Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring STelnet Login Based on AAA Local Authentication

Applicable Products and Versions

This example applies to CE12800, CE6800, and CE5800 series switches running V100R001C00 and later versions.

This example applies to CE7800 series switches running V100R003C00 and later versions.

This example applies to CE8800 series switches running V100R006C00 and later versions.

This example applies to CE12800E series switches running V200R002C50 and later versions.

Networking Requirements

As shown in Figure 2-15, the switch and PC have reachable routes to each other. 10.137.217.203 is the IP address of the management Ethernet interface on the switch.

Users must be able to log in to the switch remotely using a secure method and be authenticated without increasing operating expense (OPEX).

Figure 2-15 Networking diagram for configuring STelnet login based on AAA local authentication

Configuration Roadmap

You can configure STelnet login based on AAA local authentication to meet the requirements. The configuration roadmap is as follows:

  1. Configure AAA local authentication to authenticate login users without increasing the OPEX.
  2. Create an SSH user on the switch and set the authentication mode to password authentication and service type to STelnet to ensure secure remote login.

Precautions

When configuring STelnet login based on AAA local authentication, pay attention to the following points:

  • STelnet V1 has security vulnerabilities. You are advised to log in to the device using STelnet V2.
  • Before configuring STelnet login, install SSH client software on the PC. In this example, the third-party software PuTTY is used as the SSH client.
  • In V200R005C20, V200R019C00, and later versions, you need to use PuTTY 0.70 or a later version to support the more secure algorithms sha2_512 and sha2_256. If a PuTTY version earlier than 0.70 is used, PuTTY can connect to the device only after the SSH server has been configured to support the weaker SHA1_96 algorithm using the ssh client hmac command.

Procedure

  1. Configure AAA local authentication.

    # Configure an AAA local authentication scheme and set the authentication mode to local authentication.
    <HUAWEI> system-view
    [~HUAWEI] sysname SSH Server
    [*HUAWEI] commit
    [~SSH Server] aaa
    [~SSH Server-aaa] authentication-scheme sch1   //Create the authentication scheme sch1.
    [*SSH Server-aaa-authen-sch1] authentication-mode local   //Set the authentication mode to local authentication.
    [*SSH Server-aaa-authen-sch1] quit
    # Create a domain and apply the local authentication scheme to the domain.
    [*SSH Server-aaa] domain huawei.com   //Create the domain huawei.com and enter the domain view.
    [*SSH Server-aaa-domain-huawei.com] authentication-scheme sch1   //Apply the authentication scheme sch1 to the domain.
    [*SSH Server-aaa-domain-huawei.com] quit
    [*SSH Server-aaa] quit
    [*SSH Server] commit
    NOTE:

    By default, the global default domain is default_admin.

    In V100R003 and later versions, if the user name without a domain name is required in user authentication, run the default-domain admin domain-name command in the AAA view to configure a global default administrative domain. This command is not supported in V100R001 and V100R002.

  2. Configure STelnet login.

    # Generate a local key pair on the SSH server.

    [~SSH Server] dsa local-key-pair create   //Generate a local DSA host key pair and a server key pair.
    Info: The key name will be: SSH Server_Host_DSA
    Info: The key modulus can be any one of the following : 512, 1024, 2048.
    Info: Key pair generation will take a short while.
    Please input the modulus [default=2048]:2048   //For device security purposes, you are advised to use the default value. In versions from V200R001C00 to V200R019C00, only 2048 bits are supported, and you do not need to enter the value.

    Info: Generating keys...
    Info: Succeeded in creating the DSA host keys.
    [*SSH Server] commit

    # Configure the VTY user interface.

    [~SSH Server] user-interface vty 0 4   //Enter the user interface views of VTY 0 to VTY 4.
    [~SSH Server-ui-vty0-4] user privilege level 3   //Set the user level to 3 for VTY 0 to VTY 4.
    [*SSH Server-ui-vty0-4] authentication-mode aaa   //Set the authentication mode to AAA authentication for VTY 0 to VTY 4.
    [*SSH Server-ui-vty0-4] protocol inbound ssh   //Configure VTY 0 to VTY 4 to support SSH.
    [*SSH Server-ui-vty0-4] quit

    # Create the SSH user client001 and configure the user to be authenticated in the domain huawei.com.

    [*SSH Server] aaa
    [*SSH Server-aaa] local-user client001@huawei.com password irreversible-cipher Huawei@123   //Configure the local user name and password.
    [*SSH Server-aaa] local-user client001@huawei.com level 3   //Set the local user level to 3.
    [*SSH Server-aaa] local-user client001@huawei.com service-type ssh   //Set the service type of the local user to SSH.
    [*SSH Server-aaa] quit

    # Set the authentication mode of the SSH user to password authentication and service type to STelnet.

    [*SSH Server] ssh user client001@huawei.com authentication-type password   //Set the authentication mode of the SSH user to password authentication.
    [*SSH Server] ssh user client001@huawei.com service-type stelnet   //Set the service type of the SSH user to STelnet.

    # Enable the STelnet service on the SSH server.

    [*SSH Server] stelnet server enable
    [*SSH Server] commit

Verifying the Configuration

After the preceding configurations are complete, PCs can log in to the SSH server using PuTTY.
NOTE:

The output information of different versions may be different. Therefore, the output information on your device may be different from that provided in this example. The output information in this example is for reference only.

# Log in to the SSH server using PuTTY, enter the SSH server's IP address, and select the SSH protocol.

Figure 2-16 Logging in to the SSH server in password authentication mode using PuTTY

# Click Open. In the displayed interface, enter client001@huawei.com (user name @ domain name) and Huawei@123 (password), and press Enter to pass local authentication in the domain huawei.com and log in to the SSH server.

login as: client001@huawei.com   //Enter user name@domain name. If the domain name is not entered here when the preceding configuration is used, local authentication is performed for the user in the default_admin domain.
client001@huawei.com@10.137.217.203's password:   //Enter the password.
Info: The max number of VTY users is 21, the number of current VTY users online is 1, and total number of terminal users online is 2.
      The current login time is 2015-02-09 14:17:16.
      First login successfully.
<SSH Server>

Configuration Files

Configuration file of the SSH server (excluding the V200R002C50 and V200R003C00 versions)

#
sysname SSH Server
#
aaa
 local-user client001@huawei.com password irreversible-cipher $1a$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
 local-user client001@huawei.com service-type ssh
 local-user client001@huawei.com level 3
 #
 authentication-scheme sch1
 #
 domain huawei.com
  authentication-scheme sch1
#
stelnet server enable
ssh user client001@huawei.com
ssh user client001@huawei.com authentication-type password
ssh user client001@huawei.com service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return

Configuration file of the SSH server (V200R002C50 and V200R003C00 versions)

#
sysname SSH Server
#
aaa
 local-user client001@huawei.com password irreversible-cipher $1a$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$  //The ciphertext format provided here is for example only. The format may vary depending on the system software version. 
 local-user client001@huawei.com service-type ssh
 local-user client001@huawei.com level 3
 #
 authentication-scheme sch1
 #
 domain huawei.com
  authentication-scheme sch1
#
stelnet ipv4 server enable
stelnet ipv6 server enable
ssh user client001@huawei.com
ssh user client001@huawei.com authentication-type password
ssh user client001@huawei.com service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
return
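The following Python script is an added example, not Huawei's code or the switch's own tooling: it audits a configuration file in the format shown above for the settings this procedure relies on (every domain references a defined authentication scheme, each SSH user has password authentication, the STelnet service type and a matching local user, the VTY interfaces use AAA and accept only SSH inbound, and the STelnet server is enabled). The embedded configuration excerpt is constructed for the example and deliberately references an authentication scheme that was never created, so the audit reports exactly that finding.

```python
# Constructed configuration excerpt in the format of the files shown above (not
# captured from a real device). The domain references "sha1"; only "sch1" exists.
SAMPLE_CONFIG = """\
aaa
 local-user client001@huawei.com service-type ssh
 authentication-scheme sch1
  authentication-mode local
 domain huawei.com
  authentication-scheme sha1
#
stelnet server enable
ssh user client001@huawei.com authentication-type password
ssh user client001@huawei.com service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""

def audit_stelnet_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, defined, referenced, domain = [], set(), set(), None
    for raw in text.splitlines():
        indent, s = len(raw) - len(raw.lstrip()), raw.strip()
        if s.startswith("domain "):
            domain = s.split()[1]
        elif indent <= 1:            # back at aaa level: left the domain sub-view
            domain = None
        if s.startswith("authentication-scheme "):   # definition vs. reference
            (referenced if domain else defined).add((domain, s.split()[1]))
    for dom, name in sorted(referenced):
        if (None, name) not in defined:
            findings.append(f"domain {dom} references undefined authentication scheme {name}")
    # Flat commands are matched as whole lines; the two VTY settings only occur
    # inside user-interface views, so a global match is sufficient for them.
    cmds = {raw.strip() for raw in text.splitlines()}
    users = {c.split()[2] for c in cmds if c.startswith("ssh user ")}
    required = ["authentication-mode aaa", "protocol inbound ssh"]
    for u in sorted(users):
        required += [f"ssh user {u} authentication-type password",
                     f"ssh user {u} service-type stelnet",
                     f"local-user {u} service-type ssh"]
    findings += [f"missing: {c}" for c in required if c not in cmds]
    if not users:
        findings.append("no ssh user configured")
    if not cmds & {"stelnet server enable", "stelnet ipv4 server enable"}:
        findings.append("STelnet server not enabled")
    return findings
```

Run it against the output of display current-configuration saved to a file to catch a domain that points at a misspelled scheme before users are locked out.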
Updated: 2019-10-14

Document ID: EDOC1000039339