No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - Basic Configuration

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the Basic configuration supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
CLI Login Configuration

CLI Login Configuration

You can log in to a device through its console port or mini USB port, or using Telnet, redirection, reverse Telnet, or STelnet to manage and maintain the device.

Overview of CLI Login Methods

You can log in to a device through its console port or mini USB port, or using Telnet or STelnet. After successful login, you can run commands on the command line interface (CLI) to manage and configure the device. You can also log in to another device from the local device using Telnet, STelnet, redirection, or reverse Telnet.

You can log in to a device using one of the CLI methods described in Table 9-1 to configure and manage the device.
Table 9-1  CLI login methods
Login Method Advantages Disadvantages Applicable Scenario Description

Logging In Through the Console Port

A dedicated console cable is used for effective device control.

You cannot remotely log in to a device to maintain it.

  • When you need to configure a device that is powered on for the first time, log in to the device through the console port.
  • If you cannot remotely log in to a device, you can log in through the console port.
  • If a device fails to start, you can enter the BootROM menu through the console port to diagnose the fault or upgrade the device.

Console port login is the basis for other login methods.

By default, you can log in to a device through a console port and has the user level of 15 after login.

Logging In Through the Mini USB Port

If no console port is available on a PC, you can use a mini USB cable to connect the USB port on the PC to the mini USB port of a device and then log in to the device for effective control.

You cannot remotely log in to a device to maintain it.

When you need to configure a device that is powered on for the first time but no console port is available on your PC, log in to the device through the mini USB port.

The device connection for mini USB port login is different from that for console port login but the configurations are the same after login.

Logging In Through Telnet

You can log in to one device using Telnet to remotely manage and maintain several devices without the need to connect each device to a terminal, which facilitates operations.

Data is transmitted using TCP in plain text, which is a potential security risk.

If you need to configure a device remotely, log in to the device using Telnet. Telnet login is typically used with networks that do not require high security.

By default, you cannot log in to a device directly using Telnet. Before using Telnet to log in, you must locally log in to the device through a console port or mini USB port, and perform the following configurations:
  • Configure a reachable route between the user terminal and device. (By default, no management IP address is configured on the device.)
  • Enable the Telnet server function and set parameters.
  • Configure a user interface for Telnet login.

Logging In Through STelnet

The Secure Shell (SSH) protocol provides secure remote logins on insecure networks to ensure data integrity and reliability, and secure data transmission.

The configuration is complex.

You can log in to a device using STelnet on networks with high security requirements. STelnet, based on the SSH protocol, provides powerful authentication functions to ensure information security and protect devices against attacks, such as IP spoofing attacks.

By default, you cannot log in to a device directly using STelnet. Before using STelnet to log in, you must locally log in to the device through a console port or mini USB port or remotely log in using Telnet and perform the following configurations:
  • Configure a reachable route between the user terminal and device. (By default, no management IP address is configured on the device.)
  • Enable the SSH server function and set parameters.
  • Configure a user interface for SSH login.
  • Configure an SSH user.

Logging In Through Redirection

Only remote serial port devices can be managed.

This login method applies only when two devices are connected through serial ports.

To manage a remote device that can transmit data only through a serial port, configure the redirection function on the router. The remote device can be a router, switch, or intelligent electricity meter that supports serial ports.

By default, the redirection function is disabled on a router. To use this function, configure the asynchronous serial port of the router to work in flow mode and enable the redirection function.

Logging In Through Reverse Telnet

Dumb terminals can only be directly connected to a router using asynchronous cables. The reverse Telnet function enables the dumb terminals to establish connections with a remote server through the router.

This login method applies only when two devices are connected through serial ports.

To connect dumb terminals that only have serial ports to a remote server, enable the reverse Telnet service on the router connected to the dumb terminals.

By default, the reverse Telnet function is disabled on a router. To use this function, configure the asynchronous port of the router to work in flow mode and configure parameters for connection between the dumb terminals remote server.

Overview of User Interfaces

The system supports console, TTY, and VTY user interfaces.

When a user logs in to a device through CLI, the system assigns a user interface to manage and monitor the session between the device and user. Each user interface has a user interface view, where you can set parameters, such as the authentication mode and user level. Users logging in through the user interface are restricted by these parameters. Through the parameter configuration, uniform management of various user sessions can be implemented.

The device supports three types of user interfaces:
  • Console user interface: manages and monitors users who log in through the console port. A device provides the EIA/TIA-232 DCE console port. The serial port of a user terminal can be directly connected to the console port of the device for local access. The console user interface is also used to manage and monitor users who log in through a mini USB port.
  • True type terminal (TTY) user interface: manages and monitors users who log in using TTY. The TTY mode is an asynchronous port login method, which can be implemented using the redirection or reverse Telnet function.

  • Virtual type terminal (VTY) user interface: manages and monitors users who log in using VTY. A VTY connection is set up when a user uses Telnet or STelnet to log in to a device.

Relationship Between a User and a User Interface

A user interface is not exclusive to a specific user. User interfaces are used to manage and monitor users that have logged in to the device using a specific method. Although a user interface can only be used by one user at a time, the user interface is not specific to the user.

When a user logs in, the system allocates the idle user interface with the smallest number to the user based on the user's login mode. The login process is restricted by the configuration in the user interface view. For example, when user A logs in through the console port, the login process depends on the configuration in the console user interface view; however, when it logs in through VTY 1, the login process depends on the configuration in the VTY 1 user interface view. If a user logs in to a device using different methods, the user will be allocated different user interfaces. If a user logs in to a device at different time, the user may be allocated different user interfaces.

User Interface Numbering

User interfaces are numbered in either of the following modes:

  • Relative numbering

    The numbering format is user interface type + number.

    This mode uniquely specifies a user interface or a group of user interfaces of the same type. Relative numbering adheres to the following rules:

    • Console user interface numbering: CON 0.

    • TTY user interface numbering: The first TTY user interface is TTY 1, the second TTY user interface is TTY 2, and so on

    • VTY user interface numbering: The first VTY user interface is VTY 0, the second VTY user interface is VTY 1, and so on.

  • Absolute numbering

    This mode uniquely specifies a user interface or a group of user interfaces. You can run the display user-interface command to view user interfaces and their absolute numbers supported by the device.

    Each MPU supports only one console user interface and 15 VTY user interfaces. You can run the user-interface maximum-vty command in the system view to set the maximum number of VTY user interfaces. The default value is 5. By default, numbers VTY 16 to VTY 20 are reserved by the system and are unaffected by the user-interface maximum-vty command.

    Table 9-2 lists the default absolute numbers of the console, TTY and VTY user interfaces.

Table 9-2  Default absolute numbers of the console and VTY user interfaces

User Interface

Description

Absolute Number

Relative Number

Console user interface

Manages and controls users who log in through the console port or mini USB port.

0

0

TTY user interface

Manages and controls users that log in to the device using an asynchronous serial interface.

1 to 128

The first TTY user interface is TTY 1, the second TTY user interface is TTY 2, and so on.

Absolute numbers 1 to 128 map relative numbers TTY 1 to TTY 128.

VTY user interface

Manages and controls users who log in using Telnet or STelnet.

129 to 143

The first VTY user interface is VTY 0, the second VTY user interface is VTY 1, and so on. By default, VTY 0 to VTY 4 are available.

Absolute numbers 129 to 143 map relative numbers VTY 0 to VTY 14.

Authentication Modes for User Interfaces

After you configure an authentication mode for a user interface, the system authenticates users before they access the user interface.

Two authentication modes are available: Authentication, Authorization, and Accounting (AAA) authentication and password authentication.

  • AAA authentication: Users must enter both user names and passwords for login. If either a user name or a password is incorrect, the login fails.

  • Password authentication: Users must enter passwords for login. Only after a user enters the correct password does the device allow the users to log in.

User Levels for User Interfaces

You can manage login users based on their levels. The levels of commands accessible to a user depend on the user level.

  • If password authentication is configured, the levels of commands accessible to a user depend on the level of the user interface through which the user logs in.
  • If AAA authentication is configured, the levels of commands accessible to a user depend on the level of the local user specified in AAA configuration.

Licensing Requirements and Limitations for CLI Login

This section provides licensing requirements and limitations for CLI login.

Involved Network Elements

None

Licensing Requirements

CLI login configuration is a basic feature of a router and is not under license control.

Feature Limitations

For security purposes, after a user successfully logs in to a device in AAA mode, if the login password is the default password admin, Admin@huawei, or Admin@mac (mac is the MAC address of the current device), the system displays the message Warning: The default password is not secure, and it is strongly recommended to change it. to prompt the user to change the default password.

If the default user admin is deleted, another default user also named admin is generated in the system. The password of the new user is admin@huawei.com, the service type of the user is HTTP, and no user level is configured for it.

Configuring Login Through a Console Port

You can connect a PC to the console port of a device and then log in to the device to perform basic configurations and management.

(Optional) Configuring Attributes for the Console User Interface

This section describes how to configure attributes about data transmission and screen display for the console user interface.

Context

The data transmission and screen display attributes of the console user interface are as follows:
  • Data transmission attributes: transmission rate, flow control mode, parity bit, stop bit, and data bit. These attributes determine the data transmission mode used in the console port login process.
  • Screen display attributes: timeout period of a connection, number of rows and columns displayed on a terminal screen, and buffer size for historical commands. These attributes determine terminal screen display for console port login.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface console 0

    The console user interface view is displayed.

  3. Configure data transmission attributes.

    The data transmission attributes configured on the terminal software must be the same as those on the device.

    1. Run speed speed-value

      The transmission rate is set.

      The default transmission rate is 9600 bit/s.

    2. Run flow-control { hardware | none }

      The flow control mode is set.

      The default flow control mode is set to none, indicating that the flow control function is not performed.

      AR100&AR120&AR150&AR160&AR200 series and AR2220E does not support this command.

    3. Run databits { 7 | 8 }

      The data bit is set.

      The default data bit is 8. Data bit configuration depends on the code type used for information interchange. If standard ASCII codes are used, set the data bit to 7. If extended ASCII codes are used, set the data bit to 8.

    4. Run parity { even | none | odd }

      The parity bit is set.

      The default parity bit is set to none, indicating that the parity check is not performed on the console port. Setting a parity bit improves data security. If packets on the console port fail to pass the parity check, the device discards the packets.

    5. Run stopbits { 1 | 1.5 | 2 }

      The stop bit is set.

      The default stop bit is 1. The stop bit indicates the end of a packet. More stop bits indicate lower transmission efficiency.

  4. Configure screen display attributes.
    1. Run idle-timeout minutes [ seconds ]

      A timeout period is set for a user connection.

      If a connection remains idle for the specified timeout period, the system automatically ends the connection after the timeout period expires.

      The default timeout period is 5 minutes.

      If you set the timeout period of a terminal connection to 0 or too long, the terminal remains logged in to a device, which is a potential security risk. It is recommended that you run the lock command to lock the connection.

    2. Run screen-length screen-length

      The number of rows displayed on a terminal screen is set.

      The default number of rows displayed on a terminal screen is 24.

      The system automatically adjusts the number of terminal screen lines.

    3. Run screen-width screen-width

      The number of columns displayed on a terminal screen is set.

      The default number of columns displayed on a terminal screen is 80. Each character is a column.

    4. Run history-command max-size size-value

      A buffer size is set for historical commands.

      The default buffer size is 10, that is, a maximum of 10 historical commands can be buffered.

Configuring an Authentication Mode for the Console User Interface

You can configure an authentication mode for the console user interface to control user access through the console port, which enhances login security.

Context

The system provides two authentication modes for the console user interface: AAA authentication and password authentication.

  • AAA authentication: Users must enter both user names and passwords for login. If either a user name or a password is incorrect, the login fails.

  • Password authentication: Users must enter passwords for login. Only after a user enters the correct password does the device allow the users to log in.

Procedure

  • Configure AAA authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface console 0

      The console user interface view is displayed.

    3. Run authentication-mode aaa

      The authentication mode is set to AAA authentication.

    4. (Optional) run authentication-domain domain-name

      An authentication domain is configured.

      By default, the authentication domain is default. If you want to change the currently used authentication domain for users on the console user interface, you can run this command.

    5. Run quit

      Exit the console user interface view.

    6. Run aaa

      The AAA view is displayed.

    7. Run local-user user-name password irreversible-cipher password

      A local user account is created and a password is configured.

    8. Run local-user user-name service-type terminal

      The access type of the local user is set to Console.

    9. Run quit

      Exit the AAA view.

  • Configure password authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface console 0

      The console user interface view is displayed.

    3. Run authentication-mode password

      The authentication mode is set to password authentication.

    4. Run set authentication password cipher

      An authentication password is set.

Configuring a User Level for the Console User Interface

This section describes how to configure a user level for the console user interface.

Context

  • You can configure different user levels to control access rights of different users and improve device security.
  • There are 16 user levels numbered from 0 to 15, in ascending order of priority.
  • User levels map command levels. A user can use only the commands of the corresponding level or lower. Table 9-3 describes mappings between user levels and command levels.
    Table 9-3  Mappings between user levels and command levels

    User Level

    Command Level

    Name

    Description

    0

    0

    Visit level

    Commands of this level include commands used for network diagnosis such as ping and tracert commands, and remote access commands such as Telnet.

