
S1720GFR, S2700, S5700, and S6720 V200R010C00 Web-based Configuration Guide

This document describes the configuration and maintenance of the device through the web network management system. The web network management system provides the functions of viewing device information and managing the entire system, interfaces, services, ACL, QoS, routes, security, and tools.
Web System Login Configuration

Overview

Definition

The web system can be used to manage devices. The device has an internal web server which provides a GUI for users. Before using the web system to manage and maintain a device, you need to log in to the device through HTTPS from a terminal.

Purpose

You can manage a device using a web system or a command line interface (CLI). On a CLI, you must use commands to manage and maintain the device. The CLI method allows you to implement fine-grained device management, but you have to be familiar with required commands. In comparison, the web system is easier to operate and allows you to manage and maintain the device on a GUI. However, the web system provides only basic routine maintenance and management functions. You can select a proper management method based on actual needs.

To use the CLI, you must log in to the device through a console port or a mini USB port, or using Telnet or STelnet. To use the web system, you must log in to the device through HTTPS.

For details on how to log in to a device through the console port or a mini USB port, or using Telnet or STelnet, see CLI Login Configuration.

Concepts
Before configuring web system login, familiarize yourself with the following concepts:
  • HTTP

    Hypertext Transfer Protocol (HTTP) is used to transfer web page files over the Internet. It runs at the application layer of the TCP/IP protocol stack. The transport layer uses the connection-oriented TCP protocol. HTTP has security vulnerabilities. To avoid potential security risks, the device allows you to log in to the web system only through the more secure Hypertext Transfer Protocol Secure (HTTPS).

  • HTTPS

    HTTPS uses Secure Sockets Layer (SSL) to encrypt data exchanged between the client and device and defines access control policies based on certificate attributes. HTTPS enhances data integrity and transmission security, ensuring that only authorized clients can log in to the device.

  • SSL policy

    An SSL policy defines parameters that the device uses during startup, and is implemented during configuration of HTTPS. During configuration, the corresponding digital certificate on the device is loaded. The SSL policy takes effect only after it is applied to application layer protocols, such as HTTP.

  • Digital certificate

    A digital certificate is issued by a certificate authority (CA) and uses a digital signature to bind a public key with an identity (applicant who possesses the certificate). The digital certificate includes information such as the applicant name, public key, digital signature of the CA, and validity period of the digital certificate. A digital certificate validates the identities of two communicating parties to improve communication reliability.

  • Certificate Authority (CA)

    A CA issues, manages, and revokes digital certificates by checking the validity of digital certificate owners, issuing digital certificates to prevent eavesdropping and tampering, and managing certificates and keys. A globally trusted CA is called a root CA. The root CA can authorize other CAs as subordinate CAs. A CA's identity needs to be verified and is described in a trusted-CA file.

    For example, CA1 is the root CA and issues a certificate for CA2, and CA2 then issues a certificate for CA3. This process proceeds until the final server certificate is issued.

    Assume that CA3 issues the server certificate. A certificate authentication process on the client starts from server certificate authentication:
    • The client first verifies the validity of the server certificate based on the CA3 certificate.
    • The client then checks the CA2 certificate to verify the validity of the CA3 certificate.
    • The client then checks the CA1 certificate to verify the validity of the CA2 certificate.
    • The server certificate passes the authentication only when the CA2 certificate is verified as valid by the CA1 certificate.

    Figure 1-7 shows the certificate issuing and authentication processes.

    Figure 1-7  Certificate issuing and authentication
  • Certificate Revocation List (CRL)

    A CRL is issued by a CA and lists the certificates that the CA has revoked. A certificate on the list should therefore no longer be relied upon.

    Each digital certificate has a limited lifetime, and a CA can revoke a digital certificate to shorten its lifetime. The validity period of a certificate specified in the CRL is shorter than the original validity period of the certificate. If a CA revokes a digital certificate, the key pair defined in the certificate can no longer be used even if the digital certificate has not expired. When a certificate in a CRL expires, the certificate is deleted from the CRL to shorten the CRL.

You can load the CRL and a certificate (trust certificate) with a higher level than the digital certificate on your PC. If they are not loaded, you are prompted to determine whether to trust the server when you attempt to establish a connection with a web server. If you choose to not trust the server, the connection cannot be established. If you choose to trust the server, the connection is established successfully, but the PC cannot verify the digital certificate on the server. However, the confidentiality of data transmitted between the PC and server is ensured. To ensure that you are connecting to a valid web server, you can load a trust certificate and CRL on the PC. For details on how to load trust certificates, refer to the help information in the operating system.
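
The CA1, CA2, CA3 and server certificate walk described above can be reproduced offline. The following Python code is an added example, not part of the Huawei guide; it assumes the third-party cryptography package is installed, and every name, key and certificate in it is constructed for the demonstration.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def issue(cn, key, issuer_cn, issuer_key, is_ca):
    """Issue a certificate for `key`, signed with `issuer_key` (constructed demo data)."""
    start = datetime.datetime(2024, 1, 1)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(_name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def signed_by(cert, issuer):
    """True if `issuer` is named as issuer of `cert` and its key verifies the signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False
    return True


def verify_chain(server_cert, intermediates, trusted_root):
    """Walk from the server certificate up to the trusted root, one issuer at a time.

    Checks issuer linkage, signatures and the CA flag. Validity periods and
    CRL lookups are not checked here.
    """
    path = [server_cert, *intermediates, trusted_root]
    for cert, issuer in zip(path, path[1:]):
        constraints = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not constraints.ca:
            return False, f"{common_name(issuer)} is not a CA certificate"
        if not signed_by(cert, issuer):
            return False, f"{common_name(cert)} is not signed by {common_name(issuer)}"
    if not signed_by(trusted_root, trusted_root):
        return False, "trust anchor is not self-signed"
    return True, "chain verified up to " + common_name(trusted_root)


def build_demo_chain():
    """CA1 (root) -> CA2 -> CA3 -> server, as in the example above."""
    keys = {n: rsa.generate_private_key(public_exponent=65537, key_size=2048)
            for n in ("CA1", "CA2", "CA3", "server", "rogue")}
    ca1 = issue("CA1", keys["CA1"], "CA1", keys["CA1"], True)
    ca2 = issue("CA2", keys["CA2"], "CA1", keys["CA1"], True)
    ca3 = issue("CA3", keys["CA3"], "CA2", keys["CA2"], True)
    server = issue("server", keys["server"], "CA3", keys["CA3"], False)
    # Same name as CA1 but a different key: a root the client does not trust.
    rogue = issue("CA1", keys["rogue"], "CA1", keys["rogue"], True)
    return {"CA1": ca1, "CA2": ca2, "CA3": ca3, "server": server, "rogue": rogue}


if __name__ == "__main__":
    c = build_demo_chain()
    print(verify_chain(c["server"], [c["CA3"], c["CA2"]], c["CA1"]))
    print(verify_chain(c["server"], [c["CA3"]], c["CA1"]))            # CA2 missing
    print(verify_chain(c["server"], [c["CA3"], c["CA2"]], c["rogue"]))  # wrong root key
```

The third call fails even though the rogue root carries the name CA1: a matching issuer name is not enough, the signature must verify under the key of the root that the client actually trusts.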

Web System Login Configuration Tasks

You can configure login through the web system in simple mode or secure mode.

Table 1-7 describes configuration tasks of web system login.

Table 1-7  Configuration tasks of web system login

| Scenario | Description | Section |
|---|---|---|
| Simple Mode: Configure device login through the web system | The device provides a default SSL policy, and the web page file contains a self-signed certificate that is randomly generated. If the default SSL policy and self-signed certificate meet security requirements, you do not need to upload a digital certificate or configure an SSL policy. The configuration of this mode is simple but poses security risks. It applies to scenarios that do not have high security requirements. | Configuring Device Login Through the Web System (Simple Mode) |
| Secure Mode: Configure device login through the web system | To avoid potential security risks, you can acquire a trust digital certificate and private key file from the CA and manually configure an SSL policy. This mode requires more complex configuration but provides high security. You are recommended to use this mode to configure device login through the web system. | Configuring Device Login Through the Web System (Secure Mode) |
| Secure Mode: Configure access control on web users | To enhance security, you can configure access control on web users to specify clients that can log in to the device through the web system. | Configuring Access Control on Web Users |

NOTE:

The device does not provide lifetime management for the self-signed digital certificate, such as update and revocation. To ensure device and certificate security, you are recommended to replace the self-signed certificate with a certificate authority (CA) certificate.

Web System Login Default Configuration

Table 1-8 lists the default configuration of web system login.
Table 1-8  Default configuration of web system login

| Parameter | Default Setting |
|---|---|
| Web page file integrated into system software | Supported |
| Default SSL policy | Supported |
| HTTPS service | HTTPS IPv4: enabled; HTTPS IPv6: disabled |
| Port number of the HTTPS server | 443 |
| Timeout period of an HTTPS connection | 20 minutes |
| Web user | By default, the local user admin exists in the system, with the password admin@huawei.com, user level 15, and service type http. |
| Access control on web users | None |

Configuring Device Login Through the Web System (Simple Mode)

Pre-configuration Tasks
NOTE:

When a device starts without any configuration, HTTP uses the randomly generated self-signed certificate to support HTTPS. The self-signed certificate may bring risks. Therefore, you are advised to replace it with an officially authorized digital certificate. For details about how to replace the certificate, see Configuring Device Login Through the Web System (Secure Mode).

Before configuring login through the web system (simple mode), configure a reachable route between a terminal and the device.

Configuration Process

The following configuration tasks must be performed in sequence.

Uploading and Loading a Web Page File

Context

The system software of the device contains a web page file, and the web page file is pre-loaded to the device before delivery. If you use this web page file, you do not need to perform the following configuration. To upgrade the web page file on the device, log in to the Huawei official website, download an independent web page file, and then upload and load the file on the device.

NOTE:

To obtain a web page file, log in to the Huawei enterprise support website (http://support.huawei.com/enterprise), choose the product model and version, and select a patch version under Public Patch in V and R Version to download the required web page file. The file name is in the format of product name-software version number.web page file version number.web.7z.

After downloading the file, compare the downloaded web page file with that on the website to check whether their sizes are the same. If not, an error may have occurred during file download. Download the file again.

Each web page file corresponds to a signature file. The method of downloading the signature file is the same as that of downloading the web page file.

Procedure

  1. Upload the web page file.

    You can upload the web page file using SFTP or other modes. For details, see Local File Management.

    NOTE:

    After the file is uploaded to the device, run the dir command in the user view to check whether the uploaded file has the same size as that on the file server. If not, an error may have occurred during file upload. Upload the file again.

  2. (Optional) Run:

    check file-integrity filename signature-filename

    The web page file validity is checked.

  3. Load the web page file.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      http server load { file-name | default }

      The web page file is loaded.

      By default, the web page file in system software is pre-loaded on the device.

      If default is specified, the web page file in the system software is loaded. If file-name is specified, an independent web page file is loaded.

      NOTE:

      If the system software is upgraded from V200R006 or an earlier version to V200R007 or a later version, but the target software version conflicts with the configuration file for next startup, the device will cancel the configuration of loading the web page file in the original system software after the upgrade, and load the web page file integrated in the new system software by default.

Enabling the HTTPS Service

Context

You can log in to the web system only after the HTTPS service is enabled. To enhance device security, you can change the port number of the HTTPS server to prevent attackers from accessing the server using the default port number. In addition, you can set a timeout period for an HTTPS connection to prevent waste of web channel resources when no operation is performed in a long time.

By default, the HTTPS IPv4 service is enabled on a device but the HTTPS IPv6 service is disabled, the port number of the HTTPS server is 443, the timeout period of an HTTPS connection is 20 minutes, and login requests from all interfaces are accepted. If you use the HTTPS IPv4 service, default port number and timeout period, and accept login requests from all interfaces, do not perform the following configuration. To use the HTTPS IPv6 service, you need to enable it first.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    http [ ipv6 ] secure-server enable

    The HTTPS service is enabled.

    By default, the HTTPS IPv4 service is enabled on a device while the HTTPS IPv6 service is disabled.

  3. Run:

    http [ ipv6 ] secure-server port port-number

    The port number of the HTTPS server is specified.

    The default port number of the HTTPS server is 443.

  4. Run:

    http server-source -i loopback interface-number

    A loopback interface is specified as the source interface of the HTTPS server.

    Before specifying a source interface for an HTTPS server, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface is not created, the http server-source command cannot be executed.

  5. Run:

    http timeout timeout

    A timeout period is set for HTTPS connections.

    The default timeout period is 20 minutes.

Configuring a Web User and Logging In to the Web System

Context

A web user account can be configured based on the user name, password, level, and access type. After configuration, you can log in to the web system. Enter the user name and password to log in to a web system.

NOTE:

The default upload/download directory is the root directory. You can modify the upload/download directory by running the corresponding command in the AAA view.

Procedure

  1. Configure a web user.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      local-user user-name password irreversible-cipher password

      A local user name and a password are configured.

      By default, the local user admin exists in the system, with the password admin@huawei.com.

    4. Run:

      local-user user-name service-type http

      The access type of the local user is set to HTTP.

      By default, no access type is configured for a local user.

    5. Run:

      local-user user-name privilege level level 

      The local user level is set.

      By default, the level of the local user admin is 15 and the user is an administrator.

      Only level 3 users and higher are administrators with management rights. Level 2 users and below are monitoring users. Administrator users have all operation rights of a web page, and monitoring users can only perform ping and tracert operations.

      After logging in to the web system, monitoring users receive a message that shows their current level and prompts them to raise their user level. Figure 1-8 and Figure 1-9 show the message displayed on the Classics and EasyOperation versions.

      Figure 1-8  Message received by a monitoring user logging in to the Classics web system
      Figure 1-9  Message received by a monitoring user logging in to the EasyOperation web system

  2. Log in to the web system.
    1. Open the web browser on a PC, enter https:// IP address in the address box, and press Enter. The web system login page is displayed. Enter the web user name and password and select a language for the web system, as shown in Figure 1-10.

      IP address specifies the device's management IP address, which can be an IPv4 or IPv6 address, depending on the HTTPS service type.

      To ensure compatibility, a user logging in through HTTP is redirected to https:// IP address if the user enters http:// IP address in the address box.

      Figure 1-10  Web system login page
      NOTE:
      • The operating system required for web system login must be the Windows 7.0, Windows 8.0, Windows 8.1, Windows 10.0, or iOS operating system. The iOS operating system supports only login to the EasyOperation web system, but does not support file uploading and downloading.
      • To log in to the EasyOperation Web system, you must use Microsoft Edge, Internet Explorer 11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to 54.0. To log in to the Classic Web system, you must use Internet Explorer 11.0, or Firefox 39.0 to 49.0. If the browser version or browser patch version is not within the preceding ranges, the web page may not be properly displayed. Upgrade the browser and browser patch. In addition, the browser must support JavaScript.
      • When logging in to the web system using the Internet Explorer, ensure that active scripting in the Security tab page is enabled; otherwise, an exception may occur during web system login.
      • The best resolution of the display for web system login is 1316px. If the resolution is less than 1280px, the system displays a prompt message.
      • By default, the earliest SSL version used in SSL policies on the device is TLS1.1. When logging in to the device through the web system, ensure that the SSL version supported by the browser is the same as that supported by the device; otherwise, an exception may occur during web system login. It is recommended that you upgrade the browser based on the displayed page or modify the SSL configuration. Take the Internet Explorer as an example. Choose Tools > Internet Options, and click the Advanced tab to view and select the SSL version.
      • If you use Internet Explorer 8.0 running on Windows XP to log in to the web system, you must configure the RC4 algorithm for the customized SSL cipher suite policy. Otherwise, you will be unable to log in to the web system. To perform this configuration, run the set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_256_cbc_sha256 } command.
      • The web system identifies device information based on the Item value in the device's electronic label, but the device hardware driver determines whether to start the device based on the BarCode value. Since the values of BarCode and Item may not be the same, the web system may not read or display the card information.
      • The web system does not support back, forward, and refresh buttons of the browser. You may return to the login page when you use the buttons.
      • If you log in to the Web systems with the same IP address through multiple windows on a browser, only the latest login is saved. If the Web systems have the same IP address and the same port number, the latest login account is displayed on earlier web pages after all the windows are refreshed. If the Web systems have the same IP address but different port numbers, timeout messages are displayed on earlier web pages after all the windows are refreshed.
      • If the software version of the device changes (for example, the device software is upgraded or rolled back), clear the browser cache before using the web system. Otherwise, the web page may be displayed incorrectly.
      • You can click Open Source software Notice to view details of the open source software notice.

    2. Select the layout of the web system.

      The EasyOperation version provides rich graphics and a more user-friendly UI on which users can perform monitoring, configuration, maintenance, and other network operations. The Classics version inherits the web page style of Huawei switches and provides comprehensive configuration and management functions.

      The EasyOperation version is used by default.

    3. Access the password change page of the web system.

      On the web system login page, click GO or press Enter to access the password change page, as shown in Figure 1-11. Change the password and re-log in to the web system as prompted. You can manage and maintain the device after logging in to the web system.

      Figure 1-11  Password change page of the web system
      NOTE:
      • The password change page is displayed during the login process only the first time you log in to the web system.
      • The password change page is also displayed if your password will expire or has expired. To access the web system main page, you must change the password.
      • For security purposes, a password must contain at least two types of the following: lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').

    4. (Optional) Change the default user password.

      If you are logged in as an administrator and the password of the default user admin is admin@huawei.com, the system prompts you to change this password. Figure 1-12 shows the prompt. Click Confirm to display the User Management page on which you can change the password of the default user. Changing this password is recommended to improve security.

      Figure 1-12  Changing the default user
      NOTE:
      • The dialog box is displayed only when you log in to the web system as an administrator user (level 3 or higher).

      • A secure password should contain at least two of the following: lowercase letters, uppercase letters, numerals, special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').

Checking the Configuration of Configuring Device Login Through the Web System

Context

After completing the configuration, run the following commands in any view on the CLI to check information about online web users and the HTTPS server.

Procedure

  • Run the display http user [ username username ] command to check online web user information.
  • Run the display http server command to check current HTTPS server information.

Configuring Device Login Through the Web System (Secure Mode)

Pre-configuration Tasks

Before configuring login through the web system (secure mode), complete the following tasks:

  • Configure a reachable route between a terminal and the device.
  • Obtain a digital certificate and private key file from the CA.
Configuration Process

The following configuration tasks must be performed in sequence.

Uploading and Loading a Web Page File

Context

The system software of the device contains a web page file, and the web page file is pre-loaded to the device before delivery. If you use this web page file, you do not need to perform the following configuration. To upgrade the web page file on the device, log in to the Huawei official website, download an independent web page file, and then upload and load the file on the device.

NOTE:

To obtain a web page file, log in to the Huawei enterprise support website (http://support.huawei.com/enterprise), choose the product model and version, and select a patch version under Public Patch in V and R Version to download the required web page file. The file name is in the format of product name-software version number.web page file version number.web.7z.

After downloading the file, compare the downloaded web page file with that on the website to check whether their sizes are the same. If not, an error may have occurred during file download. Download the file again.

Each web page file corresponds to a signature file. The method of downloading the signature file is the same as that of downloading the web page file.

Procedure

  1. Upload the web page file.

    You can upload the web page file using SFTP or other modes. For details, see Local File Management.

    NOTE:

    After the file is uploaded to the device, run the dir command in the user view to check whether the uploaded file has the same size as that on the file server. If not, an error may have occurred during file upload. Upload the file again.

  2. (Optional) Run:

    check file-integrity filename signature-filename

    The web page file validity is checked.

  3. Load the web page file.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      http server load { file-name | default }

      The web page file is loaded.

      By default, the web page file in system software is pre-loaded on the device.

      If default is specified, the web page file in the system software is loaded. If file-name is specified, an independent web page file is loaded.

      NOTE:

      If the system software is upgraded from V200R006 or an earlier version to V200R007 or a later version, but the target software version conflicts with the configuration file for next startup, the device will cancel the configuration of loading the web page file in the original system software after the upgrade, and load the web page file integrated in the new system software by default.

Configuring an SSL Policy and Loading a Digital Certificate

Context

To avoid potential security risks, you can acquire a trust digital certificate and a private key file from the CA and manually configure an SSL policy.

The device supports certificates in PEM, ASN1, and PFX formats. Certificates have the same content regardless of format.
  • The PEM (.pem) digital certificate is most commonly used. It applies to text transmission between systems.
  • The ASN1 (.der) format is a universal digital certificate format and the default format for most browsers.
  • The PFX (.pfx) format is a universal digital certificate format and a binary format that can be converted into PEM or ASN1 format.

Procedure

  1. Upload the digital certificate and private key file.

    You can upload the digital certificate and private key file using SFTP or other modes and save them to the security directory. If this directory does not exist, run the mkdir security command to create it. For the procedure for uploading files, see Local File Management.

    NOTE:

    After the files are uploaded to the device, run the dir command in the user view to check if the uploaded files are the same size as those on the file server. If not, an error may have occurred. Upload the files again.

  2. Configure an SSL policy and load the digital certificate.
    1. Run:

      system-view

      The system view is displayed.

    2. (Optional) Customize SSL cipher suite.

      1. Run:

        ssl cipher-suite-list customization-policy-name

        An SSL cipher suite policy is customized and the view of the cipher suite policy is displayed. If the SSL cipher suite policy already exists, the command directly displays its view.

        By default, no customized SSL cipher suite policy is configured.

        To improve system security, the device only supports secure algorithms. To improve compatibility, the device also allows you to customize cipher suite policies. To customize a cipher suite policy, run the ssl cipher-suite command.

      2. Run:

        set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_256_cbc_sha256 }

        The cipher suite for a customized SSL cipher suite policy is configured.

        By default, no customized SSL cipher suite policy is configured.

        To configure cipher suites for a customized SSL cipher suite policy, run the ssl cipher-suite-list command.

        If a customized SSL cipher suite policy is being referenced by an SSL policy, the cipher suites in the customized cipher suite policy can be added, modified, or partially deleted. Deleting all of the cipher suites is not allowed.

      3. Run:

        quit

        Return to the system view.

    3. Run:

      ssl policy policy-name

      An SSL policy is created and the SSL policy view is displayed.

    4. (Optional) Run:

      ssl minimum version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }

      The minimum version of an SSL policy is set.

      By default, the minimum version of an SSL policy is TLS1.1.

    5. (Optional) Run:

      binding cipher-suite-customization customization-policy-name

      A customized SSL cipher suite policy is bound to an SSL policy.

      By default, no customized cipher suite policy is bound to an SSL policy. Each SSL policy uses a default cipher suite.

      After a customized cipher suite policy is unbound from an SSL policy, the SSL policy uses one of the following default cipher suites:

      • tls1_ck_rsa_with_aes_256_sha
      • tls1_ck_rsa_with_aes_128_sha
      • tls1_ck_dhe_rsa_with_aes_256_sha
      • tls1_ck_dhe_dss_with_aes_256_sha
      • tls1_ck_dhe_rsa_with_aes_128_sha
      • tls1_ck_dhe_dss_with_aes_128_sha
      • tls12_ck_rsa_aes_256_cbc_sha256

      After a customized SSL cipher suite policy is bound to an SSL policy, the device uses an algorithm in the specified cipher suite to perform SSL negotiation.

      The customized cipher suite policy to be bound to an SSL policy contains cipher suites.

      If the cipher suite contains only one type of algorithm (RSA or DSS), the corresponding certificate must be loaded for the SSL policy. This facilitates SSL negotiation.

    6. Load the digital certificate and specify the private key file.

      Only one certificate or certificate chain can be loaded to an SSL policy. (A certificate chain is a list of trust certificates, starting from end entity's certificate and ending at the root CA certificate.) If a certificate or certificate chain has been loaded, run the undo certificate load command to unload the old certificate or certificate chain before loading a new one. Select the corresponding configuration based on the certificate type.

      NOTE:

      When loading a certificate or certificate chain to an SSL policy, ensure that the length of the key pair in the certificate or certificate chain does not exceed 2048 bits. If the key pair length exceeds 2048 bits, the certificate or certificate chain cannot be uploaded to the device.

      • Load a PEM certificate or certificate chain. Run either of the following commands based on whether a user obtains a digital certificate or certificate chain from the CA.
        • Run:

          certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code 

          A PEM digital certificate is loaded and the private key file is specified.

        • Run:

          certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code

          A PEM certificate chain is loaded and the private key file is specified.

      • Run:

        certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

        An ASN1 digital certificate is loaded and the private key file is specified.

      • Run:

        certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file key-filename } auth-code cipher auth-code

        A PFX digital certificate is loaded and the private key file is specified.

      NOTE:

      Before rolling V200R008 or a later version back to an earlier version, back up the SSL private key file.
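
The SSL policy settings in this guide can be audited from a saved configuration. The following Python code is an added example, not Huawei tooling: it flags a web server with no bound SSL policy, a policy with no loaded certificate, a minimum version below TLS 1.2, and the RC4 suite in a bound customized cipher suite policy, and it lists the web users who are administrators. It assumes the saved configuration lists the commands as this guide writes them, with sub-view commands indented under their view line; the sample configurations are constructed, and treating TLS 1.2 as the floor is this example's choice.

```python
import re

VERSIONS = ["ssl3.0", "tls1.0", "tls1.1", "tls1.2"]  # weakest to strongest
DEFAULT_MIN_VERSION = "tls1.1"         # device default stated in the guide
REQUIRED_MIN_VERSION = "tls1.2"        # this example's floor (RFC 8996 deprecates 1.0/1.1)
RC4_SUITE = "tls1_ck_rsa_rc4_128_sha"  # the RC4 suite in the guide's list (RFC 7465 bans RC4)
ADMIN_LEVEL = 3                        # level 3 and higher are administrators

# Constructed sample configurations (not from a real device).
WEAK_CONFIG = """\
ssl cipher-suite-list legacy
 set cipher-suite tls1_ck_rsa_with_aes_128_sha
 set cipher-suite tls1_ck_rsa_rc4_128_sha
#
ssl policy web
 ssl minimum version tls1.0
 binding cipher-suite-customization legacy
http secure-server ssl-policy web
aaa
 local-user admin privilege level 15
 local-user admin service-type http
 local-user noc privilege level 2
 local-user noc service-type http
"""

HARDENED_CONFIG = """\
ssl policy web
 ssl minimum version tls1.2
 certificate load pem-chain chain.pem key-pair rsa key-file key.pem auth-code cipher <ciphertext>
http secure-server ssl-policy web
aaa
 local-user netops privilege level 15
 local-user netops service-type http
"""


def parse_views(text):
    """Return [(view_line, [sub_commands])]; an indented line belongs to the view above it."""
    views = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0].isspace() and views:
            views[-1][1].append(line)
        else:
            views.append((line, []))
    return views


def audit(text):
    """Return (findings, web_admins); findings are (code, message) tuples."""
    suite_lists, policies, users, bound = {}, {}, {}, None
    for view, subs in parse_views(text):
        words = view.split()
        if view.startswith("ssl cipher-suite-list "):
            suite_lists[words[2]] = {s for sub in subs if sub.startswith("set cipher-suite ")
                                     for s in sub.split()[2:]}
        elif view.startswith("ssl policy "):
            pol = {"min": DEFAULT_MIN_VERSION, "cert": False, "suites": None}
            for sub in subs:
                if sub.startswith("ssl minimum version "):
                    pol["min"] = sub.split()[3]
                elif sub.startswith("certificate load "):
                    pol["cert"] = True
                elif sub.startswith("binding cipher-suite-customization "):
                    pol["suites"] = sub.split()[2]
            policies[words[2]] = pol
        elif view.startswith("http secure-server ssl-policy "):
            bound = words[3]
        elif view == "aaa":
            for sub in subs:
                m = re.match(r"local-user (\S+) (privilege level|service-type) (.+)", sub)
                if m and m.group(2) == "privilege level":
                    users.setdefault(m.group(1), {})["level"] = int(m.group(3))
                elif m:
                    users.setdefault(m.group(1), {})["http"] = "http" in m.group(3).split()
    findings = []
    pol = policies.get(bound)
    if bound is None:
        findings.append(("NO_SSL_POLICY", "default SSL policy and self-signed certificate in use"))
    elif pol is None:
        findings.append(("UNDEFINED_POLICY", f"bound SSL policy {bound} is not defined"))
    else:
        if not pol["cert"]:
            findings.append(("NO_CERT", f"policy {bound} loads no certificate"))
        if VERSIONS.index(pol["min"]) < VERSIONS.index(REQUIRED_MIN_VERSION):
            findings.append(("MIN_VERSION", f"policy {bound} allows {pol['min']}"))
        if RC4_SUITE in suite_lists.get(pol["suites"], set()):
            findings.append(("RC4", f"policy {bound} offers {RC4_SUITE}"))
    # Assumption: a user with no explicit privilege level is not an administrator.
    admins = sorted(n for n, u in users.items() if u.get("http") and u.get("level", 0) >= ADMIN_LEVEL)
    return findings, admins


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

A policy that omits ssl minimum version inherits the TLS1.1 default and is still flagged, so the hardened sample sets tls1.2 explicitly.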

Enabling the HTTPS Service

Context

Enabling the HTTPS service enhances device security and, through the connection timeout period, conserves web channel resources. To log in to the web system in secure mode, bind an SSL policy to the device and enable the HTTPS service. You can change the port number of the HTTPS server to prevent attackers from accessing the server using the default port number. In addition, you can set a timeout period for an HTTPS connection to prevent waste of web channel resources.

By default, only the HTTPS IPv4 service (not HTTPS IPv6) is enabled on a device. On the HTTPS server, port 443 is used, the timeout period of an HTTPS connection is 20 minutes, and login requests from all interfaces are accepted. If you use the HTTPS IPv4 service, default port number, default timeout period, and accept login requests from all interfaces, you only need to bind an SSL policy to the device. To use the HTTPS IPv6 service, you need to enable it first.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    http secure-server ssl-policy policy-name

    An SSL policy is bound to the device.

    policy-name specifies the SSL policy created in Configuring an SSL Policy and Loading a Digital Certificate.

  3. Run:

    http [ ipv6 ] secure-server enable

    The HTTPS service is enabled.

    By default, the HTTPS IPv4 service is enabled on a device while the HTTPS IPv6 service is disabled.

  4. Run:

    http [ ipv6 ] secure-server port port-number

    The port number of the HTTPS server is specified.

    The default port number of the HTTPS server is 443.

  5. Run:

    http server-source -i loopback interface-number

    A loopback interface is specified as the source interface of the HTTPS server.

    Before specifying a source interface for an HTTPS server, ensure that the loopback interface has been created. If the loopback interface is not created, the http server-source command cannot be correctly executed.

  6. Run:

    http timeout timeout

    A timeout period is set for HTTPS connections.

    The default timeout period is 20 minutes.

Configuring a Web User and Logging In to the Web System

Context

A web user account is configured with a user name, password, level, and access type. After the account is configured, enter the user name and password to log in to the web system.

NOTE:

The default upload/download directory is the root directory. You can modify the upload/download directory by running the corresponding command in the AAA view.

Procedure

  1. Configure a web user.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      local-user user-name password irreversible-cipher password

      A local user name and a password are configured.

      By default, the local user admin exists in the system, with the password admin@huawei.com.

    4. Run:

      local-user user-name service-type http

      The access type of the local user is set to HTTP.

      By default, no access type is configured for a local user.

    5. Run:

      local-user user-name privilege level level 

      The local user level is set.

      By default, the level of the local user admin is 15 and the user is an administrator.

      Only level 3 users and higher are administrators with management rights. Level 2 users and below are monitoring users. Administrator users have all operation rights of a web page, and monitoring users can only perform ping and tracert operations.

      After logging in to the web system, monitoring users receive a message that shows their current level and prompts them to raise their user level. Figure 1-13 and Figure 1-14 show the message displayed on the Classics and EasyOperation versions.

      Figure 1-13  Message received by a monitoring user logging in to the Classics web system
      Figure 1-14  Message received by a monitoring user logging in to the EasyOperation web system

  2. Log in to the web system.
    1. Open the web browser on a PC, enter https:// IP address in the address box, and press Enter. The web system login page is displayed. Enter the web user name and password and select a language for the web system, as shown in Figure 1-15.

      IP address specifies the device's management IP address, which can be an IPv4 or IPv6 address, depending on the HTTPS service type.

      To ensure compatibility, a user logging in through HTTP is redirected to https:// IP address if the user enters http:// IP address in the address box.

      Figure 1-15  Web system login page
      NOTE:
      • The operating system required for web system login must be the Windows 7.0, Windows 8.0, Windows 8.1, Windows 10.0, or iOS operating system. The iOS operating system supports only login to the EasyOperation web system, but does not support file uploading and downloading.
      • To log in to the EasyOperation Web system, you must use Microsoft Edge, Internet Explorer 11.0, Firefox 39.0 to 49.0, or Google Chrome 39.0 to 54.0. To log in to the Classic Web system, you must use Internet Explorer 11.0, or Firefox 39.0 to 49.0. If the browser version or browser patch version is not within the preceding ranges, the web page may not be properly displayed. Upgrade the browser and browser patch. In addition, the browser must support JavaScript.
      • When logging in to the web system using the Internet Explorer, ensure that active scripting in the Security tab page is enabled; otherwise, an exception may occur during web system login.
      • The best resolution of the display for web system login is 1316px. If the resolution is less than 1280px, the system displays a prompt message.
      • By default, the earliest SSL version used in SSL policies on the device is TLS1.1. When logging in to the device through the web system, ensure that the SSL version supported by the browser is the same as that supported by the device; otherwise, an exception may occur during web system login. It is recommended that you upgrade the browser based on the displayed page or modify the SSL configuration. Take the Internet Explorer as an example. Choose Tools > Internet Options, and click the Advanced tab to view and select the SSL version.
      • If you use Internet Explorer 8.0 running on Windows XP to log in to the web system, you must configure the RC4 algorithm for the customized SSL cipher suite policy. Otherwise, you will be unable to log in to the web system. To perform this configuration, run the set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_256_cbc_sha256 } command.
      • The web system identifies device information based on the Item value in the device's electronic label, but the device hardware driver determines whether to start the device based on the BarCode value. Since the values of BarCode and Item may not be the same, the web system may not read or display the card information.
      • The web system does not support back, forward, and refresh buttons of the browser. You may return to the login page when you use the buttons.
      • If you log in to the Web systems with the same IP address through multiple windows on a browser, only the latest login is saved. If the Web systems have the same IP address and the same port number, the latest login account is displayed on earlier web pages after all the windows are refreshed. If the Web systems have the same IP address but different port numbers, timeout messages are displayed on earlier web pages after all the windows are refreshed.
      • If the software version of the device changes (for example, the device software is upgraded or rolled back), clear the browser cache before using the web system. Otherwise, the web page may be displayed incorrectly.
      • You can click Open Source software Notice to view details of the open source software notice.

    2. Select the layout of the web system.

      The EasyOperation version provides rich graphics and a more user-friendly UI on which users can perform monitoring, configuration, maintenance, and other network operations. The Classics version inherits the web page style of Huawei switches and provides comprehensive configuration and management functions.

      The EasyOperation version is used by default.

    3. Access the password change page of the web system.

      On the web system login page, click GO or press Enter to access the password change page, as shown in Figure 1-16. Change the password and re-log in to the web system as prompted. You can manage and maintain the device after logging in to the web system.

      Figure 1-16  Password change page of the web system
      NOTE:
      • The password change page is displayed during the login process only the first time you log in to the web system.
      • The password change page is also displayed if your password will expire or has expired. To access the web system main page, you must change the password.
      • For security purposes, a password must contain at least two types of the following: lowercase letters, uppercase letters, digits, and special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').

    4. (Optional) Change the default user password.

      If you are logged in as an administrator and the password of the default user admin is admin@huawei.com, the system prompts you to change this password. Figure 1-17 shows the prompt. Click Confirm to display the User Management page on which you can change the password of the default user. Changing this password is recommended to improve security.

      Figure 1-17  Changing the default user
      NOTE:
      • The dialog box is displayed only when you log in to the web system as an administrator user (level 3 or higher).

      • A secure password should contain at least two of the following: lowercase letters, uppercase letters, numerals, special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').

Checking the Configuration of Configuring Device Login Through the Web System

Context

After completing the configuration, run the following commands in any view on the CLI to check information about the SSL policy, loaded digital certificate, online web users, and current HTTPS server.

Procedure

  • Run the display ssl policy [ policy-name ] command to check the configured SSL policy and loaded digital certificate.
  • Run the display http user [ username username ] command to check online web user information.
  • Run the display http server command to check current HTTPS server information.

Configuring Access Control on Web Users

Context

To further enhance security, you can configure an HTTPS access control list to allow only specified web users to log in to the device. You can also run a command to force idle users offline so that they do not occupy resources for too long.

ACL/ACL6 rules:
  • If the ACL/ACL6 rule is permit, clients matching the rule are permitted to set up HTTPS connections with the local device.

  • If the ACL/ACL6 rule is deny, clients matching the rule are forbidden to set up HTTPS connections with the local device.

  • If an ACL/ACL6 rule is configured but packets from a client do not match the rule, the client is not allowed to set up HTTPS connections with the local device.

  • If no ACL/ACL6 rule is configured, any clients are permitted to set up HTTPS connections with the local device.
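
The four matching rules above can be checked offline before an ACL is bound with the http acl command. The following Python code is an added example, not part of the Huawei guide or the device software: it parses basic ACL rule lines in the syntax shown in the procedure and returns the decision for a client address. The ACL content is constructed sample data, and evaluation in ascending rule-id order is an assumption.

```python
import ipaddress
import re

# Constructed sample: a basic ACL written with the rule syntax from the
# procedure (rule [ rule-id ] { deny | permit } [ source ... ]).
SAMPLE_ACL = """\
acl number 2001
 rule 5 deny source 192.168.0.66 0.0.0.0
 rule 10 permit source 192.168.0.0 0.0.0.255
 rule 15 permit source 10.1.1.8 0.0.0.3
"""

RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\b(.*)$")
SOURCE_RE = re.compile(r"\bsource\s+(?:any\b|(\S+)\s+(\S+))")


def parse_basic_acl(text):
    """Parse 'rule' lines into (rule_id, action, address, wildcard) tuples."""
    rules = []
    for line in text.splitlines():
        head = RULE_RE.match(line)
        if not head:
            continue  # "acl number ..." and any other non-rule line
        rule_id, action, rest = int(head.group(1)), head.group(2), head.group(3)
        src = SOURCE_RE.search(rest)
        if src is None or src.group(1) is None:
            # No source clause, or "source any": every client address matches.
            address, wildcard = 0, 0xFFFFFFFF
        else:
            address = int(ipaddress.IPv4Address(src.group(1)))
            # Wildcard bits set to 1 are ignored when comparing addresses.
            # The short form "0" is treated here as 0.0.0.0 (one host).
            if src.group(2) == "0":
                wildcard = 0
            else:
                wildcard = int(ipaddress.IPv4Address(src.group(2)))
        rules.append((rule_id, action, address, wildcard))
    # Assumption: rules are evaluated in ascending rule-id order.
    return sorted(rules)


def https_access(client_ip, rules):
    """Return (decision, matching rule-id or None) for one client address."""
    if not rules:
        # No ACL rule configured: any client may set up an HTTPS connection.
        return ("permit", None)
    client = int(ipaddress.IPv4Address(client_ip))
    for rule_id, action, address, wildcard in rules:
        if ((client ^ address) & ~wildcard & 0xFFFFFFFF) == 0:
            return (action, rule_id)
    # Rules exist but none matched: the connection is not allowed.
    return ("deny", None)


if __name__ == "__main__":
    acl = parse_basic_acl(SAMPLE_ACL)
    for ip in ("192.168.0.66", "192.168.0.10", "10.1.1.9", "10.1.1.12"):
        print(ip, https_access(ip, acl))
```

The last address in the loop falls outside every rule, which is the case that surprises administrators who add a single permit rule and lose access from every other management station.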

Procedure

  1. Run the system-view command to enter the system view.
  2. Configure an ACL/ACL6 on the HTTPS server.

    • Configure an HTTPS IPv4 ACL as follows:
      1. Run the acl [ number ] acl-number command to enter the ACL view.

        HTTPS IPv4 supports basic and advanced ACLs. If a basic ACL is configured, the value of acl-number ranges from 2000 to 2999. If an advanced ACL is configured, the value of acl-number ranges from 3000 to 3999.

      2. Configure an ACL.

        The commands for configuring basic and advanced ACLs are different.

        • Command for configuring a basic ACL:

          rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *

        • Command for configuring an advanced ACL:

          rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

      3. Run the quit command to return to the system view.

      4. Run the http acl acl-number command to configure an HTTPS IPv4 ACL.

        By default, no ACL is configured on the HTTPS IPv4 server, that is, all web clients can set up HTTPS IPv4 connections with the server.

    • Configure an HTTPS IPv6 ACL6 as follows:
      1. Run the acl ipv6 [ number ] acl6-number command to enter the ACL6 view.

        HTTPS IPv6 supports basic and advanced ACL6s. If a basic ACL6 is configured, the value of acl6-number ranges from 2000 to 2999. If an advanced ACL6 is configured, the value of acl6-number ranges from 3000 to 3999.

      2. Configure an ACL6.

        The commands for configuring basic and advanced ACL6s are different.

        • Command for configuring a basic ACL6:

          rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

        • Command for configuring an advanced ACL6:

          rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

      3. Run the quit command to return to the system view.

      4. Run the http ipv6 acl acl6-number command to configure an HTTPS IPv6 ACL6.

        By default, no ACL6 is configured on the HTTPS IPv6 server, that is, all web clients can set up HTTPS IPv6 connections with the server.

  3. (Optional) Run the free http user-id user-id command to force a web user offline.

    Currently, the device supports a maximum of five concurrent online web users. The value of user-id ranges from 89 to 93. If a user occupies the web channel resources but performs no operation in a long time, other users may fail to log in. To prevent this situation, run the command to force idle web users to go offline and release the occupied channel resources.

Web System Login Configuration Examples

Example for Configuring Device Login Through the Web System (Secure Mode)
Networking Requirements

As shown in Figure 1-18, the device functions as an HTTPS server (an HTTPS IPv4 server is used as an example in this section) and is reachable from the PC. The management IP address of the HTTPS server is 192.168.0.1/24.

Users want to manage and maintain the device through the web system and have high security requirements. They have obtained the server digital certificate 1_servercert_pem_dsa.pem and private key file 1_serverkey_pem_dsa.pem from the CA.

Figure 1-18  Networking diagram for configuring device login through the web system (secure mode)

Configuration Roadmap

Loading an independent web page file is used as an example in this section. The configuration roadmap is as follows:

  1. Securely upload necessary files to the server through SFTP, including the web page file, server digital certificate, and private key file.

  2. Load the web page file and digital certificate.

  3. Bind an SSL policy and enable the HTTPS service.

  4. Configure a web user and enter the web login page.

Procedure

  1. Upload files to the device through SFTP.

    # Generate a local key pair on the server and enable the SFTP server function.

    <HUAWEI> system-view
    [HUAWEI] sysname HTTPS-Server
    [HTTPS-Server] dsa local-key-pair create
    Info: The key name will be: HTTPS-Server_Host_DSA.
    Info: The key modulus can be any one of the following : 1024, 2048.
    Info: If the key modulus is greater than 512, it may take a few minutes.
    Please input the modulus [default=2048]:2048
    Info: Generating keys...
    Info: Succeeded in creating the DSA host keys. 
    [HTTPS-Server] sftp server enable

    # Configure the VTY user interface on the server.

    [HTTPS-Server] user-interface vty 0 4
    [HTTPS-Server-ui-vty0-4] authentication-mode aaa
    [HTTPS-Server-ui-vty0-4] protocol inbound ssh
    [HTTPS-Server-ui-vty0-4] quit

    # Configure an SSH user, including its authentication mode, service type, service authorized directory and password, user level, and access type.

    [HTTPS-Server] ssh user client001 authentication-type password
    [HTTPS-Server] ssh user client001 service-type sftp
    [HTTPS-Server] ssh user client001 sftp-directory flash:
    [HTTPS-Server] aaa
    [HTTPS-Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
    [HTTPS-Server-aaa] local-user client001 privilege level 15
    [HTTPS-Server-aaa] local-user client001 service-type ssh
    [HTTPS-Server-aaa] quit
    [HTTPS-Server] quit

    # Log in to the HTTPS server through SFTP from the terminal and upload the digital certificate and web page file to the server.

    The SSH client software must be installed on the terminal before login. Third-party software OpenSSH and Windows Command Prompt window are used as examples in this section.

    NOTE:
    • Ensure that the OpenSSH version you use is compatible with the terminal's operating system; otherwise, you may fail to log in to the switch through SFTP.
    • For details on how to install OpenSSH, see the instruction of the software.

    • You need to use OpenSSH commands for login through OpenSSH. For details on how to use the OpenSSH commands, see the help document of the software.

    • OpenSSH commands can be used in the Windows Command Prompt window only after the OpenSSH software is installed.

    Open the Windows Command Prompt window and run the sftp client001@192.168.0.1 command to enter the working directory of the SFTP server. You can access the device through SFTP. (The following information is for reference only.)

    C:\Documents and Settings\Administrator> sftp client001@192.168.0.1
    Connecting to 192.168.0.1...
    The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
    DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.0.1' (DSA) to the list of known hosts.
    User Authentication
    Password:
    sftp>

    Upload the digital certificate and web page file from the terminal to the server.

    sftp> put web.7z
    Uploading web.7z to /web.7z 
    web.7z                              100%   1308478   4.6KB/s   00:11
    sftp> put 1_servercert_pem_dsa.pem
    Uploading 1_servercert_pem_dsa.pem to /1_servercert_pem_dsa.pem 
    1_servercert_pem_dsa.pem            100%   1302      4.6KB/s   00:02
    
    sftp> put 1_serverkey_pem_dsa.pem
    Uploading 1_serverkey_pem_dsa.pem to /1_serverkey_pem_dsa.pem 
    1_serverkey_pem_dsa.pem             100%   951       4.6KB/s   00:01

    # Run the dir command on the device to check whether the digital certificate and web page file exist in the current storage directory.

    NOTE:

    If the sizes of the digital certificate and web page file in the current storage directory are different from sizes of those on the server, an error may have occurred during file transfer. Upload the files again.

    # Create the subdirectory security on the server and copy the digital certificate and private key file to the subdirectory.

    <HTTPS-Server> mkdir security
    <HTTPS-Server> copy 1_servercert_pem_dsa.pem security
    <HTTPS-Server> copy 1_serverkey_pem_dsa.pem security

    # Run the dir command in the security subdirectory to check the digital certificate.

    <HTTPS-Server> cd security
    <HTTPS-Server> dir
    Directory of flash:/security/
    
      Idx  Attr     Size(Byte)  Date        Time       FileName
        0  -rw-          1,302  Apr 13 2011 14:29:31   1_servercert_pem_dsa.pem
        1  -rw-            951  Apr 13 2011 14:29:49   1_serverkey_pem_dsa.pem
    
    65,233 KB total (7,287 KB free)

  2. Load the web page file and digital certificate.

    # Load the web page file.

    <HTTPS-Server> system-view
    [HTTPS-Server] http server load web.7z

    # Create an SSL policy and load the PEM digital certificate.

    [HTTPS-Server] ssl policy http_server
    [HTTPS-Server-ssl-policy-http_server] certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code cipher 123456
    [HTTPS-Server-ssl-policy-http_server] quit

    # After the preceding configurations are complete, run the display ssl policy command on the HTTPS server to check detailed information about the loaded certificate.

    [HTTPS-Server] display ssl policy
    
           SSL Policy Name: http_server
         Policy Applicants: Config-Webs
             Key-pair Type: DSA
     Certificate File Type: PEM
          Certificate Type: certificate
      Certificate Filename: 1_servercert_pem_dsa.pem
         Key-file Filename: 1_serverkey_pem_dsa.pem
                 Auth-code: ******
                       MAC:
                  CRL File:
           Trusted-CA File:
               Issuer Name:
       Validity Not Before:
        Validity Not After:

  3. Bind an SSL policy to the device and enable the HTTPS service.

    # Bind an SSL policy to the device.

    [HTTPS-Server] http secure-server ssl-policy http_server

    # Enable the HTTPS service.

    [HTTPS-Server] http secure-server enable

  4. Configure a web user and enter the web login page.

    # Configure a web user.

    [HTTPS-Server] aaa
    [HTTPS-Server-aaa] local-user admin password irreversible-cipher Helloworld@6789
    [HTTPS-Server-aaa] local-user admin privilege level 15
    [HTTPS-Server-aaa] local-user admin service-type http
    [HTTPS-Server-aaa] quit
    NOTE:

    Before configuring a web user, you can run the display this command in the AAA view to check user names of local users. Ensure that the user name of the configured web user does not conflict with that of an existing local user. Otherwise, the new web user will overwrite the existing local user.

    # Enter the web login page.

    Open the web browser on the PC, enter https://192.168.0.1 in the address box, and press Enter to enter the web login page, as shown in Figure 1-19.

    Enter the web user name and password and click GO or press Enter to enter the web system home page.

    Figure 1-19  Web system login page

  5. Verify the configuration.

    After the configurations are complete, you can log in to the device through the web system.

    Run the display http server command on the device to check the SSL policy name and the HTTPS server status.

    [HTTPS-Server] display http server
       HTTP Server Status              : enabled
       HTTP Server Port                : 80(80)
       HTTP Timeout Interval           : 20
       Current Online Users            : 1
       Maximum Users Allowed           : 5
       HTTP Secure-server Status       : enabled
       HTTP Secure-server Port         : 443(443)
       HTTP SSL Policy                 : http_server
       HTTP IPv6 Server Status         : disabled
       HTTP IPv6 Server Port           : 80(80)
       HTTP IPv6 Secure-server Status  : disabled
       HTTP IPv6 Secure-server Port    : 443(443)
       HTTP server source address      : 0.0.0.0

Configuration Files

HTTPS-Server configuration file

#
sysname HTTPS-Server
#
http server load web.7z
http secure-server ssl-policy http_server
#
aaa
 local-user admin password irreversible-cipher $1a$#R!d3>ji-.u1+N2gSK>3&2P1AM6jfU:"x/3g[5U,lvqP+sf=70+%^E7,,SF7$
 local-user admin privilege level 15
 local-user admin service-type http
 local-user client001 password irreversible-cipher $1a$L@[C7B11%"H&\fS;qETS`zGI#RyJ%+A2KzP'.k[0tQ{=Cq5s43s&f^L\In6K$
 local-user client001 privilege level 15
 local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 4
 authentication-mode aaa
#
ssl policy http_server
 certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code cipher %^%#0|:yF=]P~Afis516)rO,3Yu<@/3e]KFg.q@LG50%%^%#
#
return

Web System Login Common Misconfigurations

Web System Login Failure
Symptom

The device and client can ping each other, but users cannot log in to the device through the web system.

Procedure

  1. Check whether the HTTPS service is enabled.

    • HTTPS IPv4:

      By default, the HTTPS IPv4 service is enabled. Run the display this command in the system view to check whether the undo http secure-server enable command configuration exists. If it does, the HTTPS IPv4 service is disabled.

      You can run the http secure-server enable command in the system view to enable the HTTPS IPv4 service.

    • HTTPS IPv6:

      By default, the HTTPS IPv6 service is disabled. You can run the http ipv6 secure-server enable command in the system view to enable the HTTPS IPv6 service.

  2. Check whether the number of online web users is at its maximum.

    Run the display http user command on the device to check whether the number of current online web users has reached 5.

    Currently, the device supports a maximum of five concurrent online web users. If an idle user occupies web channel resources, other users may fail to log in. You can run the free http user-id user-id command to force the user offline.

  3. Check whether access control is configured for web users on the device.

    • HTTPS IPv4:

      Run the display this command in the system view to check whether the http acl acl-number command configuration exists. If so, record the value of acl-number.

      Run the display acl acl-number command in any view to check whether the IPv4 address of the web client is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule. Then, modify the ACL and permit the IPv4 address of the web client.

    • HTTPS IPv6:

      Run the display this command in the system view to check whether the http ipv6 acl acl6-number command configuration exists. If so, record the value of acl6-number.

      Run the display acl ipv6 acl6-number command in any view to check whether the IPv6 address of the web client is denied in the ACL. If so, run the undo rule rule-id command in the ACL6 view to delete the deny rule. Then, modify the ACL6 and permit the IPv6 address of the web client.

  4. Check whether the web user access type is correct.

    Run the display this command in the AAA view to check whether the access type of the web user is HTTP. If local-user user-name service-type http exists in the command output, the access type of user-name is HTTP. If local-user user-name service-type http does not exist in the command output, run the local-user user-name service-type http command in the AAA view to set the access type of the web user to HTTP.
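
The checks in this procedure can also be run against a saved configuration file. The following Python code is an added example, not a Huawei tool: it reads a configuration in the format of the HTTPS-Server configuration file shown earlier and reports the HTTPS service state, the bound SSL policy, the HTTPS IPv4 ACL, and the role of each web user. The configuration text is constructed sample data with cipher strings replaced by placeholders, and the user monitor01 is hypothetical.

```python
import re

# Constructed configuration, modelled on the HTTPS-Server configuration file.
# Cipher strings are placeholders; monitor01 is a hypothetical user.
SAMPLE_CONFIG = """\
#
sysname HTTPS-Server
#
http server load web.7z
http secure-server ssl-policy http_server
#
aaa
 local-user admin password irreversible-cipher <placeholder>
 local-user admin privilege level 15
 local-user admin service-type http
 local-user monitor01 password irreversible-cipher <placeholder>
 local-user monitor01 privilege level 2
 local-user monitor01 service-type http
 local-user client001 password irreversible-cipher <placeholder>
 local-user client001 privilege level 15
 local-user client001 service-type ssh
#
ssl policy http_server
 certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code cipher <placeholder>
#
return
"""


def audit_web_login(config):
    """Apply the web login checks to a configuration and return a report."""
    ssl_policy = ipv4_acl = None
    ipv4_enabled = True          # the HTTPS IPv4 service is enabled by default
    section = ""                 # most recent unindented line (current view)
    policies_with_cert = set()
    levels, web_users = {}, set()

    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            section = line
        if line == "undo http secure-server enable":
            ipv4_enabled = False
        m = re.fullmatch(r"http secure-server ssl-policy (\S+)", line)
        if m:
            ssl_policy = m.group(1)
        m = re.fullmatch(r"http acl (\d+)", line)
        if m:
            ipv4_acl = int(m.group(1))
        if line.startswith("certificate load ") and section.startswith("ssl policy "):
            policies_with_cert.add(section.split()[2])
        m = re.fullmatch(r"local-user (\S+) privilege level (\d+)", line)
        if m:
            levels[m.group(1)] = int(m.group(2))
        m = re.fullmatch(r"local-user (\S+) service-type (.+)", line)
        if m and "http" in m.group(2).split():
            web_users.add(m.group(1))

    # Level 3 and higher: administrator. Level 2 and below: monitoring user.
    roles = {}
    for user in sorted(web_users):
        level = levels.get(user)
        if level is None:
            roles[user] = "level not set"
        else:
            roles[user] = "administrator" if level >= 3 else "monitoring"

    findings = []
    if not ipv4_enabled:
        findings.append("HTTPS IPv4 service is disabled (undo http secure-server enable)")
    if ssl_policy is None:
        findings.append("no SSL policy is bound to the HTTPS server")
    elif ssl_policy not in policies_with_cert:
        findings.append("SSL policy %s has no certificate loaded" % ssl_policy)
    if ipv4_acl is None:
        findings.append("no http acl is configured: all web clients can connect")
    if not web_users:
        findings.append("no local user has service-type http")
    for user, role in roles.items():
        if role == "monitoring":
            findings.append("%s is a monitoring user (ping and tracert only)" % user)

    return {"https_ipv4_enabled": ipv4_enabled, "ssl_policy": ssl_policy,
            "ipv4_acl": ipv4_acl, "web_users": roles, "findings": findings}


if __name__ == "__main__":
    for finding in audit_web_login(SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```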

FAQ

How Do I Obtain the Web Page File?

If the system software of the switch contains a web page file that is loaded, you do not need to obtain a web page file again. If the system software does not contain a web page file or you need to upgrade the web page file, log in to the Huawei official website to download a separate web page file and upload the web page file to the switch.

To obtain a web page file, log in to the Huawei enterprise support website (http://support.huawei.com/enterprise), choose the product model and version, and select a patch version under Public Patch in V and R Version to download the required web page file. The file name is in the format of product name-software version number.web page file version number.web.7z.

After downloading the file, compare the downloaded web page file with that on the website to check whether their sizes are the same. If not, an error may have occurred during file download. Download the file again.

Why Are Only a Few Options Available on the Web System?

The user level of the login web user is low.

Web users of level 2 or lower are monitoring users and can use only the ping and tracert functions. Web users of level 3 or higher are administrator users and have all operation rights of a web page.

You can run the local-user user-name privilege level level command in AAA view to set the user level of the login user to level 3 or higher. The login user then has all operation rights of a web page.

How Do I Change the Password for Web Login?

If you forget or want to change the web login password, log in to the switch through the console port, Telnet, or STelnet and set a new password after login.

The Telnet protocol has security vulnerabilities. It is recommended that you log in to the device through the console port or using STelnet V2.

# Set the user name and password to admin123 and Huawei@123, respectively.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin123 password irreversible-cipher Huawei@123
[HUAWEI-aaa] local-user admin123 service-type http
[HUAWEI-aaa] local-user admin123 privilege level 15
[HUAWEI-aaa] return
<HUAWEI> save

What Is the Difference Between Web and HTTP?

Hypertext Transfer Protocol (HTTP) is used to transfer web page files over the Internet. It runs at the application layer of the TCP/IP protocol stack. The transport layer uses the connection-oriented TCP protocol.

In summary, HTTP is a protocol while web is a device management method. Using the web system to manage and maintain devices requires the HTTP protocol.

Updated: 2019-08-21

Document ID: EDOC1000114003
