Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Logging In to the Device

A user can log in to the device through the console port, Telnet, or STelnet. After login, the device's working mode (Fat, Fit, or cloud mode) is displayed, and the user can perform common operations to manage and maintain the device.

Logging In to the Device Through a Console Port

Pre-configuration Tasks

Before logging in to the device through a console port, complete the following tasks:

  • Prepare the console cable.
  • Install the terminal emulation software on the PC.
    NOTE:

    You can use the terminal emulation software built into the PC (such as HyperTerminal in Windows 2000/XP). If no built-in terminal emulation software is available, use third-party terminal emulation software; for details, see its user guide or online help.

Default Configuration
Table 3-17  Default configuration of the device console port

  Parameter            Default Setting
  Transmission rate    9600 bit/s
  Flow control mode    None
  Parity bit           None
  Stop bit             1
  Data bit             8

Procedure

  1. Use the terminal simulation software to log in to the device through a console port.

    1. Insert the DB9 connector of the console cable to the 9-pin serial port on the PC, and insert the RJ45 connector to the console port of the device, as shown in Figure 3-7.

      Figure 3-7  Connecting to the device through the console port

    2. Start the terminal simulation software on the PC. Establish a connection, and set the connected port and communication parameters.

      NOTE:

      A PC may have multiple serial ports; select the port to which the console cable is connected. Generally, this is COM1.

      If the serial port communication parameters of the device are modified, modify the communication parameters on the PC accordingly (ensure that the parameter values are the same) and re-establish the connection.

    3. Press Enter until the system prompts you to enter the password. (In AAA authentication, the system prompts you to enter both a user name and a password. The following information is only for reference.)

      Login authentication
      
      Password:
      Info: Current mode: Fat (working independently).
      

      You can run commands to configure the device. Enter a question mark (?) whenever you need help.

Checking the Configuration
  • Run the display users [ all ] command to check the user log information on the user interface.
  • Run the display user-interface console 0 command to check the user interface information.
  • Run the display local-user command to check the local user attributes.
  • Run the display access-user command to check the online user information.

Logging In to the Device Through Telnet

Pre-configuration Tasks

Before logging in to the device through Telnet, configure routes between a terminal and the device.

Configuration Process

The Telnet protocol poses a security risk. It is recommended that you run the undo telnet server enable command to disable the Telnet service. The STelnet V2 mode is recommended.

Table 3-18 describes the tasks in the configuration process for login through Telnet.

Table 3-18  Tasks in the configuration process for login through Telnet

  1. Configuring the Telnet server functions and parameters
     Enable Telnet server functions and configure the server parameters.
  2. Configuring the Telnet user login interface
     Configure the user level, authentication mode, call-in and call-out permission, and other basic attributes for the VTY user interface.
  3. Configuring a local Telnet user (AAA authentication mode)
     Configure the user name and password when the AAA authentication mode is used.
  4. Logging in to the device through Telnet from a terminal
     Use the Telnet client software to log in to the device from a terminal.

  Tasks 1, 2, and 3 can be performed in any sequence.

Default Configuration
Table 3-19  Default settings of the parameters for logging in to the device through Telnet

  Parameter                                       Default Setting
  Telnet service                                  Upon factory delivery, the Telnet server is disabled
  Telnet server port number                       23
  VTY user interface authentication mode          No authentication mode
  Protocol supported by the VTY user interface    STelnet protocol
  User level                                      The default command access level for the VTY user interface is 0

NOTE:
When multiple users operate the device concurrently, configurations may conflict, which causes system errors. To prevent this problem, it is recommended that you run the config lock command in the system view to lock system configurations before performing device operations. After the device operation is complete, you can run the undo config lock command to unlock the system configurations.

Procedure

  • Configuring the Telnet server functions and parameters

    Before connecting to the device through Telnet from a user terminal, make sure that the Telnet service is enabled on the device.

    Table 3-20  Configuring the Telnet server functions and parameters
    Operation Command Description

    Enter the system view.

    system-view

    -

    Enable the Telnet service.

    telnet server enable

    Upon factory delivery, the Telnet service is disabled.

    (Optional) Configure the listening port of the Telnet server.

    telnet server port port-number

    The default listening port number is 23.

    After the listening port number of the Telnet server is changed, attackers do not know the new listening port number. This effectively prevents attackers from accessing the listening port.

    (Optional) Specify physical interfaces on the Telnet server to which clients can connect.

    telnet server permit interface { interface-type interface-number } &<1-5>

    By default, clients can connect to all the physical interfaces on the Telnet server.

  • Configuring the Telnet user login interface

    Configure the user level, call-in and call-out permission, and other basic attributes for the VTY user interface.

    Table 3-21  Configuring the Telnet user login interface
    Operation Command Description

    Enter the system view.

    system-view

    -

    Enter the VTY user interface view.

    user-interface vty first-ui-number [ last-ui-number ]

    -

    Configure the user level for the user interface.

    user privilege level level

    The default user level for the VTY user interface is 0.

    To run the commands of a higher level, configure a higher user level.

    If the user level configured for the user interface conflicts with the user's operation permission, the user permission takes precedence.

    Configure the user authentication mode.

    authentication-mode { password | aaa }

    The password and AAA authentication modes are supported. Configure either authentication mode as required.

    For details on the password authentication mode, see Configuring a user authentication mode for the VTY user interface. The AAA authentication mode is recommended.

    Configure the VTY user interface to support the Telnet protocol.

    protocol inbound { all | telnet }

    By default, the VTY user interface supports the SSH protocol.

    (Optional) Configure restrictions on ACL-based logins on the user interface.

    For details, see (Optional) Configuring Restrictions on ACL-based Logins on the VTY User Interface.

    By default, login permissions are not restricted.

    Configure this to prevent users at a certain address or address segment from logging in to the device, or to prevent users who have logged in to the device from logging in to another device from it.

    (Optional) Configure other attributes of the user interface.

    For details, see Configuring the Maximum Number of VTY User Interfaces and Configuring Terminal Attributes for the VTY User Interface.

    Use the default settings for other attributes of the VTY user interface. You can configure attributes based on the usage requirements.

  • Configuring a local Telnet user (AAA authentication mode)

    Configure the administrator's user name and password to ensure that only the administrator can log in to the device.

    Table 3-22  Configuring a local Telnet user (AAA authentication mode)
    Operation Command Description

    Enter the system view.

    system-view

    -

    Enter the AAA view.

    aaa

    -

    Configure the local user name and password.

    local-user user-name password irreversible-cipher password

    -

    Configure the service type for the local user.

    local-user user-name service-type telnet

    -

    Configure the level for the local user.

    local-user user-name privilege level level

    After login, a user can only run the commands at levels equal to or lower than the user level, which ensures the device security.

    If the user level configured for the user interface conflicts with the user's operation permission, the user permission takes precedence.

  • Logging in to the device through Telnet from a terminal

    You can use the Windows command prompt or third-party software to log in to the device through Telnet from a terminal. The Windows command prompt is used as an example.

    Perform the following operations on the terminal:

    1. Access the command line window.

    2. Run the telnet ip-address port command to log in to the device through Telnet.

      C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025
    3. Press Enter, and enter the user name and password configured for the AAA authentication mode in the login window. If authentication succeeds, the command-line prompt of the user view is displayed, indicating that you have logged in to the device. (The following information is only for reference.)

      Login authentication
      
      Username:admin1234
      Password:
      Info: Current mode: Fat (working independently).
      <Telnet Server>

Checking the Configuration
  • Run the display users [ all ] command to check the connections on the user interface.
  • Run the display tcp status command to check all TCP connections.
  • Run the display telnet server status command to check the current connections of the Telnet server.

Logging In to the Device Through STelnet

Pre-configuration Tasks

Before logging in to the device through STelnet, complete the following tasks:

  • Configure routes between a terminal and the device.
  • Install the SSH client software on the terminal.
Configuration Process

The STelnet V1 protocol poses a security risk, and therefore the STelnet V2 mode is recommended.

Table 3-23 describes the tasks in the configuration process for login through STelnet.

Table 3-23  Tasks in the configuration process for login through STelnet

  1. Configuring the STelnet server functions and parameters
     Generate the local server key pair, enable the STelnet server function, and set the server parameters, including the listening port, key pair updating interval, and SSH authentication timeout interval and retries.
  2. Configuring the SSH user login interface
     Configure the user level, authentication mode, whether to support the SSH protocol, and other basic attributes for the VTY user interface.
  3. Configuring an SSH user
     Configure the SSH user name, password, authentication mode, and service type.
  4. Logging in to the device through STelnet
     Use the SSH client software to log in to the device from a terminal.

  Tasks 1, 2, and 3 can be performed in any sequence.

Default Configuration
Table 3-24  Default settings of the parameters for logging in to the device through STelnet

  Parameter                                               Default Setting
  STelnet service                                         Enabled
  SSH server port number                                  22
  Interval for updating the SSH server key pair           0 hours, indicating that the key pair is never updated
  Timeout interval for SSH authentication                 60 seconds
  Maximum number of SSH authentication retries            3
  SSH server's compatibility with earlier versions        Disabled
  VTY user interface authentication mode                  No authentication mode
  Protocol supported by the VTY user interface            STelnet protocol
  SSH user authentication mode                            No authentication mode supported
  SSH user service type                                   No service type supported
  Whether the SSH server assigns a public key to a user   No public key assigned
  User level                                              The default command access level for the VTY user interface is 0

NOTE:
When multiple users operate the device concurrently, configurations may conflict, which causes system errors. To prevent this problem, it is recommended that you run the config lock command in the system view to lock system configurations before performing device operations. After the device operation is complete, you can run the undo config lock command to unlock the system configurations.

Procedure

  • Configuring the STelnet server functions and parameters

    Table 3-25  Configuring the STelnet server functions and parameters
    Operation Command Description

    Enter the system view.

    system-view

    -

    Generate a local key pair.

    rsa local-key-pair create or ecc local-key-pair create

    Run the display rsa local-key-pair public or display ecc local-key-pair public command to view the public key of the local RSA or ECC key pair. Configure the public key on the SSH server.

    NOTE:

    There are security risks if the configured local key pair length is smaller than 1024 bits. You are advised to use a local key pair of the default length, 2048 bits.

    Enable the STelnet service.

    stelnet server enable

    By default, the STelnet service is enabled.

    After you disable the STelnet service on the SSH server, all clients that have logged in through STelnet are disconnected.

    (Optional) Set the encryption algorithm list for the SSH server.

    ssh server secure-algorithms cipher { 3des | aes128 | aes128_ctr | aes256_cbc | aes256_ctr } *

    By default, an SSH server supports two encryption algorithms: AES128_CTR and AES256_CTR.

    An SSH server and a client need to negotiate an encryption algorithm for the packets exchanged between them. You can run the ssh server secure-algorithms cipher command to configure an encryption algorithm list for the SSH server. After the list is configured, the server matches the encryption algorithm list of a client against the local list after receiving a packet from the client and selects the first encryption algorithm that matches the local list. If no encryption algorithms in the list of the client match the local list, the negotiation fails.

    NOTE:

    Do not add 3des to the list because it provides the lowest security among the supported encryption algorithms.

    (Optional) Set the HMAC algorithm list for the SSH server.

    ssh server secure-algorithms hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

    By default, an SSH server supports the SHA2_256 HMAC algorithm.

    An SSH server and a client need to negotiate an HMAC algorithm for the packets exchanged between them. You can run the ssh server secure-algorithms hmac command to configure an HMAC algorithm list for the SSH server. After the list is configured, the server matches the HMAC algorithm list of a client against the local list after receiving a packet from the client and selects the first HMAC algorithm that matches the local list. If no HMAC algorithms in the list of the client match the local list, the negotiation fails.

    NOTE:

    Do not add md5, sha1, md5_96, sha1_96, or sha2_256_96 to the HMAC algorithm list because they provide the lowest security among the supported HMAC algorithms.

    (Optional) Set the key exchange algorithm list for the SSH server.

    ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

    By default, an SSH server supports the Diffie-hellman-group14-sha1 algorithm.

    The client and server negotiate the key exchange algorithm used for packet transmission. You can run the ssh server key-exchange command to configure a key exchange algorithm list on the SSH server. The SSH server compares the configured key exchange algorithm list with the counterpart sent by the client and then selects the first matched key exchange algorithm for packet transmission. If the key exchange algorithm list sent by the client does not match any algorithm in the key exchange algorithm list configured on the server, the negotiation fails.

    NOTE:
    The security levels of key exchange algorithms are as follows, from high to low: dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. The dh_group_exchange_sha1 algorithm is recommended.

    (Optional) Set the listening port of the SSH server.

    ssh server port port-number

    The default listening port number is 22.

    If a new listening port number is set, the SSH server terminates all established STelnet connections and listens for new STelnet connection requests on the new port. This prevents attackers from accessing the standard SSH service port and ensures security.

    (Optional) Set the interval for updating a key pair.

    ssh server rekey-interval hours

    The default interval for updating the SSH server key pair is 0, indicating that the key pair is never updated.

    The server key pair is automatically updated at the configured interval, which ensures security.

    (Optional) Set the SSH authentication timeout interval.

    ssh server timeout seconds

    The default timeout interval for SSH authentication is 60 seconds.

    If you have not logged in successfully within the timeout interval for SSH authentication, the current connection is terminated to ensure security.

    (Optional) Set the number of SSH authentication retries.

    ssh server authentication-retries times

    The default number of SSH authentication retries is 3.

    The number of SSH authentication retries is set to prevent access from unauthorized users.

    (Optional) Enable the compatibility with SSH protocols of earlier versions.

    ssh server compatible-ssh1x enable

    By default, the server's compatibility with earlier versions is disabled.

    (Optional) Specify physical interfaces on the SSH server to which clients can connect.

    ssh server permit interface { interface-type interface-number } &<1-5>

    By default, clients can connect to all the physical interfaces on the SSH server.

  • Configuring the SSH user login interface

    Configure the VTY user interface for login to support the SSH protocol before logging in to the device through SSH.

    Table 3-26  Configuring the SSH user login interface
    Operation Command Description

    Enter the system view.

    system-view

    -

    Enter the VTY user interface view.

    user-interface vty first-ui-number [ last-ui-number ]

    -

    Configure the AAA authentication mode for the VTY user interface.

    authentication-mode aaa

    By default, password authentication is used for console port login and AAA authentication is used for login on the VTY user interface.

    To configure the VTY user interface to support SSH, configure the AAA authentication mode for the VTY user interface. If the AAA authentication mode is not set, the protocol inbound ssh command does not take effect.

    Configure the VTY user interface to support the SSH protocol.

    protocol inbound { all | ssh }

    By default, the VTY user interface supports the SSH protocol.

    If the VTY user interface does not support the SSH protocol, you cannot log in to the device through STelnet.

    (Optional) Configure other attributes of the VTY user interface.

    For details, see Configuring VTY User Interfaces.

    Other user interface attributes include the maximum number of user interfaces, terminal attributes, and user level. These attributes have default values, and you do not need to set them. You can configure attributes based on the usage requirements.

  • Configuring SSH user information

    Configure SSH user information, including the authentication mode. The RSA, password, password-rsa, ECC, password-ecc, and all authentication modes are supported.
    • The password-rsa authentication mode consists of the password and RSA authentication modes.
    • The password-ecc authentication mode consists of the password and ECC authentication modes.
    • The all authentication mode indicates that SSH users only need to be authenticated by ECC, password, or RSA.
    NOTE:
    If the SSH user uses the password authentication mode, only the SSH server needs to generate the RSA key. If the SSH user uses the RSA authentication mode, both the SSH server and the client need to generate RSA keys, and each end must save and configure the public key of the peer end locally.
    Table 3-27  Configuring SSH user information
    Operation Command Description

    Enter the system view.

    system-view

    -

    Enter the AAA view.

    aaa

    -

    Create SSH users.

    local-user user-name password irreversible-cipher password

    -

    Configure the SSH user level.

    local-user user-name privilege level level

    -

    Configure the service type for SSH user.

    local-user user-name service-type ssh

    -

    Return to the system view.

    quit

    -

    Configure the authentication mode for SSH users.

    ssh user user-name authentication-type { password | rsa | password-rsa | ecc | password-ecc | all }

    -
    If any one of the following authentication modes is configured for SSH users, also perform the following operations:
    • rsa
    • password-rsa
    • ecc
    • password-ecc

    Enter the RSA public key view.

    rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]

    -

    Enter the ECC public key view.

    ecc peer-public-key key-name encoding-type { der | openssh | pem }

    -

    Enter the public key editing view.

    public-key-code begin

    -

    Edit the public key.

    hex-data

    • The public key must be a hexadecimal character string in the public key format generated by the SSH client software. For details, see SSH client software help.
    • Copy and paste the RSA public key to the device that functions as the SSH server.

    Quit the public key editing view.

    public-key-code end

    -

    Return to the system view.

    peer-public-key end

    -

    Assign an RSA or ECC public key to an SSH user.

    ssh user user-name assign { rsa-key | ecc-key } key-name

    -

  • Logging in to the device through STelnet

    Use the SSH client software to log in to the device through STelnet from a terminal. The third-party software PuTTY is used as an example here. You can download PuTTY from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.

    # Use the PuTTY software to log in to the device, enter the device IP address, and select the SSH protocol type.
    Figure 3-8  PuTTY Configuration page

    # Click Open. Enter the user name and password at the prompt, and press Enter. You have logged in to the SSH server. (The following information is only for reference.)

    login as: admin
    Sent username "admin"
    
    admin@169.254.1.1's password:
    
    Info: Current mode: Fat (working independently).
    <SSH Server>

Checking the Configuration
  • Run the display ssh user-information [ username ] command to check information about an SSH user on the SSH server. If no SSH user is specified, this command displays information about all SSH users on the SSH server.
  • Run the display ssh server status command to check the global SSH server configuration.
  • Run the display ssh server session command to check the sessions that SSH clients have established with the SSH server.
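
The following Python script is an added example, not part of the Huawei guide: it audits a saved configuration dump against the Telnet and STelnet hardening points above (Telnet service disabled, weak cipher, HMAC and key-exchange algorithms kept out of the server lists, SSH1.x compatibility off, authentication retries not raised, AAA on the VTY user interfaces). The two configuration dumps are constructed; the defaults and weak-algorithm sets are taken from Table 3-24 and the NOTEs in Table 3-25. It also applies the negotiation rule described for the algorithm lists (the first algorithm in the client's list that the server also offers wins), which is why leaving 3des in the server list lets a client that prefers 3des get it.

```python
"""Audit a Huawei VRP configuration dump for the Telnet/STelnet login settings
this guide covers.  Constructed example, not Huawei code; the defaults and the
weak-algorithm lists come from the guide's tables and NOTEs."""
import re
# Defaults from Table 3-24 and the command descriptions (used when no list is set).
DEFAULT_CIPHERS = ["aes128_ctr", "aes256_ctr"]
DEFAULT_HMACS = ["sha2_256"]
DEFAULT_KEX = ["dh_group14_sha1"]
# Algorithms the guide's NOTEs say to keep out of the server lists.
WEAK_CIPHERS = {"3des"}
WEAK_HMACS = {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"}
WEAK_KEX = {"dh_group1_sha1"}
# Constructed configuration dumps (sections separated by '#' as in a VRP dump).
WEAK_CONFIG = """\
#
telnet server enable
stelnet server enable
ssh server secure-algorithms cipher 3des aes128_ctr aes256_ctr
ssh server secure-algorithms hmac sha1 sha2_256
ssh server key-exchange dh_group1_sha1 dh_group14_sha1
ssh server compatible-ssh1x enable
ssh server authentication-retries 10
#
user-interface vty 0 4
 authentication-mode password
 protocol inbound all
#
"""
HARDENED_CONFIG = """\
#
stelnet server enable
ssh server key-exchange dh_group_exchange_sha1
ssh server rekey-interval 24
ssh server timeout 30
ssh server authentication-retries 3
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""

def _alg_list(config, prefix, default):
    """Algorithm list set with `prefix` in the dump, or the device default."""
    m = re.search(r"^\s*" + re.escape(prefix) + r"\s+(.+)$", config, re.M)
    return m.group(1).split() if m else list(default)

def negotiate(client_prefs, server_list):
    """Negotiation as the guide describes it: the first algorithm in the
    client's list that the server also offers is chosen; None means failure."""
    return next((a for a in client_prefs if a in server_list), None)

def audit(config):
    """Return the findings (strings) for one configuration dump."""
    findings = []
    if re.search(r"^\s*telnet server enable\s*$", config, re.M):
        findings.append("Telnet server enabled; prefer STelnet (undo telnet server enable)")
    if re.search(r"^\s*ssh server compatible-ssh1x enable\s*$", config, re.M):
        findings.append("SSH1.x compatibility enabled")
    for name, prefix, default, weak in (
        ("cipher", "ssh server secure-algorithms cipher", DEFAULT_CIPHERS, WEAK_CIPHERS),
        ("hmac", "ssh server secure-algorithms hmac", DEFAULT_HMACS, WEAK_HMACS),
        ("key-exchange", "ssh server key-exchange", DEFAULT_KEX, WEAK_KEX),
    ):
        bad = [a for a in _alg_list(config, prefix, default) if a in weak]
        if bad:
            findings.append(f"weak {name} algorithm(s) offered: {' '.join(bad)}")
    m = re.search(r"^\s*ssh server authentication-retries (\d+)", config, re.M)
    if m and int(m.group(1)) > 3:
        findings.append(f"authentication retries raised to {m.group(1)} (default 3)")
    # Every VTY user-interface block should carry 'authentication-mode aaa'.
    for section in re.split(r"^#\s*$", config, flags=re.M):
        lines = [l.strip() for l in section.splitlines() if l.strip()]
        if lines and lines[0].startswith("user-interface vty"):
            if "authentication-mode aaa" not in lines:
                findings.append(f"{lines[0]} is not using AAA authentication")
    return findings
```

audit(WEAK_CONFIG) returns seven findings and audit(HARDENED_CONFIG) returns an empty list; negotiate(["3des", "aes256_ctr"], ...) returns 3des against the weak server list but aes256_ctr against the default list.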

Common Operations After Login

After logging in to the device, you can operate and manage the device.

  • Displaying online users

    After login, you can check the information about online users.

    • Run the display users [ all ] command to check the online user information.

  • Automatically searching for the undo command in the upper-level view

    When you run an undo command that is not registered in the current view, the system returns to the upper-level view to search for it. If the undo command is found there, it takes effect. If not, the system continues to search in the next upper-level view, up to the system view.

    1. Run the system-view command to display the system view.

    2. Run the matched upper-view command to enable the undo command to run in the upper-level view.

      By default, the undo command does not automatically match the upper-level view.

      NOTE:

      The matched upper-view command is only valid for current login users who run this command.

      You are not advised to configure the undo command to automatically match the upper-level view, unless necessary.

  • Locking a user interface

    When you leave the operation terminal temporarily, you can lock the user interface to prevent unauthorized users from logging in to the terminal.

    1. Run the lock command to lock the user interface.
    2. Enter the lock password and confirm password.
      <Huawei> lock
      Info: A plain text password is a string of 8 to 128 case-sensitive characters and must be a combination of at least two of the following: uppercase letters A to Z, lowercase letters a to z, digits, and special characters (including spaces and the following :`~!@#$%^&*()-_=+|[{}];:'",<.>/?).
      Enter Password:
      Confirm Password:
      Info: The terminal is locked.

      After you run the lock command, the system prompts you to enter the lock password and confirm password. If the two passwords are the same, the current interface is locked successfully.

      To unlock the user interface, you must press Enter and enter the correct lock password as prompted.

Updated: 2019-01-11

Document ID: EDOC1000176006