    1

    0 and 1

    Monitoring level

    Commands of this level are used for system maintenance, including display commands.

    NOTE:

    Some display commands are not available at this level. For example, the display current-configuration and display saved-configuration commands are level-3 management commands. For details about command levels, see the Huawei AR Series Access Routers Command Reference.

    2

    0, 1, and 2

    Configuration level

    Commands of this level are used to configure network services provided directly to users, such as routing and commands of all network layers.

    3 to 15

    0, 1, 2, and 3

    Management level

    Commands of this level are used to control basic system operations and provide support for services, including file system, FTP, TFTP download, user management, command level setting, and debugging commands for fault diagnosis.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface console 0

    The console user interface view is displayed.

  3. Run user privilege level level

    A user level is set.

    By default, the users on the console user interface are at level 15.

    • If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence.
    • If password authentication is configured, the levels of commands accessible to a user depend on the level of the console user interface through which the user logs in.
    • If AAA authentication is configured, the levels of commands accessible to a user depend on the level of the local user specified in AAA configuration. By default, the level of a local user is 0 in AAA configuration. You can run the local-user user-name privilege level level command in the AAA view to change the level of the local user in AAA configuration.

Logging In to a Device Through the Console Port

You can connect a PC to the console port of a device and then log in to the device.

Context

After completing console user interface configurations on a device, you can log in to the device through the console port. If the console user interface uses the default attribute settings and password authentication, perform the following steps to log in to the device.

Procedure

  1. Connect the DB9 female connector of the console cable to the COM port on the PC, and connect the RJ45 connector to the console port on the device, as shown in Figure 9-1.

    Figure 9-1  Connecting to the device through the console port

  2. Start the terminal emulation software on the PC. Create a connection, select the connected port, and set communication parameters. (This section uses the third-party software SecureCRT as an example.)
    1. Click to establish a connection, as shown in Figure 9-2.

      Figure 9-2  Establishing a connection

    2. Set the connected port and communication parameters, as shown in Figure 9-3.

      Select the connected port based on actual situations. For example, you can view port information in Device Manager in the Windows operating system, and select the connected port.

      Communication parameters of the terminal emulation software must be consistent with the default attribute settings of the console user interface on the device, which are 9600 bit/s baud rate, 8 data bits, 1 stop bit, no parity check, and no flow control.

      By default, no flow control mode is configured on the device. Because RTS/CTS is selected in the software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.

      If you modify the serial port communication parameters on the device, you must make the same modifications on the PC and then create a connection again.

      Figure 9-3  Setting the connected port and communication parameters

  3. Click Connect. The following information is displayed, prompting you to enter a password. (In AAA authentication, the system prompts you to enter the user name and password. The following information is only for reference.)

    Login authentication
    
    
    Password:       
    <Huawei>         

    You can run commands to configure the device. Enter a question mark (?) whenever you need help.

Verifying the Configuration

  • Run the display users [ all ] command to check user login information on the user interface.
  • Run the display user-interface console 0 command to check user interface information.
  • Run the display local-user command to check the local user attributes.
  • Run the display access-user command to check information about online users.

Configuring Login Through the Mini USB Port

You can connect a PC to the mini USB port of a device and then log in to the device to perform basic configurations and management.

(Optional) Configuring Attributes for the Console User Interface

This section describes how to configure attributes about data transmission and screen display for the console user interface.

Context

The data transmission and screen display attributes of the console user interface are as follows:
  • Data transmission attributes: transmission rate, flow control mode, parity bit, stop bit, and data bit. These attributes determine the data transmission mode used in the MiniUSB port login process.
  • Screen display attributes: timeout period of a connection, number of rows and columns displayed on a terminal screen, and buffer size for historical commands. These attributes determine terminal screen display for MiniUSB port login.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface console 0

    The console user interface view is displayed.

  3. Configure data transmission attributes.

    The data transmission attributes configured on the terminal software must be the same as those on the device.

    1. Run speed speed-value

      The transmission rate is set.

      The default transmission rate is 9600 bit/s.

    2. Run flow-control { hardware | none }

      The flow control mode is set.

      The default flow control mode is set to none, indicating that the flow control function is not performed.

      AR100&AR120&AR150&AR160&AR200 series and AR2220E does not support this command.

    3. Run databits { 7 | 8 }

      The data bit is set.

      The default data bit is 8. Data bit configuration depends on the code type used for information interchange. If standard ASCII codes are used, set the data bit to 7. If extended ASCII codes are used, set the data bit to 8.

    4. Run parity { even | none | odd }

      The parity bit is set.

      The default parity bit is set to none, indicating that the parity check is not performed on the console port. Setting a parity bit improves data security. If packets on the console port fail to pass the parity check, the device discards the packets.

    5. Run stopbits { 1 | 1.5 | 2 }

      The stop bit is set.

      The default stop bit is 1. The stop bit indicates the end of a packet. More stop bits indicate lower transmission efficiency.

  4. Configure screen display attributes.
    1. Run idle-timeout minutes [ seconds ]

      A timeout period is set for a user connection.

      If a connection remains idle for the specified timeout period, the system automatically ends the connection after the timeout period expires.

      The default timeout period is 5 minutes.

      If you set the timeout period of a terminal connection to 0 or too long, the terminal remains logged in to a device, which is a potential security risk. It is recommended that you run the lock command to lock the connection.

    2. Run screen-length screen-length

      The number of rows displayed on a terminal screen is set.

      The default number of rows displayed on a terminal screen is 24.

      The system automatically adjusts the number of terminal screen lines.

    3. Run screen-width screen-width

      The number of columns displayed on a terminal screen is set.

      The default number of columns displayed on a terminal screen is 80. Each character is a column.

    4. Run history-command max-size size-value

      A buffer size is set for historical commands.

      The default buffer size is 10, that is, a maximum of 10 historical commands can be buffered.

Configuring an Authentication Mode for the Console User Interface

You can configure an authentication mode for the console user interface to control user access through the mini USB port, which enhances login security.

Context

The system provides two authentication modes for the console user interface: AAA authentication and password authentication.

  • AAA authentication: Users must enter both user names and passwords for login. If either a user name or a password is incorrect, the login fails.

  • Password authentication: Users must enter passwords for login. Only after a user enters the correct password does the device allow the users to log in.

Procedure

  • Configure AAA authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface console 0

      The console user interface view is displayed.

    3. Run authentication-mode aaa

      The authentication mode is set to AAA authentication.

    4. (Optional) run authentication-domain domain-name

      An authentication domain is configured.

      By default, the authentication domain is default. If you want to change the currently used authentication domain for users on the console user interface, you can run this command.

    5. Run quit

      Exit the console user interface view.

    6. Run aaa

      The AAA view is displayed.

    7. Run local-user user-name password irreversible-cipher password

      A local user account is created and a password is configured.

    8. Run local-user user-name service-type terminal

      The access type of the local user is set to Console.

    9. Run quit

      Exit the AAA view.

  • Configure password authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface console 0

      The console user interface view is displayed.

    3. Run authentication-mode password

      The authentication mode is set to password authentication.

    4. Run set authentication password cipher

      An authentication password is set.

Configuring a User Level for the Console User Interface

This section describes how to configure a user level for the console user interface.

Context

  • You can configure different user levels to control access rights of different users and improve device security.
  • There are 16 user levels numbered from 0 to 15, in ascending order of priority.
  • User levels map command levels. A user can use only the commands of the corresponding level or lower. Table 9-4 describes mappings between user levels and command levels.
    Table 9-4  Mappings between user levels and command levels

    User Level

    Command Level

    Name

    Description

    0

    0

    Visit level

    Commands of this level include commands used for network diagnosis such as ping and tracert commands, and remote access commands such as Telnet.

    1

    0 and 1

    Monitoring level

    Commands of this level are used for system maintenance, including display commands.

    NOTE:

    Some display commands are not available at this level. For example, the display current-configuration and display saved-configuration commands are level-3 management commands. For details about command levels, see the Huawei AR Series Access Routers Command Reference.

    2

    0, 1, and 2

    Configuration level

    Commands of this level are used to configure network services provided directly to users, such as routing and commands of all network layers.

    3 to 15

    0, 1, 2, and 3

    Management level

    Commands of this level are used to control basic system operations and provide support for services, including file system, FTP, TFTP download, user management, command level setting, and debugging commands for fault diagnosis.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface console 0

    The console user interface view is displayed.

  3. Run user privilege level level

    A user level is set.

    By default, the users on the console user interface are at level 15.

    • If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence.
    • If password authentication is configured, the levels of commands accessible to a user depend on the level of the console user interface through which the user logs in.
    • If AAA authentication is configured, the levels of commands accessible to a user depend on the level of the local user specified in AAA configuration. By default, the level of a local user is 0 in AAA configuration. You can run the local-user user-name privilege level level command in the AAA view to change the level of the local user in AAA configuration.

Logging In to a Device Through the Mini USB Port

You can connect a PC to the mini USB port of a device and then log in to the device.

Context

After completing console user interface configurations on a device, you can log in to the device through the mini USB port. If the console user interface uses the default attribute settings and password authentication.

Procedure

  1. Install the mini USB driver on the PC.
    1. Use a mini USB cable to connect a PC USB port to the mini USB port of the device.

      If you reinstall the mini USB cable or manually terminate the serial connection when using the mini USB port, open a new serial connection window after the serial connection is restored. The original serial connection window is invalid.

    2. As shown in Figure 9-4, double-click the driver installation file on the PC and click Next.

      Figure 9-4  Running a driver on the PC

    3. As shown in Figure 9-5, select I accept the terms in the license agreement and click Next.

      Figure 9-5  Accepting the terms in the license agreement

    4. As shown in Figure 9-6, click Change to change the driver directory, and click Next.

      Figure 9-6  Specifying the driver directory

    5. As shown in Figure 9-7, click Install and decompress the driver. When the system finishes decompressing the driver, click Finish.

      Figure 9-7  Finishing driver decompression

    6. Find the DISK1 folder in the file decompression path specified in step d, and double-click setup.exe in the folder.
    7. Click Next. Select I accept the terms in the license agreement and click Next to install the driver.
    8. Click Finish to finish installing the driver. Right-click Computer, and choose Manage > Device Manager > Ports(COM&LPT). The system displays TUSB3410 Device indicating the driver that has been installed.

      If there is no TUSB3410 Device in the device manager, reinstall the driver or use another mini USB cable to connect the device to the PC.

  2. Start the terminal emulation software on the PC. Create a connection, select the connected port, and set communication parameters. (This section uses the third-party software SecureCRT as an example.)
    1. Click to establish a connection, as shown in Figure 9-8.

      Figure 9-8  Establishing a connection

    2. Set the connected port and communication parameters, as shown in Figure 9-9.

      Select the connected port based on actual situations. For example, you can view port information in Device Manager in the Windows operating system, and select the connected port.

      Communication parameters of the terminal emulation software must be consistent with the default attribute settings of the console user interface on the device, which are 9600 bit/s baud rate, 8 data bits, 1 stop bit, no parity check, and no flow control.

      By default, no flow control mode is configured on the device. Because RTS/CTS is selected in the software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.

      If you modify the serial port communication parameters on the device, you must make the same modifications on the PC and then create a connection again.

      Figure 9-9  Setting the connected port and communication parameters

  3. Click Connect. The following information is displayed, prompting you to enter a password. (In AAA authentication, the system prompts you to enter the user name and password. The following information is only for reference.)

    Login authentication
    
    
    Password:       
    <Huawei>         

    You can run commands to configure the device. Enter a question mark (?) whenever you need help.

Verifying the Configuration

  • Run the display users [ all ] command to check user login information on the user interface.
  • Run the display user-interface console 0 command to check user interface information.
  • Run the display local-user command to check the local user attributes.
  • Run the display access-user command to check information about online users.

Configuring Telnet Login

You can log in to a device using Telnet to manage and configure the device.

The Telnet protocol has security vulnerabilities. It is recommended that you log in to the device using STelnet V2.

(Optional) Configuring Attributes for a VTY User Interface

This section describes how to configure attributes for a VTY user interface.

Context

You can configure attributes for a VTY user interface to control Telnet login and screen display. The attributes of a VTY user interface include the maximum number of VTY user interfaces, timeout period of a user connection, number of rows and columns displayed on a terminal screen, and buffer size for historical commands.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface maximum-vty number

    The maximum number of VTY user interfaces is set. The value determines the number of users that can concurrently log in to the device using Telnet or STelnet.

    By default, the maximum number of VTY user interfaces is 5.

    • When the maximum number of VTY user interfaces is set to 0, no user (including Telnet and SSH users) can log in to the device through the VTY user interface, and web users cannot log in to the device through the web system either.
    • If the configured maximum number is less than the current maximum number of online users, the system displays a configuration failure message.
    • If the configured maximum number is greater than the current maximum number of online users, you need to configure an authentication mode for additional user interfaces.

  3. Run user-interface vty first-ui-number [ last-ui-number ]

    The VTY user interface view is displayed.

  4. Run shell

    The VTY terminal service is enabled.

