Configuration Examples for Routers in Typical Enterprise Scenarios 4.0

Logging In to a Device

Logging In to a Device for the First Time

This example describes operations to perform after logging in to a device for the first time.

Applicable Products and Versions

All router products running V8

Precautions

For details, see the corresponding descriptions in this document.

Prerequisites

  • A terminal emulation program, such as PuTTY.exe, has been installed on the PC.
  • Serial cables have been prepared for logging in to the device through the console port.

  • No license items are required in this scenario.

Networking Requirements

You can log in to a device that is being powered on for the first time through the console port. This is the most basic login mode.

If STelnet is used to log in to a device that is powered on for the first time:

  • The IP address of the management interface (GE 0/0/0 or Ethernet 0/0/0) is 192.168.0.1.
  • If the device has accessed the network when it is powered on for the first time, the IP address 192.168.0.1 is automatically changed to the IP address obtained through DHCP during the startup.
  • By default, the username is root, and the password is Changeme_123. After logging in to the device, change the password promptly.

Procedure

  1. Power on all devices and ensure that the self-check is normal.
  2. Connect a COM port on a PC to the console port of the device through a cable.

    • If the device does not have a console port (ETH/OAM management port), use non-standard serial cables.

    • The PC may have multiple connection ports. You must select the port connected to the console cable. Generally, COM1 is selected. If the serial port communication parameters of the device are modified, change the communication parameters on the PC to be consistent with those of the device and then reconnect the device.

  3. Run the terminal emulation program (for example, PuTTY.exe) on the PC, create a connection, and set Connection type to Serial, as shown in Figure 1-54.

    Figure 1-54 New connection

  4. Set communication parameters, as shown in Figure 1-55.

    Figure 1-55 Communication parameters

  5. After the connection is set up, the system prompts you to set the authentication password, as shown in Figure 1-56. After the password is configured, the system automatically saves it.

    Figure 1-56 Login screen

    Then, the device displays a prompt, for example, <HUAWEI>, indicating the user view.

    You can enter commands to configure the device or view its running status. Enter a question mark (?) when you need help.

Using STelnet (SSH) to Remotely Log In to a Device

This section describes how to use STelnet (SSH) to remotely and securely log in to a device.

Applicable Products and Versions

All router products running V8

Precautions

If SSH is configured as the login protocol, the device automatically disables the Telnet function.

Prerequisites

  • The device is operating properly.
  • An IP address has been configured for the desired interface of the device through the console port.
  • The terminal and device are directly connected, or there is a reachable route between the terminal and device.
  • No license items are required in this scenario.

Networking Requirements

An enterprise has high security requirements, requiring strict authentication and authorization on device login and CLI permissions.

Configuration Roadmap

In scenarios with high network security requirements, SSH is recommended, and AAA can be used for authentication and authorization. To prevent user information loss due to causes such as hardware damage, you are advised to combine local authentication and remote server authentication. The authentication protocol can be RADIUS or HWTACACS. This example uses HWTACACS, which supports CLI authorization and offers higher security by encrypting all traffic.

Table 1-107 Data planning

  Parameter               Planned Value
  Protocol                SSH
  Authentication type     Password authentication
  Authentication method   AAA
  Authentication mode     Local authentication first and then HWTACACS authentication
  CLI authorization mode  HWTACACS authorization first and then local authorization

Procedure

  1. Configure a VTY user interface.

    #
    acl name ACL_VTY basic       //Create a basic ACL.
     description ACL_FOR_VTY    //Configure a description for the ACL to prevent misuse of the ACL.
     rule 10 permit vpn-instance MGT source 10.7.16.0 0.0.0.255  //Allow a user at 10.7.16.0/24 to log in to the device.
     rule 20 permit vpn-instance MGT source 10.8.34.135 0      //Allow a user at 10.8.34.135/32 to log in to the device.
     .... //Add the IP addresses of other users who are allowed to log in as required.
    #
    user-interface vty 0 14
     acl ACL_VTY inbound          //Configure permission control on the user interface to allow only users who satisfy a specified ACL rule to access the device.
     authentication-mode aaa      //Specify the authentication mode as AAA authentication.
     idle-timeout 5 0             //Set the VTY interface to be disconnected if it is idle for more than 5 minutes 0 seconds.
     protocol inbound ssh         //Set the VTY interface to support only the SSH protocol.
    #

  2. Configure AAA user management.
    1. Configure HWTACACS.

      #
      hwtacacs-server template for_aaa             //Configure an HWTACACS server template.
       hwtacacs-server authentication 10.7.35.63 vpn-instance MGT  //Set the IP address of the primary HWTACACS authentication server.
       hwtacacs-server authentication 10.7.35.64 vpn-instance MGT secondary  //Set the IP address of the secondary HWTACACS authentication server.
       hwtacacs-server authorization 10.7.35.63 vpn-instance MGT       //Set the IP address of the primary HWTACACS authorization server.
       hwtacacs-server authorization 10.7.35.64 vpn-instance MGT secondary //Set the IP address of the secondary HWTACACS authorization server.
       hwtacacs-server shared-key cipher %^%#BG%G;uUm2ns<(X5@mt^%#2eIf1^Jqz#%^:,;N>D)`y4(#b%#  //Specify a shared key displayed in ciphertext.
       hwtacacs-server user-name original //Set the username format of the HWTACACS server to be the same as that entered by the user.
      #

    2. Configure AAA.

      #
      aaa
       local-user admin password irreversible-cipher %^%#8[*1[4M;$e{}F$iU6_f*MWX"I:7a)-e}F$i1[4M;$e{ M;$e{}F$"I:7a)$i    //Create a local user admin and set the login password of the user to an irreversible ciphertext key.
       local-user admin service-type ssh               //Configure the admin user to access only in SSH mode.
       local-user admin level 3                       //Set the level of admin to level 3 (management level).
       local-user admin state block fail-times 3 interval 5  //Set admin to be locked out for 5 minutes after three consecutive failed login attempts.
      .... //Add other users who are allowed to log in as required. For details, see the preceding configuration method of the admin user.
      #
       authentication-scheme default            //Configure an AAA authentication template.
        authentication-mode local hwtacacs      //Configure an authentication mode of local authentication first and then HWTACACS authentication.
       #
       authorization-scheme default            //Configure an AAA authorization template.
        authorization-mode local hwtacacs      //Configure an authorization mode of local authorization first and then HWTACACS authorization.
        authorization-cmd 0 hwtacacs local      //Set the level-0 CLI authorization mode to HWTACACS authorization first and then local authorization. That is, if the HWTACACS server does not respond, the CLI authorization is performed locally.
        authorization-cmd 1 hwtacacs local
        authorization-cmd 3 hwtacacs local
        authorization-cmd 15 hwtacacs local
      #
       domain default_admin
        authentication-scheme default          //Apply the configured AAA authentication template.
        authorization-scheme default           //Apply the configured AAA authorization template.
        accounting-scheme default              //Apply the default AAA accounting template.
        hwtacacs-server for_aaa                //Apply the configured HWTACACS server template.
      #

  3. Configure SSH user management.

    #
    ssh authentication-type default password   //Configure password authentication as the default authentication mode for SSH users.
    ssh user admin     //Create an SSH user named admin.
    ssh user admin authentication-type password  //Configure password authentication for the admin user.
    ssh user admin service-type stelnet          //Configure the service type for the admin user.
    … …  //Add other SSH users as required. For details, see the preceding configuration method of the admin user.
    ssh authorization-type default aaa       //Set the authorization type of SSH connections to AAA.
    #
    ssh client first-time enable      //Enable first-time authentication for the SSH client, so that the public key of the SSH server is not checked when a user logs in to the SSH server for the first time. After that login, the system saves the server's public key and uses it to verify the server upon the next login.
    #

  4. Enable the STelnet server function.

    #
    stelnet server enable
    #

  5. Verify SSH-based remote login.

    This section uses PuTTY running on a PC as an example to describe how to log in to a device.

    1. As shown in Figure 1-57, enter the IP address of the management interface (GE 0/0/0 or Ethernet 0/0/0), 192.168.0.1, as the host and set the connection type to SSH. For a non-box-shaped device, you need to configure the IP address of the management interface on the device to be logged in through the console port in advance.

      If STelnet is used to log in to a box-shaped device that is powered on for the first time:

      • The IP address of the management network port (GE 0/0/0 or Ethernet 0/0/0) is 192.168.0.1.
      • If the device has accessed the network when it is powered on for the first time, the IP address 192.168.0.1 is automatically changed to the IP address obtained through DHCP during the startup.
      • By default, the username is root, and the password is Changeme_123. After logging in to the device, change the default password promptly.
      Figure 1-57 Logging in to the device using PuTTY (1)

    2. Enter the username and password.

      Figure 1-58 Logging in to the device using PuTTY (2)
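The following Python check is an added example, not part of this document or of the device software: it parses a VRP-style configuration excerpt and verifies that the VTY, AAA and SSH settings this example specifies are present. SAMPLE_CONFIG is a constructed excerpt of the configuration above, and the check names are our own.

```python
import re
# Constructed excerpt (not the page's full configuration) of the items this example hardens.
SAMPLE_CONFIG = """\
user-interface vty 0 14
 acl ACL_VTY inbound
 authentication-mode aaa
 idle-timeout 5 0
 protocol inbound ssh
#
aaa
 local-user admin state block fail-times 3 interval 5
#
ssh authorization-type default aaa
#
ssh client first-time enable
#
stelnet server enable
"""
def blocks(config: str) -> dict[str, list[str]]:
    """Map each top-level command to its indented sub-commands; a '#' line ends a block."""
    out: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            current = None
        elif line.startswith(" ") and current is not None:
            out[current].append(line.strip())
        else:
            current = line.strip()
            out.setdefault(current, [])
    return out

def audit_remote_login(config: str) -> dict[str, bool]:
    """Return check name -> True when the configuration meets this example's requirement."""
    cfg = blocks(config)
    vty = [s for name, subs in cfg.items() if name.startswith("user-interface vty") for s in subs]
    timeout = next((re.match(r"idle-timeout (\d+) (\d+)", s) for s in vty if s.startswith("idle-timeout")), None)
    return {
        "vty_acl_inbound": any(re.fullmatch(r"acl \S+ inbound", s) for s in vty),  # only ACL-permitted sources
        "vty_authentication_aaa": "authentication-mode aaa" in vty,
        "vty_ssh_only": "protocol inbound ssh" in vty,  # excludes Telnet
        "vty_idle_timeout_set": bool(timeout) and (int(timeout[1]), int(timeout[2])) != (0, 0),  # 0 0 disables it
        "local_user_lockout": any(re.search(r"^local-user \S+ state block fail-times \d+", s) for s in cfg.get("aaa", [])),
        "ssh_authorization_aaa": "ssh authorization-type default aaa" in cfg,
        "stelnet_server_enabled": "stelnet server enable" in cfg,
        # First-time authentication skips host-key verification on the first connection.
        "ssh_client_host_key_checked": "ssh client first-time enable" not in cfg,
    }
```

The last check reports the trade-off of `ssh client first-time enable`: the device's SSH client accepts an unverified server key on its first outbound connection, so that result is expected to be False for this example's configuration.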

Update Date:2025-01-07
Document ID:EDOC1000120969