements
Assume the access controller is configured to allow you to log in through Telnet, and your user level is
set to the administrator level (level 3). After you telnet to the access controller, perform configuration to
meet the following requirements:
Configure the name of the local user as guest.
Set the authentication password of the local user to 123456 (in plain text).
Set the service type of the local user to Terminal.
Configure to authenticate the user logging in through the console port in the scheme mode.
Commands of level 2 are available to the user logging in to the AUX user interface.
The baud rate of the console port is 19,200 bps.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
The timeout time of the AUX user interface is 6 minutes.
Figure 2-8 Network diagram for AUX user interface configuration (with the authentication mode being scheme)
Configuration procedure
# Enter system view.
system-view
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Specify that commands of level 2 are available to the user logging in to the AUX user interface, and
# set the service type to Terminal.
[Sysname-luser-guest] authorization-attribute level 2
[Sysname-luser-guest] service-type terminal
[Sysname-luser-guest] quit
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Configure to authenticate the user logging in through the console port in the scheme mode.
[Sysname-ui-aux0] authentication-mode scheme
# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, to ensure a successful login, the console user needs to change the
corresponding configuration of the terminal emulation program running on the PC, to make the
configuration consistent with that on the access controller. Refer to Setting Up the Connection to the
Console Port for more.
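The three console login procedures above and Tables 2-4, 2-5 and 2-6 spread the rules for who gets which command level over several pages, and the examples all use a plain-text (simple) password. As an added example (not code from the H3C manual or from H3C), the following Python script parses the user-interface and local-user blocks of a configuration dump, applies those rules, and flags the settings a security review would question: unauthenticated VTY lines, unauthenticated console lines at level 3, simple (plain-text) passwords, and idle-timeout 0. The two configurations it audits are constructed for this example; the placeholder ciphertext, the finding wording and the UI_DEFAULTS table are this example's own, while the defaults in that table are the ones stated in this chapter.

```python
# Added example (not code from the H3C manual): audit the `user-interface` and
# `local-user` blocks of an H3C-style config dump against Tables 2-4, 2-5 and 2-6.
import re

# Defaults stated by the manual: AUX/console users are not authenticated and
# get level 3; VTY users must pass password authentication and get level 0.
UI_DEFAULTS = {"aux": ("none", 3), "console": ("none", 3), "vty": ("password", 0)}


def parse_config(text):
    """Return (uis, users): uis["vty 0 4"] -> kind/auth/level/idle/simple, users["guest"] -> level/simple."""
    uis, users, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"user-interface (aux|console|vty) (\d+)(?: (\d+))?", line):
            name = " ".join(g for g in m.groups() if g)
            ctx = uis.setdefault(name, {"kind": m[1], "auth": None, "level": None,
                                        "idle": None, "simple": False})
        elif m := re.fullmatch(r"local-user (\S+)", line):
            ctx = users.setdefault(m[1], {"level": None, "simple": False})
        elif line in ("quit", "return", "#") or ctx is None:
            ctx = None  # "#" separates blocks in a configuration dump
        elif m := re.fullmatch(r"authentication-mode (none|password|scheme)\b.*", line):
            ctx["auth"] = m[1]
        elif m := re.fullmatch(r"(?:user privilege level|authorization-attribute.*\blevel) (\d)\b.*", line):
            ctx["level"] = int(m[1])
        elif m := re.fullmatch(r"idle-timeout (\d+)(?: \d+)?", line):
            ctx["idle"] = int(m[1])
        elif line.startswith(("password simple ", "set authentication password simple ")):
            ctx["simple"] = True  # secret kept in plain text in the configuration
    return uis, users


def effective_levels(ui, users):
    """Who can log in on this user interface, and at what command level."""
    default_auth, default_level = UI_DEFAULTS[ui["kind"]]
    auth = ui["auth"] or default_auth
    if auth == "scheme":
        # Table 2-6: each local user's authorization-attribute level, default 0. Levels
        # granted by a RADIUS server are not in the config; service-type is not modelled.
        return {n: (0 if u["level"] is None else u["level"]) for n, u in users.items()}
    # Tables 2-4 and 2-5: `user privilege level` if set, else the interface default.
    level = default_level if ui["level"] is None else ui["level"]
    who = "anyone reaching the port" if auth == "none" else "anyone with the line password"
    return {who: level}


def audit(text):
    """One finding per questionable setting; an empty list means nothing was flagged."""
    uis, users = parse_config(text)
    findings = []
    for name, ui in sorted(uis.items()):
        auth = ui["auth"] or UI_DEFAULTS[ui["kind"]][0]
        top = max(effective_levels(ui, users).values(), default=0)
        if auth == "none" and (ui["kind"] == "vty" or top >= 3):
            findings.append(f"{name}: no authentication, command level {top}")
        if ui["simple"]:
            findings.append(f"{name}: line password stored with 'simple' (plain text)")
        if ui["idle"] == 0:
            findings.append(f"{name}: idle-timeout 0, idle sessions are never terminated")
    for name, user in users.items():
        if user["simple"]:
            findings.append(f"local-user {name}: password stored with 'simple' (plain text)")
    return findings


# Constructed samples (not from a real device). WEAK reuses the manual's example values;
# HARDENED uses scheme authentication, a ciphered password (placeholder ciphertext) and a 6-minute timeout.
WEAK_CONFIG = """\
local-user guest
 password simple 123456
 authorization-attribute level 2
 service-type terminal
#
user-interface aux 0
 authentication-mode none
 user privilege level 3
 idle-timeout 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
"""
HARDENED_CONFIG = """\
local-user admin
 password cipher PLACEHOLDER-CIPHERTEXT
 authorization-attribute level 3
#
user-interface aux 0
 authentication-mode scheme
 idle-timeout 6
user-interface vty 0 4
 authentication-mode scheme
 idle-timeout 6
"""

if __name__ == "__main__":
    print(*audit(WEAK_CONFIG), sep="\n")
```

Run it as a script to print the findings for the weak configuration, or import it and pass the text of a saved configuration dump to audit(). It reads only the configuration, so command levels granted by a RADIUS server and the service-type gating of local users are outside what it can see; treat an empty result as "nothing visible in the config", not as a clean bill of health.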
3 Logging In Through Telnet
When logging in through Telnet, go to these sections for information you are interested in:
Introduction
Telnet Configuration with Authentication Mode Being None
Telnet Configuration with Authentication Mode Being Password
Telnet Configuration with Authentication Mode Being Scheme
Telnet Connection Establishment
Introduction
You can telnet to a remote access controller product to manage and maintain the device. To achieve this,
you need to configure both the device and the Telnet terminal properly.
Table 3-1 Requirements for telnetting to the device
Access controller product
  The Telnet server is started.
  The IP address of the VLAN interface and the management interface of the access controller product are configured, and a route between the access controller product and the Telnet terminal is available.
  The authentication mode and other settings are configured. Refer to Table 3-2 and Table 3-3.
Telnet terminal
  Telnet is running.
  The IP address of the management VLAN of the access controller product is available.
After you log in to the access controller through Telnet, you can issue commands to the access
controller by pasting session text. The pasted text cannot exceed 2000 bytes, and the pasted
commands must belong to the same view; otherwise, the access controller may not execute the
commands correctly.
If the session text exceeds 2000 bytes, you can save it in a configuration file, upload the
configuration file to the access controller and reboot the access controller with this configuration file.
For details, refer to File System Management Configuration in the System Volume.
Logging in to the access controller through Telnet over IPv6 works the same as over IPv4. Refer
to IPv6 Application Configuration in the IP Services Volume for details. Support for Telnet login over
IPv6 varies by device model.
Common Configuration
Table 3-2 lists the common Telnet configuration.
Table 3-2 Common Telnet configuration
VTY user interface configuration
  Configure the command level available to users logging in to the VTY user interface
    Optional. By default, commands of level 0 are available to users logging in to a VTY user interface.
  Configure the protocols the user interface supports
    Optional. By default, the Telnet and SSH protocols are supported.
  Set the command that is automatically executed when a user logs into the user interface
    Optional. By default, no command is automatically executed when a user logs into a user interface.
  Define a shortcut key for aborting tasks
    Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
  Make terminal services available
    Optional. By default, terminal services are available in all user interfaces.
VTY terminal configuration
  Set the maximum number of lines the screen can contain
    Optional. By default, the screen can contain up to 24 lines.
  Set the history command buffer size
    Optional. By default, the history command buffer can contain up to 10 commands.
  Set the timeout time of a user interface
    Optional. The default timeout time is 10 minutes.
The auto-execute command command may make it impossible to perform common configuration
in the user interface, so use it with caution.
Before executing the auto-execute command command and saving your configuration, make sure
you can log in to the access controller in other modes and can cancel the configuration.
Telnet Configurations for Different Authentication Modes
Table 3-3 lists Telnet configurations for different authentication modes.
Table 3-3 Telnet configurations for different authentication modes
Authentication mode: None
  Perform common configuration: perform common Telnet configuration.
    Optional. Refer to Table 3-2.
Authentication mode: Password
  Configure the password: configure the password for local authentication.
    Required.
  Perform common configuration: perform common Telnet configuration.
    Optional. Refer to Table 3-2.
Authentication mode: Scheme
  Specify to perform local authentication or RADIUS authentication: AAA configuration specifies whether to perform local authentication or RADIUS authentication.
    Optional. Local authentication is performed by default. Refer to AAA Configuration in the Security Volume for more.
  Configure user name and password: configure user names and passwords for local/remote users.
    Required. The user name and password of a local user are configured on the access controller. The user name and password of a remote user are configured on the RADIUS server. Refer to the user manual of the RADIUS server for more.
  Manage VTY users: set the service type for VTY users.
    Required.
  Perform common configuration: perform common Telnet configuration.
    Optional. Refer to Table 3-2.
Telnet Configuration with Authentication Mode Being None
Configuration Procedure
To do / Use the command / Remarks
Enter system view
  Command: system-view
Enter one or more VTY user interface views
  Command: user-interface vty first-number [ last-number ]
Configure not to authenticate users logging in to VTY user interfaces
  Command: authentication-mode none
  Remarks: Required. By default, VTY users are authenticated after logging in.
Configure the command level available to users logging in to the VTY user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 0 are available to users logging in to VTY user interfaces.
Configure the protocols to be supported by the VTY user interface
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. By default, both the Telnet protocol and the SSH protocol are supported.
Set the command that is automatically executed when a user logs into the user interface
  Command: auto-execute command text
  Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.
Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Set the timeout time of the VTY user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Note that if you configure not to authenticate the users, the command level available to users logging in
to the device depends on both the authentication-mode none command and the user privilege level
level command, as listed in Table 3-4.
Table 3-4 Determine the command level when users logging in to the device are not authenticated
Authentication mode: None (authentication-mode none)
User type: VTY users
  The user privilege level level command is not executed: Level 0
  The user privilege level level command is already executed: Determined by the level argument
Configuration Example
Network requirements
Assume that you are a level 3 AUX/console user and want to perform the following configuration for
Telnet users logging in to VTY 0:
Do not authenticate users logging in to VTY 0.
Commands of level 2 are available to users logging in to VTY 0.
Telnet protocol is supported.
The screen can contain up to 30 lines.
The history command buffer can contain up to 20 commands.
The timeout time of VTY 0 is 6 minutes.
Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none): the RS-232 port of the PC is connected to the console port of the AC by a console cable.
Configuration procedure
# Enter system view, and enable the Telnet service.
system-view
[Sysname] telnet server enable
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure not to authenticate Telnet users logging in to VTY 0.
[Sysname-ui-vty0] authentication-mode none
# Specify that commands of level 2 are available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2
# Configure the Telnet protocol to be supported.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
Telnet Configuration with Authentication Mode Being Password
Configuration Procedure
To do / Use the command / Remarks
Enter system view
  Command: system-view
Enter one or more VTY user interface views
  Command: user-interface vty first-number [ last-number ]
Configure to authenticate users logging in to VTY user interfaces using the local password
  Command: authentication-mode password
  Remarks: Required.
Set the local password
  Command: set authentication password { cipher | simple } password
  Remarks: Required.
Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 0 are available to users logging in to VTY user interfaces.
Configure the protocol to be supported by the user interface
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. By default, both the Telnet protocol and the SSH protocol are supported.
Set the command that is automatically executed when a user logs into the user interface
  Command: auto-execute command text
  Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.
Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.
Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Set the timeout time of the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Note that if you configure to authenticate the users in the password mode, the command level available
to users logging in to the device depends on both the authentication-mode password command and
the user privilege level level command, as listed in Table 3-5.
Table 3-5 Determine the command level when users logging in to the device are authenticated in the
password mode
Authentication mode: Password (authentication-mode password)
User type: VTY users
  The user privilege level level command is not executed: Level 0
  The user privilege level level command is already executed: Determined by the level argument
Configuration Example
Network requirements
Assume that you are a level 3 AUX/console user and want to perform the following configuration for
Telnet users logging in to VTY 0:
Authenticate users logging in to VTY 0 using the local password.
Set the local password to 123456 (in plain text).
Commands of level 2 are available to users logging in to VTY 0.
Telnet protocol is supported.
The screen can contain up to 30 lines.
The history command buffer can contain up to 20 commands.
The timeout time of VTY 0 is 6 minutes.
Figure 3-2 Network diagram for Telnet configuration (with the authentication mode being password): the RS-232 port of the PC is connected to the console port of the AC by a console cable.
Configuration procedure
# Enter system view, and enable the Telnet service.
system-view
[Sysname] telnet server enable
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure to authenticate users logging in to VTY 0 using the local password.
[Sysname-ui-vty0] authentication-mode password
# Set the local password to 123456 (in plain text).
[Sysname-ui-vty0] set authentication password simple 123456
# Specify that commands of level 2 are available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2
# Configure the Telnet protocol to be supported.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
Telnet Configuration with Authentication Mode Being Scheme
Configuration Procedure
To do / Use the command / Remarks
Enter system view
  Command: system-view
Configure the authentication scheme
  Enter the default ISP domain view
    Command: domain domain-name
  Configure the AAA scheme to be applied to the domain
    Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
  Quit to system view
    Command: quit
  Remarks: Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning the local user as well. If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well: perform AAA&RADIUS configuration on the access controller (refer to AAA Configuration in the Security Volume for more), and configure the user name and password accordingly on the AAA server (refer to the user manual of the AAA server).
Create a local user and enter local user view
  Command: local-user user-name
  Remarks: No local user exists by default.
Set the authentication password for the local user
  Command: password { simple | cipher } password
  Remarks: Required.
Specify the service type for VTY users
  Command: service-type telnet [ level level ]
  Remarks: Required.
Quit to system view
  Command: quit
Enter one or more VTY user interface views
  Command: user-interface vty first-number [ last-number ]
Configure to authenticate users locally or remotely
  Command: authentication-mode scheme [ command-authorization ]
  Remarks: Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.
Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 0 are available to users logging in to the VTY user interfaces.
Configure the supported protocol
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. Both the Telnet protocol and the SSH protocol are supported by default.
Set the command that is automatically executed when a user logs into the user interface
  Command: auto-execute command text
  Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.
Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
Make terminal services available
  Command: shell
  Remarks: Optional. Terminal services are available in all user interfaces by default.
Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Note that if you configure to authenticate the users in the scheme mode, the command level available to
users logging in to the device depends on the authentication-mode scheme [ command-authorization ]
command, the user privilege level level command, and the authorization-attribute level command, as
listed in Table 3-6.
Table 3-6 Determine the command level when users logging in to the device are authenticated in the
scheme mode
Authentication mode: Scheme (authentication-mode scheme [ command-authorization ])
User type: VTY users that are AAA&RADIUS authenticated or locally authenticated
  The user privilege level level command is not executed, and the authorization-attribute level command does not specify the available command level: Level 0
  The user privilege level level command is not executed, and the authorization-attribute level command specifies the available command level: Determined by the authorization-attribute level command
  The user privilege level level command is executed, and the authorization-attribute level command does not specify the available command level: Level 0
  The user privilege level level command is executed, and the authorization-attribute level command specifies the available command level: Determined by the authorization-attribute level command
User type: VTY users that are authenticated in the RSA mode of SSH
  The user privilege level level command is not executed, and the authorization-attribute level command does not specify the available command level: Level 0
  The user privilege level level command is not executed, and the authorization-attribute level command specifies the available command level: Level 0
  The user privilege level level command is executed, and the authorization-attribute level command does not specify the available command level: Determined by the user privilege level level command
  The user privilege level level command is executed, and the authorization-attribute level command specifies the available command level: Determined by the user privilege level level command
User type: VTY users that are authenticated in the password mode of SSH
  The user privilege level level command is not executed, and the authorization-attribute level command does not specify the available command level: Level 0
  The user privilege level level command is not executed, and the authorization-attribute level command specifies the available command level: Determined by the authorization-attribute level command
  The user privilege level level command is executed, and the authorization-attribute level command does not specify the available command level: Level 0
  The user privilege level level command is executed, and the service-type command specifies the available command level: Determined by the service-type command
Refer to AAA Configuration and SSH 2.0 Configuration in the Security Volume for information about
AAA-RADIUS-HWTACACS and SSH.
Configuration Example
Network requirements
Assume that you are a level 3 AUX/console user and want to perform the following configuration for
Telnet users logging in to VTY 0:
Configure the name of the local user as guest.
Set the authentication password of the local user to 123456 (in plain text).
Set the service type of VTY users to Telnet.
Configure to authenticate users logging in to VTY 0 in scheme mode.
The commands of level 2 are available to users logging in to VTY 0.
Telnet protocol is supported in VTY 0.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
The timeout time of VTY 0 is 6 minutes.
Figure 3-3 Network diagram for Telnet configuration (with the authentication mode being scheme): the RS-232 port of the PC is connected to the console port of the AC by a console cable.
Configuration procedure
# Enter system view, and enable the Telnet service.
system-view
[Sysname] telnet server enable
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password of the local user to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type to Telnet, and specify that commands of level 2 are available to users logging in to
VTY 0.
[Sysname-luser-guest] authorization-attribute level 2
[Sysname-luser-guest] service-type telnet
[Sysname-luser-guest] quit
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure to authenticate users logging in to VTY 0 in the scheme mode.
[Sysname-ui-vty0] authentication-mode scheme
# Configure the Telnet protocol to be supported.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
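An added example, not part of this manual and not vendor code: the Python below parses a CLI transcript of the kind shown in the three configuration examples of this section, derives the command level a login user gets under Tables 3-4 to 3-6 (none and password modes, and scheme mode for locally/AAA-authenticated and SSH RSA users; the service-type row for SSH password users is not modelled), and flags the settings a reviewer would question: authentication-mode none, passwords stored with the simple keyword, Telnet accepted as an inbound protocol, and idle-timeout 0. The prompt formats and the local user guest follow the examples above; the sample transcript and the finding texts are constructed here.

```python
"""Constructed audit of H3C Comware-style VTY login configuration (not vendor code).
Parses a CLI transcript like the ones in this chapter, tracks the view from each prompt,
and reports per VTY the authentication mode, the command level a login user gets
(Tables 3-4 to 3-6) and settings that weaken login protection."""
from __future__ import annotations
import re
from dataclasses import dataclass

PROMPT = re.compile(r"^\[(?P<prompt>[^\]]+)\]\s*(?P<cmd>.*)$")
@dataclass
class Vty:
    auth_mode: str = "password"         # manual: password authentication by default
    privilege_level: int | None = None  # "user privilege level <n>"; None = never executed
    protocols: str = "all"              # "protocol inbound"; Telnet and SSH by default
    idle_timeout: int | None = None     # minutes; None = default of 10
    simple_password: bool = False       # "set authentication password simple ..."

@dataclass
class LocalUser:
    level: int | None = None            # "authorization-attribute level <n>"
    simple_password: bool = False       # "password simple ..."

def apply_vty_command(vty: Vty, cmd: list[str]) -> None:
    if cmd[0] == "authentication-mode":
        vty.auth_mode = cmd[1]
    elif cmd[:3] == ["set", "authentication", "password"] and len(cmd) > 3:
        vty.simple_password = cmd[3] == "simple"
    elif cmd[:3] == ["user", "privilege", "level"]:
        vty.privilege_level = int(cmd[3])
    elif cmd[:2] == ["protocol", "inbound"]:
        vty.protocols = cmd[2]
    elif cmd[0] == "idle-timeout":
        vty.idle_timeout = int(cmd[1])

def apply_user_command(user: LocalUser, cmd: list[str]) -> None:
    if cmd[0] == "password":
        user.simple_password = cmd[1] == "simple"
    elif cmd[:2] == ["authorization-attribute", "level"]:
        user.level = int(cmd[2])

def parse_transcript(text: str) -> tuple[dict[str, Vty], dict[str, LocalUser]]:
    """The prompt ([Sysname-ui-vty0], [Sysname-luser-guest]) names the current view."""
    vtys, users = {}, {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group("cmd").strip():
            continue  # comment lines, "system-view", bare prompts
        prompt, cmd = m.group("prompt"), m.group("cmd").split()
        ui = re.search(r"-ui-(vty\d+(?:-\d+)?)$", prompt)
        lu = re.search(r"-luser-(\S+)$", prompt)
        if ui:
            apply_vty_command(vtys.setdefault(ui.group(1), Vty()), cmd)
        elif lu:
            apply_user_command(users.setdefault(lu.group(1), LocalUser()), cmd)
    return vtys, users

def command_level(vty: Vty, user: LocalUser | None = None, ssh_rsa: bool = False) -> int:
    """Tables 3-4 to 3-6: none/password mode and SSH RSA users in scheme mode follow "user
    privilege level" (0 if never executed); local/AAA users in scheme mode follow the
    local user's "authorization-attribute level" (0 if not specified)."""
    if vty.auth_mode != "scheme" or ssh_rsa:
        return vty.privilege_level if vty.privilege_level is not None else 0
    return user.level if user is not None and user.level is not None else 0

def audit(vtys: dict[str, Vty], users: dict[str, LocalUser]) -> dict[str, list[str]]:
    """Settings that weaken login protection, keyed by VTY name or user:<name>."""
    findings: dict[str, list[str]] = {}
    for name, vty in vtys.items():
        notes = findings.setdefault(name, [])
        if vty.auth_mode == "none":
            notes.append("no authentication: anyone who reaches the VTY gets a CLI")
        if vty.auth_mode == "password" and vty.simple_password:
            notes.append("shared VTY password stored in plain text (simple)")
        if vty.protocols in ("all", "telnet"):
            notes.append("Telnet accepted: credentials and session cross the network unencrypted")
        if vty.idle_timeout == 0:
            notes.append("idle-timeout 0: idle sessions are never torn down")
    for name, user in users.items():
        if user.simple_password:
            findings[f"user:{name}"] = ["local-user password stored in plain text (simple)"]
    return findings

# Constructed transcript: VTY 0 as in the scheme example above, plus a VTY 1 left
# unauthenticated so that the audit has something to report.
SAMPLE = """\
[Sysname-luser-guest] password simple 123456
[Sysname-luser-guest] authorization-attribute level 2
[Sysname-ui-vty0] authentication-mode scheme
[Sysname-ui-vty0] protocol inbound telnet
[Sysname-ui-vty0] idle-timeout 6
[Sysname-ui-vty1] authentication-mode none
[Sysname-ui-vty1] user privilege level 3
[Sysname-ui-vty1] protocol inbound ssh
[Sysname-ui-vty1] idle-timeout 0
"""
def run(text: str = SAMPLE) -> dict[str, dict]:
    vtys, users = parse_transcript(text)
    levels = {name: command_level(vty, users.get("guest")) for name, vty in vtys.items()}
    return {"levels": levels, "findings": audit(vtys, users)}
```

Running run() on the constructed transcript yields level 2 for VTY 0 (from the local user's authorization-attribute) and level 3 for VTY 1 (from user privilege level, with no authentication at all), which is exactly the kind of mismatch between intended and effective access that the tables above are meant to catch.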
Telnet Connection Establishment
Telnetting to an Access Controller from a Terminal
Step1 Log in to the access controller through the management Ethernet interface or VLAN interface.
You can assign an IP address to the VLAN interface of the access controller that does not have a
management Ethernet port to make sure the route between the PC and the access controller is valid.
Refer to VLAN Configuration in the Access Volume and MAC Address Table Management
Configuration in the System Volume for details.
Connect to the console port. Refer to Setting Up the Connection to the Console Port.
Execute the following commands in the terminal window to assign an IP address to the
management Ethernet interface of the access controller.
# Configure the IP address of the management Ethernet interface on the device as 202.38.160.92, with
the subnet mask 255.255.255.0.
system-view
[Sysname] interface M-Ethernet 1/0/1
[Sysname-M-Ethernet1/0/1] ip address 202.38.160.92 255.255.255.0
# Or, configure the IP address of VLAN-interface 1 on the device as 202.38.160.92, with the subnet
mask 255.255.255.0.
system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.38.160.92 255.255.255.0
Step2 Before Telnet users can log in to the device, corresponding configurations should have been
performed on the device according to different authentication modes for them. Refer to section Telnet
Configuration with Authentication Mode Being None, section Telnet Configuration with Authentication
Mode Being Password, and section Telnet Configuration with Authentication Mode Being Scheme for
more. By default, Telnet users need to pass the password authentication to log in.
Step3 Connect your PC to the management Ethernet interface (or Ethernet interface) of the device, as
shown in Figure 3-4. Make sure the route between the PC and the management Ethernet interface (or
Ethernet interface) of the device is available if the PC and the access controller are not in the same
LAN.
Figure 3-4 Network diagram for Telnet connection establishment
Step4 Launch Telnet on your PC, with the IP address of the management Ethernet interface of the device, as
shown in the following figure.
Figure 3-5 Launch Telnet
Step5 Enter the password when the Telnet window displays Login authentication and prompts for the login
password. The CLI prompt (such as <Sysname>) appears if the password provided is correct. If all
VTY user interfaces of the access controller are in use, you will fail to establish the connection and
receive the message "The number of users currently using the system configuration has
reached the maximum. Please wait until one of the users releases the system configuration." An
access controller can accommodate up to five Telnet connections at the same time.
Step6 After successfully Telnetting to the device, you can configure the access controller or display the
information about the access controller by executing corresponding commands. You can also type ? at
any time for help. Refer to the Basic System Configuration.
A Telnet connection will be terminated if you remove or modify the IP address of the management
interface or VLAN interface in the Telnet session.
By default, commands of level 0 are available to Telnet users authenticated by password. Refer to
Basic System Configuration in the System Volume for information about command level.
Telnetting to Another Access Controller from the Current One
You can Telnet to another access controller product from the current one. In this case, the current
access controller product operates as the client, and the other operates as the server. If the
interconnected Ethernet ports of the two access controller products are in the same LAN segment,
make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports
belong are in the same network segment, or that the route between the two VLAN interfaces is available.
As shown in Figure 3-6, after Telnetting to an access controller product (labeled as Telnet client), you
can Telnet to another device (labeled as Telnet server) by executing the telnet command and then
configure the latter.
Figure 3-6 Network diagram for Telnetting to another access controller from the current one
Step1 Configure the user name and password for Telnet on the access controller operating as the Telnet
server. Refer to section Telnet Configuration with Authentication Mode Being None, section Telnet
Configuration with Authentication Mode Being Password, and section Telnet Configuration with
Authentication Mode Being Scheme for more. By default, Telnet users need to pass the password
authentication to log in.
Step2 Telnet to the access controller operating as the Telnet client.
Step3 Execute this command on the access controller operating as the Telnet client: telnet xxxx,
where xxxx is the IP address or the host name of the access controller operating as the Telnet server.
You can use the ip host command to assign a host name to an access controller.
Step4 Enter the password. If the password is correct, the CLI prompt (such as <Sysname>) appears. If all
VTY user interfaces of the access controller are in use, you will fail to establish the connection and
receive the message "All user interfaces are used, please try later!".
Step5 After successfully Telnetting to the access controller, you can configure the access controller or display
the information about the access controller by executing corresponding commands. You can also type ?
at any time for help. Refer to Basic System Configuration in the System Volume.
4 Logging In Through the Web-Based Network Management System
Logging in through the web-based network management system varies by device model. In this chapter,
the access controller engines of the WX3024 unified switches are used in the examples.
When logging in through the Web-based network management system, go to these sections for
information you are interested in:
Introduction
Setting Up a Web Configuration Environment
Introduction
Each H3C WX series access controller product has a Web server built in. It enables you to log in to the
device through a Web browser and then manage and maintain the device intuitively by interacting with
the built-in Web server.
To log in to the access controller product through the built-in Web-based network management system,
you need to perform the related configuration on both the switching engine and the PC operating as the
network management terminal.
Table 4-1 Requirements for logging in to the device through the Web-based network management
system
Access controller product:
  The VLAN interface or management interface of the access controller product is assigned an IP address, and the route between the access controller product and the Web network management terminal is reachable.
  The user name and password for logging in to the Web-based network management system are configured.
PC operating as the network management terminal:
  IE is available.
  The IP address of the VLAN interface of the device, the user name, and the password are available.
An access controller product has a factory default configuration when it is shipped. With this
configuration, you can input http://192.168.0.100 in the address bar of the browser on a Web network
management terminal (PC), supposing that a route between the Web network management terminal
and the access controller product is available, and the browser will display the login page. Input the
default user name and password (admin) and the verification code, select the language, and then you
can log in to the Web interface. If you have saved your configuration file, the device starts up with this
configuration file at the next boot, and the factory defaults no longer apply.
For the WX5002, WX5002V2, and WX5004, you can log in to the device through the Web-based
network management system.
For the access controller modules LS8M1WCMA0, LSQM1WCMB0, LSBM1WCM2A0,
LSRM1WCM2A1, LSWM1WCM10, and LSWM1WCM20, you can log in to the access controller
modules through the Web-based network management system.
For the WX6103, you can log in to the main control board through the Web-based network
management system. For the login to the switch interface board, see the related section of the
Login Configuration in the H3C WX6103 Access Controller Switch Interface Board Operation
Manual.
For the WX3024, WX3010, and WX3008, you can log in to the access controller engine through the
Web-based network management system. For the login to the switching engine, see the related
section of the Login Configuration in the H3C WX3000 Series Unified Switches Switching Engine
Operation Manual.
Setting Up a Web Configuration Environment
Step1 Before logging in to the access controller engine of the WX3024 (AC in Figure 4-1) through the
Web-based network management system, assign an IP address to the switching engine (for devices
providing management Ethernet ports, you can configure the IP address on the management Ethernet
interface), and configure Web network management user name and authentication password.
# Assign an IP address to the access controller engine of the WX3024.
system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.100 24
[Sysname-Vlan-interface1] quit
# Create a Web user account, setting both the user name and the password to admin and the user level
to 3 (manage level).
[Sysname] local-user admin
[Sysname-luser-admin] service-type telnet
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] password simple admin
[Sysname-luser-admin] quit
Step2 Configure the management IP address for the switching engine of the WX3024 (Optional).
# After configuring the IP address, you can go to the Web interface of the switching engine from the
Web interface of the access controller engine. 192.168.0.101 is the management IP address of the
switching engine, and slot 0 is the slot number of the switching engine. Currently, only the WX3000
series support this function.
[Sysname] oap management-ip 192.168.0.101 slot 0
Step3 Set up a Web configuration environment, as shown in Figure 4-1.
Figure 4-1 Set up a Web configuration environment (the PC reaches the AC over the Internet)
Step4 Log in to the switching engine through IE. Launch IE on the Web-based network management terminal
(your PC) and enter http://192.168.0.100 in the address bar. (Make sure the route between the
Web-based network management terminal and the switching engine is available.)
Step5 When the login authentication interface (as shown in Figure 4-2) appears, enter the user name and the
password admin, type the verify code, and then click Login to bring up the main page of the
Web-based network management system.
Figure 4-2 The login page of the Web-based network management system
5 Logging In Through an NMS
When logging in through an NMS, go to these sections for information you are interested in:
Introduction
Connection Establishment
Introduction
You can also log in to an access controller through an NMS (network management station), and then
configure and manage the access controller through the agent module on the access controller.
The agent here refers to the server-side software running on network devices (access controllers).
SNMP (Simple Network Management Protocol) is applied between the NMS and the agent.
To log in to an access controller through an NMS, you need to perform related configuration on both the
NMS and the device.
Table 5-1 Requirements for logging in to the device through an NMS
Access controller:
  The IP address of the management VLAN of the access controller is configured. The route between the NMS and the access controller is available.
  The basic SNMP functions are configured. (Refer to SNMP Configuration in the System Volume for more.)
NMS:
  The NMS is properly configured. (Refer to the user manual of your NMS for more.)
Connection Establishment
Figure 5-1 Network diagram for logging in through an NMS
6 Controlling Login Users
To control login users, go to these sections for information you are interested in:
Introduction
Controlling Telnet Users
Controlling Network Management Users by Source IP Addresses
Introduction
An access controller provides ways to control different types of login users, as listed in Table 6-1.
Table 6-1 Ways to control different types of login users
Login mode / Control method / Implementation / Related section
Telnet / By SSIDs of clients / Through WLAN ACL / Controlling Telnet Users by SSIDs of Clients
Telnet / By source IP addresses / Through basic ACLs / Controlling Telnet Users by Source IP Addresses
Telnet / By source, destination IP addresses, protocols carried over IP, and protocol features / Through advanced ACLs / Controlling Telnet Users by Source and Destination IP Addresses
Telnet / By source MAC addresses / Through Layer 2 ACLs / Controlling Telnet Users by Source MAC Addresses
SNMP / By source IP addresses / Through basic ACLs / Controlling Network Management Users by Source IP Addresses
Controlling Telnet Users
Prerequisites
The controlling policy against Telnet users is determined, including the wireless clients, source and
destination IP addresses to be controlled and the controlling actions (permitting or denying).
Controlling Telnet Users by SSIDs of Clients
Controlling Telnet users by service set identifiers (SSIDs) is achieved by matching WLAN ACLs with packets based on SSIDs of clients. WLAN ACLs are numbered from 100 to 199. Refer to ACL Configuration in the Security Volume for information about defining an ACL.
To do / Use the command / Remarks
Enter system view / system-view
Create a WLAN ACL and enter WLAN ACL view / acl number acl-number / Required
Define a rule for the WLAN ACL / rule [ rule-id ] { permit | deny } [ ssid ssid-name ] / Required
Quit to system view / quit
Enter user interface view / user-interface [ type ] first-number [ last-number ] / The interface type and quantity supported by this command vary by device model.
Apply the WLAN ACL to control Telnet users by SSIDs of WLAN clients / acl acl-number inbound / Required. The inbound keyword filters the users trying to Telnet to the current access controller. Support for this command depends on the supported interface type.
Controlling Telnet Users by Source IP Addresses
Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999. Refer to ACL Configuration in the Security Volume for information about defining an ACL.
To do / Use the command / Remarks
Enter system view / system-view
Create a basic ACL or enter basic ACL view / acl [ ipv6 ] number acl-number [ match-order { config | auto } ] / Required. As for the acl number command, the config keyword is specified by default. Support for IPv6 addresses varies by device model.
Define rules for the ACL / rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ] * / Required
Quit to system view / quit
Enter user interface view / user-interface [ type ] first-number [ last-number ] / The interface type and quantity supported by this command vary by device model.
Apply the ACL to control Telnet users by source IP addresses / acl [ ipv6 ] acl-number { inbound | outbound } / Required. The inbound keyword filters the users trying to Telnet to the current access controller. The outbound keyword filters the users trying to Telnet to other access controllers from the current access controller. The interface type supported by this command varies by device model. Support for IPv6 addresses depends on the device model.
Controlling Telnet Users by Source and Destination IP Addresses
Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to ACL Configuration in the Security Volume for information about defining an ACL.
To do / Use the command / Remarks
Enter system view / system-view
Create an advanced ACL or enter advanced ACL view / acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ] / Required. As for the acl number command, the config keyword is specified by default. Support for IPv6 addresses varies by device model.
Define rules for the ACL / rule [ rule-id ] { permit | deny } rule-string / Required. You can define rules as needed to filter by specific source and destination IP addresses.
Quit to system view / quit
Enter user interface view / user-interface [ type ] first-number [ last-number ] / The interface type and quantity supported by this command vary by device model.
Apply the ACL to control Telnet users by specified source and destination IP addresses / acl [ ipv6 ] acl-number { inbound | outbound } / Required. The inbound keyword filters the users trying to Telnet to the current access controller. The outbound keyword filters the users trying to Telnet to other access controllers from the current access controller. The interface type supported by this command varies by device model. Support for IPv6 addresses depends on the device model.
Controlling Telnet Users by Source MAC Addresses
Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Refer to ACL Configuration in the Security Volume for information about defining an ACL.
To do / Use the command / Remarks
Enter system view / system-view
Create a basic ACL or enter basic ACL view / acl number acl-number [ name acl-name ] [ match-order { auto | config } ] / As for the acl number command, the config keyword is specified by default.
Define rules for the ACL / rule [ rule-id ] { permit | deny } rule-string / Required. You can define rules as needed to filter by specific source MAC addresses.
Quit to system view / quit
Enter user interface view / user-interface [ type ] first-number [ last-number ] / The interface type and quantity supported by this command vary by device model.
Apply the ACL to control Telnet users by source MAC addresses / acl acl-number inbound / Required. The inbound keyword filters the users trying to Telnet to the current access controller.
Configuration Example
Network requirements
Only the Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to log in to the access controller.
Figure 6-1 Network diagram for controlling Telnet users using ACLs (Host A 10.110.100.52/24 and Host B 10.110.100.46/24 reach the AC across an IP network)
Configuration procedure
# Define a basic ACL.
system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny
[Sysname-acl-basic-2000] quit
# Apply the ACL to only permit Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 to access the access controller.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
Controlling Network Management Users by Source IP Addresses
You can manage an access controller through network management software. Network management
users can access controllers through SNMP.
You need to perform the following two operations to control network management users by source IP
addresses.
Defining an ACL
Applying the ACL to control users accessing the access controller through SNMP
Prerequisites
The controlling policy against network management users is determined, including the source IP
addresses to be controlled and the controlling actions (permitting or denying).
Controlling Network Management Users by Source IP Addresses
Controlling network management users by source IP addresses is achieved by applying basic ACLs,
which are numbered from 2000 to 2999. Refer to ACL Configuration in the Security Volume for
information about defining an ACL.
To do / Use the command / Remarks
Enter system view / system-view
Create a basic ACL or enter basic ACL view / acl number acl-number [ name acl-name ] [ match-order { auto | config } ] / As for the acl number command, the config keyword is specified by default.
Define rules for the ACL / rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ] * / Required
Quit to system view / quit
Apply the ACL while configuring the SNMP community name / snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ] * / Required
Apply the ACL while configuring the SNMP group name / snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] or snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] / Required
Apply the ACL while configuring the SNMP user name / snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ] or snmp-agent usm-user v3 user-name group-name [ cipher ] [ authentication-mode { md5 | sha } auth-password [ privacy-mode { des56 | aes128 } priv-password ] ] [ acl acl-number ] / Required
You can specify different ACLs while configuring the SNMP community name, the SNMP group name and the SNMP user name.
Refer to SNMP Configuration in the System Volume for SNMP-related commands.
As the SNMP community name is a feature of SNMPv1 and SNMPv2c, the ACLs specified in the command that configures SNMP community names (the snmp-agent community command) take effect in network management systems that adopt SNMPv1 or SNMPv2c.
Similarly, as the SNMP group name and SNMP user name are features of SNMPv2c and higher SNMP versions, the ACLs specified in the commands that configure SNMP group names (the snmp-agent group command and the snmp-agent group v3 command) and SNMP user names (the snmp-agent usm-user command and the snmp-agent usm-user v3 command) take effect in network management systems that adopt SNMPv2c or higher SNMP versions. If you configure both the SNMP group name and the SNMP user name and specify ACLs in both operations, the access controller filters network management users by both the SNMP group name and the SNMP user name.
Configuration Example
Network requirements
Only SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 are permitted to
access the access controller.
Figure 6-2 Network diagram for controlling SNMP users using ACLs (Host A 10.110.100.52/24 and Host B 10.110.100.46/24 reach the AC across an IP network)
Configuration procedure
# Define a basic ACL.
system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny
[Sysname-acl-basic-2000] quit
# Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and
10.110.100.46 to access the access controller.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
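Added example, not part of the manual: a small Python evaluator for the basic-ACL rule syntax that both configuration examples share (ACL 2000 applied to the VTY lines for Telnet and to the SNMP community, group and user). It parses the rule lines as written on the page, applies the wildcard match in configuration order, and makes explicit why the closing rule 3 deny matters. The behaviour when no rule matches is passed in as a parameter and is an assumption; the time-range, fragment and logging options are not modelled.

```python
import ipaddress
import re

# Constructed from the configuration examples: the rule lines of ACL 2000.
ACL_2000_CLI = """
rule 1 permit source 10.110.100.52 0
rule 2 permit source 10.110.100.46 0
rule 3 deny
"""

# Rule syntax as the manual gives it: rule [ rule-id ] { permit | deny }
# [ source { sour-addr sour-wildcard | any } ]  (other options not modelled)
RULE_RE = re.compile(
    r"^rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+source\s+(?:(?P<addr>[\d.]+)\s+(?P<wild>[\d.]+)|any))?$"
)

def _to_int(text):
    """Accept dotted quads and the CLI shorthand '0' for a 0.0.0.0 wildcard."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)

def parse_basic_acl(cli):
    """Parse rule lines, in configuration order, into
    (rule_id, action, address, wildcard) tuples. A rule without a source
    clause (or with 'source any') matches every address."""
    rules = []
    for line in cli.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised rule line: %r" % line)
        if m.group("addr"):
            addr, wild = _to_int(m.group("addr")), _to_int(m.group("wild"))
        else:
            addr, wild = 0, 0xFFFFFFFF
        rules.append((int(m.group("id")), m.group("action"), addr, wild))
    return rules

def acl_permits(rules, src_ip, default="permit"):
    """First matching rule wins (match-order config). Wildcard bits set to 1
    are 'don't care', so a wildcard of 0 is an exact host match. `default`
    is the assumed outcome when no rule matches; the manual's ACL 2000 ends
    with an explicit 'rule 3 deny', so its result does not depend on it."""
    src = int(ipaddress.IPv4Address(src_ip))
    for _rule_id, action, addr, wild in rules:
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return default == "permit"
```

Dropping rule 3 and calling acl_permits with the two defaults shows the difference between an ACL that ends in an explicit deny and one that relies on device behaviour for unmatched sources.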