    By default, all VTY terminal services are enabled. If you disable the terminal service of a VTY user interface, users cannot log in through the VTY user interface.

  5. Run idle-timeout minutes [ seconds ]

    A timeout period is set for a user connection.

    If a connection remains idle for the specified timeout period, the system automatically terminates the connection after the timeout period expires, which conserves system resources.

    By default, the timeout period is 5 minutes.

    If you set the timeout period of a terminal connection to 0 or too long, the terminal remains logged in to a device, which is a potential security risk. It is recommended that you run the lock command to lock the connection.

  6. Run screen-length screen-length [ temporary ]

    The number of rows displayed on a terminal screen is set.

    If you specify temporary in the command, the configured value takes effect only on the current VTY user interface but does not take effect on the next login on the same user interface or login on other VTY user interfaces.

    The default number of rows is 24.

  7. Run screen-width screen-width

    The number of columns displayed on a terminal screen is set.

    The default number of columns is 80. Each character is a column.

  8. Run history-command max-size size-value

    A buffer size is set for historical commands.

    The default buffer size is 10, that is, a maximum of 10 historical commands can be buffered.

Configuring an Authentication Mode for a VTY User Interface

You can configure an authentication mode for a VTY user interface to control user access through Telnet, which enhances login security.

Context

The system provides two authentication modes for a VTY user interface: AAA authentication and password authentication.

  • AAA authentication: Users must enter both user names and passwords for login. If either a user name or a password is incorrect, the login fails.

  • Password authentication: Users must enter passwords for login. Only after a user enters the correct password does the device allow the users to log in.

Procedure

  • Configure AAA authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface vty first-ui-number [ last-ui-number ]

      The VTY user interface view is displayed.

    3. Run protocol inbound { all | telnet }

      The VTY user interface is configured to support the Telnet protocol.

      By default, a VTY user interface supports the SSH and Telnet protocol.

    4. Run authentication-mode aaa

      The authentication mode is set to AAA authentication.

    5. (Optional) run authentication-domain domain-name

      An authentication domain is configured.

      By default, the authentication domain is default. If you want to change the currently used authentication domain for users on the VTY user interface, you can run this command.

    6. Run quit

      Exit the VTY user interface view.

    7. Run aaa

      The AAA view is displayed.

    8. Run local-user user-name password { cipher | irreversible-cipher } password

      A local user account is created and a password is configured.

    9. Run local-user user-name service-type telnet

      The access type of the local user is set to Telnet.

    10. Run quit

      Exit the AAA view.

  • Configure password authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface vty first-ui-number [ last-ui-number ]

      The VTY user interface view is displayed.

    3. Run protocol inbound { all | telnet }

      The VTY user interface is configured to support the Telnet protocol.

      By default, a VTY user interface supports the SSH and Telnet protocol.

    4. Run authentication-mode password

      The authentication mode is set to password authentication.

    5. Run set authentication password cipher

      An authentication password is set.

Configuring a User Level for a VTY User Interface

This section describes how to configure a user level for a VTY user interface.

Context

  • You can configure different user levels to control access rights of different users and improve device security.
  • There are 16 user levels numbered from 0 to 15, in ascending order of priority.
  • User levels map command levels. A user can use only the commands of the corresponding level or lower. Table 9-5 describes mappings between user levels and command levels.
    Table 9-5  Mappings between user levels and command levels

    User Level

    Command Level

    Name

    Description

    0

    0

    Visit level

    Commands of this level include commands used for network diagnosis such as ping and tracert commands, and remote access commands such as Telnet.

    1

    0 and 1

    Monitoring level

    Commands of this level are used for system maintenance, including display commands.

    NOTE:

    Some display commands are not available at this level. For example, the display current-configuration and display saved-configuration commands are level-3 management commands. For details about command levels, see the Huawei AR Series Access Routers Command Reference.

    2

    0, 1, and 2

    Configuration level

    Commands of this level are used to configure network services provided directly to users, such as routing and commands of all network layers.

    3 to 15

    0, 1, 2, and 3

    Management level

    Commands of this level are used to control basic system operations and provide support for services, including file system, FTP, TFTP download, user management, command level setting, and debugging commands for fault diagnosis.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface vty first-ui-number [ last-ui-number ]

    The VTY user interface view is displayed.

  3. Run user privilege level level

    A user level is set.

    By default, the users on the VTY user interface are at level 0.

    • If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence.
    • If password authentication is configured, the levels of commands accessible to a user depend on the level of the VTY user interface through which the user logs in.
    • If AAA authentication is configured, the levels of commands accessible to a user depend on the level of the local user specified in AAA configuration. By default, the level of a local user is 0 in AAA configuration. You can run the local-user user-name privilege level level command in the AAA view to change the level of the local user in AAA configuration.

Enabling the Telnet Server Function

In addition to the authentication mode and user level, you need to configure the Telnet server function on a device.

Context

When a device functions as a Telnet server, you can specify the protocol port and source interface of the Telnet server to enhance Telnet connection security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run telnet [ ipv6 ] server enable

    The Telnet server function is enabled.

    By default, the Telnet server function is disabled on a device.

  3. (Optional) Run telnet server port port-number

    The protocol port number is specified for the Telnet server.

    By default, the protocol port number of the Telnet server is 23.

    You can configure a new protocol port number for a Telnet server to prevent attackers from accessing the server using the default port.

  4. (Optional) Run telnet server permit interface { interface-type interface-number } &<1-5>

    The physical interfaces on the Telnet server to which clients can connect is specified.

  5. (Optional) Run telnet server-source { -a [ ipv6 ] source-ip-address | -i [ ipv6 ] interface-type interface-number }

    The source interface is specified for the Telnet server.

    By default, the source interface of a Telnet server is not specified.

    If the source IP address is not specified for the Telnet server, the device selects a source IP address according to routing entries to send packets. Specify an interface in stable state, such as a loopback interface, as the source interface. Before specifying a source interface, make sure that the Telnet client has a reachable route to the source interface. Otherwise, the configuration will fail.

  6. (Optional) Configure ACL-based Telnet access control.

    • Control access to the local device.

      1. Run acl acl-number

        An ACL is created, and the ACL view is displayed.

        acl-number refers to a basic ACL numbered from 2000 to 2999.

      2. Run rule permit source source-address 0

        ACL rules are configured to prohibit devices except the device specified by source-address from accessing the local device.

      3. Run quit

        Exit the ACL view.

      4. Run user-interface vty first-ui-number [ last-ui-number ]

        The VTY user interface view is displayed.

      5. Run acl [ ipv6 ] acl-number inbound

        The ACL-based Telnet access control is configured for the VTY user interface.

    • Control access of the local device to other devices.
      1. Run acl acl-number

        An ACL is created, and the ACL view is displayed.

        acl-number refers to an advanced ACL numbered from 3000 to 3999.

      2. Run rule deny tcp destination-port eq telnet

        ACL rules are configured to prohibit the local device from accessing other devices.

      3. Run quit

        Exit the ACL view.

      4. Run user-interface vty first-ui-number [ last-ui-number ]

        The VTY user interface view is displayed.

      5. Run acl [ ipv6 ] acl-number outbound

        The ACL-based Telnet access control is configured for the VTY user interface.

Logging In to a Device Through Telnet

This section describes how to log in to a device using Telnet.

Context

After completing Telnet server configurations on a device, you can use either Telnet software or Windows Command Prompt on a PC to log in to the device. Assume that AAA authentication is configured and the management IP address of the device is 10.137.217.177. The Windows Command Prompt is used as an example to illustrate the Telnet login process.

Procedure

  1. Enter the Windows Command Prompt window.
  2. Run the telnet ip-address command to log in to the device using Telnet.

    C:\Documents and Settings\Administrator> telnet 10.137.217.177

  3. Press Enter and enter the password and user name configured for AAA authentication. The system does not provide a default user name and password. If authentication succeeds, the CLI is displayed, indicating that you have successfully logged in to the device. (The following information is for reference only.)

    Login authentication
    
    Username:admin1234
    Password:
    <Telnet Server>

Verifying the Configuration

  • Run the display users [ all ] command to check the user interface connections.
  • Run the display tcp status command to check all TCP connections.
  • Run the display telnet server status command to check current Telnet server connections.

(Optional) Using Telnet to Log In to Another Device From the Local Device

This section describes how to use Telnet to log in to another device from the local device.

Context

A device can function as a Telnet server to allow other devices to log in or as a Telnet client to log in to other devices. When a terminal lacks the necessary software or no reachable route exists between the terminal and target device, you can log in to an intermediate device and then use Telnet to log in to the target device from the intermediate device. The intermediate device functions as a Telnet client.

The device can function as a Telnet IPv6 client. You can specify the source address or interface of the Telnet client to ensure security of the management IP address.

As shown in Figure 9-10, a PC connects to a device through network 1 and the device connects to a Telnet server through network 2. The PC cannot directly communicate with the Telnet server. In this situation, you can configure the device as a Telnet client and log in to the Telnet server from the device.
Figure 9-10  Configuring a device as a Telnet client to log in to another device

Pre-configuration Tasks

Before configuring a device as a Telnet client to log in to another device, complete the following tasks:

  • Log in to the device from a terminal.
  • Configure a reachable route between the device and Telnet server.
  • Enable the Telnet server function on the Telnet server.
  • Obtain the Telnet user name, password, and port number configured on the Telnet server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run telnet client-source { -a source-ip-address | -i interface-type interface-number }

    The source IP address of the Telnet client is set.

    The source address of the Telnet client displayed on the server is the same as that configured in this step.

  3. Run quit

    Exit the system view.

  4. Run either of the following commands to log in to another device based on the network address type.

    • In IPv4 mode, run the telnet [ -a source-ip-address ] host-ip [ port-number ] command to log in to another device as a Telnet client.

    • In IPv6 mode, run the telnet ipv6 [ -a source-ip-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] command to log in to another device as a Telnet IPv6 client.

Configuring STelnet Login

You can log in to a device using STelnet to manage and configure the device.

The STelnet V1 protocol has security vulnerabilities. It is recommended that you log in to the device using STelnet V2.

(Optional) Configuring Attributes for a VTY User Interface

This section describes how to configure attributes for a VTY user interface.

Context

You can configure attributes for a VTY user interface to control STelnet login and screen display. The attributes of a VTY user interface include the maximum number of VTY user interfaces, timeout period of a user connection, number of rows and columns displayed on a terminal screen, and buffer size for historical commands.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface maximum-vty number

    The maximum number of VTY user interfaces is set. The value determines the number of users that can concurrently log in to the device using Telnet or STelnet.

    By default, the maximum number of VTY user interfaces is 5.

    • When the maximum number of VTY user interfaces is set to 0, no user (including Telnet and SSH users) can log in to the device through the VTY user interface, and web users cannot log in to the device through the web system either.
    • If the configured maximum number is less than the current maximum number of online users, the system displays a configuration failure message.
    • If the configured maximum number is greater than the current maximum number of online users, you need to configure an authentication mode for additional user interfaces.

  3. Run user-interface vty first-ui-number [ last-ui-number ]

    The VTY user interface view is displayed.

  4. Run shell

    The VTY terminal service is enabled.

    By default, all VTY terminal services are enabled. If you disable the terminal service of a VTY user interface, users cannot log in through the VTY user interface.

  5. Run idle-timeout minutes [ seconds ]

    A timeout period is set for a user connection.

    If a connection remains idle for the specified timeout period, the system automatically terminates the connection after the timeout period expires, which conserves system resources.

    By default, the timeout period is 5 minutes.

    If you set the timeout period of a terminal connection to 0 or too long, the terminal remains logged in to a device, which is a potential security risk. It is recommended that you run the lock command to lock the connection.

  6. Run screen-length screen-length [ temporary ]

    The number of rows displayed on a terminal screen is set.

    If you specify temporary in the command, the configured value takes effect only on the current VTY user interface but does not take effect on the next login on the same user interface or login on other VTY user interfaces.

    The default number of rows is 24.

  7. Run screen-width screen-width

    The number of columns displayed on a terminal screen is set.

    The default number of columns is 80. Each character is a column.

  8. Run history-command max-size size-value

    A buffer size is set for historical commands.

    The default buffer size is 10, that is, a maximum of 10 historical commands can be buffered.

Configuring an Authentication Mode for a VTY User Interface

You can configure an authentication mode for a VTY user interface to control user access through STelnet, which enhances login security.

Context

To configure a VTY user interface to support SSH, you must set the authentication mode of the VTY user interface to AAA; otherwise, the protocol inbound ssh command does not take effect.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface vty first-ui-number [ last-ui-number ]

    The VTY user interface view is displayed.

  3. Run authentication-mode aaa

    The authentication mode is set to AAA authentication.

  4. (Optional) run authentication-domain domain-name

    An authentication domain is configured.

    By default, the authentication domain is default. If you want to change the currently used authentication domain for users on the VTY user interface, you can run this command.

  5. (Optional) If you want to change the currently used authentication domain for users on the VTY user interface, run authentication-domain domain-name

    An authentication domain is configured.

    By default, the authentication domain is default.

  6. Run protocol inbound { all | ssh }

    The VTY user interface is configured to support the SSH protocol.

