Typical Login Configuration
- Example for Configuring Switch Login Through a Console Port
- Example for Configuring Telnet Login (Based on ACL Rules and RADIUS Authentication)
- Example for Configuring STelnet Login (Based on RADIUS Authentication)
- Example for Configuring the Device as the Telnet Client to Log In to Another Device
- Example for Configuring the Device as the STelnet Client to Log In to Another Device
- Example for Configuring Switch Login Through the Web System
- Factory Settings of Web Page Files for S Series Switches
- Example for Configuring Switch Login Through the Web System (V200R001)
- Example for Configuring Switch Login Through the Web System (V100R006C05&V200R002&V200R003)
- Example for Configuring Switch Login Through the Web System (V200R005)
- Example for Configuring Switch Login Through the Web System (V200R006 and later versions)
Example for Configuring Switch Login Through a Console Port
Overview
After a PC is connected to a switch through a dedicated console cable, you can perform login configurations and use the PC to manage the switch.
Logging in through a console port is a basic login mode and forms the basis of other login modes such as Telnet and STelnet. When you log in to a switch for the first time or if you cannot remotely log in to a switch, you can log in to the switch through a console port.
Configuration Notes
- Prepare a console cable. If you use a laptop or a PC without a serial port, prepare a USB to serial cable and install the driver stored on the CD-ROM (delivered with the cable) according to instructions.
- Install the terminal emulation software on the PC. You can use the built-in HyperTerminal of Windows 2000 on the PC. If no built-in terminal emulation software is available, prepare the terminal emulation software. For details on how to use terminal emulation software, see the related usage guide or online help.
- This example applies to switches that support the console interface.
The following uses the command lines and outputs of the S7700 running V200R006C00 as an example.
Networking Requirements
The IT maintenance department of a company purchases S series switches, which are configured by network administrators. A network administrator usually logs in to a new switch through a console port and then performs initial configurations.
As shown in Figure 3-1, the serial port of a PC is connected to the console port of the Switch through a console cable. The user wants to log in to the Switch through the console port and requires local authentication upon the next login. To facilitate remote maintenance on the Switch, the user wants to configure the Telnet function.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure terminal emulation software, set the connected port and communication parameters, and log in to the Switch.
- Configure basic information for the Switch, including the date, time, time zone, and name, to facilitate management.
- Configure an authentication mode for the console user interface so that the user is authenticated upon the next login through the console port.
- Configure the management IP address and Telnet to facilitate remote maintenance on the Switch.
Procedure
- Connect the DB9 female connector of the console cable to the serial port (COM) on the PC, and connect the RJ45 connector to the console port on the switch, as shown in Figure 3-2.
- If you use a laptop or a PC without a serial port, prepare a USB to serial cable. Install the driver stored on the CD-ROM (delivered with the cable) according to instructions, connect the USB-DB9 female connector of the cable to the USB port on the PC, and connect the RJ-45 connector to the console port on the switch.
- If the switch has two MPUs, you can log in to the switch through the console port on either of the two MPUs.
- Configure terminal emulation software and log in to the Switch.
Start terminal emulation software on the PC. Establish a connection, and set the connected port and communication parameters. Table 3-4 lists the default attribute settings of a console port.
- Configure basic information for the Switch.
# Set the date, time, time zone, and name.
The time zone varies depending on the location of a switch. Set the time zone based on the site requirements. The following information is only for reference.
<HUAWEI> clock timezone BJ add 08:00:00    //BJ is the name of the time zone, and 08:00:00 indicates that the local time is UTC plus 8 hours.
<HUAWEI> clock datetime 10:10:00 2014-07-26    //Set the current date and time. Before setting the current time, check the time zone and set a correct time zone offset to ensure the correct local time.
<HUAWEI> system-view
[HUAWEI] sysname Switch    //Set the switch name to Switch.
- Configure an authentication mode for the console user interface. (From V200R010 to V200R019, the default authentication mode for the console user interface is AAA authentication. In V200R020 and later versions, the default authentication mode for the console user interface is password authentication. The method of changing the authentication mode is similar and is not provided here.)
# Set the authentication mode of the console interface to AAA, and create a local user.
[Switch] user-interface console 0
[Switch-ui-console0] authentication-mode aaa    //Set the authentication mode of the user to AAA.
[Switch-ui-console0] quit
[Switch] aaa
[Switch-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789    //Create a local user named admin1234 and set its password to Helloworld@6789. Versions earlier than V200R003 support only the cipher keyword but do not support irreversible-cipher.
[Switch-aaa] local-user admin1234 privilege level 15    //Set the user level to 15.
[Switch-aaa] local-user admin1234 service-type terminal    //Set the access type to terminal, that is, console user.
[Switch-aaa] quit
- Configure the management IP address and Telnet.
# Configure the management IP address.
[Switch] vlan 10
[Switch-vlan10] interface vlanif 10    //Configure VLANIF 10 as the management interface.
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface gigabitethernet 0/0/10    //GE0/0/10 is the physical interface through which the PC logs in to the switch. Select an interface based on actual networking requirements.
[Switch-GigabitEthernet0/0/10] port link-type access    //Set the interface type to access.
[Switch-GigabitEthernet0/0/10] port default vlan 10    //Add GE0/0/10 to VLAN 10.
[Switch-GigabitEthernet0/0/10] quit
# Configure the Telnet function.
[Switch] telnet server enable    //Enable Telnet.
[Switch] telnet server-source -i Vlanif 10    //Configure the source interface of the server as the interface corresponding to 10.1.1.1. Assume that the interface is Vlanif 10.
[Switch] user-interface vty 0 4    //Enter the user interface views of VTY 0 to VTY 4.
[Switch-ui-vty0-4] protocol inbound telnet    //Set the protocol supported by the VTY user interface to Telnet.
[Switch-ui-vty0-4] user privilege level 15    //Set the level of users in VTY 0 to VTY 4 to 15.
[Switch-ui-vty0-4] authentication-mode aaa    //Set the authentication mode of users in VTY 0 to VTY 4 to AAA.
[Switch-ui-vty0-4] quit
[Switch] aaa
[Switch-aaa] local-user admin123 password irreversible-cipher Huawei@6789    //Create a local user named admin123 and set its password to Huawei@6789. Versions earlier than V200R003 support only the cipher keyword but do not support irreversible-cipher.
[Switch-aaa] local-user admin123 privilege level 15    //Set the user level to 15.
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[Switch-aaa] local-user admin123 service-type telnet    //Set the access type to telnet, that is, Telnet user.
[Switch-aaa] quit
- Verify the configuration.
When logging in to the switch again through the console port after completing the configuration, you need to enter the user name and authentication password configured in the preceding steps to pass identity authentication and log in to the switch successfully. You can also log in to the switch using Telnet.
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
telnet server enable
telnet server-source -i Vlanif 10
#
clock timezone BJ add 08:00:00
#
aaa
 local-user admin123 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
 local-user admin123 privilege level 15
 local-user admin123 service-type telnet
 local-user admin1234 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
 local-user admin1234 privilege level 15
 local-user admin1234 service-type terminal
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/10
 port link-type access
 port default vlan 10
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound telnet
#
return
Example for Configuring Telnet Login (Based on ACL Rules and RADIUS Authentication)
Overview
Telnet login to a switch facilitates remote management and maintenance on the switch so that you do not need to connect a terminal to each switch. By default, you cannot log in to a switch using Telnet. You need to log in to a switch through a console port and configure the Telnet function first. For details, see Example for Configuring Switch Login Through a Console Port.
An Access Control List (ACL) is a packet filter that filters packets based on rules. One or more rules describe the packet matching conditions, such as the source address, destination address, and port number of packets. For packets that match the ACL rules configured on a device, the device forwards or discards these packets according to the policies used by the service module to which the ACL is applied.
RADIUS uses the client/server model in distributed mode and protects a network against unauthorized access. It is often used on networks that require high security and remote user access control. After Telnet login based on RADIUS authentication is configured, a switch sends the user name and password of a login user to the RADIUS server. The RADIUS server then authenticates the user and records the user operations, ensuring network security.
If ACLs and RADIUS authentication are both configured, packets matching ACL rules reach an upper-layer module and then are authenticated in RADIUS mode based on the user name and password. The Telnet login mode based on ACL rules and RADIUS authentication therefore ensures network security.
Configuration Notes
- Telnet is an insecure protocol. Using STelnet V2 is recommended.
- Ensure that the user terminal has reachable routes to the switch and RADIUS server.
- Ensure that the IP address, port number, and shared key of the RADIUS server are configured correctly on the switch and are the same as those on the RADIUS server.
- Ensure that a user has been configured on the RADIUS server. In this example, the user admin123@huawei.com (in the format of user name@domain name) and password Example@123 have been configured.
- This example applies to all versions of all S series switches.
The following uses the command lines and outputs of the S7700 running V200R006C00 as an example.
Networking Requirements
The network administrator requires remote management and maintenance on a switch and high network security for protecting the network against unauthorized access. To meet the requirements, configure Telnet login based on ACL rules and RADIUS authentication.
As shown in Figure 3-3, the Switch has reachable routes to the administrator and the RADIUS server. The IP address and port number of the RADIUS server are 10.2.1.1/24 and 1812 respectively.
Configuration Roadmap
The configuration roadmap is as follows:
Configure the Telnet protocol so that users can log in to the Switch using Telnet.
Configure an ACL rule to ensure that only users matching the ACL rule can log in to the Switch.
Configure the RADIUS protocol to implement RADIUS authentication. After the configuration is complete, you can use the user name and password configured on the RADIUS server to log in to the Switch using Telnet, ensuring user login security.
Procedure
- Configure Telnet login.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] telnet server enable    //Enable Telnet.
[Switch] telnet server-source -i Vlanif 10    //Configure the source interface of the server as the interface corresponding to 10.1.1.1. Assume that the interface is Vlanif 10.
[Switch] user-interface vty 0 14    //Enter the user interface views of VTY 0 to VTY 14.
[Switch-ui-vty0-14] protocol inbound telnet    //Configure the VTY user interface to support Telnet. By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[Switch-ui-vty0-14] authentication-mode aaa    //Set the authentication mode of users in VTY 0 to VTY 14 to AAA.
[Switch-ui-vty0-14] user privilege level 15    //Set the level of users in VTY 0 to VTY 14 to 15.
[Switch-ui-vty0-14] quit
- Configure a basic ACL rule.
[Switch] acl 2008
[Switch-acl-basic-2008] rule permit source 10.137.217.177 0
[Switch-acl-basic-2008] quit
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] acl 2008 inbound    //Allow only users matching ACL 2008 in VTY 0 to VTY 14 to log in to the switch.
[Switch-ui-vty0-14] quit
- Configure RADIUS authentication.
# Configure a RADIUS server template on the Switch to implement communication with the RADIUS server.
[Switch] radius-server template 1    //Enter the RADIUS server template view.
[Switch-radius-1] radius-server authentication 10.2.1.1 1812    //Configure the RADIUS server.
[Switch-radius-1] radius-server shared-key cipher Huawei@6789    //Set the shared key of the RADIUS server to Huawei@6789.
[Switch-radius-1] quit
If the RADIUS server does not support a user name containing the domain name, run the undo radius-server user-name domain-included command to configure the Switch to send packets carrying a user name without the domain name to the RADIUS server.
# Configure an AAA authentication scheme, with the authentication mode being RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1    //Create an authentication scheme named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius    //Set the authentication mode to RADIUS.
[Switch-aaa-authen-sch1] quit
# Create a domain, and apply the AAA authentication scheme and RADIUS server template in the domain.
[Switch-aaa] domain huawei.com    //Create a domain named huawei.com and enter the domain view.
[Switch-aaa-domain-huawei.com] authentication-scheme sch1    //Configure the authentication scheme sch1 for the domain.
[Switch-aaa-domain-huawei.com] radius-server 1    //Apply the RADIUS server template 1 to the domain.
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
# Configure the domain huawei.com as the default global management domain so that an administrator does not need to enter the domain name for logging in to the Switch.
[Switch] domain huawei.com admin
- Verify the configuration.
On the PC, open the Windows Command Prompt as an administrator (enter cmd), type telnet 10.1.1.1, and press Enter.
C:\Documents and Settings\Administrator> telnet 10.1.1.1
In the login interface, type the user name admin123 and password Example@123 as prompted and press Enter. Authentication succeeds, and you successfully log in to the Switch using Telnet. (The following information is only for reference.)
Login authentication
Username:admin123
Password:
Info: The max number of VTY users is 8, and the number of current VTY users on line is 2.
The current login time is 2014-07-30 09:54:02+08:00.
<Switch>
Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei.com admin
#
telnet server enable
telnet server-source -i Vlanif 10
#
radius-server template 1
 radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
 radius-server authentication 10.2.1.1 1812 weight 80
#
acl number 2008
 rule 5 permit source 10.137.217.177 0
#
aaa
 authentication-scheme sch1
  authentication-mode radius
 domain huawei.com
  authentication-scheme sch1
  radius-server 1
#
user-interface vty 0 14
 acl 2008 inbound
 authentication-mode aaa
 user privilege level 15
 protocol inbound telnet
#
return
Example for Configuring STelnet Login (Based on RADIUS Authentication)
Overview
The Secure Shell (SSH) protocol implements secure remote login on insecure networks, ensuring data integrity and reliability and securing data in transit. STelnet, which is based on SSH, provides strong authentication and protects a switch against attacks such as IP spoofing. By default, you cannot log in to a switch using STelnet. You need to log in to the switch through a console port or Telnet and configure the STelnet function and user interface parameters first.
RADIUS uses the client/server model in distributed mode and protects a network against unauthorized access. It is often used on networks that require high security and remote user access control. After STelnet login based on RADIUS authentication is configured, a switch sends the user name and password of a login user to the RADIUS server. The RADIUS server then authenticates the user and records the user operations, ensuring network security.
Configuration Notes
- STelnet V1 is an insecure protocol. Using STelnet V2 is recommended.
- Ensure that the user terminal has SSH server login software installed before configuring STelnet login. In this example, the third-party software PuTTY is used as the SSH server login software.
- Ensure that the user terminal has reachable routes to the switch and RADIUS server.
- Ensure that the IP address, port number, and shared key of the RADIUS server are configured correctly on the switch and are the same as those on the RADIUS server.
- Ensure that a user has been configured on the RADIUS server. In this example, the user admin123@huawei.com (in the format of user name@domain name) and password Example@123 have been configured.
- This example applies to all versions of all S series switches.
The following uses the command lines and outputs of the S7700 running V200R006C00 as an example.
Networking Requirements
The network administrator requires remote login to a switch and high network security for protecting the network against unauthorized access. To meet the requirements, configure STelnet login based on RADIUS authentication.
As shown in Figure 3-4, the Switch functions as the SSH server and has a reachable route to the RADIUS server. The IP address and port number of the RADIUS server are 10.2.1.1/24 and 1812 respectively.
Configuration Roadmap
The configuration roadmap is as follows:
Generate a local key pair on the SSH server to implement secure data exchange between the server and client.
Configure the STelnet protocol so that users can log in to the Switch using STelnet.
Configure the RADIUS protocol to implement RADIUS authentication. After the configuration is complete, you can use the user name and password configured on the RADIUS server to log in to the Switch using STelnet, ensuring user login security.
Procedure
- Configure STelnet login.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[HUAWEI] dsa local-key-pair create    //Generate a local DSA key pair.
Info: The key name will be: HUAWEI_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
# Configure the VTY user interface.
[Switch] stelnet server enable    //Enable the STelnet server function.
[Switch] ssh server-source -i Vlanif 10    //Configure the source interface of the server as the interface corresponding to 10.1.1.1. Assume that the interface is Vlanif 10.
[Switch] user-interface vty 0 14    //Enter the user interface views of VTY 0 to VTY 14.
[Switch-ui-vty0-14] user privilege level 15    //Set the level of users in VTY 0 to VTY 14 to 15.
[Switch-ui-vty0-14] authentication-mode aaa    //Set the authentication mode of users in VTY 0 to VTY 14 to AAA.
[Switch-ui-vty0-14] protocol inbound ssh    //Configure the user interface views in VTY 0 to VTY 14 to support SSH.
[Switch-ui-vty0-14] quit
# Set the authentication mode of the SSH user admin123 to password authentication, and service type to STelnet.
[Switch] ssh user admin123 authentication-type password    //Set the authentication of the SSH user admin123 to password authentication.
[Switch] ssh user admin123 service-type stelnet    //Set the service type of the SSH user admin123 to STelnet.
To configure password authentication for multiple SSH users, run the ssh authentication-type default password command to specify password authentication as the default authentication mode of SSH users. After this configuration is complete, you do not need to configure the authentication mode and service type for each SSH user, simplifying configuration and improving efficiency.
- Configure RADIUS authentication.
# Configure a RADIUS server template on the Switch to implement communication with the RADIUS server.
[Switch] radius-server template 1    //Enter the RADIUS server template view.
[Switch-radius-1] radius-server authentication 10.2.1.1 1812    //Configure the RADIUS server.
[Switch-radius-1] radius-server shared-key cipher Huawei@6789    //Set the shared key of the RADIUS server to Huawei@6789.
[Switch-radius-1] quit
If the RADIUS server does not support a user name containing the domain name, run the undo radius-server user-name domain-included command to configure the Switch to send packets carrying a user name without the domain name to the RADIUS server.
# Configure an AAA authentication scheme, with the authentication mode being RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1    //Create an authentication scheme named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius    //Set the authentication mode to RADIUS.
[Switch-aaa-authen-sch1] quit
# Create a domain, and apply the AAA authentication scheme and RADIUS server template in the domain.
[Switch-aaa] domain huawei.com    //Create a domain named huawei.com and enter the domain view.
[Switch-aaa-domain-huawei.com] authentication-scheme sch1    //Configure the authentication scheme sch1 for the domain.
[Switch-aaa-domain-huawei.com] radius-server 1    //Apply the RADIUS server template 1 to the domain.
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
# Configure the domain huawei.com as the default global management domain so that an administrator does not need to enter the domain name for logging in to the Switch.
[Switch] domain huawei.com admin
- Verify the configuration.
# Log in to the Switch using PuTTY on the PC. Enter the IP address of the Switch and set the protocol type to SSH, as shown in Figure 3-5.
# Click Open. In the login interface, type the user name admin123 and password Example@123 as prompted and press Enter. Authentication succeeds, and you successfully log in to the Switch using STelnet. (The following information is only for reference.)
login as: admin123
password:
Info: The max number of VTY users is 8, and the number of current VTY users online is 2.
The current login time is 2014-07-30 09:54:02+08:00.
<Switch>
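Both RADIUS procedures on this page (the Telnet one and the STelnet one above) send the login user name and password to the RADIUS server and rely on the shared key matching on both sides. The following added example (not Huawei's code) builds and decodes the RFC 2865 Access-Request that carries them, using the server address, port, shared key, domain and user from this page; it assumes a minimal attribute set (User-Name, User-Password, NAS-IP-Address with the Switch's 10.1.1.1), and the random Request Authenticator is the only other input to the password obfuscation.

```python
"""Build and decode the RADIUS Access-Request that the Switch sends to the RADIUS
server for a Telnet or STelnet login (RFC 2865). It shows what the key set with
'radius-server shared-key' protects, why it must be identical on both sides, and
how 'radius-server user-name domain-included' changes the User-Name attribute.
Added example, not Huawei's code; server address, key, domain and user are the
values used in the examples on this page; the attribute set is a minimal assumption."""
import hashlib
import os
import struct

RADIUS_SERVER = ("10.2.1.1", 1812)   # RADIUS server address and port from this page
SHARED_KEY = b"Huawei@6789"          # radius-server shared-key cipher Huawei@6789
NAS_IP = "10.1.1.1"                  # the Switch's management address on this page

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def radius_user_name(login_name, domain, domain_included=True):
    """User-Name as the switch sends it: 'user@domain' by default, or the bare
    login name after 'undo radius-server user-name domain-included'."""
    return f"{login_name}@{domain}" if domain_included else login_name


def _md5(data):
    return hashlib.md5(data).digest()


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret + prev)))
        out, prev = out + block, block
    return out


def decrypt_user_password(ciphertext, secret, authenticator):
    """Inverse of encrypt_user_password. Only a party holding the same shared key
    recovers the password, which is why the key must match on switch and server."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, _md5(secret + prev))), block
    return out.rstrip(b"\x00")   # strip the NUL padding


def _attr(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, user_name, password, secret=SHARED_KEY,
                         nas_ip=NAS_IP, authenticator=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by attributes."""
    authenticator = authenticator or os.urandom(16)   # fresh per request in real use
    attrs = (_attr(ATTR_USER_NAME, user_name.encode())
             + _attr(ATTR_USER_PASSWORD,
                     encrypt_user_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius_packet(packet):
    """Decode header and attributes; reject packets whose lengths do not add up."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    authenticator, attrs, pos = packet[4:20], [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": authenticator, "attrs": attrs}


def recover_password(packet, secret):
    """What the server side does: locate User-Password and decrypt it with its key."""
    parsed = parse_radius_packet(packet)
    for attr_type, value in parsed["attrs"]:
        if attr_type == ATTR_USER_PASSWORD:
            return decrypt_user_password(value, secret, parsed["authenticator"])
    return None


if __name__ == "__main__":
    request = build_access_request(7, radius_user_name("admin123", "huawei.com"), "Example@123")
    print(f"{len(request)}-byte Access-Request to {RADIUS_SERVER[0]}:{RADIUS_SERVER[1]}")
    print("server with the right key:", recover_password(request, SHARED_KEY))
    print("server with a wrong key  :", recover_password(request, b"Huawei@0000"))
```

The wrong-key run is what a shared-key mismatch looks like from the server's side: the request parses, but the password it recovers is garbage and authentication fails.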
Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei.com admin
#
radius-server template 1
 radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
 radius-server authentication 10.2.1.1 1812 weight 80
#
aaa
 authentication-scheme sch1
  authentication-mode radius
 domain huawei.com
  authentication-scheme sch1
  radius-server 1
#
user-interface vty 0 14
 authentication-mode aaa
 user privilege level 15
#
stelnet server enable
ssh server-source -i Vlanif 10
ssh user admin123
ssh user admin123 authentication-type password
ssh user admin123 service-type stelnet
#
return
Example for Configuring the Device as the Telnet Client to Log In to Another Device
Networking Requirements
As shown in Figure 3-6, the PC and Client have reachable routes to each other; Client and Server have reachable routes to each other. The user needs to manage and maintain Server remotely. However, the PC cannot directly log in to Server through Telnet because it has no reachable route to Server. The user can log in to Client through Telnet, and then log in to Server from Client. To prevent unauthorized devices from logging in to Server through Telnet, an ACL needs to be configured to allow only the Telnet connection from Client to Server.
The Telnet protocol poses a security risk, and therefore the STelnet V2 protocol is recommended.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure the Telnet authentication mode on Server.
- Configure the login user information on Server.
- Configure an ACL on Server to allow Client access.
- Log in to Server from Client through Telnet.
Procedure
- Configure the Telnet authentication mode and password on Server.
<HUAWEI> system-view
[HUAWEI] sysname Server
[Server] telnet server enable    //Enable Telnet.
[Server] telnet server-source -i Vlanif 10    //Configure the source interface of the server as the interface corresponding to 10.2.1.1. Assume that the interface is Vlanif 10.
[Server] user-interface vty 0 4
[Server-ui-vty0-4] user privilege level 15
[Server-ui-vty0-4] protocol inbound telnet
[Server-ui-vty0-4] authentication-mode aaa
[Server-ui-vty0-4] quit
- Configure the login user information.
[Server] aaa
[Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[Server-aaa] local-user admin1234 service-type telnet
[Server-aaa] local-user admin1234 privilege level 3
[Server-aaa] quit
- Configure an ACL on Server to allow Client access.
[Server] acl 2000
[Server-acl-basic-2000] rule permit source 10.1.1.1 0
[Server-acl-basic-2000] quit
[Server] user-interface vty 0 4
[Server-ui-vty0-4] acl 2000 inbound
[Server-ui-vty0-4] quit
It is optional to configure an ACL for Telnet services.
- Verify the configuration.
# After the preceding configuration, you can log in to Server from Client through Telnet. You cannot log in to Server from other devices.
<HUAWEI> system-view
[HUAWEI] sysname Client
[Client] quit
<Client> telnet 10.2.1.1
Trying 10.2.1.1 ...
Press CTRL+K to abort
Connected to 10.2.1.1 ...
Warning: Telnet is not a secure protocol, and it is recommended to use STelnet.
Login authentication
Username:admin1234
Password:
<Server>
Configuration File
Server configuration file
#
sysname Server
#
telnet server enable
telnet server-source -i Vlanif 10
#
acl number 2000
 rule 5 permit source 10.1.1.1 0
#
aaa
 local-user admin1234 password irreversible-cipher $1a$gRNl~ukoL~0.WU)C2]~2a}Cz/Y0-u8M{j@Ql6/xHryO-Y7m{=A>kWc.-q}>*$
 local-user admin1234 privilege level 3
 local-user admin1234 service-type telnet
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 15
 protocol inbound telnet
#
return
Example for Configuring the Device as the STelnet Client to Log In to Another Device
Networking Requirements
The enterprise requires that secure data exchange should be performed between the server and client. As shown in Figure 3-7, two login users client001 and client002 are configured and they use the password and DSA authentication modes respectively to log in to the SSH server.
The STelnet V1 protocol poses a security risk, and therefore the STelnet V2 mode is recommended.
Configuration Roadmap
The configuration roadmap is as follows:
- Generate a local key pair on the SSH server to implement secure data exchange between the server and client.
- Configure different authentication modes for the SSH users client001 and client002 on the SSH server.
- Enable the STelnet service on the SSH server.
- Configure the STelnet server type for the SSH users client001 and client002 on the SSH server.
- Log in to the SSH server as the client001 and client002 users through STelnet.
Procedure
- Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The DSA host key named SSH Server_Host_DSA already exists.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.
- Create an SSH user on the server.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
Create an SSH user named client001.
# Create an SSH user named client001 and configure the password authentication mode for the user.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher Example@123
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
Create an SSH user named client002.
# Create an SSH user named client002 and configure the DSA authentication mode for the user.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type dsa
# Generate a local key pair for Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The DSA host key named SSH Server_Host_DSA already exists.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.
# Check the public key in the DSA key pair generated on the client.
[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created: 2014-03-03 16:51:28-05:13
Key name: client002_Host
Key modulus : 2048
Key type: DSA encryption Key
Key fingerprint: c0:52:b0:37:4c:b2:64:d1:8f:ff:a1:42:87:09:8c:6f
=====================================================
Key code:
30820109
02820100
CA97BCDE 697CEDE9 D9AB9475 9E004D15 C8B95116
87B79B0C 5698C582 69A9F4D0 45ED0E53 AF2EDEC1
A09DF4BE 459E34B6 6697B85D 2191A00E 92F3A5E7
FB0E73E7 F0212432 E898D979 8EAA491E E2B69727
4B51A2BE CD86A144 16748D1E 4847A814 3FE50862
6EB1AD81 EB49A05E 64F6D186 C4E94CDB 04C53074
B839305A 7F7BCE2C 606F6C91 EA958B6D AC46C12B
8C2B1E03 98F1C09D 3AF2A69D 6867F930 DF992692
9A921682 916273FC 4DD875D4 44BC371E DDBB8F6A
C0A4CDB3 ADDAE853 DB86B9FA DB13CCA9 D8CF6EC1
530CC2F5 697C4707 90829982 4339507F F354FAF9
0F9CD2C2 F7D6FF3D 901D700F F0588104 856B9592
71D773E2 E76E8EEB 431FB60D 60ABC20B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQDKl7zeaXzt6dmrlHWeAE0VyLlRFoe3mwxW
mMWCaan00EXtDlOvLt7BoJ30vkWeNLZml7hdIZGgDpLzpef7DnPn8CEkMuiY2XmO
qkke4raXJ0tRor7NhqFEFnSNHkhHqBQ/5QhibrGtgetJoF5k9tGGxOlM2wTFMHS4
OTBaf3vOLGBvbJHqlYttrEbBK4wrHgOY8cCdOvKmnWhn+TDfmSaSmpIWgpFic/xN
2HXURLw3Ht27j2rApM2zrdroU9uGufrbE8yp2M9uwVMMwvVpfEcHkIKZgkM5UH/z
VPr5D5zSwvfW/z2QHXAP8FiBBIVrlZJx13Pi526O60Mftg1gq8IL
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-dsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKl7zeaXzt6dmrlHWeAE0VyLlRFoe3mwxWmMWCaan00EXtDlOvLt7BoJ30vkWeNLZml7hdIZGgDpLzpef7DnPn8CEkMuiY2XmOqkke4raXJ0tRor7NhqFEFnSNHkhHqBQ/5QhibrGtgetJoF5k9tGGxOlM2wTFMHS4OTBaf3vOLGBvbJHqlYttrEbBK4wrHgOY8cCdOvKmnWhn+TDfmSaSmpIWgpFic/xN2HXURLw3Ht27j2rApM2zrdroU9uGufrbE8yp2M9uwVMMwvVpfEcHkIKZgkM5UH/zVPr5D5zSwvfW/z2QHXAP8FiBBIVrlZJx13Pi526O60Mftg1gq8IL dsa-key
# Configure the generated public key in the DSA key pair on the server. The Key code section of the display command output on the client is the generated public key in the DSA key pair. Copy the key to the server.
The public key must be a hexadecimal string. If it is not a hexadecimal string, convert it into a hexadecimal string in advance.
[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[SSH Server-dsa-key-code] 30820109
[SSH Server-dsa-key-code] 2820100
[SSH Server-dsa-key-code] CA97BCDE 697CEDE9 D9AB9475 9E004D15 C8B95116
[SSH Server-dsa-key-code] 87B79B0C 5698C582 69A9F4D0 45ED0E53 AF2EDEC1
[SSH Server-dsa-key-code] A09DF4BE 459E34B6 6697B85D 2191A00E 92F3A5E7
[SSH Server-dsa-key-code] FB0E73E7 F0212432 E898D979 8EAA491E E2B69727
[SSH Server-dsa-key-code] 4B51A2BE CD86A144 16748D1E 4847A814 3FE50862
[SSH Server-dsa-key-code] 6EB1AD81 EB49A05E 64F6D186 C4E94CDB 04C53074
[SSH Server-dsa-key-code] B839305A 7F7BCE2C 606F6C91 EA958B6D AC46C12B
[SSH Server-dsa-key-code] 8C2B1E03 98F1C09D 3AF2A69D 6867F930 DF992692
[SSH Server-dsa-key-code] 9A921682 916273FC 4DD875D4 44BC371E DDBB8F6A
[SSH Server-dsa-key-code] C0A4CDB3 ADDAE853 DB86B9FA DB13CCA9 D8CF6EC1
[SSH Server-dsa-key-code] 530CC2F5 697C4707 90829982 4339507F F354FAF9
[SSH Server-dsa-key-code] 0F9CD2C2 F7D6FF3D 901D700F F0588104 856B9592
[SSH Server-dsa-key-code] 71D773E2 E76E8EEB 431FB60D 60ABC20B
[SSH Server-dsa-key-code] 203
[SSH Server-dsa-key-code] 10001
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
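The key has to be copied from the client's display output into the server's public-key-code view by hand, and a single mistyped hex digit produces a key that binds cleanly but never authenticates. The following Python script is an added example, not part of the Huawei documentation or of the switch software: it takes the key exactly as the client's display dsa local-key-pair public output above prints it, in both the hexadecimal Key code form and the base64 SSH2 form, decodes each generically (a DER SEQUENCE of INTEGERs; SSH2 length-prefixed fields) and checks that both carry the same integers, so a transcription error is caught before the key is entered on the server and bound with ssh user ... assign dsa-key. It also chunks the hex five words per line, as the transcript enters it. The function names and the five-word grouping are this example's own choices.

```python
"""Cross-check the hex (DER) and base64 (SSH2) forms of the client's public
key before pasting the hex into the server's public-key-code view.
Added example; not part of the Huawei documentation."""
import base64
import struct

# Key code as printed by the client on the page (whitespace is irrelevant).
KEY_CODE_HEX = """
30820109 02820100 CA97BCDE 697CEDE9 D9AB9475 9E004D15 C8B95116 87B79B0C
5698C582 69A9F4D0 45ED0E53 AF2EDEC1 A09DF4BE 459E34B6 6697B85D 2191A00E
92F3A5E7 FB0E73E7 F0212432 E898D979 8EAA491E E2B69727 4B51A2BE CD86A144
16748D1E 4847A814 3FE50862 6EB1AD81 EB49A05E 64F6D186 C4E94CDB 04C53074
B839305A 7F7BCE2C 606F6C91 EA958B6D AC46C12B 8C2B1E03 98F1C09D 3AF2A69D
6867F930 DF992692 9A921682 916273FC 4DD875D4 44BC371E DDBB8F6A C0A4CDB3
ADDAE853 DB86B9FA DB13CCA9 D8CF6EC1 530CC2F5 697C4707 90829982 4339507F
F354FAF9 0F9CD2C2 F7D6FF3D 901D700F F0588104 856B9592 71D773E2 E76E8EEB
431FB60D 60ABC20B 0203 010001
"""

# The same key as the page's "Host public key for PEM format code" block.
KEY_SSH2_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDKl7zeaXzt6dmrlHWeAE0VyLlRFoe3mwxW"
    "mMWCaan00EXtDlOvLt7BoJ30vkWeNLZml7hdIZGgDpLzpef7DnPn8CEkMuiY2XmO"
    "qkke4raXJ0tRor7NhqFEFnSNHkhHqBQ/5QhibrGtgetJoF5k9tGGxOlM2wTFMHS4"
    "OTBaf3vOLGBvbJHqlYttrEbBK4wrHgOY8cCdOvKmnWhn+TDfmSaSmpIWgpFic/xN"
    "2HXURLw3Ht27j2rApM2zrdroU9uGufrbE8yp2M9uwVMMwvVpfEcHkIKZgkM5UH/z"
    "VPr5D5zSwvfW/z2QHXAP8FiBBIVrlZJx13Pi526O60Mftg1gq8IL"
)


def hex_words_to_bytes(text):
    """Join the hex words; reject anything that is not an even-length hex
    string (the page requires the pasted key to be hexadecimal)."""
    joined = "".join(text.split())
    if len(joined) % 2 or any(c not in "0123456789abcdefABCDEF" for c in joined):
        raise ValueError("key code is not an even-length hexadecimal string")
    return bytes.fromhex(joined)


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_sequence_integers(der):
    """Return the INTEGER members of a DER SEQUENCE as unsigned Python ints."""
    if der[0] != 0x30:
        raise ValueError("expected a SEQUENCE")
    seq_len, pos = _der_len(der, 1)
    end = pos + seq_len
    if end != len(der):
        raise ValueError("SEQUENCE length does not match the data length")
    ints = []
    while pos < end:
        if der[pos] != 0x02:
            raise ValueError("expected an INTEGER at offset %d" % pos)
        length, pos = _der_len(der, pos + 1)
        ints.append(int.from_bytes(der[pos:pos + length], "big"))
        pos += length
    return ints


def ssh2_wire_fields(b64):
    """Parse an SSH2 public-key blob: a type string followed by mpints."""
    blob = base64.b64decode(b64)
    pos, fields = 0, []
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    return fields[0].decode("ascii"), [int.from_bytes(f, "big") for f in fields[1:]]


def encodings_match(hex_text, b64):
    """True when the DER key code and the SSH2 blob carry the same integers."""
    der_ints = set(der_sequence_integers(hex_words_to_bytes(hex_text)))
    _, wire_ints = ssh2_wire_fields(b64)
    return der_ints == set(wire_ints)


def key_code_lines(hex_text, words_per_line=5):
    """Chunk the hex words into lines for typing into the public-key-code view."""
    words = hex_text.split()
    return [" ".join(words[i:i + words_per_line]) for i in range(0, len(words), words_per_line)]


if __name__ == "__main__":
    print("encodings match:", encodings_match(KEY_CODE_HEX, KEY_SSH2_B64))
    print("\n".join(key_code_lines(KEY_CODE_HEX)))
```

Run it with the two strings pasted from the client's output; a False result means one of the two copies was altered in transit, and the hex should be re-copied before anything is typed on the server.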
# Bind the DSA public key of the STelnet client to the SSH user client002 on the SSH server.
[SSH Server] ssh user client002 assign dsa-key dsakey001
- Enable the STelnet service on the SSH server.
# Enable the STelnet service.
[SSH Server] stelnet server enable //Enable the STelnet server function. In V200R020 and later versions, you must run the ssh server-source command to set the source interface of the server to the interface using the IP address 10.1.1.1 so that the client can connect to the server through 10.1.1.1.
- Configure the STelnet service type for the client001 and client002 users.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet
- Connect the STelnet client to the SSH server.
# Enable the first authentication function on the SSH client upon the first login.
Enable the first authentication function for Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
Enable the first authentication function for Client002.
[client002] ssh client first-time enable
# Log in to the SSH server from Client001 in password authentication mode by entering the user name and password.
[client001] stelnet 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:d
Enter password:
Enter the password. The following information indicates that you have logged in successfully:
<SSH Server>
# Log in to the SSH server from Client002 in DSA authentication mode.
[client002] stelnet 10.1.1.1 user-identity-key dsa
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:d
<SSH Server>
If the user view is displayed, you have logged in successfully. If the message "Session is disconnected" is displayed, the login fails.
- Verify the configuration.
Run the display ssh server status command. You can see that the STelnet service has been enabled. Run the display ssh user-information command. Information about the configured SSH users is displayed.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH version                 :2.0
SSH connection timeout      :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries  :3 times
SFTP server                 :Disable
Stelnet server              :Enable
Scp server                  :Disable
SSH server source           :0.0.0.0
ACL4 number                 :0
ACL6 number                 :0
# Check information about SSH users.
[SSH Server] display ssh user-information
User 1:
  User Name             : client001
  Authentication-type   : password
  User-public-key-name  : -
  User-public-key-type  : -
  Sftp-directory        : -
  Service-type          : stelnet
  Authorization-cmd     : No
User 2:
  User Name             : client002
  Authentication-type   : dsa
  User-public-key-name  : dsakey001
  User-public-key-type  : dsa
  Sftp-directory        : -
  Service-type          : stelnet
  Authorization-cmd     : No
Configuration File
SSH server configuration file
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
30820109
02820100
CA97BCDE 697CEDE9 D9AB9475 9E004D15 C8B95116
87B79B0C 5698C582 69A9F4D0 45ED0E53 AF2EDEC1
A09DF4BE 459E34B6 6697B85D 2191A00E 92F3A5E7
FB0E73E7 F0212432 E898D979 8EAA491E E2B69727
4B51A2BE CD86A144 16748D1E 4847A814 3FE50862
6EB1AD81 EB49A05E 64F6D186 C4E94CDB 04C53074
B839305A 7F7BCE2C 606F6C91 EA958B6D AC46C12B
8C2B1E03 98F1C09D 3AF2A69D 6867F930 DF992692
9A921682 916273FC 4DD875D4 44BC371E DDBB8F6A
C0A4CDB3 ADDAE853 DB86B9FA DB13CCA9 D8CF6EC1
530CC2F5 697C4707 90829982 4339507F F354FAF9
0F9CD2C2 F7D6FF3D 901D700F F0588104 856B9592
71D773E2 E76E8EEB 431FB60D 60ABC20B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher $1a$gRNl~ukoL~0.WU)C2]~2a}Cz/Y0-u8M{j@Ql6/xHryO-Y7m{=A>kWc.-q}>*$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type stelnet
#
user-interface vty 0 4
authentication-mode aaa
#
return
Client001 configuration file
#
sysname client001
#
ssh client first-time enable
#
return
Client002 configuration file
#
sysname client002
#
ssh client first-time enable
#
return
Example for Configuring Switch Login Through the Web System
Factory Settings of Web Page Files for S Series Switches
For fixed switches, in V200R006 and later versions, the web page file has been integrated in the system software and loaded. For factory settings of web page files in versions earlier than V200R006, see the following tables.
For modular switches:
- For factory settings of web page files in versions earlier than V200R006, see the following tables.
- The system software of V200R006 and later versions (except the system software used by SRUAs and SRUBs of V200R020C00 and later versions, for example, S7700-V200R020C00SPC300-SRUA&B.cc) has integrated and loaded the web page file.
- In V200R020C00 and later versions, the system software used by SRUAs and SRUBs does not integrate the web page file; to use the web function, obtain the web page file, upload it to the root directory of the storage device, and run the http server load filename command to load the file.
| Product Model | V100R006C05 | V200R001 | V200R002 | V200R003 | V200R005 |
|---|---|---|---|---|---|
| S2700-SI/S2700-EI | A web page file is saved in the storage medium, but is not loaded. | - | - | - | - |
| S2710-SI | A web page file is saved in the storage medium, but is not loaded. | - | - | - | - |
| S2750-EI | - | - | - | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded. |
| S3700-SI/S3700-EI | A web page file is saved in the storage medium, but is not loaded. | - | - | - | - |
| S3700-HI | - | The storage medium does not contain a web page file. | - | - | - |
| S5710-C-LI | - | The storage medium does not contain a web page file. | - | - | - |
| S5700-EI/S5700-SI | - | The storage medium does not contain a web page file. | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded for the Classics web system, but does not contain a web page file for the EasyOperation web system. |
| S5700-LI/S5700S-LI | - | The storage medium does not contain a web page file. | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. NOTE: The web page file for the S5700-10P-LI needs to be loaded manually. | The system software contains a web page file that is loaded. |
| S5710-EI | - | The storage medium does not contain a web page file. | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded for the Classics web system, but does not contain a web page file for the EasyOperation web system. |
| S5700-HI | - | The storage medium does not contain a web page file. | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded for the Classics web system, but does not contain a web page file for the EasyOperation web system. |
| S5710-HI | - | - | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded for the Classics web system, but does not contain a web page file for the EasyOperation web system. |
| S6700-EI | - | The storage medium does not contain a web page file. | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded for the Classics web system, but does not contain a web page file for the EasyOperation web system. |

| Product Model | V200R001 | V200R002 | V200R003 | V200R005 |
|---|---|---|---|---|
| S7700 | The storage medium does not contain a web page file. | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded. |
| S9700 | The storage medium does not contain a web page file. | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded. |
A hyphen (-) indicates that the version is not available for the model.
Example for Configuring Switch Login Through the Web System (V200R001)
Overview
The web system uses the built-in web server on a switch to provide a GUI through which users can perform switch management and maintenance. Users can log in to the web system from terminals using HTTPS.
Configuration Notes
This example applies to V200R001 of all S series switches.
The following uses the command lines and outputs of the S5700-EI running V200R001C00 as an example.
Networking Requirements
As shown in Figure 3-8, a switch functions as the HTTPS server. The user wants to log in to the web system using HTTPS to manage and maintain the switch. The user has obtained the server digital certificate 1_servercert_pem_dsa.pem and private key file 1_serverkey_pem_dsa.pem from the CA.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure a management IP address for remotely transferring files and logging in to the switch through the web system.
- Upload the required files to the HTTPS server through FTP, including the web page file, server digital certificate, and private key file.
- Load the web page file and digital certificate.
- Bind an SSL policy and enable the HTTPS service.
- Configure a web user and enter the web system login page.
FTP is an insecure protocol. Using SFTP V2, SCP, or FTPS is recommended.
Procedure
- Obtain the web page file. The following methods are available:
  - Obtain the web page file from a Huawei agent.
  - Download the web page file from the Huawei enterprise technical support website (http://support.huawei.com/enterprise). In V200R001, the web page file is named in the format of product name-software version.web page file version.web.zip.
  Check whether the size of the obtained web page file is the same as the file size displayed on the website. If not, an exception may occur during file download. Download the file again.
- Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] quit
[HTTPS_Server] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 0/0/10 //In this example, GE0/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet0/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet0/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet0/0/10] quit
- Upload the web page file and digital certificate to the HTTPS server through FTP.
# Configure VTY user interfaces on the HTTPS server.
[HTTPS_Server] user-interface vty 0 14 //Enter VTY user interfaces 0 to 14.
[HTTPS_Server-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY user interfaces 0 to 14 to AAA.
[HTTPS_Server-ui-vty0-14] quit
# Configure the FTP function for the switch and information about an FTP user, including the password, user level, service type, and authorized directory.
[HTTPS_Server] ftp server enable //Enable the FTP server function.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user client001 password cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user client001 privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user client001 service-type ftp //Set the user service type to FTP.
[HTTPS_Server-aaa] local-user client001 ftp-directory flash:/ //Set the FTP authorized directory to flash:/.
[HTTPS_Server-aaa] quit
[HTTPS_Server] quit
# Log in to the HTTPS server from the PC through FTP and upload the web page file and digital certificate to the HTTPS server.
Connect the PC to the switch using FTP. Enter the user name client001 and password Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating system.
C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): client001
331 Password required for client001.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. By default, files are transferred in ASCII mode.
200 Type set to I.
ftp>
Upload the web page file and digital certificate to the HTTPS server from the PC.
ftp> put web.zip //Upload the web page file. The web.zip file is used as an example here.
200 Port command okay.
150 Opening BINARY mode data connection for web.zip
226 Transfer complete.
ftp: 1308478 bytes sent in 11 Seconds 4.6Kbytes/sec.
ftp> put 1_servercert_pem_dsa.pem
200 Port command okay.
150 Opening BINARY mode data connection for 1_servercert_pem_dsa.pem
226 Transfer complete.
ftp: 1302 bytes sent in 2 Seconds 4.6Kbytes/sec.
ftp> put 1_serverkey_pem_dsa.pem
200 Port command okay.
150 Opening BINARY mode data connection for 1_serverkey_pem_dsa.pem
226 Transfer complete.
ftp: 951 bytes sent in 1 Second 4.6Kbytes/sec.
# Run the dir command on the switch to check whether the web page file and digital certificate exist in the current storage directory. If the sizes of the web page file and digital certificate in the current storage directory on the switch differ from those on the PC, an exception may have occurred during file transfer. Upload the files again.
# Create the subdirectory security on the HTTPS server and copy the digital certificate and private key file to the subdirectory.
<HTTPS_Server> mkdir security
<HTTPS_Server> copy 1_servercert_pem_dsa.pem security
Copy flash:/1_servercert_pem_dsa.pem to flash:/security/1_servercert_pem_dsa.pem?[Y/N]:y
100% complete
Info: Copied file flash:/1_servercert_pem_dsa.pem to flash:/security/1_servercert_pem_dsa.pem...Done.
<HTTPS_Server> copy 1_serverkey_pem_dsa.pem security
Copy flash:/1_serverkey_pem_dsa.pem to flash:/security/1_serverkey_pem_dsa.pem?[Y/N]:y
100% complete
Info: Copied file flash:/1_serverkey_pem_dsa.pem to flash:/security/1_serverkey_pem_dsa.pem...Done.
# Run the dir command in the security subdirectory to check the digital certificate.
<HTTPS_Server> cd security
<HTTPS_Server> dir
Directory of flash:/security/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-          1,200  Sep 26 2013 22:35:37   1_servercert_pem_dsa.pem
    1  -rw-            736  Sep 26 2013 22:36:11   1_serverkey_pem_dsa.pem

30,008 KB total (348 KB free)
- Load the web page file and digital certificate.
# Load the web page file.
<HTTPS_Server> system-view
[HTTPS_Server] http server load web.zip
# Create an SSL policy and load the PEM digital certificate.
[HTTPS_Server] ssl policy http_server
[HTTPS_Server-ssl-policy-http_server] certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code 123456
[HTTPS_Server-ssl-policy-http_server] quit
# After the preceding configurations are complete, run the display ssl policy command on the HTTPS server to check detailed information about the loaded digital certificate.
[HTTPS_Server] display ssl policy
SSL Policy Name: http_server
Policy Applicants:
Key-pair Type: DSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_dsa.pem
Key-file Filename: 1_serverkey_pem_dsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
- Bind an SSL policy and enable the HTTPS service.
Disable the HTTP service before enabling the HTTPS service.
[HTTPS_Server] undo http server enable //Disable the HTTP service.
[HTTPS_Server] http secure-server ssl-policy http_server //Bind an SSL policy named http_server to the HTTP server.
[HTTPS_Server] http secure-server enable //Enable the HTTPS service.
- Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password cipher Helloworld@6789 //Create a local user named admin and set its password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the access type to http, that is, web user.
[HTTPS_Server-aaa] quit
# Enter the web system login page.
Open the web browser on the PC, type https://192.168.0.1 in the address box, and press Enter. The web system login page is displayed, as shown in Figure 3-9.
You can log in to the web system using the Internet Explorer (6.0 or 8.0) or Firefox (3.5) browsers. If the browser version or browser patch version is not within the preceding ranges, the web page may be displayed incorrectly. Additionally, the web browser used to log in to the web system must support JavaScript.
Enter the user name, password, and verification code. Click Login. The web system home page is displayed.
- Verify the configuration.
Log in to the switch through the web system. The login succeeds.
Run the display http server command to view the SSL policy name and the HTTPS server status.
[HTTPS_Server] display http server
HTTP Server Status          : disabled
HTTP Server Port            : 80(80)
HTTP Timeout Interval       : 20
Current Online Users        : 0
Maximum Users Allowed       : 5
HTTP Secure-server Status   : enabled
HTTP Secure-server Port     : 443(443)
HTTP SSL Policy             : http_server
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
FTP server enable
#
vlan batch 10
#
undo http server enable
http server load web.zip
http secure-server ssl-policy http_server
http secure-server enable
#
aaa
local-user admin password cipher %$%$_h,hW_!nJ!2gXkH9v$X)+,#w%$%$
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password cipher %$%$jD,QKAhe{Yd9kD9Fqi#I+QH~%$%$
local-user client001 privilege level 15
local-user client001 ftp-directory flash:/
local-user client001 service-type ftp
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 10
#
user-interface vty 0 14
authentication-mode aaa
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code 123456
#
return
Example for Configuring Switch Login Through the Web System (V100R006C05&V200R002&V200R003)
Overview
The web system uses the built-in web server on a switch to provide a GUI through which users can perform switch management and maintenance. Users can log in to the web system from terminals using HTTPS.
Configuration Notes
This example applies to V100R006C05, V200R002, and V200R003 of all S series switches.
The following uses the command lines and outputs of the S5700-EI running V200R002C00 as an example.
Networking Requirements
As shown in Figure 3-10, a switch functions as the HTTPS server. The user wants to log in to the web system using HTTPS to manage and maintain the switch.
Configuration Roadmap
The configuration roadmap is as follows:
The web page file is delivered with a switch. For all switches in V100R006C05&V200R002 and for S5700-10P-LI switches in V200R003C00, you need to load the web page file. For fixed switches other than the S5700-10P-LI in V200R003, the web page file has been loaded before delivery, so step 2 (loading the web page file) can be skipped.
A switch provides a default SSL policy and has a randomly generated self-signed digital certificate in the web page file. If the default SSL policy and self-signed digital certificate can meet security requirements, you do not need to upload a digital certificate or manually configure an SSL policy, simplifying configuration. The following configuration uses the default SSL policy provided by the switch as an example.
- Configure a management IP address for logging in to the switch through the web system.
- Load the web page file.
- Configure a web user and enter the web system login page.
Procedure
- Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] quit
[HTTPS_Server] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 1/0/10 //In this example, GE1/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet1/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet1/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet1/0/10] quit
- Load the web page file.
Run the dir command to view the name of the web page file carried by the switch.
In V100R006C05, the web page file is named in the format of product name-software version.web page file version.web.zip. In V200R002 and V200R003, the web page file is named in the format of product name-software version.web page file version.web.7z.
[HTTPS_Server] http server load web.7z //Upload the web page file. The web.7z file is used as an example here.
- Enable the HTTPS service.
[HTTPS_Server] http secure-server enable //The HTTPS service is enabled by default and does not require manual configuration. If the HTTPS service is manually disabled, run this command to enable it.
- Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password cipher Helloworld@6789 //Create a local user named admin and set its password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the access type to http, that is, web user.
[HTTPS_Server-aaa] quit
# Enter the web system login page.
Open the web browser on the PC, type https://192.168.0.1 in the address box, and press Enter. The web system login page is displayed, as shown in Figure 3-11.
You can use Internet Explorer (6.0 – 9.0) or Firefox (3.5 – 17.0) to log in to the web system for V100R006C05, Internet Explorer (8.0) or Firefox (3.6) for V200R001C00, and Internet Explorer (6.0 – 9.0) or Firefox (3.5 – 17.0) for V200R003C00. If the browser version or browser patch version is not within the preceding ranges, the web page may be displayed incorrectly. Additionally, the web browser used to log in to the web system must support JavaScript.
Enter the user name, password, and verification code. Click Login. The web system home page is displayed.
- Verify the configuration.
Log in to the switch through the web system. The login succeeds.
Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status          : enabled
HTTP Server Port            : 80(80)
HTTP Timeout Interval       : 20
Current Online Users        : 0
Maximum Users Allowed       : 5
HTTP Secure-server Status   : enabled
HTTP Secure-server Port     : 443(443)
HTTP SSL Policy             : Default
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
vlan batch 10
#
http server load web.7z
#
aaa
local-user admin password cipher %$%$+8;_RIkI680;]{;b/Vo&T/l>%$%$
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
return
Example for Configuring Switch Login Through the Web System (V200R005)
Overview
The web system uses the built-in web server on a switch to provide a GUI through which users can perform switch management and maintenance. Users can log in to the web system from terminals using HTTPS.
- The EasyOperation version provides rich graphics and a more user-friendly UI on which users can perform monitoring, configuration, maintenance, and other network operations.
- The Classics version inherits the web page style of Huawei switches and provides comprehensive configuration and management functions.
Configuration Notes
This example applies to V200R005 of all S series switches.
The following uses the command lines and outputs of the S5700-HI running V200R005 as an example.
Networking Requirements
As shown in Figure 3-12, a switch functions as the HTTPS server. The user wants to log in to the web system using HTTPS to manage and maintain the switch.
Configuration Roadmap
A switch provides a default SSL policy and has a randomly generated self-signed digital certificate in the web page file. If the default SSL policy and self-signed digital certificate can meet security requirements, you do not need to upload a digital certificate or manually configure an SSL policy, simplifying configuration. The following configuration uses the default SSL policy provided by the switch as an example.
- Modular switch: all models
- Fixed switch: S2750, S5700-LI, S5700S-LI
The Classics web page file has been loaded on the S5700-SI, S5700-EI, S5710-EI, S5700-HI, S5710-HI, and S6700-EI in V200R005. To use the Classics web system, you only need to configure a web user and enter the web system login page. To use the EasyOperation web system, perform the configuration based on the following roadmap:
- Configure a management IP address for remotely transferring files and logging in to the switch through the web system.
- Upload the web page file to the HTTPS server through FTP.
- Load the web page file.
- Configure a web user and enter the web system login page.
FTP is an insecure protocol. Using SFTP V2, SCP, or FTPS is recommended.
Procedure
- Obtain the web page file. The following methods are available:
  - Obtain the web page file from a Huawei agent.
  - Download the web page file from the Huawei enterprise technical support website (http://support.huawei.com/enterprise). For a fixed switch, download the system software containing the web page file. For a modular switch, download the web page file.
  In V200R005, the web page file is named in the format of product name-software version.web page file version.web.7z.
  Check whether the size of the obtained web page file is the same as the file size displayed on the website. If not, an exception may occur during file download. Download the file again.
- Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] quit
[HTTPS_Server] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 0/0/10 //In this example, GE0/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet0/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet0/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet0/0/10] quit
- Upload the web page file to the HTTPS server through FTP.
# Configure VTY user interfaces on the HTTPS server.
[HTTPS_Server] user-interface vty 0 14 //Enter VTY user interfaces 0 to 14.
[HTTPS_Server-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY user interfaces 0 to 14 to AAA.
[HTTPS_Server-ui-vty0-14] quit
# Configure the FTP function for the switch and information about an FTP user, including the password, user level, service type, and authorized directory.
[HTTPS_Server] ftp server enable //Enable the FTP server function.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user client001 privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user client001 service-type ftp //Set the user service type to FTP.
[HTTPS_Server-aaa] local-user client001 ftp-directory flash:/ //Set the FTP authorized directory to flash:/.
[HTTPS_Server-aaa] quit
# Log in to the HTTPS server from the PC through FTP and upload the web page file to the HTTPS server.
Connect the PC to the switch using FTP. Enter the user name client001 and password Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating system.
C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): client001
331 Password required for client001.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. By default, files are transferred in ASCII mode.
200 Type set to I.
ftp>
Upload the web page file to the HTTPS server from the PC.
ftp> put web.7z //Upload the web page file. The web.7z file is used as an example here.
200 Port command okay.
150 Opening BINARY mode data connection for web.zip
226 Transfer complete.
ftp: 1308478 bytes sent in 11 Seconds 4.6Kbytes/sec.
If the size of the web page file in the current directory on the switch is different from that on the PC, an exception may occur during file transfer. Upload the web page file again.
- Load the web page file.
# Load the web page file.
[HTTPS_Server] http server load web.7z //Load the web page file.
- Enable the HTTPS service.
[HTTPS_Server] http secure-server enable //The HTTPS service is enabled by default and does not require manual configuration. If the HTTPS service is manually disabled, run this command to enable it.
- Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the user service type to HTTP.
[HTTPS_Server-aaa] quit
# Enter the web system login page.
Open the web browser on the PC, type https://192.168.0.1 in the address box, and press Enter. The web system login page is displayed, as shown in Figure 3-13.
Enter the web user name admin and password Helloworld@6789, and click GO or press Enter. The web system home page is displayed. The EasyOperation web system is logged in by default.
- Verify the configuration.
Log in to the switch through the web system. The login succeeds.
Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status              : enabled
HTTP Server Port                : 80(80)
HTTP Timeout Interval           : 20
Current Online Users            : 0
Maximum Users Allowed           : 5
HTTP Secure-server Status       : enabled
HTTP Secure-server Port         : 443(443)
HTTP SSL Policy                 : Default
HTTP IPv6 Server Status         : disabled
HTTP IPv6 Server Port           : 80(80)
HTTP IPv6 Secure-server Status  : disabled
HTTP IPv6 Secure-server Port    : 443(443)
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
FTP server enable
#
vlan batch 10
#
http server load web.7z
#
aaa
 local-user admin password irreversible-cipher %@%@wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%@%@
 local-user admin privilege level 15
 local-user admin service-type http
 local-user client001 password irreversible-cipher %@%@5d~9:M^ipCfL\iB)EQd>,,ajwsi[\ad,saejin[qndi83Uwe%@%@
 local-user client001 privilege level 15
 local-user client001 ftp-directory flash:/
 local-user client001 service-type ftp
#
interface Vlanif10
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
 port link-type access
 port default vlan 10
#
user-interface vty 0 14
 authentication-mode aaa
#
return
Example for Configuring Switch Login Through the Web System (V200R006 and later versions)
Overview
The web system uses the built-in web server on a switch to provide a GUI through which users can perform switch management and maintenance. Users can log in to the web system from terminals using HTTPS.
- The EasyOperation version provides rich graphics and a more user-friendly UI on which users can perform monitoring, configuration, maintenance, and other network operations.
- The Classics version inherits the web page style of Huawei switches and provides comprehensive configuration and management functions.
In V200R011C10 and later versions, the Classics version is not supported.
Configuration Notes
This example applies to V200R006 and later versions of all S series switches.
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an example.
Networking Requirements
As shown in Figure 3-14, a switch functions as the HTTPS server. The user wants to log in to the web system using HTTPS to manage and maintain the switch.
Configuration Roadmap
The configuration roadmap is as follows:
The system software of the switch has integrated and loaded the web page file. No manual configuration is required.
A switch provides a default SSL policy and has a randomly generated self-signed digital certificate in the web page file. If the default SSL policy and self-signed digital certificate can meet security requirements, you do not need to upload a digital certificate or manually configure an SSL policy, simplifying configuration. The following configuration uses the default SSL policy provided by the switch as an example.
Configure a management IP address for logging in to the switch through the web system.
Configure a web user and enter the web system login page.
Procedure
- Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] quit
[HTTPS_Server] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 1/0/10 //In this example, GE1/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet1/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet1/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet1/0/10] quit
- Enable the HTTPS service.
[HTTPS_Server] http secure-server enable //The HTTPS service is enabled by default and does not require manual configuration. If the HTTPS service is manually disabled, run this command to enable it.
[HTTPS_Server] http server-source -i Vlanif 10 //Set the source interface of the server to VLANIF 10 so that the client can connect to the server through 192.168.0.1.
- Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]Y
[HTTPS_Server-aaa] local-user admin service-type http //Set the user service type to HTTP.
[HTTPS_Server-aaa] quit
# Enter the web system login page.
Open the web browser on the PC, type https://192.168.0.1 in the address box, and press Enter. The web system login page is displayed, as shown in Figure 3-15.
Table 3-7 lists the browser versions required for login to a switch through the web system. If the browser version or browser patch version is not within the listed ranges, the web page may not be displayed properly; upgrade the browser and browser patch. In addition, the browser must support JavaScript.
Enter the web user name admin and password Helloworld@6789, and click GO or press Enter. The web system home page is displayed. The EasyOperation web system is logged in by default.
Table 3-7 Mapping between the product version and browser version

| Product Version | Browser Version for EasyOperation Web System | Browser Version for Classic Web System |
| --- | --- | --- |
| V200R006 | IE 8.0 to 11.0, Firefox 12.0 to 28.0, or Chrome 23.0 to 34.0 | IE 8.0 to 11.0, or Firefox 12.0 to 28.0 |
| V200R007 | IE 8.0 to 11.0, Firefox 12.0 to 32.0, or Chrome 23.0 to 37.0 | IE 8.0 to 11.0, or Firefox 12.0 to 32.0 |
| V200R008 | IE 10.0, IE 11.0, Firefox 31.0 to 35.0, or Chrome 30.0 to 39.0 | IE 10.0, IE 11.0, or Firefox 31.0 to 35.0 |
| V200R009 | IE 10.0, IE 11.0, Firefox 35.0 to 45.0, or Chrome 34.0 to 49.0 | IE 10.0, IE 11.0, or Firefox 35.0 to 45.0 |
| V200R010 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 39.0 to 49.0, or Chrome 39.0 to 54.0 | IE 10.0, IE 11.0, or Firefox 39.0 to 49.0 |
| V200R011C10 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 53.0 to 59.0, or Chrome 54.0 to 66.0 | – |
| V200R012(C00&C20) | Microsoft Edge, IE 10.0, IE 11.0, Firefox 53.0 to 59.0, or Chrome 54.0 to 66.0 | – |
| V200R013C00 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 58.0 to 62.0, or Chrome 60.0 to 69.0 | – |
| V200R013C02 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 61.0 to 66.0, or Chrome 64.0 to 73.0 | – |
| V200R019C00 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 61.0 to 66.0, or Chrome 64.0 to 73.0 | – |
| V200R019C10 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 61.0 to 66.0, or Chrome 64.0 to 73.0 | – |
| V200R020C00 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 61.0 to 66.0, or Chrome 64.0 to 73.0 | – |
| V200R020C10 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 61.0 to 66.0, or Chrome 64.0 to 73.0 | – |
| V200R021C00 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 85.0 to 89.0, or Chrome 82.0 to 91.0 | – |
| V200R021C00SPC600 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 85.0 to 89.0, or Chrome 82.0 to 91.0 | – |
| V200R021C01 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 85.0 to 89.0, or Chrome 82.0 to 91.0 | – |
| V200R021C10 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 85.0 to 89.0, or Chrome 82.0 to 91.0 | – |
| V200R022C00 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 97.0 to 101.0, or Chrome 93.0 to 102.0 | – |
| V200R022C10 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 97.0 to 101.0, or Chrome 93.0 to 102.0 | – |
- Verify the configuration.
Log in to the switch through the web system. The login succeeds.
Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status              : enabled
HTTP Server Port                : 80(80)
HTTP Timeout Interval           : 20
Current Online Users            : 0
Maximum Users Allowed           : 5
HTTP Secure-server Status       : enabled
HTTP Secure-server Port         : 443(443)
HTTP SSL Policy                 : Default
HTTP IPv6 Server Status         : disabled
HTTP IPv6 Server Port           : 80(80)
HTTP IPv6 Secure-server Status  : disabled
HTTP IPv6 Secure-server Port    : 443(443)
HTTP server source address      : 0.0.0.0 //This field displays the HTTP server source interface in V200R020 and later versions.
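The display http server output above (and the identical output in the earlier web-login example) is what an operator checks after enabling HTTPS. The following Python is an added review helper, not part of this example or of the switch software: it parses that output into fields and flags the settings a reviewer would question, namely a plaintext HTTP listener left enabled and the Default SSL policy, which means the randomly generated self-signed certificate is in use. The sample output is constructed from the display shown above.

```python
import re

# Constructed sample, copied from the "display http server" output shown in
# this example (the source-address line appears in V200R020 and later).
SAMPLE_OUTPUT = """\
HTTP Server Status              : enabled
HTTP Server Port                : 80(80)
HTTP Timeout Interval           : 20
Current Online Users            : 0
Maximum Users Allowed           : 5
HTTP Secure-server Status       : enabled
HTTP Secure-server Port         : 443(443)
HTTP SSL Policy                 : Default
HTTP IPv6 Server Status         : disabled
HTTP IPv6 Server Port           : 80(80)
HTTP IPv6 Secure-server Status  : disabled
HTTP IPv6 Secure-server Port    : 443(443)
HTTP server source address      : 0.0.0.0
"""


def parse_http_server(output):
    """Map each 'Field : value' line to a dict entry.  Port fields such as
    '443(443)', i.e. configured(default), are reduced to the configured
    integer; every other value is kept as the string the switch printed."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a 'Field : value' line (e.g. blank line)
        m = re.fullmatch(r"(\d+)\(\d+\)", value.strip())
        fields[key.strip()] = int(m.group(1)) if m else value.strip()
    return fields


def audit_http_server(fields):
    """Return review findings for the web management service.  HTTPS is the
    intended login path in this example; the Default SSL policy selects the
    self-signed certificate, which browsers cannot verify against a CA."""
    findings = []
    if fields.get("HTTP Secure-server Status") != "enabled":
        findings.append("HTTPS disabled: web login would use plaintext HTTP")
    if fields.get("HTTP Server Status") == "enabled":
        findings.append("plaintext HTTP listener enabled on port %s; confirm it is needed"
                        % fields.get("HTTP Server Port"))
    if str(fields.get("HTTP SSL Policy", "")).lower() == "default":
        findings.append("Default SSL policy: self-signed certificate, not verifiable by clients")
    return findings
```

Run audit_http_server(parse_http_server(...)) on the captured output of display http server; an empty list means none of the three conditions was found.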
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
vlan batch 10
#
aaa
 local-user admin password irreversible-cipher %#%#wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%#%#
 local-user admin privilege level 15
 local-user admin service-type http
#
interface Vlanif10
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
 port link-type access
 port default vlan 10
#
return