03-Login management configuration
Login overview
The first time you access the device, you can only log in to the CLI of the default MDC through the console port. After login, you can create non-default MDCs, change console login parameters, or configure other access methods. Table 1 describes the supported login methods, the default login settings, and the minimum configuration requirements.
Non-default MDCs do not have any console ports. To log in to a non-default MDC for the first time, you must perform the following tasks:
· Log in to the default MDC.
· Switch to the non-default MDC by using the switchto mdc command.
After you log in to a non-default MDC, you can configure Telnet login, SSH login, Web, SNMP access, or RESTful access. Then, administrators of the default MDC and those of the non-default MDC can access the non-default MDC through Telnet, SSH, SNMP, Web, or the RESTful API. For more information about MDC, see Virtual Technologies Configuration Guide.
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
Telnet, HTTP-based Web login, and HTTP-based RESTful access are not supported in FIPS mode.
Table 1 Login methods at a glance
Login method | Default settings and minimum configuration requirements |
---|---|
CLI login: console login | By default, console login is enabled and does not require authentication. The default user role is network-admin. To improve device security, configure password or scheme authentication for the AUX line immediately after you log in to the device for the first time. |
CLI login: Telnet login | By default, Telnet login is disabled. To enable Telnet login, perform the following tasks: · Enable the Telnet server feature. · Assign an IP address to a Layer 3 interface and make sure the interface and the Telnet client can reach each other. · Configure an authentication mode for VTY login users. By default, password authentication is used but no password is configured. · Assign a user role to VTY login users. By default, a VTY login user is assigned the network-operator user role. |
CLI login: SSH login | By default, SSH login is disabled. To enable SSH login, perform the following tasks: · Enable the SSH server feature and configure SSH attributes. · Assign an IP address to a Layer 3 interface. Make sure the interface and the SSH client can reach each other. · Configure scheme authentication for VTY login users. By default, password authentication is used. · Assign a user role to VTY login users. By default, a VTY login user is assigned the network-operator user role. |
Web login | By default, Web login is disabled. To enable Web login, perform the following tasks: · Assign an IP address to a Layer 3 interface. Make sure the interface and the Web user's host can reach each other. · Configure a local user account for Web login and assign a user role to the account. By default, the network-operator user role is assigned to the account. · Assign HTTP or HTTPS service to the user. By default, no service type is assigned to a local user. |
SNMP access | By default, SNMP access is disabled. To enable SNMP access, perform the following tasks: · Assign an IP address to a Layer 3 interface. Make sure the interface and the NMS can reach each other. · Configure SNMP basic parameters. |
RESTful access | By default, RESTful access is disabled. To enable RESTful access, perform the following tasks: · Assign an IP address to a Layer 3 interface. Make sure the interface and the RESTful access user's host can reach each other. · Enable RESTful access over HTTP or RESTful access over HTTPS. · Configure a local user account for RESTful access and assign a user role to the account. By default, the network-operator user role is assigned to the account. · Assign HTTP or HTTPS service to the user. By default, no service type is assigned to a local user. |
Using the console port for the first device access
The first time you access the device, you can only log in to the CLI through the console port.
To log in through the console port, prepare a console terminal, for example, a PC. Make sure the console terminal has a terminal emulation program, such as HyperTerminal or PuTTY. For information about how to use terminal emulation programs, see the programs' user guides.
To log in through the console port:
1. Connect the DB-9 female connector of the console cable to the serial port of the PC.
2. Identify the console port of the device carefully and connect the RJ-45 connector of the console cable to the console port.
IMPORTANT: The serial ports on PCs do not support hot swapping. To connect a PC to an operating device, first connect the PC end. To disconnect a PC from an operating device, first disconnect the device end.
Figure 1 Connecting a terminal to the console port
3. If the PC is off, turn on the PC.
4. On the PC, launch the terminal emulation program, and create a connection that uses the serial port connected to the device. Set the port properties so the port properties match the following console port default settings:
¡ Bits per second—9600 bps.
¡ Flow control—None.
¡ Parity—None.
¡ Stop bits—1.
¡ Data bits—8.
5. Power on the device and press Enter as prompted.
The user view prompt appears. You can enter commands to configure or manage the device. To get help, enter ?.
Configuring CLI login
By default, you can log in to the CLI through the console port. After you log in, you can configure other CLI login methods, including Telnet and SSH.
To prevent illegal access to the CLI and control user behavior, perform the following tasks as required:
· Configure login authentication.
· Assign user roles.
· Configure command authorization and command accounting.
· Use ACLs to filter unauthorized logins.
This chapter describes how to configure and use CLI login methods, including login authentication, user roles, and common user line settings. For more information about command authorization, command accounting, and unauthorized access filtering, see "Controlling user access to the device."
CLI overview
User lines
The device uses user lines (also called user interfaces) to manage CLI sessions and monitor user behavior. For a user line, you can configure access control settings, including the login authentication method and user roles.
The device supports the user lines listed in Table 2. Different user lines require different login methods.
Table 2 CLI login method and user line matrix
User line | Login method |
---|---|
AUX line | Console port. |
Virtual type terminal (VTY) line | Telnet or SSH. |
User line numbering
Every user line has an absolute number and a relative number.
An absolute number uniquely identifies a user line among all user lines. The user lines are numbered starting from 0 and incrementing by 1, in the sequence of AUX and VTY lines. You can use the display line command without any parameters to view supported user lines and their absolute numbers.
A relative number uniquely identifies a user line among all user lines of the same type. The number format is user line type + number. User lines are numbered starting from 0 and incrementing by 1. For example, the first VTY line is VTY 0.
User line assignment
The device assigns user lines to CLI login users depending on their login methods, as shown in Table 2. When a user logs in, the device checks the idle user lines for the login method, and assigns the lowest numbered user line to the user. For example, four VTY lines (0 to 3) are configured, of which VTY 0 and VTY 3 are idle. When a user Telnets to the device, the device assigns VTY 0 to the user.
Each user line can be assigned only to one user at a time. If no user line is available, a CLI login attempt will be rejected.
Login authentication modes
You can configure login authentication to prevent illegal access to the device CLI.
In non-FIPS mode, the device supports the following login authentication modes:
· None—Disables authentication. This mode allows access without authentication and is insecure.
· Password—Requires password authentication. A user must provide the correct password at login.
· Scheme—Uses the AAA module to provide local or remote login authentication. A user must provide the correct username and password at login.
In FIPS mode, the device supports only the scheme authentication mode.
Different login authentication modes require different user line configurations, as shown in Table 3.
Table 3 Configuration required for different login authentication modes
Authentication mode | Configuration tasks |
---|---|
None | Set the authentication mode to none. |
Password | 1. Set the authentication mode to password. 2. Set a password. |
Scheme | 1. Set the authentication mode to scheme. 2. Configure login authentication methods in ISP domain view. For more information, see Security Configuration Guide. |
User roles
A user is assigned user roles at login. The user roles control the commands available for the user. For more information about user roles, see "Configuring RBAC."
The device assigns user roles based on the login authentication mode and user type.
· In none or password authentication mode, the device assigns the user roles specified for the user line.
· In scheme authentication mode, the device uses the following rules to assign user roles:
¡ For an SSH login user who uses publickey or password-publickey authentication, the device assigns the user roles specified for the local device management user with the same name.
¡ For other users, the device assigns user roles according to the user role configuration of the AAA module. If the AAA server does not assign any user roles and the default user role feature is disabled, a remote AAA authentication user cannot log in.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
Telnet login is not supported in FIPS mode.
Configuring console login
You can connect a terminal to the console port of the device to log in and manage the device, as shown in Figure 2. For the login procedure, see "Using the console port for the first device access."
Figure 2 Logging in through the console port
By default, console login is enabled and does not require authentication. The default user role is network-admin.
To improve device security, configure password or scheme authentication for the AUX line immediately after you log in to the device for the first time.
To configure console login, perform the following tasks:
Tasks at a glance | Remarks |
---|---|
(Required.) Perform one of the following tasks: · Disabling authentication for console login | In FIPS mode, only the scheme authentication mode is supported. |
(Optional.) Configuring common AUX line settings | N/A |
Console login configuration changes do not take effect for current online users. They take effect only for new login users.
Disabling authentication for console login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AUX line view or class view. | · Enter AUX line view: · Enter AUX line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Disable authentication. | authentication-mode none | In non-FIPS mode, authentication is disabled for console login by default. In FIPS mode, scheme authentication is enabled by default. |
4. Assign a user role. | user-role role-name | By default, a console user of the default MDC is assigned the network-admin user role. Non-default MDCs do not support console login. |
After you finish this configuration task, a user can log in through the console port without authentication.
Configuring password authentication for console login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AUX line view or class view. | · Enter AUX line view: · Enter AUX line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Enable password authentication. | authentication-mode password | In non-FIPS mode, authentication is disabled for console login by default. In FIPS mode, scheme authentication is enabled by default. |
4. Set a password. | set authentication password { hash \| simple } password | By default, no password is set. |
5. Assign a user role. | user-role role-name | By default, a console user of the default MDC is assigned the network-admin user role. Non-default MDCs do not support console login. |
After you finish this configuration task, a user must provide the configured password when logging in through the console port.
Configuring scheme authentication for console login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AUX line view or class view. | · Enter AUX line view: · Enter AUX line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Enable scheme authentication. | authentication-mode scheme | In non-FIPS mode, authentication is disabled for console login by default. In FIPS mode, scheme authentication is enabled by default. |
To use scheme authentication, you must also perform the following tasks:
· Configure login authentication methods in ISP domain view.
· For remote authentication, configure a RADIUS, HWTACACS, or LDAP scheme.
· For local authentication, create a local user account and configure the relevant attributes.
For more information, see Security Configuration Guide.
After you finish this configuration task, a user must provide the configured username and password when logging in through the console port.
Configuring common AUX line settings
Some common settings for an AUX line take effect immediately and can interrupt the current session. Use a login method different from console login to log in to the device before you change AUX line settings.
After you change AUX line settings, adjust the settings on the configuration terminal accordingly for a successful login.
To configure common settings for an AUX line:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AUX line view or class view. | · Enter AUX line view: · Enter AUX line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Set the transmission rate. | speed speed-value | By default, the transmission rate is 9600 bps. This command is not available in AUX or console line class view. |
4. Specify the parity. | parity { even \| mark \| none \| odd \| space } | By default, a user line does not use parity. This command is not available in AUX line class view. |
5. Specify the number of stop bits for a character. | stopbits { 1 \| 1.5 \| 2 } | The default is 1. Stop bits indicate the end of a character. The more stop bits, the slower the transmission. This command is not available in AUX line class view. |
6. Specify the number of data bits for a character. | databits { 5 \| 6 \| 7 \| 8 } | The default is 8. Configure this command depending on the character coding type. For example, set the number of data bits to 7 for standard ASCII characters. Set the number of data bits to 8 for extended ASCII characters. Keywords 5 and 6 are not supported in the current software version. This command is not available in AUX line class view. |
7. Specify the terminal session activation key. | activation-key character | |
8. Specify the escape key. | escape-key { character \| default } | The default setting is Ctrl+C. |
9. Set the user line locking key. | lock-key key-string | By default, no user line locking key is set. |
10. Configure the flow control mode. | flow-control { hardware \| none \| software } | By default, flow control is disabled. This command is not available in AUX line class view. |
11. Specify the terminal display type. | terminal type { ansi \| vt100 } | By default, the terminal display type is ANSI. The device supports ANSI and VT100 terminal display types. As a best practice, specify VT100 type on both the device and the configuration terminal. If either side uses the ANSI type, a display problem might occur when a command line has more than 80 characters. For example, a cursor positioning error might occur. |
12. Set the maximum number of lines of command output to send to the terminal at a time. | screen-length screen-length | By default, the device sends up to 24 lines to the terminal at a time when pausing between screens of output is enabled. To disable pausing between screens of output, set the value to 0. |
13. Set the size for the command history buffer. | history-command max-size value | The default size is 10 history commands. |
14. Set the CLI connection idle-timeout timer. | idle-timeout minutes [ seconds ] | By default, the CLI connection idle-timeout timer is 10 minutes. If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line. If you set the timeout timer to 0, the connection will not be aged out. |
15. Enable the terminal service. | shell | By default, the terminal service is enabled on all user lines. The undo shell command is not supported in AUX line view. |
Configuring Telnet login
The device can act as a Telnet server to allow Telnet login, or as a Telnet client to Telnet to other devices.
By default, Telnet login is disabled on the device. To configure Telnet login, you must first log in to the device through any other method.
NOTE: Telnet login is not supported in FIPS mode.
Configuring the device as a Telnet server
Tasks at a glance:
· (Required.) Enabling Telnet server
· (Required.) Perform one of the following tasks: · Disabling authentication for Telnet login
· (Optional.) Setting the maximum number of concurrent Telnet users
· (Optional.) Setting the DSCP value for outgoing Telnet packets
· (Optional.) Specifying the Telnet service port number
· (Optional.) Configuring common VTY line settings
Telnet login configuration changes do not take effect for current online users. They take effect only for new login users.
Enabling Telnet server
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the Telnet server. | telnet server enable | By default, the Telnet server is disabled. |
Disabling authentication for Telnet login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VTY line view or class view. | · Enter VTY line view: · Enter VTY line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Disable authentication. | authentication-mode none | In non-FIPS mode, password authentication is enabled for VTY lines by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
4. (Optional.) Assign a user role. | user-role role-name | By default, a VTY line user of the default MDC is assigned the network-operator user role. A VTY line user of a non-default MDC is assigned the mdc-operator user role. |
After you finish this configuration task, a user can Telnet to the device without authentication, as shown in the following example:
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<Sysname>
If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.
Configuring password authentication for Telnet login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VTY line view or class view. | · Enter VTY line view: · Enter VTY line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Enable password authentication. | authentication-mode password | In non-FIPS mode, password authentication is enabled for VTY lines by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
4. Set a password. | set authentication password { hash \| simple } password | By default, no password is set. |
5. (Optional.) Assign a user role. | user-role role-name | By default, a VTY line user of the default MDC is assigned the network-operator user role. A VTY line user of a non-default MDC is assigned the mdc-operator user role. |
After you finish this configuration task, a user must provide the configured password when Telnetting to the device, as shown in the following example:
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Password:
<Sysname>
If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.
Configuring scheme authentication for Telnet login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VTY line view or class view. | · Enter VTY line view: · Enter VTY line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Enable scheme authentication. | authentication-mode scheme | In non-FIPS mode, password authentication is enabled for VTY lines by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
To use scheme authentication, you must also perform the following tasks:
· Configure login authentication methods in ISP domain view.
· For remote authentication, configure a RADIUS, HWTACACS, or LDAP scheme.
· For local authentication, create a local user account and configure the relevant attributes.
For more information, see Security Configuration Guide.
After you finish this configuration task, a user must provide the configured username and password when Telnetting to the device, as shown in the following example:
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
login: admin
Password:
<Sysname>
If the maximum number of login users has been reached, the login attempt fails and the message "All lines are used, please try later!" appears.
Setting the maximum number of concurrent Telnet users
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the maximum number of concurrent Telnet users. | aaa session-limit telnet max-sessions | The default is 32. Changing this setting does not affect users who are currently online. If the new limit is less than the number of online Telnet users, no additional users can Telnet in until the number drops below the new limit. For more information about this command, see Security Command Reference. |
Setting the DSCP value for outgoing Telnet packets
The DSCP value is carried in the ToS or Traffic class field of an IP or IPv6 packet to indicate the transmission priority of the packet.
To set the DSCP value for outgoing Telnet packets:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the DSCP value for outgoing Telnet packets. | · For a Telnet server running IPv4: · For a Telnet server running IPv6: | By default, the DSCP value is 48. |
Specifying the Telnet service port number
You can use this feature to change the Telnet service port number.
To specify the Telnet service port number:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify the Telnet service port number. | · In an IPv4 network: · In an IPv6 network: | By default, the Telnet service port number is 23. |
Configuring common VTY line settings
For a VTY line, you can specify a command that is to be automatically executed when a user logs in. After executing the specified command, the system automatically disconnects the Telnet session. Typically, you configure the auto-execute command telnet X.X.X.X command on the device so the device redirects a Telnet user to the host at X.X.X.X. The connection to the current device is closed when the user terminates the Telnet connection to X.X.X.X.
To configure common settings for VTY lines:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VTY line view or class view. | · Enter VTY line view: · Enter VTY line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Enable the terminal service. | shell | By default, the terminal service is enabled on all user lines. |
4. Specify the supported protocols. | protocol inbound { all \| ssh \| telnet } | By default, Telnet and SSH are supported. A protocol change does not take effect for current online users. It takes effect only for new login users. In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
5. Specify the shortcut key for terminating a task. | escape-key { character \| default } | The default setting is Ctrl+C. |
6. Set the user line locking key. | lock-key key-string | By default, no user line locking key is set. |
7. Specify the terminal display type. | terminal type { ansi \| vt100 } | The default terminal display type is ANSI. |
8. Set the maximum number of lines of command output to send to the terminal at a time. | screen-length screen-length | By default, the device sends up to 24 lines to the terminal at a time when pausing between screens of output is enabled. To disable pausing between screens of output, set the value to 0. |
9. Set the size for the command history buffer. | history-command max-size value | The default size is 10 history commands. |
10. Set the CLI connection idle-timeout timer. | idle-timeout minutes [ seconds ] | By default, the CLI connection idle-timeout timer is 10 minutes. If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line. If you set the timeout timer to 0, the connection will not be aged out. |
11. Specify the command to be automatically executed for login users on the user lines. | auto-execute command command | By default, no command is specified for auto execution. Before you configure this command and save the configuration, make sure you can access the CLI to modify the configuration through other VTY user lines or AUX user lines. |
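The precedence rules between user line view and user line class view, and the coupling between authentication-mode and protocol inbound in VTY line view (both stated in the table remarks above), are easy to misread when reviewing a configuration. The following Python example is added here and is not code from the guide or from H3C: it encodes those rules and audits a constructed configuration excerpt for the weak VTY settings the guide warns about. The `line vty first last` and `line class vty` view-entry syntax is assumed from the Comware CLI, since those command cells are missing from the tables.

```python
"""Resolve effective VTY line settings and flag weak login configuration.

Added example, not code from the guide: it encodes the precedence rules for
user line view vs. user line class view and the VTY-view coupling between
authentication-mode and protocol inbound, then audits a constructed config.
The `line vty first last` / `line class vty` syntax is assumed from Comware.
"""
import re
# VTY line defaults stated in the guide (non-FIPS mode).
DEFAULTS = {"authentication-mode": "password", "protocol-inbound": "all"}
# In VTY line view these two commands are coupled (see the table remarks).
COUPLED = ("authentication-mode", "protocol-inbound")
LINE_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
# Constructed sample configuration, not taken from any real device.
SAMPLE_CONFIG = """\
telnet server enable
#
line class vty
 authentication-mode scheme
 protocol inbound ssh
#
line vty 0 3
 authentication-mode none
#
line vty 4 7
 authentication-mode password
 set authentication password simple Example_Pw1
#
line vty 8 11
 protocol inbound ssh
"""

def parse_config(text):
    """Return (class_view, {(first, last): line_view}, telnet_enabled)."""
    class_view, line_views, telnet_enabled, current = {}, {}, False, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "#":           # '#' separates config blocks
            current = None
            continue
        if cmd == "telnet server enable":
            telnet_enabled = True
            continue
        if cmd == "line class vty":
            current = class_view
            continue
        m = LINE_RE.match(cmd)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = line_views.setdefault((first, last), {})
            continue
        if current is None:                 # a global command we do not model
            continue
        if cmd.startswith("authentication-mode "):
            current["authentication-mode"] = cmd.split()[1]
        elif cmd.startswith("protocol inbound "):
            current["protocol-inbound"] = cmd.split()[2]
        elif cmd.startswith("set authentication password "):
            current["password-set"] = True
    return class_view, line_views, telnet_enabled

def effective(line_view, class_view):
    """Apply the guide's precedence rules to get what a VTY line really uses."""
    result = {}
    for key, default in DEFAULTS.items():
        line_val, class_val = line_view.get(key), class_view.get(key)
        if line_val is not None and line_val != default:
            result[key] = line_val          # non-default line view wins
        elif class_val is not None and class_val != default:
            result[key] = class_val         # non-default class view beats a default
        else:
            result[key] = default
    # Coupling: a non-default value for one coupled command in VTY line view
    # makes the other use its default, regardless of the class view setting.
    for a, b in ((COUPLED[0], COUPLED[1]), (COUPLED[1], COUPLED[0])):
        if (line_view.get(a, DEFAULTS[a]) != DEFAULTS[a]
                and line_view.get(b, DEFAULTS[b]) == DEFAULTS[b]):
            result[b] = DEFAULTS[b]
    return result

def audit(text):
    """Return one finding string per weak setting, in VTY line order."""
    class_view, line_views, telnet_enabled = parse_config(text)
    findings = []
    for (first, last), view in sorted(line_views.items()):
        eff = effective(view, class_view)
        label = f"VTY {first}-{last}" if first != last else f"VTY {first}"
        if eff["authentication-mode"] == "none":
            findings.append(f"{label}: authentication disabled (mode none)")
        elif eff["authentication-mode"] == "password" and not (
                view.get("password-set") or class_view.get("password-set")):
            findings.append(f"{label}: password mode but no password set")
        if telnet_enabled and eff["protocol-inbound"] in ("all", "telnet"):
            findings.append(
                f"{label}: accepts Telnet (protocol inbound {eff['protocol-inbound']})")
    return findings
```

Note that VTY 8-11 is flagged even though the class view requests scheme authentication: setting only protocol inbound ssh in line view silently drops the line back to password authentication with no password, exactly as the coupling remark describes.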
Using the device to log in to a Telnet server
You can use the device as a Telnet client to log in to a Telnet server. If the server is located in a different subnet than the client, make sure the two devices can reach each other.
Figure 3 Telnetting from the device to a Telnet server
To use the device to log in to a Telnet server:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. (Optional.) Specify the source IPv4 address or source interface for outgoing Telnet packets. |
telnet client source { interface interface-type interface-number | ip ip-address } |
By default, no source IPv4 address or source interface is specified. The device uses the primary IPv4 address of the output interface as the source address for outgoing Telnet packets. |
3. Exit to user view. |
quit |
N/A |
4. Use the device to log in to a Telnet server. |
· Log in to an IPv4 Telnet server: · Log in to an IPv6 Telnet server: |
N/A |
Configuring SSH login
SSH offers a secure method for remote login. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception. For more information, see Security Configuration Guide.
The device can act as an SSH server to allow Stelnet (SSH) login, or as an SSH client to log in to an SSH server.
By default, SSH login is disabled on the device. To configure SSH login, you must first log in to the device through any other method.
Configuring the device as an SSH server
This section provides the SSH server configuration procedure used when the SSH client authentication method is password. For more information about SSH and publickey authentication configuration, see Security Configuration Guide.
To configure the device as an SSH server:
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create local key pairs. |
· In non-FIPS mode: · In FIPS mode: |
By default, no local key pairs are created. |
|
3. Enable the Stelnet server. |
ssh server enable |
By default, the Stelnet server is disabled. |
|
4. (Optional.) Create an SSH user and specify the authentication mode. |
· In non-FIPS mode: · In FIPS mode: |
By default, no SSH user is configured on the device. |
|
5. Enter VTY line view or class view. |
· Enter VTY line view: · Enter VTY line class view: |
A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
|
6. Enable scheme authentication. |
authentication-mode scheme |
In non-FIPS mode, password authentication is enabled for VTY lines by default. In FIPS mode, scheme authentication is enabled for VTY lines by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
|
7. (Optional.) Specify the protocols for the user lines to support. |
· In non-FIPS mode: · In FIPS mode: |
In non-FIPS mode, Telnet and SSH are supported by default. In FIPS mode, SSH is supported by default. A protocol change does not take effect for current online users. It takes effect only for new login users. In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
|
8. (Optional.) Set the maximum number of concurrent SSH users. |
aaa session-limit ssh max-sessions |
The default is 32. Changing this setting does not affect users who are currently online. If the new limit is less than the number of online SSH users, no additional SSH users can log in until the number drops below the new limit. For more information about this command, see Security Command Reference. |
|
9. Exit to system view. |
quit |
N/A |
|
10. (Optional.) Configure common settings for VTY lines. |
N/A |
|
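Steps 5 through 7 state precedence rules that are easy to get wrong when hardening VTY lines: a non-default setting in line view beats line class view, and in VTY line view authentication-mode and protocol inbound are coupled, so setting only one of them to a non-default value silently returns the other to its default. The following Python script is an added example, not code from the original page or from the device vendor. It parses a constructed configuration excerpt (the line blocks and these two commands only; everything else is ignored) and reports every VTY line whose effective settings are not scheme authentication with SSH as the only inbound protocol. The defaults table, the configuration text and the audit target are assumptions made for the example.

```python
"""Resolve the effective authentication mode and inbound protocols of VTY lines.

Precedence rules modelled (from the procedure above):
  * a non-default setting in line view beats any setting in line class view;
  * a non-default setting in line class view beats a default setting in line view;
  * in VTY line view, authentication-mode and protocol inbound are coupled:
    a non-default value for one of them makes the other use its default,
    regardless of the value configured in line class view.
"""
import re

# Defaults as stated in the procedure; they differ between non-FIPS and FIPS mode.
DEFAULTS = {
    "non-fips": {"auth": "password", "protocols": frozenset({"telnet", "ssh"})},
    "fips": {"auth": "scheme", "protocols": frozenset({"ssh"})},
}
PROTOCOL_SETS = {
    "all": frozenset({"telnet", "ssh"}),
    "ssh": frozenset({"ssh"}),
    "telnet": frozenset({"telnet"}),
}
CLASS_VIEW = "class"  # sentinel for "currently inside line class vty"


def parse_line_views(config):
    """Return (class_settings, {vty_number: line_settings}).

    Only authentication-mode and protocol inbound are collected; other commands
    in the line blocks are ignored. 'line vty 0 63' applies to every VTY in range.
    """
    class_view, per_line, targets = {}, {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd == "line class vty":
            targets = CLASS_VIEW
        elif m := re.fullmatch(r"line vty (\d+)(?: (\d+))?", cmd):
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            targets = range(first, last + 1)
        elif cmd == "quit" or cmd.startswith("line "):
            targets = None  # left the line view, or entered a block we do not model
        elif targets is not None:
            if m := re.fullmatch(r"authentication-mode (none|password|scheme)", cmd):
                _store(class_view, per_line, targets, "auth", m.group(1))
            elif m := re.fullmatch(r"protocol inbound (all|ssh|telnet)", cmd):
                _store(class_view, per_line, targets, "protocols", PROTOCOL_SETS[m.group(1)])
    return class_view, per_line


def _store(class_view, per_line, targets, key, value):
    if targets is CLASS_VIEW:
        class_view[key] = value
    else:
        for vty in targets:
            per_line.setdefault(vty, {})[key] = value


def effective_settings(class_view, line_view, mode="non-fips"):
    """Apply the precedence and coupling rules for one VTY line."""
    defaults = DEFAULTS[mode]

    def non_default(view, key):
        return key in view and view[key] != defaults[key]

    # The coupling applies as soon as either command is non-default in line view.
    coupled = non_default(line_view, "auth") or non_default(line_view, "protocols")
    result = {}
    for key in ("auth", "protocols"):
        if coupled:
            result[key] = line_view[key] if non_default(line_view, key) else defaults[key]
        elif non_default(class_view, key):
            result[key] = class_view[key]
        else:
            result[key] = defaults[key]
    return result


def audit_vty_lines(config, mode="non-fips", vty_numbers=range(64)):
    """Return {vty: effective settings} for lines that are not scheme + SSH-only."""
    class_view, per_line = parse_line_views(config)
    weak = {}
    for vty in vty_numbers:
        eff = effective_settings(class_view, per_line.get(vty, {}), mode)
        if eff["auth"] != "scheme" or eff["protocols"] != frozenset({"ssh"}):
            weak[vty] = eff
    return weak


# Constructed configuration excerpt: the class view is hardened, but an operator
# later re-entered 'protocol inbound ssh' on VTY 5 in line view.
SAMPLE_CONFIG = """\
line class vty
 authentication-mode scheme
 protocol inbound ssh
 quit
line vty 0 63
 idle-timeout 5 0
 quit
line vty 5
 protocol inbound ssh
 quit
"""

if __name__ == "__main__":
    for vty, eff in audit_vty_lines(SAMPLE_CONFIG).items():
        print(f"vty {vty}: auth={eff['auth']} protocols={sorted(eff['protocols'])}")
```

In non-FIPS mode the audit reports only VTY 5, with password authentication: the line-view protocol inbound ssh is non-default, so the line's authentication-mode falls back to the default password mode even though the class view says scheme. The reverse also holds, so entering only authentication-mode scheme in line view re-opens Telnet on that line. In FIPS mode both values are already the defaults and nothing is reported.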
Using the device to log in to an SSH server
You can use the device as an SSH client to log in to an SSH server. If the server is located in a different subnet than the client, make sure the two devices can reach each other.
Figure 4 Logging in to an SSH server from the device
Perform the following tasks in user view:
Task |
Command |
Log in to an IPv4 SSH server. |
ssh2 server |
Log in to an IPv6 SSH server. |
ssh2 ipv6 server |
To work with the SSH server, you might need to specify a set of parameters. For more information, see Security Configuration Guide.
Displaying and maintaining CLI login
Execute display commands in any view.
Task |
Command |
Remarks |
Display online CLI users. |
display users [ all ] |
N/A |
Display user line information. |
display line [ num1 | { aux | vty } num2 ] [ summary ] |
N/A |
Display the packet source setting for the Telnet client. |
display telnet client |
N/A |
Release a user line. |
free line { num1 | { aux | vty } num2 } |
Multiple users can log in to the device and configure it simultaneously. When necessary, you can execute this command to release some of the connections. You cannot use this command to release the connection you are using. This command is available in user view. |
Lock the current user line and set the password for unlocking the line. |
lock |
By default, the system does not lock any user lines. This command is not supported in FIPS mode. This command is available in user view. |
Lock the current user line and enable unlocking authentication. |
lock reauthentication |
By default, the system does not lock any user lines or initiate reauthentication. To unlock the locked user line, you must press Enter and provide the login password to pass reauthentication. This command is available in any view. |
Send messages to user lines. |
send { all | num1 | { aux | vty } num2 } |
This command is available in user view. |
Configuring Web login
The device provides a built-in Web server that supports HTTP (1.0 and 1.1) and HTTPS. You can use a Web browser to log in to and configure the device.
HTTPS uses SSL to protect the confidentiality and integrity of data exchanged between the client and the server, and is more secure than HTTP. You can define a certificate-based access control policy to allow only authorized clients to access the Web interface.
Web login is disabled by default. To configure Web login, you must first log in through the console port.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
HTTP is not supported in FIPS mode.
Configuring HTTP login
Step |
Command |
Remarks |
1. (Optional.) Specify a fixed verification code for Web login. |
web captcha verification-code |
By default, no fixed verification code is configured. A Web user must enter the verification code displayed on the login page at login. |
2. Enter system view. |
system-view |
N/A |
3. Enable the HTTP service. |
ip http enable |
By default, the HTTP service is disabled. |
4. (Optional.) Specify the HTTP service port number. |
ip http port port-number |
The default HTTP service port number is 80. |
5. (Optional.) Set the Web connection idle-timeout timer. |
web idle-timeout minutes |
N/A |
6. (Optional.) Specify the maximum number of online HTTP users. |
aaa session-limit http max-sessions |
The default is 32. Changing this setting does not affect users who are currently online. If the new setting is less than the number of online HTTP users, no additional HTTP users can log in until the number drops below the new limit. For more information about this command, see Security Command Reference. |
7. (Optional.) Enable Web operation logging. |
webui log enable |
By default, Web operation logging is disabled. |
8. Create a local user and enter local user view. |
local-user user-name [ class manage ] |
By default, no local user is configured. |
9. Configure a password for the local user. |
· In non-FIPS mode: · In FIPS mode: |
The password is saved in hashed form. By default, no password is configured for a local user. · In non-FIPS mode, a local user that has no password can pass authentication by entering only the correct username and passing attribute checks. · In FIPS mode, a local user that has no password cannot pass authentication. For security purposes, always configure a password for the local user. |
10. Assign a user role to the local user. |
authorization-attribute user-role user-role |
The default user role is network-operator for a Web user. |
11. Specify the HTTP service for the local user. |
service-type http |
By default, no service type is specified for a local user. |
Configuring HTTPS login
The device supports the following HTTPS login modes:
· Simplified mode—The device uses a self-signed certificate (a certificate that is generated and signed by the device itself) and the default SSL settings. The device operates in simplified mode after you enable HTTPS service on the device.
· Secure mode—The device uses a certificate signed by a CA and a set of user-defined security protection settings to ensure security. For the device to operate in secure mode, you must perform the following tasks:
¡ Enable HTTPS service on the device.
¡ Specify an SSL server policy for the service.
¡ Configure PKI domain-related parameters.
Simplified mode is simple to configure but has potential security risks: a self-signed certificate cannot be validated against a trusted CA, so a client cannot distinguish the device from a man-in-the-middle that presents its own self-signed certificate. Secure mode is more complicated to configure but provides a higher level of security.
For more information about SSL and PKI, see Security Configuration Guide.
Follow these guidelines when you configure HTTPS login:
· If the HTTPS service and the SSL VPN service use the same port number, they must use the same SSL server policy. If they use different SSL server policies, only one of them can be enabled.
· If the HTTPS service and the SSL VPN service use the same port number and the same SSL server policy, perform the following tasks:
¡ Disable the two services before you modify the SSL server policy.
¡ Enable the two services again after the modification.
If you do not do so, the SSL server policy will not take effect.
To configure HTTPS login:
Step |
Command |
Remarks |
1. (Optional.) Specify a fixed verification code for Web login. |
web captcha verification-code |
By default, no fixed verification code is configured. A Web user must enter the verification code displayed on the login page at login. |
2. Enter system view. |
system-view |
N/A |
3. (Optional.) Apply an SSL server policy to control HTTPS access. |
ip https ssl-server-policy policy-name |
By default, no SSL server policy is applied, and the HTTPS service uses a self-signed certificate. Disabling the HTTPS service removes the SSL server policy application, so you must execute this command again before you re-enable the HTTPS service. Changes to an SSL server policy that is already associated with an enabled HTTPS service do not take effect. For the changes to take effect, disable HTTP and HTTPS, apply the policy again, and then enable HTTP and HTTPS again. |
4. Enable the HTTPS service. |
ip https enable |
By default, HTTPS is disabled. Enabling the HTTPS service triggers the SSL handshake negotiation process. · If the device has a local certificate, the SSL handshake negotiation succeeds and the HTTPS service starts up. · If the device does not have a local certificate, the certificate application process starts. Because the certificate application process takes a long time, the SSL handshake negotiation might fail and the HTTPS service might not be started. To solve the problem, execute this command again until the HTTPS service is enabled. |
5. (Optional.) Apply a certificate-based access control policy to control HTTPS access. |
ip https certificate access-control-policy policy-name |
By default, no certificate-based access control policy is applied for HTTPS access control. For clients to log in through HTTPS with such a policy applied, the associated SSL server policy must have the client-verify enable command configured, and the access control policy must contain a minimum of one permit rule (see the HTTPS login configuration example). For more information about certificate-based access control policies, see the chapter on PKI in Security Configuration Guide. |
6. (Optional.) Specify the HTTPS service port number. |
ip https port port-number |
The default HTTPS service port number is 443. |
7. (Optional.) Set the HTTPS login authentication mode. |
web https-authorization mode { auto | manual } |
By default, manual authentication mode is used for HTTPS login. |
8. (Optional.) Set the Web connection idle-timeout timer. |
web idle-timeout minutes |
N/A |
9. (Optional.) Specify the maximum number of online HTTPS users. |
aaa session-limit https max-sessions |
The default is 32. Changing this setting does not affect users who are currently online. If the new setting is less than the number of online HTTPS users, no additional HTTPS users can log in until the number drops below the new limit. For more information about this command, see Security Command Reference. |
10. (Optional.) Enable Web operation logging. |
webui log enable |
By default, Web operation logging is disabled. |
11. Create a local user and enter local user view. |
local-user user-name [ class manage ] |
By default, no local user is configured. |
12. Configure a password for the local user. |
· In non-FIPS mode: · In FIPS mode: |
The password is saved in hashed form. By default, no password is configured for a local user. · In non-FIPS mode, a local user that has no password can pass authentication by entering only the correct username and passing attribute checks. · In FIPS mode, a local user that has no password cannot pass authentication. For security purposes, always configure a password for the local user. |
13. Assign a user role to the local user. |
authorization-attribute user-role user-role |
The default user role is network-operator for a Web user. |
14. Specify the HTTPS service for the local user. |
service-type https |
By default, no service type is specified for a local user. |
Displaying and maintaining Web login
Execute display commands in any view and the free web-users command in user view.
Task |
Command |
Display online Web users. |
display web users |
Display Web interface navigation tree information. |
display web menu [ chinese ] |
Display HTTP service configuration and status information. |
display ip http |
Display HTTPS service configuration and status information. |
display ip https |
Log off online Web users. |
free web-users { all | user-id user-id | user-name user-name } |
Web login configuration examples
HTTP login configuration example
Network requirements
As shown in Figure 5, the PC and the device can communicate over the IP network.
Configure the device to allow the PC to log in by using HTTP.
Configuration procedure
# Create a local user named admin. Set the password to admin, the service type to HTTP, and the user role to network-admin. (The password admin is used only for this example; use a strong password on a real device.)
<Sysname> system-view
[Sysname] local-user admin
[Sysname-luser-manage-admin] service-type http
[Sysname-luser-manage-admin] authorization-attribute user-role network-admin
[Sysname-luser-manage-admin] password simple admin
[Sysname-luser-manage-admin] quit
# Enable HTTP.
[Sysname] ip http enable
Verifying the configuration
1. On the PC, run the IE browser and enter the IP address of the device in the address bar.
2. On the login page, enter the username, password, and verification code. Select English and click Login.
After you pass authentication, the homepage appears and you can configure the device.
HTTPS login configuration example
Network requirements
As shown in Figure 6, the host, device, and CA can communicate over the IP network.
Perform the following tasks to allow only authorized users to access the device's Web interface:
· Configure the device as the HTTPS server and request a certificate for the device.
· Configure the host as the HTTPS client and request a certificate for the host.
Configuration procedure
In this example, the CA runs Windows Server and has the SCEP add-on installed.
1. Configure the device (HTTPS server):
# Create PKI entity en and set entity parameters.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit
# Create PKI domain 1 and set domain parameters.
[Device] pki domain 1
[Device-pki-domain-1] ca identifier new-ca
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
# Configure the PKI domain to use the 1024-bit RSA key pair hostkey for both signing and encryption. (A 1024-bit RSA key is shown only to match this example; use a key of at least 2048 bits on a real device.)
[Device-pki-domain-1] public-key rsa general name hostkey length 1024
[Device-pki-domain-1] quit
# Create RSA local key pairs.
[Device] public-key local create rsa
# Retrieve the CA certificate.
[Device] pki retrieve-certificate domain 1 ca
# Configure the device to request a local certificate through SCEP.
[Device] pki request-certificate domain 1
# Create SSL server policy myssl. Specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Create certificate attribute group mygroup1. Configure a certificate attribute rule that matches certificates whose issuer name DN contains the string new-ca.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Device-pki-cert-attribute-group-mygroup1] quit
# Create certificate-based access control policy myacp. Configure a certificate access control rule that uses the matching criteria in certificate attribute group mygroup1.
[Device] pki certificate access-control-policy myacp
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1
[Device-pki-cert-acp-myacp] quit
# Associate SSL server policy myssl with the HTTPS service.
[Device] ip https ssl-server-policy myssl
# Use certificate-based access control policy myacp to control HTTPS access.
[Device] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[Device] ip https enable
# Create local user usera. Set the password to 123, the service type to HTTPS, and the user role to network-admin.
[Device] local-user usera
[Device-luser-manage-usera] password simple 123
[Device-luser-manage-usera] service-type https
[Device-luser-manage-usera] authorization-attribute user-role network-admin
2. Configure the host (HTTPS client):
# On the host, run the IE browser and enter http://10.1.2.2/certsrv in the address bar.
# Request a certificate for the host as prompted.
Verifying the configuration
1. On the host, enter https://10.1.1.1 in the browser's address bar, and select the certificate issued by new-ca.
2. When the Web login page appears, enter the username usera and password 123 to log in to the Web interface.
For more information about PKI and SSL configuration commands and the public-key local create rsa command, see Security Command Reference.
Accessing the device through SNMP
You can run SNMP on an NMS to access the device MIB and perform Get and Set operations to manage and monitor the device.
The device supports SNMPv1, SNMPv2c, and SNMPv3, and can cooperate with various network management software products. However, the device and the NMS must use the same SNMP version.
By default, SNMP access is disabled. To configure SNMP access, you must first log in to the device through any other method.
For more information about SNMP, see Network Management and Monitoring Configuration Guide.
Configuring RESTful access
The device provides the Representational State Transfer application programming interface (RESTful API). Based on this API, you can use programming languages such as Python, Ruby, or Java to write programs to perform the following tasks:
· Send RESTful requests to the device to pass authentication.
· Use RESTful API operations to configure and manage the device. RESTful API operations include Get, Put, Post, and Delete.
The device supports using HTTP or HTTPS to transfer RESTful packets.
RESTful access is disabled by default. To configure RESTful access, you must first log in through the console port.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
RESTful access over HTTP is not supported in FIPS mode.
Configuring RESTful access over HTTP
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable RESTful access over HTTP. |
restful http enable |
By default, RESTful access over HTTP is disabled. |
3. Create a local user and enter local user view. |
local-user user-name [ class manage ] |
By default, no local user is configured. |
4. Configure a password for the local user. |
password [ { hash | simple } password ] |
The password is saved in hashed form. By default, no password is configured for a local user. |
5. (Optional.) Assign a user role to the local user. |
authorization-attribute user-role user-role |
The default user role is network-operator for a RESTful access user. |
6. Specify the HTTP service for the local user. |
service-type http |
By default, no service type is specified for a local user. |
Configuring RESTful access over HTTPS
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable RESTful access over HTTPS. |
restful https enable |
By default, RESTful access over HTTPS is disabled. |
3. Create a local user and enter local user view. |
local-user user-name [ class manage ] |
By default, no local user is configured. |
4. Configure a password for the local user. |
· In non-FIPS mode: · In FIPS mode: |
The password is saved in hashed form. By default, no password is configured for a local user. |
5. (Optional.) Assign a user role to the local user. |
authorization-attribute user-role user-role |
The default user role is network-operator for a RESTful access user. |
6. Specify the HTTPS service for the local user. |
service-type https |
By default, no service type is specified for a local user. |
Controlling user access to the device
Use ACLs to prevent unauthorized access, and configure command authorization and accounting to monitor and control user behavior. For more information about ACLs, see ACL and QoS Configuration Guide.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
Telnet and HTTP are not supported in FIPS mode.
Controlling Telnet and SSH logins
Use different types of ACLs to filter Telnet and SSH logins by different match criteria:
· Basic ACL (2000 to 2999)—Source IP address.
· Advanced ACL (3000 to 3999)—Source IP address and destination IP address.
· Ethernet frame header ACL (4000 to 4999)—Source MAC address.
If an applied ACL does not exist or does not have any rules, no user login restriction is applied. If the ACL exists and has rules, only users permitted by the ACL can access the device through Telnet or SSH.
Configuration procedures
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Apply an ACL to filter Telnet logins. |
· telnet server acl [ mac ] acl-number · telnet server ipv6 acl { ipv6 | mac } acl-number |
By default, no ACL is used to filter Telnet logins. |
3. (Optional.) Enable logging for Telnet login attempts that are denied by the Telnet login control ACL. |
telnet server acl-deny-log enable |
By default, logging is disabled for Telnet login attempts that are denied by the Telnet login control ACL. |
To control SSH logins:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Apply an ACL to filter SSH logins. |
· ssh server acl [ mac ] acl-number · ssh server ipv6 acl { ipv6 | mac } acl-number |
By default, no ACL is used to filter SSH logins. For more information about these two commands, see Security Command Reference. |
3. (Optional.) Enable logging for SSH login attempts that are denied by the SSH login control ACL. |
ssh server acl-deny-log enable |
By default, logging is disabled for SSH login attempts that are denied by the SSH login control ACL. For more information about this command, see Security Command Reference. |
Configuration example
Network requirements
As shown in Figure 8, the device is a Telnet server.
Configure the device to permit only Telnet packets sourced from Host A and Host B.
Configuration procedure
# Configure an ACL to permit packets sourced from Host A and Host B.
<Sysname> system-view
[Sysname] acl basic 2000 match-order config
[Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-ipv4-basic-2000] quit
# Apply the ACL to filter Telnet logins.
[Sysname] telnet server acl 2000
Controlling Web logins
Use a basic ACL (2000 to 2999) to filter HTTP and HTTPS traffic by source IP address. Only Web users whose IP addresses are permitted by the ACL can access the device. If the ACL does not exist or does not have any rules, no user login restriction is applied.
You can also log off suspicious Web users.
Configuring source IP-based Web login control
Web login requests contain usernames and passwords. For security purposes, the device always uses HTTPS to transfer Web login requests, even for users who access the Web interface over HTTP. An HTTP user can therefore access the device only if both of the following ACLs permit the user's source IP address:
· ACL applied to the HTTPS service.
· ACL applied to the HTTP service.
To configure source IP-based Web login control:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Apply a basic ACL for Web access control. |
· ip http acl { acl-number | name acl-name } · ip https acl { acl-number | name acl-name } |
By default, no ACL is applied to the HTTP or HTTPS service. |
Logging off online Web users
To log off online Web users, execute the following command in user view:
Task |
Command |
Log off online Web users. |
free web-users { all | user-id user-id | user-name user-name } |
Configuration example
Network requirements
As shown in Figure 9, the device is an HTTP server.
Configure the device to provide HTTP service only to Host B.
Configuration procedure
# Create an ACL and configure rule 1 to permit packets sourced from Host B.
<Sysname> system-view
[Sysname] acl basic 2030 match-order config
[Sysname-acl-ipv4-basic-2030] rule 1 permit source 10.110.100.52 0
[Sysname-acl-ipv4-basic-2030] quit
# Apply the ACL to the HTTP service so only a Web user on Host B can access the device.
[Sysname] ip http acl 2030
Controlling SNMP access
Use a basic ACL (2000 to 2999) to control SNMP access by source IP address. To access the requested MIB view, an NMS must use a source IP address permitted by the ACL. If the ACL does not exist or does not have any rules, no user login restriction is applied.
Configuration procedure
To control SNMPv1 or SNMPv2c access:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Configure the SNMP access right. |
· (Method 1.) Create an SNMP community and specify ACLs for the community: ¡ In VACM mode: ¡ In RBAC mode: · (Method 2.) Create an SNMPv1/v2c group and add a user to the group, specifying ACLs for the group and user: a. snmp-agent group { v1 | v2c } group-name [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] * b. snmp-agent usm-user { v1 | v2c } user-name group-name [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] * |
For more information about SNMP, see Network Management and Monitoring Configuration Guide. |
To control SNMPv3 access:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Create an SNMPv3 group, specifying ACLs for the group. |
In non-FIPS mode: In FIPS mode: |
N/A |
3. Create an SNMPv3 user, specifying ACLs for the user. |
In non-FIPS mode: · In VACM mode: · In RBAC mode: In FIPS mode: · In VACM mode: · In RBAC mode: |
For more information about SNMP, see Network Management and Monitoring Configuration Guide. |
Configuration example
Network requirements
As shown in Figure 10, the device is running SNMP.
Configure the device to allow Host A and Host B to access the device through SNMP.
Configuration procedure
# Create an ACL to permit packets sourced from Host A and Host B.
<Sysname> system-view
[Sysname] acl basic 2000 match-order config
[Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-ipv4-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
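The login control ACLs in the Telnet and SSH, Web, and SNMP sections above share one evaluation model: a missing or empty ACL means no restriction, otherwise the first matching rule in rule-ID order decides, and a source that matches no rule is not permitted. The following Python script is an added example, not code from the original page or from the device vendor. It parses constructed acl basic blocks in the syntax shown in the examples (including the 0 shorthand for an exact-host wildcard) plus a source any form that is assumed for the example, and answers whether a login from a given source address would be permitted. Only match-order config is modelled; the ACL numbers and addresses are the example's own.

```python
"""Evaluate a basic ACL used for login control against a source IPv4 address.

Semantics modelled from the text above (Telnet/SSH, Web and SNMP control):
  * the referenced ACL does not exist or has no rules -> no restriction;
  * otherwise rules are tried in ascending rule-ID order (match-order config)
    and the first rule that matches decides;
  * a source that matches no rule is not permitted.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str     # "permit" or "deny"
    address: int    # source address as a 32-bit integer
    wildcard: int   # wildcard mask: 0 bits must match, 1 bits are ignored

    def matches(self, src: ipaddress.IPv4Address) -> bool:
        mask = 0xFFFFFFFF ^ self.wildcard
        return (int(src) & mask) == (self.address & mask)


def _wildcard_to_int(text: str) -> int:
    # The examples use the shorthand '0' for the wildcard 0.0.0.0 (exact host match).
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_basic_acls(config: str) -> dict[int, list[Rule]]:
    """Collect every 'acl basic N' block and its 'rule ... source ...' lines."""
    acls: dict[int, list[Rule]] = {}
    current = None
    rule_re = re.compile(r"rule (\d+) (permit|deny) source (?:(\S+) (\S+)|any)")
    for raw in config.splitlines():
        cmd = raw.strip()
        if m := re.fullmatch(r"acl basic (\d+)(?: match-order \w+)?", cmd):
            current = int(m.group(1))
            acls.setdefault(current, [])   # an ACL with no rules still exists
        elif cmd == "quit" or cmd.startswith("acl "):
            current = None                  # left the ACL view or entered a non-basic ACL
        elif current is not None and (m := rule_re.fullmatch(cmd)):
            if m.group(3):
                address = int(ipaddress.IPv4Address(m.group(3)))
                wildcard = _wildcard_to_int(m.group(4))
            else:                           # 'source any' (assumed syntax) matches everything
                address, wildcard = 0, 0xFFFFFFFF
            acls[current].append(Rule(int(m.group(1)), m.group(2), address, wildcard))
    return acls


def login_permitted(acls: dict[int, list[Rule]], acl_number: int | None, src_ip: str) -> tuple[bool, str]:
    """Return (permitted, reason) for a login sourced from src_ip."""
    rules = acls.get(acl_number) if acl_number is not None else None
    if not rules:
        return True, "no restriction: no ACL applied, ACL missing, or ACL has no rules"
    src = ipaddress.IPv4Address(src_ip)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src):
            return rule.action == "permit", f"rule {rule.rule_id} {rule.action}"
    return False, "no rule matched: denied"


# Constructed configuration: ACL 2000 mirrors the example above, 2001 is empty,
# and 2002 shows a host deny rule placed ahead of a broader subnet permit.
SAMPLE_CONFIG = """\
acl basic 2000 match-order config
 rule 1 permit source 10.110.100.52 0
 rule 2 permit source 10.110.100.46 0
 quit
acl basic 2001
 quit
acl basic 2002 match-order config
 rule 5 deny source 10.110.100.52 0
 rule 10 permit source 10.110.100.0 0.0.0.255
 quit
"""

if __name__ == "__main__":
    acls = parse_basic_acls(SAMPLE_CONFIG)
    for acl, host in [(2000, "10.110.100.52"), (2000, "10.110.100.1"), (2001, "10.110.100.1"),
                      (2999, "10.110.100.1"), (2002, "10.110.100.52"), (2002, "10.110.100.7")]:
        print(acl, host, login_permitted(acls, acl, host))
```

The empty ACL 2001 and the nonexistent ACL 2999 both fall through to "no restriction", which is the failure mode to watch for: applying an ACL number before its rules exist leaves the service open to every source. ACL 2002 shows why rule order matters, since the host deny at rule 5 is evaluated before the subnet permit at rule 10.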
Configuring command authorization
By default, commands available for a user depend only on the user's user roles. When the authentication mode is scheme, you can configure the command authorization feature to further control access to commands.
After you enable command authorization, a user can use only commands that are permitted by both the AAA scheme and user roles.
The command authorization method can be different from the user login authorization method.
This section provides the procedure for configuring command authorization. To make the command authorization feature take effect, you must configure a command authorization method in ISP domain view. For more information, see Security Configuration Guide.
Configuration procedure
To configure command authorization:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter user line view or user line class view. |
· Enter user line view: · Enter user line class view: |
A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Enable scheme authentication. |
authentication-mode scheme |
In non-FIPS mode, authentication is disabled for AUX lines, and password authentication is enabled for VTY lines by default. In FIPS mode, scheme authentication is enabled by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
4. Enable command authorization. |
command authorization |
By default, command authorization is disabled, and the commands available for a user only depend on the user role. If the command authorization command is configured in user line class view, command authorization is enabled on all user lines in the class. You cannot configure the undo command authorization command in the view of a user line in the class. |
Configuration example
Network requirements
As shown in Figure 11, Host A needs to log in to the device to manage it.
Configure the device to perform the following operations:
· Allow Host A to log in through Telnet after passing authentication.
· Use the HWTACACS server to control which commands the user can execute.
· Fall back to local authorization if the HWTACACS server is unavailable.
Configuration procedure
# Assign IP addresses to relevant interfaces. Make sure the device and the HWTACACS server can reach each other. Make sure the device and Host A can reach each other. (Details not shown.)
# Enable the Telnet server.
<Device> system-view
[Device] telnet server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
# Enable command authorization for the user lines.
[Device-line-vty0-63] command authorization
[Device-line-vty0-63] quit
# Create HWTACACS scheme tac.
[Device] hwtacacs scheme tac
# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for authentication and authorization.
[Device-hwtacacs-tac] primary authentication 192.168.2.20 49
[Device-hwtacacs-tac] primary authorization 192.168.2.20 49
# Set the shared keys to expert.
[Device-hwtacacs-tac] key authentication simple expert
[Device-hwtacacs-tac] key authorization simple expert
# Remove domain names from usernames sent to the HWTACACS server.
[Device-hwtacacs-tac] user-name-format without-domain
[Device-hwtacacs-tac] quit
# Configure the system-defined domain (system).
[Device] domain system
# Use HWTACACS scheme tac for login user authentication and command authorization. Use local authentication and local authorization as the backup method.
[Device-isp-system] authentication login hwtacacs-scheme tac local
[Device-isp-system] authorization command hwtacacs-scheme tac local
[Device-isp-system] quit
# Create local user monitor. Set the simple password to 123, the service type to Telnet, and the default user role to level-1. (The password 123 is only a placeholder for this example.) When the HWTACACS server is unreachable, the local backup method applies, and the commands this user can run are then limited by the user role assigned here.
[Device] local-user monitor
[Device-luser-manage-monitor] password simple 123
[Device-luser-manage-monitor] service-type telnet
[Device-luser-manage-monitor] authorization-attribute user-role level-1
Configuring command accounting
Command accounting uses the HWTACACS server to record all executed commands, so that user behavior on the device can be audited.
If command accounting is enabled but command authorization is not, every executed command is recorded. If both command accounting and command authorization are enabled, only the authorized commands that are actually executed are recorded.
The command accounting method can be the same as or different from the command authorization method and the user login authorization method.
This section provides only the procedure for enabling command accounting on user lines. For the feature to take effect, you must also configure a command accounting method in ISP domain view (the accounting command command in the example below). For more information, see Security Configuration Guide.
Configuration procedure
To configure command accounting:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter user line view or user line class view. | · Enter user line view: · Enter user line class view: | A setting in user line view applies only to that user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for users who are already online; it takes effect only for new logins. |
3. Enable scheme authentication. | authentication-mode scheme | In non-FIPS mode, authentication is disabled for AUX lines and password authentication is enabled for VTY lines by default. In FIPS mode, scheme authentication is enabled by default. In VTY line view, this command is associated with the protocol inbound command: if you specify a non-default value for one of the two commands, the other command uses its default setting, regardless of the setting in VTY line class view. |
4. Enable command accounting. | command accounting | By default, command accounting is disabled and the accounting server does not record the commands executed by users. If command accounting is configured in user line class view, it is enabled on all user lines in the class, and you cannot configure undo command accounting in the view of an individual user line in the class. |
Configuration example
Network requirements
As shown in Figure 12, users log in to the device to manage it.
Configure the device to send the commands that users execute to the HWTACACS server, so that user operations on the device can be monitored. Command accounting only records commands; to restrict which commands a user can run, also configure command authorization as described in the previous section. The example below shows only the accounting-specific steps; enable scheme authentication on the user lines as in step 3 of the procedure table, which the example does not repeat.
Configuration procedure
# Enable the Telnet server.
<Device> system-view
[Device] telnet server enable
# Enable command accounting for user line AUX 0.
[Device] line aux 0
[Device-line-aux0] command accounting
[Device-line-aux0] quit
# Enable command accounting for user lines VTY 0 through VTY 63.
[Device] line vty 0 63
[Device-line-vty0-63] command accounting
[Device-line-vty0-63] quit
# Create HWTACACS scheme tac.
[Device] hwtacacs scheme tac
# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for accounting.
[Device-hwtacacs-tac] primary accounting 192.168.2.20 49
# Set the shared key to expert.
[Device-hwtacacs-tac] key accounting simple expert
# Remove domain names from usernames sent to the HWTACACS server.
[Device-hwtacacs-tac] user-name-format without-domain
[Device-hwtacacs-tac] quit
# Configure the system-defined domain (system) to use the HWTACACS scheme for command accounting.
[Device] domain system
[Device-isp-system] accounting command hwtacacs-scheme tac
[Device-isp-system] quit
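The two sections above configure the device side of two HWTACACS exchanges: the per-command authorization request that command authorization triggers, and the per-command accounting record that command accounting sends. The following added example (not H3C/HPE code, and not taken from this guide) shows what actually crosses the wire to the server at 192.168.2.20:49 with the shared key expert from the examples. It assumes HWTACACS is wire-compatible with TACACS+ as specified in RFC 8907; the user line name vty0, the client address 192.168.2.1, the session id, the use of a single STOP record per command, and the decide() policy function are constructed stand-ins, not device behavior documented on this page.

```python
"""Wire format of the two HWTACACS exchanges this page configures: the command
authorization request/response that 'command authorization' triggers, and the
command accounting record that 'command accounting' sends. Added example, not
H3C/HPE code. Assumption: HWTACACS is wire-compatible TACACS+ (RFC 8907)."""
import hashlib
import struct

VERSION = 0xC0                        # major version 0xC, minor version 0
TYPE_AUTHOR, TYPE_ACCT = 0x02, 0x03
FLAG_UNENCRYPTED = 0x01               # set only when no shared key is configured
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
AUTHOR_PASS_ADD, AUTHOR_FAIL = 0x01, 0x10
ACCT_FLAG_STOP = 0x04                 # assumption: one STOP record per executed command


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 keystream over session_id | key | version | seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack_packet(ptype, seq_no, session_id, key, body):
    """12-byte header followed by the obfuscated body (clear body when there is no key)."""
    flags = 0 if key else FLAG_UNENCRYPTED
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + (obfuscate(body, session_id, key, seq_no) if key else body)


def unpack_packet(packet, key):
    """Return (type, seq_no, session_id, clear body); a wrong key yields garbage, not an error."""
    _, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    return ptype, seq_no, session_id, body


def author_request(user, port, rem_addr, args, priv_lvl):
    """Authorization REQUEST body: fixed fields, one length byte per arg, then the strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def parse_author_request(body):
    """Inverse of author_request; also parses an accounting REQUEST body after its flags byte."""
    _, priv_lvl, _, _, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    lens, off, fields = body[8:8 + argc], 8 + argc, []
    for n in (ulen, plen, rlen, *lens):
        fields.append(body[off:off + n].decode())
        off += n
    user, port, rem_addr, *args = fields
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv_lvl, "args": args}


def author_response(status, server_msg=b""):
    """Authorization RESPONSE body carrying a status, no returned args and no data."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def acct_request(flags, user, port, rem_addr, args, priv_lvl):
    """Accounting REQUEST body is the authorization body prefixed with a flags byte."""
    return bytes([flags]) + author_request(user, port, rem_addr, args, priv_lvl)


def decide(req, policy):
    """Constructed stand-in for the server's policy: permit if the command keyword is on the
    user's allow list. Real servers match cmd/cmd-arg patterns; only the decision shape matters."""
    attrs = dict(a.split("=", 1) for a in req["args"])
    return AUTHOR_PASS_ADD if attrs.get("cmd") in policy.get(req["user"], ()) else AUTHOR_FAIL


def command_session(user, command, key, policy, session_id=0x1A2B3C4D):
    """Device asks whether `user` may run `command`; if permitted, it runs and is accounted.
    Port 'vty0', address 192.168.2.1 and the session id are constructed values."""
    cmd, *rest = command.split()
    args = ["service=shell", f"cmd={cmd}"] + [f"cmd-arg={w}" for w in rest] + ["cmd-arg=<cr>"]
    # Authorization: device -> server is seq_no 1, server -> device is seq_no 2.
    req = author_request(user, "vty0", "192.168.2.1", args, 1)
    wire = pack_packet(TYPE_AUTHOR, 1, session_id, key, req)
    _, _, sid, body = unpack_packet(wire, key)                   # server side
    status = decide(parse_author_request(body), policy)
    reply = pack_packet(TYPE_AUTHOR, 2, sid, key, author_response(status))
    if unpack_packet(reply, key)[3][0] != AUTHOR_PASS_ADD:        # device reads the status byte
        return "denied"
    # Accounting: with authorization enabled, only the authorized command is reported.
    rec = acct_request(ACCT_FLAG_STOP, user, "vty0", "192.168.2.1", args, 1)
    wire = pack_packet(TYPE_ACCT, 1, session_id + 1, key, rec)
    logged = parse_author_request(unpack_packet(wire, key)[3][1:])["args"]
    return "permitted, accounted " + " ".join(logged)
```

Running command_session("monitor", "display current-configuration", b"expert", {"monitor": ("display",)}) walks the authorization exchange, gets PASS_ADD, and then emits the accounting record whose args the function returns; "reboot" for the same user is denied and never accounted, which matches the note above that only authorized commands are recorded. The body protection is an unauthenticated XOR keystream derived from MD5 of the shared key: anyone who holds or guesses the key can read every accounted command and forge authorization responses, so choose a long random key rather than a word like expert and keep the path to the HWTACACS server on a protected management network.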