    By default, a VTY user interface supports the SSH and Telnet protocol.

  7. Run quit

    Return to the system view.

  8. Run ssh user user-name authentication-type { password | rsa | password-rsa | ecc | password-ecc |all }rsa peer-public-key or ecc peer-public-keykey-name public-key-code beginpublic-key-code endpeer-public-key endssh user user-name assign { rsa-key | ecc-key } key-name

    An authentication mode is set for the SSH user.

Configuring a User Level for a VTY User Interface

This section describes how to configure a user level for a VTY user interface.

Context

  • You can configure different user levels to control access rights of different users and improve device security.
  • There are 16 user levels numbered from 0 to 15, in ascending order of priority.
  • User levels map command levels. A user can use only the commands of the corresponding level or lower. Table 9-6 describes mappings between user levels and command levels.
    Table 9-6  Mappings between user levels and command levels

    User Level

    Command Level

    Name

    Description

    0

    0

    Visit level

    Commands of this level include commands used for network diagnosis such as ping and tracert commands, and remote access commands such as Telnet.

    1

    0 and 1

    Monitoring level

    Commands of this level are used for system maintenance, including display commands.

    NOTE:

    Some display commands are not available at this level. For example, the display current-configuration and display saved-configuration commands are level-3 management commands. For details about command levels, see the Huawei AR Series Access Routers Command Reference.

    2

    0, 1, and 2

    Configuration level

    Commands of this level are used to configure network services provided directly to users, such as routing and commands of all network layers.

    3 to 15

    0, 1, 2, and 3

    Management level

    Commands of this level are used to control basic system operations and provide support for services, including file system, FTP, TFTP download, user management, command level setting, and debugging commands for fault diagnosis.

Procedure

  • If a user uses password authentication mode, the user level is configured in the AAA view.

    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run local-user user-name privilege level level

      The local user level is configured.

    4. Run quit

      Return to the system view.

  • If a user uses RSA or ECC authentication mode, the user level is determined by the user level of the VTY interface to which the user logs in.

    1. Run system-view

      The system view is displayed.

    2. Run user-interface vty first-ui-number [ last-ui-number ]

      The VTY user interface view is displayed.

    3. Run user privilege level level

      The user level is configured for the VTY user interface.

      By default, the user level of a VTY user interface is 0.

    • If an SSH user uses all authentication mode and an AAA user with the same name as the SSH user exists, user levels may be different in password, RSA and ECC authentication modes. Configure the user level based on actual requirements.
    • If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence.

Configuring an SSH User

To use STelnet to log in to a device, you need to configure an SSH user. In addition to setting AAA authentication for the VTY user interface, you also need to specify an authentication mode for the SSH user.

Context

SSH users can be authenticated in the following modes: password, Revest-Shamir-Adleman Algorithm (RSA), Elliptic Curves Cryptography (ECC), password-RSA, Password-ECC and all.

  • Password authentication: is based on the user name and password. You need to configure a password for each SSH user in the AAA view. A user must enter the correct user name and password to log in using SSH.
  • Rivest-Shamir-Adleman Algorithm (RSA) authentication: is based on the private key of the client. RSA is a public-key cryptographic system that uses an asymmetric encryption algorithm. An RSA key pair consists of a public key and a private key. You need to copy the public key generated by the client to the SSH server. The SSH server then uses the public key to encrypt data. A maximum of 20 keys can be stored on a device functioning as an SSH client.
  • Elliptic Curves Cryptography (ECC) authentication: is an elliptic curve algorithm. Compared with RSA, ECC features shorter key length, lower computational cost, faster processing speed, smaller storage space, and lower bandwidth requirement under the same security performance.
  • Password-RSA authentication: The SSH server implements both password and RSA authentication on login users. The users must pass both authentication modes to log in.
  • Password-ECC authentication: The SSH server implements both password and ECC authentication on login users. The users must pass both authentication modes to log in.
  • All authentication: The SSH server implements RSA, ECC or password authentication on login users. Users only need to pass either of them to log in.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure AAA user information.

    1. Run aaa

      The AAA view is displayed.

    2. Run local-user user-name password { cipher | irreversible-cipher } password

      A local user is created and a password is configured.

    3. Run local-user user-name privilege level level

      A user level is set for the local user.

    4. Run local-user user-name service-type ssh

      A service type is set for the local user.

    5. Run quit

      Return to the system view.

  3. (Optional) Run ssh user default-authentication-type { password | rsa }

    The default authentication mode is configured for SSH users.

    By default, the default authentication mode for SSH users is password authentication except AR161EW, AR161EW-M1, AR169EW, AR169EGW-L, AR2204XE-DC, and AR2204XE. By default, the default authentication mode for SSH users of the AR161EW, AR161EW-M1, AR169EW, AR169EGW-L, AR2204XE-DC, and AR2204XE is RSA authentication.

  4. Run ssh user user-name authentication-type { password | rsa | password-rsa | ecc | password-ecc |all }

    An authentication mode is set for the SSH user.

    • If password authentication is used, the SSH user is the user with the same name as the local user configured in the AAA view.
    • If RSA or ECC authentication is used, you need to configure the public key generated by the SSH client on the SSH server. When the SSH client logs in to the SSH server, the SSH client passes the authentication if the private key of the client matches the configured public key.

      In RSA or ECC authentication mode, the user level configured in the VTY user interface view takes effect.

      1. Run rsa peer-public-key key-name or ecc peer-public-key key-name

        The RSA or ECC public key view is displayed.

      2. Run public-key-code begin

        The public key editing view is displayed.

      3. Enter the public key of the SSH client.

        The entered public key must be a hexadecimal string complying with the public key format. The string is generated by SSH client software. For detailed operations, see the help document of the SSH client software.

      4. Run public-key-code end

        Exit the public key editing view.

      5. Run peer-public-key end

        Return to the system view from the public key view.

      6. Run ssh user user-name assign { rsa-key | ecc-key } key-name

        An RSA or ECC public key is allocated to the SSH user. When logging in to the server, the client enters the SSH user name corresponding to its public key as prompted.

    • If Password-RSA or Password-ECC authentication is used, configure AAA user information and enter the public key generated on the client.
    • If all authentication is used, configure AAA user information or enter the public key generated on the client or perform the two operations together.

Enabling the SSH Server Function

To allow user terminals to establish an SSH connection with a device, log in to the device in another mode and enable the SSH server function on the device.

Context

A device serving as an SSH server must generate a key pair of the same type as the client's key for data encryption and server authentication on the client. The device also supports configuration of rich SSH server attributes for flexible control on SSH login.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run stelnet server enable

    The SSH server function is enabled on the device.

    By default, the SSH server function is disabled.

  3. (Optional) Run ssh server cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes192_ctr | aes256_ctr | blowfish_cbc | des_cbc }*

    An encryption algorithm list is configured for the SSH server.

    Earlier versions of V200R010C10:

    By default, algorithms except des_cbc are included in the encryption algorithm list of the SSH server.

    V200R010C10 and later versions:

    By default, an SSH server supports the following encryption algorithms: aes128_ctr, aes192_ctr, and aes256_ctr.

    The server and client negotiate the algorithm for encrypting packets transmitted between them. You can run the ssh server cipher command to configure the encryption algorithm list of the SSH server. The server compares the encryption algorithm list sent from the client with its own encryption algorithm list, and selects the first matched encryption algorithm for encrypting transmitted packets. If the encryption algorithm lists of the server and client have no common encryption algorithm, the encryption algorithm negotiation fails.

    You are advised not to add the following encryption algorithms to the encryption algorithm list of the SSH server because they provide low security: 3des_cbc, aes128_cbc, blowfish_cbc, and des_cbc.

  4. (Optional) Run ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 }*

    A check algorithm list is configured for the SSH server.

    Earlier versions of V200R010C10:

    By default, an SSH server supports all the check algorithms.

    V200R010C10 and later versions:

    By default, an SSH server supports the sha2_256 encryption algorithms only.

    The server and client negotiate the algorithm for checking packets transmitted between them. You can run the ssh server hmac command to configure the check algorithm list of the SSH server. The server compares the check algorithm list sent from the client with its own check algorithm list, and selects the first matched check algorithm for checking transmitted packets. If the check algorithm lists of the server and client have no common check algorithm, the check algorithm negotiation fails.

    You are advised not to add the following HMAC check algorithms to the HMAC check algorithm list of the SSH server because they provide low security: sha2_256_96, sha1, sha1_96, md5, and md5_96.

  5. (Optional) Run ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

    A key exchange algorithm list is configured for the SSH server.

    Earlier versions of V200R010C10:

    By default, an SSH server supports all key exchange algorithms.

    V200R010C10 and later versions:

    By default, an SSH server supports the following key exchange algorithms: dh_group_exchange_sha1 and dh_group14_sha1.

    During the negotiation process, the client and server negotiate the key exchange algorithm for packet transmission. You can perform this step to configure a key exchange algorithm list for the SSH server. The server compares the key exchange algorithm list sent by the client with its own key exchange algorithm list, and selects the first key exchange algorithm on the client's list that matches a key exchange algorithm on its own list as the key exchange algorithm for packet transmission. If no algorithm on the client's list matches an algorithm on the server's list, the negotiation fails.

    You are advised not to add the dh_group1_sha1 algorithm to the key exchange algorithm list of the SSH server because it provides low security.

  6. Run rsa local-key-pair create orecc local-key-pair create

    A local RSA or ECC key pair is generated.

    A longer key pair indicates higher security. It is recommended that you use the maximum key pair length.

  7. (Optional) Run ssh server port port-number

    The port number of the SSH server is specified.

    By default, the port number of the SSH server is 22.

    Configuring a port number for an SSH server can prevent attackers from accessing the SSH server using the default port, improving SSH server security.

  8. (Optional) Run ssh server rekey-interval hours

    The interval for updating key pairs is set.

    The default interval is 0, indicating that the key pairs are never updated.

    An SSH server automatically updates key pairs at the configured intervals, which ensures security.

  9. (Optional) Run ssh server timeout seconds

    The timeout period is set for SSH authentication.

    The default timeout period is 60 seconds.

    If a user fails to log in within the timeout period for SSH authentication, the device disconnects the current connection to ensure system security.

  10. (Optional) Run ssh server authentication-retries times

    The maximum number of SSH authentication retries is set.

    The default maximum number of SSH authentication retries is 3.

    You can set the maximum number of SSH authentication retries to prevent unauthorized access.

  11. (Optional) Run ssh server compatible-ssh1x enable

    Compatibility with earlier SSH versions is enabled.

    By default, compatibility with earlier SSH versions is disabled on an unconfigured device. When a device is upgraded to a later version, the configuration of the compatibility function is the same as that specified in the configuration file.

    If the SSH server is enabled to be compatible with earlier SSH versions, the system prompts a security risk.

  12. (Optional) Run telnet server-source { -a [ ipv6 ] source-ip-address | -i [ ipv6 ] interface-type interface-number }

    The source interface is specified for the SSH server.

    By default, the source interface of a SSH server is not specified.

    If the source IP address is not specified for the SSH server, the device selects a source IP address according to routing entries to send packets. Specify an interface in stable state, such as a loopback interface, as the source interface. Before specifying a source interface, make sure that the SSH client has a reachable route to the source interface. Otherwise, the configuration will fail.

  13. (Optional) Run ssh server permit interface { interface-type interface-number } &<1-5>

    The physical interfaces on the SSH server to which clients can connect is specified.

    By default, clients can connect to all the physical interfaces on the SSH server.

    To prevent a client from connecting to the SSH server through an unauthorized physical interface, you can run the command to specify physical interfaces on the SSH server to which the client can connect.

Logging In to a Device Through STelnet

This section describes how to log in to a device using STelnet.

Context

After completing SSH user and STelnet server configurations on a device, you can use STelnet software on a PC to log in to the device. Assume that password authentication is configured for SSH users and the management IP address of the device is 10.137.217.203. The third-party software, PuTTY, is used as an example to illustrate the STelnet login process.

Procedure

  1. Start the PuTTY software, enter the device's IP address and port and select the SSH protocol.

    Figure 9-11  Logging in to an SSH server through PuTTY in password authentication mode

  2. Click Open. In the displayed page, enter the user name and password and press Enter to log in to the device through STelnet.

    login as: client001      //Enter the SSH user name.
    Sent username "client001"
    
    client001@10.137.217.203's password:           //Enter the password configured through AAA.
    
    <SSH Server>

Verifying the Configuration

  • Run the display ssh user-information [ username ] command to check information about SSH users on the SSH server. If no SSH user is specified, information about all SSH users logging in to the SSH server is displayed.
  • Run the display ssh server status command to check global configurations of the SSH server.
  • Run the display ssh server session command to check information about sessions between the SSH server and client.

(Optional) Using STelnet to Log In to Another Device from the Local Device

This section describes how to use STelnet to log in to another device from the local device.

Context

A device can function as both an STelnet server and an STelnet client. As an STelnet client, the device can log in to other devices. When a terminal lacks the necessary software or no reachable route exists between the terminal and target device, you can log in to an intermediate device and then use STelnet to log in to the target device from the intermediate device. The intermediate device functions as an STelnet client.

As shown in Figure 9-12, a PC connects to a device through network 1 and the device connects to an STelnet server through network 2. The PC cannot directly communicate with the STelnet server. In this situation, you can configure the device as an STelnet client and log in to the STelnet server from the device.
Figure 9-12  Configuring a device as an STelnet client to log in to another device

Pre-configuration Tasks

Before configuring a device as an STelnet client to log in to another device, complete the following tasks:

  • Log in to the device from a terminal.
  • Configure a reachable route between the device and STelnet server.
  • Enable the STelnet server function on the STelnet server.
  • Obtain the SSH user name and password, server keys, and port number configured on the STelnet server.

Procedure

  1. Generate a local key pair for the SSH client.

    1. Run system-view

      The system view is displayed.

    2. Run rsa local-key-pair create, or ecc local-key-pair create

      A local RSA or ECC key pair is generated. The generated key pair must be of the same type as that of the server.

      You can run the display rsa local-key-pair public or display ecc local-key-pair public command to view information about the public key in the generated RSA or ECC key pair. Configure the public key on the SSH server. For details, see Configuring an SSH User.

    3. Run quit

      Return to the user view.

  2. Configure the mode in which the device connects to the SSH server for the first time.

    When working as an SSH client to connect to an SSH server for the first time, the device cannot validate the SSH server because the public key of the SSH server has not been saved on the client. As a result, the connection fails. You can perform either of the following operations to rectify the connection failure:

    • Enable first-time authentication on the SSH client. This function allows the device to successfully connect to an SSH server for the first time without validating the SSH server's public key. If saving the SSH server's public key is selected during server authentication, the device automatically saves the SSH server's public key after connecting to the server successfully for subsequent server authentication. If saving the SSH server's public key is not selected, the system asks you whether to save the SSH server's public key the next time server authentication is performed.
      1. Run system-view

        The system view is displayed.

      2. Run ssh client first-time enable

        First-time authentication is enabled on the SSH client.

        By default, first-time authentication is disabled on an SSH client.

    • Configure the SSH client to assign a public key to the SSH server. In this mode, the public key generated on the server is directly saved on the client to ensure that the SSH server passes the validity check on the client's first login.
      1. Run system-view

        The system view is displayed.

      2. Run rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] or ecc peer-public-key key-name encoding-type { der | openssh | pem }

        The RSA or ECC public key view is displayed.

      3. Run public-key-code begin

        The public key editing view is displayed.

      4. Enter the public key of the SSH server.

        The entered public key must be a hexadecimal string complying with the public key format. The string is randomly generated on the SSH server.

        After entering the public key editing view, you can enter the RSA or ECC public key generated by the server on the client.

      5. Run public-key-code end

        Exit the public key editing view.

      6. Run peer-public-key end

        Exit the public key view.

      7. Run ssh client servername assign { rsa-key| ecc-key } key-name

        The RSA or ECC public key is bound to the SSH server.

        If the SSH server's public key saved on the SSH client does not take effect, run the undo ssh client servername assign { rsa-key | ecc-key } command to unbind the RSA or ECC public key from the SSH server and then run the command to assign a new RSA or ECC public key to the SSH server.

  3. Log in to another device.

    Run either of the preceding commands based on the network address type.

    • IPv4 mode:

      run the stelnet [ -a source-address ] host-ip [ port-number ] [ [ -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command to log in to another device.

    • IPv6 mode:

      run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] [ [ -vpn6-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command to log in to another device.

    When port 22 is specified as the protocol port number for the STelnet server, the STelnet client can log in with no port number specified. If another port number is specified as the protocol port number for the STelnet server, you must specify the port number used by the client to log in.

    When configuring an STelnet client to log in to an SSH server, you can specify the source IP address, select a key exchange algorithm, an encryption algorithm, and an HMAC algorithm, and enable the keepalive function on the client.

    DES, 3DES, MD5, MD5_96, SHA1, and SHA1_96 encryption algorithm cannot ensure security. AES128, AES128-CTR, AES192-CTR or AES256-CTR encryption algorithm is recommended.

Verifying the Configuration

  • Run the display ssh server command to check the mapping between all SSH servers and RSA or ECC public keys on the SSH client

Configuring the Redirection Function for Device Login

After completing redirection configuration, you can log in to a remote serial port device from the local device to configure and manage the remote device.

Pre-configuration Tasks

Before logging in to a device through redirection, complete the following tasks:

  • Start a remote device.
  • Use a TTY user interface: ensuring that the remote device is directly connected to the 8AS card or 2SA card (8AS card is recommended) on the router using an asynchronous serial cable, and the physical and protocol status of the asynchronous serial interface on the router is Up.

    For details about the asynchronous serial cable, see "8AS Cable" or "Serial Cable (CON/RS232)" in the Huawei AR Series Access Routers Get to Know the Product - Hardware Description - Cables.

(Optional) Configuring an Authentication Mode for TTY User Interface

You can configure an authentication mode for TTY user interface to ensure secure login through the redirection function.

Context

The TTY user interface supports AAA authentication and password authentication.

  • AAA authentication: Users must enter both user names and passwords for login. If either a user name or a password is incorrect, the login fails.

  • Password authentication: Users must enter passwords for login. Only after a user enters the correct password does the device allow the users to log in.

Procedure

  • Configure AAA authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface tty tty-number

      The TTY user interface view is displayed.

    3. Run authentication-mode aaa

      The authentication mode is set to AAA authentication.

    4. Run quit

      Exit the Console or TTY user interface view.

    5. Run aaa

      The AAA view is displayed.

    6. Run local-user user-name password { cipher | irreversible-cipher } password

      A local user account is created and a password is configured.

    7. Run local-user user-name service-type telnet

      The access type of the local user is set to Telnet.

    8. Run quit

      Exit the AAA view.

  • Configure password authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface console 0

      The console user interface view is displayed.

      Or run user-interface tty tty-number

      The TTY user interface view is displayed.

    3. Run authentication-mode password

      The authentication mode is set to password authentication.

    4. Run set authentication password cipher

      An authentication password is set.

Logging In to a Device Through Redirection

This section describes how to configure the redirection function and use this function to log in to a remote device.

Context

To manage a remote device that can transmit data only through a serial port, configure the redirection function on the current device.

A remote device can be a router, a switch, an electricity terminal, a finance terminal, or other terminals that use serial ports to transmit data.

  • Managing remote routers and switches

    A device equipped with an 8AS card is used as an example. As shown in Figure 9-13, there are two routers and two switches connected to the device. The redirection function on the device can be used to manage remote devices that can only be managed through serial ports. The asynchronous serial port on the device is connected to the serial ports on the remote devices for users to manage and maintain the remote devices.

    Figure 9-13  Diagram for login through redirection (1)

  • Managing terminals such as intelligent electricity meters, intelligent water meters, and automatic teller machines

    As shown in Figure 9-14, the redirection function is enabled on the device. The device listens to the specified TCP port and receives data packets from the terminals through serial ports. After receiving data packets, the device encapsulates the packets into Ethernet frames so that they can be transmitted over an Ethernet network. This implements the remote data transmission and management on the terminals.

    Figure 9-14  Diagram for login through redirection (2)

Procedure

  1. Enable the redirection function on the router.
    1. Run system-view

      The system view is displayed.

    2. Run interface async interface-number

      The asynchronous interface view is displayed.

    3. Run async mode flow

      The asynchronous serial interface is configured to work in flow mode.

      By default, an asynchronous serial interface works in protocol mode.

    4. Run quit

      Exit from the asynchronous serial interface view.

    5. Run:user-interface tty tty-number

      The TTY user interface view is displayed.

      When configuring the TTY user interface, pay attention to the following points:
      • After an 8AS interface card registers successfully, the device generates random numbers for TTY user interfaces. To view the TTY user interface number mapped to an asynchronous serial port, run the display user-interface command.
      • If the modem function is enabled on a TTY user interface, the redirection function does not take effect on the TTY user interface.

    6. (Optional) Run authentication-mode { password | aaa }

      A user authentication mode is specified.

      For details on configuration of the authentication mode, see Configuring an Authentication Mode for the TTY User Interface.

    7. Run redirect [ ssh ] enable

      The redirection function is enabled.

      By default, the redirection function is disabled.

    8. (Optional) Run transparent-mode enable

      The transparent transmission mode for redirection on the serial port is enabled.

      By default, the transparent transmission mode for redirection on a serial port is disabled.

      The device checks data redirected by a serial port and discards unidentifiable data, damaging the original data. You can run this command to ensure the original data integrity. The device will transparently transmit data without checking it.

    9. Run undo shell

      The terminal service is disabled on the user interface.

      By default, the terminal service is disabled on a TTY user interface.

    10. (Optional) Run redirect binding vpn-instance vpn-instance-name

      The redirection function is associated with a VPN instance.

      By default, the redirection function is not associated with any VPN instance, and all users on public and private networks can use the redirection function to log in to remote devices.

    11. (Optional) Run redirect [ ssh ] listen-port port-number

      A port number is specified for setting up connections through the redirection function.

      By default, the port number that the local device uses to set up a connection with a remote device is 2000 plus tty-number. When the default port number is used by another service, perform this step to set a new port number.

  2. Log in to a device from a terminal through redirection.

    • Telnet mode

      Log in to a device from a terminal through redirection in Telnet mode. The Windows command line is used as an example.

      1. Open the command line window.

      2. Run the telnet host-name port-number command to log in to the device through redirection.

        In the command, host-name is the IP address or host name of the router with the redirection function enabled, and port-number is the default listening port number (2000 plus tty-number) or the port number configured using the redirect listen-port command. (The following information is only for reference.)

        C:\Documents and Settings\Administrator> telnet 10.1.1.1 2042
        Press CTRL_] to quit telnet mode
          Trying 10.1.1.1...
          Connected to 10.1.1.1...
        Login authentication
        
        
        Password:
         <Router>
        
    • STelnet mode

      Log in to a device from a terminal through redirection in STelnet mode. The third-party software PuTTY is used as an example.

      # Log in to the device using PuTTY. Set the protocol type to SSH, Host Name to the IP address or host name of the redirection-enabled router, and Port to the default port number (2000 plus TTY number) or the port number specified using the redirect ssh listen-port command. (The following information is only for reference.)

      Figure 9-15  Using Putty to redirect to a device in STelnet mode

      # Click Open. Enter the user name and password at the prompt, and press Enter. You have logged in to the device. (The following information is only for reference.)

      login as: client001
      client001@10.1.1.1's password:
      
      <Router>
      

Verifying the Configuration

Run the display tcp status command to check the current TCP connection status.

Configuring Reverse Telnet Login

The reverse Telnet function enables dumb terminals that are directly connected to a router using asynchronous serial cables or console cables to log in to a remote server.

Pre-configuration Tasks

Before logging in to a device through reverse Telnet, complete the following tasks:

  • Start a remote device.
  • Use a TTY user interface: ensuring that a dumb terminal is directly connected to the 1SA or 2SA card of the router with an asynchronous cable and the physical status and protocol status of the connected asynchronous interface are Up.
  • Use the console user interface: ensuring that the remote device is directly connected to the console interface on the router.
  • Ensure that there are reachable routes between the router and the remote server.

For details about the asynchronous serial cable, see "SA Cable" in the Huawei AR Series Access Routers Get to Know the Product - Hardware Description - Cables.

Configuring an Authentication Mode for the Console or TTY User Interface

You can configure an authentication mode for the console user interface or a TTY user interface to ensure secure login through the reverse Telnet function.

Context

The console or TTY user interface supports AAA authentication and password authentication.

  • AAA authentication: Users must enter both user names and passwords for login. If either a user name or a password is incorrect, the login fails.

  • Password authentication: Users must enter passwords for login. Only after a user enters the correct password does the device allow the users to log in.

Procedure

  • Configure AAA authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface tty tty-number

      The TTY user interface view is displayed.

    3. Run authentication-mode aaa

      The authentication mode is set to AAA authentication.

    4. Run quit

      Exit the Console or TTY user interface view.

    5. Run aaa

      The AAA view is displayed.

    6. Run local-user user-name password { cipher | irreversible-cipher } password

      A local user account is created and a password is configured.

    7. Run local-user user-name service-type telnet

      The access type of the local user is set to Telnet.

    8. Run quit

      Exit the AAA view.

  • Configure password authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface console 0

      The console user interface view is displayed.

      Or run user-interface tty tty-number

      The TTY user interface view is displayed.

    3. Run authentication-mode password

      The authentication mode is set to password authentication.

    4. Run set authentication password cipher

      An authentication password is set.

Logging In to a Device Through Reverse Telnet (Direct Connection Through an Asynchronous Cable)

This section describes how to configure reverse Telnet and use this function to log in to a device through an asynchronous cable.

Context

As shown in Figure 9-16, a multimedia software terminal (dumb terminal) is connected to the router with an asynchronous cable, and the router is connected to a server. The terminal cannot communicate with the server directly. To enable the dumb terminal to communicate with the server, you can configure reverse Telnet on the router. The router then acts as a client to transmit data from the terminal to the server.
Figure 9-16  Diagram for login through reverse Telnet

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface async interface-number

    The asynchronous serial interface view is displayed.

  3. Run async mode flow

    The asynchronous serial interface is configured to work in flow mode.

    By default, an asynchronous serial interface works in protocol mode.

  4. Run quit

    Exit from the asynchronous serial interface view.

  5. Run user-interface tty tty-number

    The TTY user interface view is displayed.

    After a 1SA, or a 2SA interface card registers successfully, the device generates random numbers for TTY user interfaces. To view the TTY user interface number mapped to an asynchronous serial port, run the display user-interface command.

    If the modem function is enabled on a TTY user interface, the reverse Telnet function does not take effect on the TTY user interface.

  6. Run undo shell

    The terminal service is disabled on the user interface.

    By default, the terminal service is disabled on a TTY user interface.

  7. Run connect host [ port-number ] [ -a source-ip-address | -i interface-type interface-number ] [ -t interval ]

    Configure connection parameters on the router to enable the dumb terminal to set up a connection with the remote server through the router.

    By default, a dumb terminal cannot set up a connection with a remote server.

  8. (Optional) Run exline-breaker enable

    The router is enabled to add line breakers in output information.

    By default, the function of adding a line break is disabled.

    To configure the calling end to add line break \n when sending carriage return line break \r\n so that the calling and called ends have the same data, perform this step to enable the function of adding a line break.

  9. Connect the dumb terminal to the router using an asynchronous cable and log in to the remote server from the terminal.

Verifying the Configuration

Run the display tcp status command to check the current TCP connection status.

Configuring Reverse Telnet Login (Direct Connection Through a Console Cable)

This section describes how to configure reverse Telnet and use this function to log in to a device through a console cable.

Context

As shown in Figure 9-17, a multimedia software terminal (dumb terminal) is connected to the console interface of the router through a console cable, and the router is connected to a server. The terminal cannot communicate with the server directly. To enable the dumb terminal to communicate with the server, you can configure reverse Telnet on the router. The router then acts as a client to transmit data from the terminal to the server.
Figure 9-17  Networking for login through reverse Telnet

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface console 0

    The console user interface view is displayed.

  3. Run connect host [ port-number ] [ -a source-ip-address | -i interface-type interface-number ] [ -t interval ]

    The dumb terminal is configured to set up a connection with the remote server through the router.

    By default, a dumb terminal cannot set up a connection with a remote server.

  4. (Optional) Run exline-breaker enable

    The function of adding a line break is enabled.

    By default, the function of adding a line break is disabled.

    To configure the calling end to add line break \n when sending carriage return line break \r\n so that the calling and called ends have the same data, perform this step to enable the function of adding a line break.

  5. Run undo shell

    The terminal service is disabled on the console user interface.

    By default, the terminal service is enabled on the console user interface.

    For the device with the Config button, you can also press and hold down the config button for less than 5s, the terminal service on the console user interface will be switched between shell and undo shell once.

  6. Connect the dumb terminal to the console interface of the router using a console cable and log in to the remote server from the terminal.

Verifying the Configuration

Run the display tcp status command to check the current TCP connection status.

Typical Operations After Login

After logging in to a device through a console port or mini USB port, or using Telnet or STelnet, you can perform service configurations and the following common operations on the device.

Displaying Online Users

After logging in to a device, you can view user login information of each user interface.

Run the display users [ all ] command to view the user login information of user interfaces.

Setting an Authentication Password for Switching User Levels

AR3200 series routers do not support this function in active/standby switchover scenarios.

Users at a higher level can set an authentication password used to switch a user from a lower level to a higher level. If a user wants to use a command whose level is higher than the user level, the user can use the authentication password to switch to the higher level.

  1. Run the system-view command to enter the system view.
  2. Run the super password [ level user-level ] cipher command to set an authentication password used to switch a user from a lower level to a higher level.

Switching User Levels

AR3200 series routers do not support this function in active/standby switchover scenarios.

You need to enter a password when switching from a low user level to a higher one.

  1. Run the super [ level ] command in the user view to switch the user level.

    If the entered target user level is lower than or equal to the current user level, the system directly sets the entered user level as the target user level, and displays a message. If the target level is higher than the current user level, the system asks the user to enter the authentication password.

  2. Enter the password as prompted.

    If the password is correct, you will switch to a higher user level. If you enter an incorrect password three times consecutively, the system returns to the user view and the user level remains unchanged.

Sending Messages to Other User Interfaces

You can send messages from the current user interface to other user interfaces.

  1. Run the send { all | ui-number | ui-type ui-number1 } command to enable message exchange between user interfaces.
  2. Enter the message to send as prompted. Press Ctrl+Z or Enter to end message input and press Ctrl+C to end the current operation.
  3. At the system prompt, choose Y to send the message and N to cancel message sending.

Automatically Searching for the undo Command in the Upper-level View

When you run the undo command not registered with the current view, the system returns to the upper-level view to search for this undo command. If the undo command can be found, it takes effect. If the undo command cannot be found, the system continues to search for it in the next upper-level view until the system view.

  1. Run the system-view command to display the system view.

  2. Run the matched upper-view command to enable the undo command to run in the upper-level view.

    By default, the undo command does not automatically match the upper-level view.

    The matched upper-view command is only valid for current login users who run this command.

    You are not advised to configure the undo command to automatically match the upper-level view, unless necessary.

Locking a User Interface

When you need to temporarily leave the operation terminal, lock the user interface to prevent unauthorized users from operating the terminal.

  1. Run the lock command to lock the user interface.
  2. Enter the lock password and confirm password as prompted.
    <Huawei> lock
    Enter Password(<8-128>):
    Confirm Password:
    Info: The terminal is locked.

    After you run the lock command, the system prompts you to enter the lock password and confirm password. If the two passwords are the same, the current interface is locked successfully.

    To unlock the user interface, you must press Enter and enter the correct login password as prompted.

Configuration Examples for CLI Login

This section describes examples of logging in to a device through a console port, Telnet, or STelnet.

Example for Logging In to the Device Through a Console Port

Networking Requirements

If a user cannot remotely log in to a device, the user will attempt to log in through the console port. By default, a user only needs to pass password authentication to log in to the device from the console user interface. To prevent unauthorized users from accessing the device, change the authentication mode of the console user interface to AAA authentication.

Figure 9-18  Networking diagram of user login through a console port

Configuration Roadmap

The configuration roadmap is as follows:

  1. Use the terminal simulation software to log in to the device through a console port.
  2. Configure the authentication mode of the console user interface.

You can use the built-in terminal emulation software (such as the HyperTerminal of Windows 2000) on the PC. If no built-in terminal emulation software is available, use the third-party terminal emulation software. For details, see the software user guide or online help.

Procedure

  1. Use the terminal simulation software to log in to the device through a console port.
    1. Insert the DB9 connector of the console cable delivered with the product to the 9-pin serial port on the PC, and insert the RJ45 connector to the console port of the device, as shown in Figure 9-19.

      Figure 9-19  Connecting to the device through the console port

    2. Start the terminal emulation software on the PC. Create a connection, select the connected port, and set communication parameters.

      A PC may have multiple connection interfaces; therefore, the interface connected through the console cable is selected in this example. Generally, COM1 is selected.

      If the serial port communication parameters of the device are modified, modify the communication parameters on the PC accordingly (ensure that the parameter values are the same) and re-establish the connection.

    3. Press Enter until the system prompts you to enter the password. (The system will prompt you to enter the user name and password in AAA authentication. The following information is only for reference.)

      Login authentication
      
      
      Password:

      You can run commands to configure the device. Enter a question mark (?) whenever you need help.

  2. Configure the authentication mode of the console user interface.

    <Huawei> system-view
    <Huawei> sysname Router
    [Router] user-interface console 0
    [Router-ui-console0] authentication-mode aaa
    [Router-ui-console0] user privilege level 15
    [Router-ui-console0] quit
    [Router] aaa
    [Router-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
    [Router-aaa] local-user admin1234 privilege level 3
    [Router-aaa] local-user admin1234 service-type terminal

    After the preceding operations, you can re-log in to the device on the console user interface only by entering the user name admin1234 and password Helloworld@6789.

Configuration Files

#
sysname Router
#
aaa
 local-user admin1234 password irreversible-cipher %@%@HW=5%Mr;:2)/RX$FnU1HLO%-TBMp4wn%;~\#%iAut}_~O%0L%@%@
 local-user admin1234 privilege level 3
 local-user admin1234 service-type terminal
#
user-interface con 0
 authentication-mode aaa
#
return

Example for Configuring a Security Policy to Limit Telnet Login

Networking Requirements

As shown in Figure 9-20, the PC and the server (Huawei device) are reachable to each other. To implement easy remote configuration and management of the device, configure AAA authentication for Telnet users on the server and configure an ACL security policy that allows only users in compliance with the security policy to log in to the device.

Figure 9-20  Networking diagram for Configuring a Security Policy to Limit Telnet Login

The Telnet protocol poses a security risk, and therefore the STelnet V2 protocol is recommended.

Configuration Roadmap

The following configurations are performed on the Router. The configuration roadmap is as follows:

  1. Configure the Telnet login mode to implement remote network device maintenance.

  2. Configure an ACL security policy to ensure that only users in compliance with the security policy can log in to the device.

  3. Configure the administrator's user name and password and the AAA authentication mode to ensure that only users passing the authentication can log in to the device.

Procedure

  1. Set the server listening port number and enable the server function.

    <Huawei> system-view
    [Huawei] sysname Telnet Server
    [Telnet Server] telnet server enable
    [Telnet Server] telnet server port 1025

  2. Set the VTY user interface parameters.

    # Set the maximum number of VTY user interfaces.

    [Telnet Server] user-interface maximum-vty 8

    # Set the IP address of the device to which the user is allowed to log in.

    [Telnet Server] acl 2001
    [Telnet Server-acl-basic-2001] rule permit source 10.1.1.1 0
    [Telnet Server-acl-basic-2001] quit
    [Telnet Server] user-interface vty 0 7
    [Telnet Server-ui-vty0-7] acl 2001 inbound

    # Configure the terminal attributes of the VTY user interface.

    [Telnet Server-ui-vty0-7] shell
    [Telnet Server-ui-vty0-7] idle-timeout 20
    [Telnet Server-ui-vty0-7] screen-length 30
    [Telnet Server-ui-vty0-7] history-command max-size 20

    # Configure the user authentication mode of the VTY user interface.

    [Telnet Server-ui-vty0-7] authentication-mode aaa
    [Telnet Server-ui-vty0-7] quit

  3. Configure the login user information.

    # Configure the login authentication mode.

    [Telnet Server] aaa
    [Telnet Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
    [Telnet Server-aaa] local-user admin1234 service-type telnet
    [Telnet Server-aaa] local-user admin1234 privilege level 3
    [Telnet Server-aaa] quit

  4. Configure the client login.

    Enter commands at the command line prompt to log in to the device through Telnet.

    C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025

    Press Enter, and enter the user name and password in the login window. If the authentication is successful, the command line prompt of the user view is displayed. The user view configuration environment is displayed.

    Login authentication
    
    Username:admin1234
    Password:
    <Telnet Server>

Configuration Files

Telnet server configuration file

#
 sysname Telnet Server
#
acl number 2001
 rule 5 permit source 10.1.1.1 0
#
aaa
 local-user admin1234 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
 local-user admin1234 privilege level 3
 local-user admin1234 service-type telnet
#
 telnet server enable
 telnet server port 1025
#
user-interface maximum-vty 8
user-interface vty 0 7
 acl 2001 inbound
 authentication-mode aaa
 history-command max-size 20
 idle-timeout 20 0
 screen-length 30
#
return

Example for Logging In to the Device Through STelnet

Networking Requirements

As shown in Figure 9-21, users require secure remote login, but Telnet cannot provide a secure authentication method. In this scenario, STelnet can be configured to ensure security of remote login. PC1 and PC2 have reachable routes to the SSH server, and 10.137.217.203 is the IP address of the management interface on the SSH server. Two login users client001 and client002 need to be configured on the SSH server. PC1 uses the account of client001 to log in to the SSH server through password authentication; PC2 uses the account of client002 to log in to the SSH server through RSA authentication. Configure a security policy to ensure that only PC1 and PC2 can be used to log in to the device.

Figure 9-21  Networking diagram of logging in to the device through STelnet

The STelnet V1 protocol poses a security risk, and therefore the STelnet V2 mode is recommended.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Install the SSH server software on PC1. Install the key pair generation software, public key conversion software, and SSH server login software on PC2.

  2. Generate a local key pair on the SSH server to implement secure data exchange between the server and client.

  3. Configure different authentication modes for the SSH users client001 and client002 on the SSH server.

  4. Enable the STelnet service on the SSH server.

  5. Configure a security policy to ensure that only PC1 and PC2 can be used to log in to the device.
  6. Configure the STelnet server type for the SSH users client001 and client002 on the SSH server.

  7. Log in to the SSH server as the client001 and client002 users through STelnet.

Procedure

  1. Generate a local key pair on the server.

    <Huawei> system-view
    [Huawei] sysname SSH Server
    [SSH Server] rsa local-key-pair create
    The key name will be: Host
    RSA keys defined for Host already exist.
    Confirm to replace them? (y/n):y
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is less than 2048,
           It will introduce potential security risks.
    Input the bits in the modulus[default = 2048]:2048
    Generating keys...
    ......................................................................................+++
    ....+++
    .......................................++++++++
    ..............++++++++
    

  2. Create an SSH user on the server.

    # Configure the VTY user interface.

    [SSH Server] user-interface vty 0 4
    [SSH Server-ui-vty0-4] authentication-mode aaa
    [SSH Server-ui-vty0-4] protocol inbound ssh
    [SSH Server-ui-vty0-4] quit
    • Create an SSH user named client001.

      # Create an SSH user named client001 and configure the password authentication mode for the user.

      [SSH Server] aaa
      [SSH Server-aaa] local-user client001 password irreversible-cipher Huawei@123
      [SSH Server-aaa] local-user client001 privilege level 3
      [SSH Server-aaa] local-user client001 service-type ssh
      [SSH Server-aaa] quit
      [SSH Server] ssh user client001 authentication-type password
    • Create an SSH user named client002.

      # Create an SSH user named client002 and configure the RSA authentication mode for the user.

      [SSH Server] aaa
      [SSH Server-aaa] local-user client002 password irreversible-cipher Helloworld@6789
      [SSH Server-aaa] local-user client002 privilege level 3
      [SSH Server-aaa] local-user client002 service-type ssh
      [SSH Server-aaa] quit
      [SSH Server] ssh user client002 authentication-type rsa

      # Generate a local key pair of the client on PC2.

      1. Run puttygen.exe on the client. It is used to generate the public and private key files.

        Select SSH2 RSA and click Generate. By moving the cursor in the blank area to generated the key.

        Figure 9-22  PuTTY Key Generate page (1)

        After the key is generated, click Save public key to save the key in the key.pub file.

        Figure 9-23  PuTTY Key Generate page (2)

        Click Save private key. The PuTTYgen Warning dialog box is displayed. Click Yes. The private key is saved in the private.ppk file.

        Figure 9-24  PuTTY Key Generate page (3)

      2. Run sshkey.exe on the client. Convert the generated public key to the character string required for the device.

        Open the key.pub file required by SSH that is generated in the previous step.

        Figure 9-25  ssh key converter page (1)

        Click Convert(C). You can see the public keys before and after conversion.

        Figure 9-26  ssh key converter page (2)

      # Enter the RSA public key generated on PC2 to the SSH server.
      [SSH Server] rsa peer-public-key rsakey001
      [SSH Server-rsa-public-key] public-key-code begin
      [SSH Server-rsa-key-code] 30820108 02820101 00DD8904 1A5E30AA 976F384B 5DB366A7
      [SSH Server-rsa-key-code] 048C0E79 06EC6B08 8BB9567D 75914B5B 4EA7B2E5 1938D118
      [SSH Server-rsa-key-code] 4B863A38 BA7E0F0D BE5C5AE4 CA55B192 B531AC48 B07D21E3
      [SSH Server-rsa-key-code] 62E3F2A5 8C04C443 CF51CF51 136B5B9E 812AB1B7 1250EB24
      [SSH Server-rsa-key-code] A4AE5083 A1DB18EC E2395C9B B806E8F0 0BE24FB5 16958784
      [SSH Server-rsa-key-code] 403B617F 8AAAB1F8 C6DE8C3C F09E4D23 7D1C17BF 4AAF09C4
      [SSH Server-rsa-key-code] 74C083AF 17CD3075 3396B322 32C57FF0 B1991971 02F1033B
      [SSH Server-rsa-key-code] 81AA6D47 44520F23 685FAF72 04BA4B6E 615EF224 14E64E2A
      [SSH Server-rsa-key-code] 331EEB7F 188D9805 96DBFD30 0C947A5A BA879DC4 F848B769
      [SSH Server-rsa-key-code] 513C35CD B52B2917 02B77693 F79910EE 5287F252 977F985E
      [SSH Server-rsa-key-code] 5F186C94 93F26780 4E7F5F9D 5287350A 0A4F4988 1BF6AB7C
      [SSH Server-rsa-key-code] 1B020125
      [SSH Server-rsa-key-code] public-key-code end
      [SSH Server-rsa-public-key] peer-public-key end

      # Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.

      [SSH Server] ssh user client002 assign rsa-key rsakey001

  3. Enable the STelnet service on the SSH server.

    # Enable the STelnet service.

    [SSH Server] stelnet server enable

  4. Configure a security policy to ensure that only PC1 and PC2 can be used to log in to the device.

    [SSH Server] acl 2001
    [SSH Server-acl-basic-2001] rule permit source 10.137.217.10 0
    [SSH Server-acl-basic-2001] rule permit source 10.137.217.20 0
    [SSH Server-acl-basic-2001] rule deny source 10.137.217.30 0
    [SSH Server-acl-basic-2001] quit
    [SSH Server] user-interface vty 0 4
    [SSH Server-ui-vty0-4] acl 2001 inbound
    [SSH Server-ui-vty0-4] quit

  5. Verify the configuration.

    • Log in to the SSH server as the client001 user from PC1 using the password authentication mode.

      # Use the PuTTY software to log in to the device, enter the device IP address, and select the SSH protocol type.
      Figure 9-27  PuTTY Configuration page - password authentication mode

      # Click Open. Enter the user name and password at the prompt, and press Enter. You have logged in to the SSH server.

      login as: client001
      Sent username "client001"
      
      client001@10.137.217.203's password:
      
      <SSH Server>
    • Log in to the SSH server as the client002 user from PC2 using the RSA authentication mode.

      # Use the PuTTY software to log in to the device, enter the device IP address, and select the SSH protocol type.

      Figure 9-28  PuTTY Configuration page - RSA authentication mode (1)

      # Choose Connection > SSH in the navigation tree. The page shown in Figure 9-29 is displayed. Select 2 for Preferred SSH protocol version

      Figure 9-29  PuTTY Configuration page - RSA authentication mode (2)

      # Choose Connection > SSH > Auth in the navigation tree. The page shown in Figure 9-30 is displayed. Select the private.ppk file corresponding to the public key configured on the server.

      Figure 9-30  PuTTY Configuration page - RSA authentication mode (3)

      # Click Open. Enter the user name at the prompt, and press Enter. You have logged in to the SSH server. The following information is for reference only.
      login as: client002
      Authenticating with public key "rsa-key"
      
      <SSH Server>

Configuration Files

SSH server configuration file

#
 sysname SSH Server
#
acl number 2001
 rule 5 permit source 10.137.217.10 0 
 rule 10 permit source 10.137.217.20 0 
 rule 15 deny source 10.137.217.30 0
#
 rsa peer-public-key rsakey001
  public-key-code begin
   30820107
     02820100
       DD89041A 5E30AA97 6F384B5D B366A704 8C0E7906 EC6B088B B9567D75 914B5B4E
       A7B2E519 38D1184B 863A38BA 7E0F0DBE 5C5AE4CA 55B192B5 31AC48B0 7D21E362
       E3F2A58C 04C443CF 51CF5113 6B5B9E81 2AB1B712 50EB24A4 AE5083A1 DB18ECE2
       395C9BB8 06E8F00B E24FB516 95878440 3B617F8A AAB1F8C6 DE8C3CF0 9E4D237D
       1C17BF4A AF09C474 C083AF17 CD307533 96B32232 C57FF0B1 99197102 F1033B81
       AA6D4744 520F2368 5FAF7204 BA4B6E61 5EF22414 E64E2A33 1EEB7F18 8D980596
       DBFD300C 947A5ABA 879DC4F8 48B76951 3C35CDB5 2B291702 B77693F7 9910EE52
       87F25297 7F985E5F 186C9493 F267804E 7F5F9D52 87350A0A 4F49881B F6AB7C1B
     0201
       25
  public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
 local-user client001 privilege level 3
 local-user client001 service-type ssh
 local-user client002 password irreversible-cipher %^%#HW=5%Mr;:2)/RX$FnU1HLO%-TBMp4wn%;~\#%iAut}_~O%0L%^%#
 local-user client002 privilege level 3
 local-user client002 service-type ssh
#
 ssh user client002 assign rsa-key rsakey001
 ssh user client002 authentication-type rsa
 stelnet server enable
#
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode aaa
 protocol inbound ssh
#
return

Example for Configuring the Device as the Telnet Client to Log In to Another Device

Networking Requirements

As shown in Figure 9-31, the PC and Router1 have reachable routes to each other; Router1 and Router2 have reachable routes to each other. The user needs to manage and maintain Router2 remotely. However, the PC cannot directly log in to Router2 through Telnet because it has no reachable route to Router2. The user can log in to Router1 through Telnet, and then log in to Router2 from Router1. To prevent unauthorized devices from logging in to Router2 through Telnet, an ACL needs to be configured to allow only the Telnet connection from Router1 to Router2.

Figure 9-31  Networking diagram of configuring the device as the Telnet client to log in to another device

The Telnet protocol poses a security risk, and therefore the STelnet V2 protocol is recommended.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the Telnet authentication mode and password on Router2.
  2. Configure the Router2 to allow Router1 access with ACL.
  3. Log in to Router2 from Router1 through Telnet.

Procedure

  1. Configure the Telnet authentication mode and password on Router2.

    <Huawei> system-view
    [Huawei] sysname Router2
    [Router2] telnet server enable
    [Router2] user-interface vty 0 4
    [Router2-ui-vty0-4] user privilege level 3
    [Router2-ui-vty0-4] authentication-mode aaa
    [Router2-ui-vty0-4] quit

  2. Configure the login user information.

    [Router2] aaa
    [Router2-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
    [Router2-aaa] local-user admin1234 service-type telnet
    [Router2-aaa] local-user admin1234 privilege level 3
    [Router2-aaa] quit

  3. Configure the Router2 to allow Router1 access with ACL.

    [Router2] acl 2000
    [Router2-acl-basic-2000] rule permit source 10.1.1.1 0
    [Router2-acl-basic-2000] quit
    [Router2] user-interface vty 0 4
    [Router2-ui-vty0-4] acl 2000 inbound
    [Router2-ui-vty0-4] quit

    It is optional to configure an ACL for Telnet services.

  4. Verify the configuration.

    # After the preceding configuration, you can log in to Router2 from Router1 through Telnet. You cannot log in to Router2 from other devices. The following information is for reference only.

    <Huawei> system-view
    [Huawei] sysname Router1
    [Router1] quit
    <Router1> telnet 10.2.1.1
    Login authentication
    
    Username:admin1234
    Password:
    
    <Router2>

Configuration Files

Router2 configuration file

#
 sysname Router2
#
acl number 2000
 rule 5 permit source 10.1.1.1 0
#
aaa
 local-user admin1234 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
 local-user admin1234 privilege level 3
 local-user admin1234 service-type telnet
#
 telnet server enable
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 3
#
return

Example for Configuring the Device as the STelnet Client to Log In to Another Device

Networking Requirements

The enterprise requires that secure data exchange should be performed between the server and client. As shown in Figure 9-32, two login users Client001 and Client002 are configured and they use the password and RSA authentication modes respectively to log in to the SSH server. A new port number is configured and the default port number is not used.

Figure 9-32  Networking diagram of logging in to another device through STelnet

The STelnet V1 protocol poses a security risk, and therefore the STelnet V2 mode is recommended.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Generate a local key pair on the SSH server to implement secure data exchange between the server and client.

  2. Configure different authentication modes for the SSH users client001 and client002 on the SSH server.

  3. Enable the STelnet service on the SSH server.

  4. Configure the STelnet server type for the SSH users client001 and client002 on the SSH server.

  5. Set the SSH server listening port number on the SSH server to prevent attackers from accessing the SSH service standard port and ensure security.

  6. Log in to the SSH server as the client001 and client002 users through STelnet.

Procedure

  1. Generate a local key pair on the server.

    <Huawei> system-view
    [Huawei] sysname SSH Server
    [SSH Server] rsa local-key-pair create
    The key name will be: Host
    RSA keys defined for Host already exist.
    Confirm to replace them? (y/n):y
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is less than 2048,
           It will introduce potential security risks.
    Input the bits in the modulus[default = 2048]:2048
    Generating keys...
    ......................................................................................+++
    ....+++
    .......................................++++++++
    ..............++++++++
    

  2. Create an SSH user on the server.

    # Configure the VTY user interface.

    [SSH Server] user-interface vty 0 4
    [SSH Server-ui-vty0-4] authentication-mode aaa
    [SSH Server-ui-vty0-4] protocol inbound ssh
    [SSH Server-ui-vty0-4] quit
    • Create an SSH user named client001.

      # Create an SSH user named client001 and configure the password authentication mode for the user.

      [SSH Server] aaa
      [SSH Server-aaa] local-user client001 password irreversible-cipher Huawei@123
      [SSH Server-aaa] local-user client001 privilege level 3
      [SSH Server-aaa] local-user client001 service-type ssh
      [SSH Server-aaa] quit
      [SSH Server] ssh user client001 authentication-type password
    • Create an SSH user named client002.

      # Create an SSH user named client002 and configure the RSA authentication mode for the user.

      [SSH Server] aaa
      [SSH Server-aaa] local-user client002 password irreversible-cipher Helloworld@6789
      [SSH Server-aaa] local-user client002 privilege level 3
      [SSH Server-aaa] local-user client002 service-type ssh
      [SSH Server-aaa] quit
      [SSH Server] ssh user client002 authentication-type rsa

      # Generate a local key pair for Client002.

      <Huawei> system-view
      [Huawei] sysname client002
      [client002] rsa local-key-pair create
      The key name will be: Host
      RSA keys defined for Host already exist.
      Confirm to replace them? (y/n):y
      The range of public key size is (512 ~ 2048).
      NOTES: If the key modulus is less than 2048,
             It will introduce potential security risks.
      Input the bits in the modulus[default = 2048]:2048
      Generating keys...
      ......................................................................................+++
      ....+++
      .......................................++++++++
      ..............++++++++
      
      # Check the public key in the RSA key pair generated on the client.
      [client002] display rsa local-key-pair public
      
      =====================================================
      Time of Key pair created: 2012-08-06 17:17:37+00:00
      Key name: Host
      Key type: RSA encryption Key
      =====================================================
      Key code:
      30820109
        02820100
          CB0E88EC A1C2CFEA F97126F9 36919C08 0455127B
          A3A48594 69517096 35626F55 E4FAF0EB FDA2B9E9
          5E417B2B E09F38B0 D26FCA73 FE2E3FC4 DFBEC8CF
          4ED0C909 E8D975E6 FFC73C81 D13FE71E 759DC805
          B0F0E877 4FC9288E BE1E197C 2A7186B0 B56F5573
          3A5EA588 29C63E3B 20D56233 8E63278D F941734F
          6B359C69 BBAE5A52 EB842179 04B4204D 5DB31D72
          97F0C085 DA771F66 0AAADC28 D264CEB9 5BADA92C
          CDE9F116 D6D99C48 CEBA3A1D 868B053A 32941D85
          CCAA9796 A4B55760 0A8108ED DB45DA12 F61634C9
          59431600 341FEDEF 5379D565 A8D1953D DEA018A2
          72F99FFC 63DE04BF 2A6219BD DF13D705 27D63DEF
          83D556BC 5B44D983 8D5EA126 C1EB71CB 
        0203
          010001
      
      =====================================================
      Time of Key pair created: 2012-08-06 17:17:44+00:00
      Key name: Server
      Key type: RSA encryption Key
      =====================================================
      Key code:
      3067
        0260
          DF8AFF3C 28213B94 2292852E E98657EE 11DE5AF4
          8A176878 CDD4BD31 55E05735 3080F367 A83A9034
          47D534CA 81250C1D 35401DC3 464E9E5F A50202CF
          A7AD09CD AC3F531C A763F0A0 4C8E51B9 18755400
          76AF4A78 225C92C3 01FE0DFF 06908363
        0203
          010001 
      # Configure the RSA public key on the SSH server. (Information in bold in the display command output is the RSA public key. Copy the information to the server.)
      [SSH Server] rsa peer-public-key rsakey001
      [SSH Server-rsa-public-key] public-key-code begin
      [SSH Server-rsa-key-code] 30820109
      [SSH Server-rsa-key-code] 02820100
      [SSH Server-rsa-key-code] CB0E88EC A1C2CFEA F97126F9 36919C08 0455127B
      [SSH Server-rsa-key-code] A3A48594 69517096 35626F55 E4FAF0EB FDA2B9E9
      [SSH Server-rsa-key-code] 5E417B2B E09F38B0 D26FCA73 FE2E3FC4 DFBEC8CF
      [SSH Server-rsa-key-code] 4ED0C909 E8D975E6 FFC73C81 D13FE71E 759DC805
      [SSH Server-rsa-key-code] B0F0E877 4FC9288E BE1E197C 2A7186B0 B56F5573
      [SSH Server-rsa-key-code] 3A5EA588 29C63E3B 20D56233 8E63278D F941734F
      [SSH Server-rsa-key-code] 6B359C69 BBAE5A52 EB842179 04B4204D 5DB31D72
      [SSH Server-rsa-key-code] 97F0C085 DA771F66 0AAADC28 D264CEB9 5BADA92C
      [SSH Server-rsa-key-code] CDE9F116 D6D99C48 CEBA3A1D 868B053A 32941D85
      [SSH Server-rsa-key-code] CCAA9796 A4B55760 0A8108ED DB45DA12 F61634C9
      [SSH Server-rsa-key-code] 59431600 341FEDEF 5379D565 A8D1953D DEA018A2
      [SSH Server-rsa-key-code] 72F99FFC 63DE04BF 2A6219BD DF13D705 27D63DEF
      [SSH Server-rsa-key-code] 83D556BC 5B44D983 8D5EA126 C1EB71CB
      [SSH Server-rsa-key-code] 0203
      [SSH Server-rsa-key-code] 010001
      [SSH Server-rsa-key-code] public-key-code end
      [SSH Server-rsa-public-key] peer-public-key end

      # Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.

      [SSH Server] ssh user client002 assign rsa-key rsakey001

  3. Enable the STelnet service on the SSH server.

    # Enable the STelnet service.

    [SSH Server] stelnet server enable

  4. Configure a new listening port number on the SSH server.

    [SSH Server] ssh server port 1025

  5. Connect the STelnet client to the SSH server.

    # Enable the first authentication function on the SSH client upon the first login.

    Enable the first authentication function for Client001.

    <Huawei> system-view
    [Huawei] sysname client001
    [client001] ssh client first-time enable

    Enable the first authentication function for Client002.

    [client002] ssh client first-time enable

    # Log in to the SSH server from Client001 in password authentication mode by entering the user name and password.

    [client001] stelnet 10.1.1.1 1025
    Please input the username:client001
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Connected to 10.1.1.1 ...
    The server is not authenticated. Continue to access it?(y/n)[n]:y
    Save the server's public key?(y/n)[n]:y
    The server's public key will be saved with the name 10.1.1.1. Please wait...
    
    Enter password:   

    Enter the password. The following information indicates that you have logged in successfully:

    <SSH Server>

    # Log in to the SSH server from Client002 in RSA authentication mode.

    [client002] stelnet 10.1.1.1 1025
    Please input the username:client002
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Connected to 10.1.1.1 ...
    The server is not authenticated. Continue to access it?(y/n)[n]:y
    Save the server's public key?(y/n)[n]:y
    The server's public key will be saved with the name 10.1.1.1. Please wait...
    
    <SSH Server>

    The user enters the user view, indicating that login succeeds.

  6. Verify the configuration.

    # Attackers fail to log in to the SSH server using the default listening port number 22.

    [client002] stelnet 10.1.1.1
    Please input the username:client002
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Error: Failed to connect to the remote host.

    # Run the display ssh server status commands. You can see that the STelnet service has been enabled. Run the display ssh user-information command. Information about the configured SSH users is displayed.

    # Check the status of the SSH server.

    [SSH Server] display ssh server status
     SSH version                         :1.99
     SSH connection timeout              :60 seconds
     SSH server key generating interval  :0 hours
     SSH Authentication retries          :3 times
     SFTP Server                         :Disable
     Stelnet server                      :Enable
     SSH server port                     :1025

    # Check information about SSH users.

    [SSH Server] display ssh user-information
    -------------------------------------------------------------------------------
     Username         Auth-type          User-public-key-name
     -------------------------------------------------------------------------------
     client001        password           null
     client002        rsa                rsakey001
     -------------------------------------------------------------------------------

Configuration Files

  • SSH server configuration file

    #
     sysname SSH Server
    #
     rsa peer-public-key rsakey001
      public-key-code begin
       30820109
         02820100
           E4653DA4 68032D8A B419276E 5B32743C 181FC72E AEDA3173 578EBE00 68606ED6
           D1A79735 90043220 2492B6B1 CB96BD4C E74A3209 96A829E4 EFD550FA 70855E0F
           CC622FD5 D76AD6D3 FF07F87D 19D77E06 0224D05E 481B639F 5CFB5E84 AE9FF40A
           CA2ABD4F F00B6316 6EFDADA4 7945CCC9 04C65675 22AE45C3 A2822708 AA764A40
           FBAC61F6 FB42F90C F55B1FA7 B51A58BB 4ACACD2E 7764FCCE E3B296FC 1380C0C0
           5E4A6BEE 92FB7793 E6D66E64 A3E4D581 8462C601 83C22BBF BFDF9B33 78840397
           99946916 356103D8 A791AE04 95C8A11C 3490E857 6363115B EF6A162C 6B8593A5
           8ECF3A3F 6C562154 D93B010C 932C3D18 1573F8CB D626EEA7 54F0C4E2 642BA909
         0203
           010001
      public-key-code end
     peer-public-key end
    #
    aaa
     local-user client001 password irreversible-cipher %^%#HW=5%Mr;:2)/RX$FnU1HLO%-TBMp4wn%;~\#%iAut}_~O%0L%^%#
     local-user client001 privilege level 3
     local-user client001 service-type ssh
     local-user client002 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
     local-user client002 privilege level 3
     local-user client002 service-type ssh
    #
     ssh user client002 assign rsa-key rsakey001
     ssh user client002 authentication-type rsa
     stelnet server enable
     SSH server port 1025
    #
    user-interface vty 0 4
     authentication-mode aaa
     protocol inbound ssh
    #
    return
  • Client001 configuration file

    #
     sysname client001
    #
    ssh client first-time enable
    #
    return
  • Client002 configuration file

    #
     sysname client002
    #
    ssh client first-time enable
    #
    return

Example for Logging In to Another Device Through Redirection

Networking Requirements

In telecommunication and financial fields, some terminals provide only access through the serial port or cannot access the Internet using Telnet. The serial port redirection of the router enables you to configure and manage terminals connected to the router through Telnet.

As shown in Figure 9-33, the asynchronous serial port on RouterA connects to the console port on RouterB through an asynchronous serial cable. You can log in to RouterB through RouterA from the remote PC in vpna. RouterA functions as the serial port server and there is a reachable route between the remote PC and RouterA. You can log in to RouterB connected to RouterA from the remote PC using the IP address and specified port number.

For details about the asynchronous serial cable, see "8AS Cable" in the Huawei AR Series Access Routers Get to Know the Product - Hardware Description - Cables.

Figure 9-33  Networking diagram for redirection configuration

Configuration Roadmap

The configuration roadmap is as follows:

  1. Connect the console port of RouterB to an asynchronous serial port of RouterA.
  2. Enable the redirection function on RouterA.

Procedure

  1. Configure the asynchronous serial port to work in flow mode.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface async 2/0/1
    [RouterA-Async2/0/1] async mode flow
    

  2. Obtain the TTY user interface number corresponding to the asynchronous serial port.

    [RouterA] display user-interface 
      Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int                    
      0    CON 0    9600       -     15    -           N     -                      
      41   TTY 41   9600       inout 0     -           N     2/0/0                  
      42   TTY 42   9600       -     0     -           N     2/0/1                  
      43   TTY 43   9600       -     0     -           N     2/0/2                  
      44   TTY 44   9600       -     0     -           N     2/0/3                  
      45   TTY 45   9600       -     0     -           N     2/0/4                  
      46   TTY 46   9600       -     0     -           N     2/0/5                  
      47   TTY 47   9600       -     0     -           N     2/0/6                  
      48   TTY 48   9600       -     0     -           N     2/0/7                  
    + 129  VTY 0               -     15    4           N     -                      
      130  VTY 1               -     15    -           N     -                      
      131  VTY 2               -     15    -           N     -                      
      132  VTY 3               -     15    -           N     -                      
      133  VTY 4               -     15    -           N     -                      
      145  VTY 16              -     0     -           P     -                      
      146  VTY 17              -     0     -           P     -                      
      147  VTY 18              -     0     -           P     -                      
      148  VTY 19              -     0     -           P     -                      
      149  VTY 20              -     0     -           P     -                      

  3. Configuring a VPN Instance vpna.

    [RouterA] ip vpn-instance vpna
    [RouterA-vpn-instance-vpna] route-distinguisher 1:1
    [RouterA-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
    [RouterA-vpn-instance-vpna-af-ipv4] vpn-target 111:1 import-extcommunity
    [RouterA-vpn-instance-vpna-af-ipv4] quit
    [RouterA-vpn-instance-vpna] quit
    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ip binding vpn-instance vpna 
    [RouterA-GigabitEthernet0/0/1] ip address 10.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet0/0/1] quit

  4. Enable the redirection function on RouterA and associate the redirection function with the VPN instance vpna.

    [RouterA] user-interface tty 42
    [RouterA-ui-tty42] undo shell
    [RouterA-ui-tty42] redirect enable
    [RouterA-ui-tty42] redirect binding vpn-instance vpna
    [RouterA-ui-tty42] authentication-mode password
    [RouterA-ui-tty42] set authentication password cipher
    Enter Password(<8-128>):
    Confirm password:
    [RouterA-ui-tty42] quit
    [RouterA] quit

    If the redirection function is not associated with the VPN instance to which the private users belong, all users on public and private networks can log in to RouterB.

  5. Check the port number allocated to the TTY user interface.

    <RouterA> display tcp status
    TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State      
    19fde824 9  /2    0.0.0.0:22            0.0.0.0:0             23553  Listening  
    19fde6c0 9  /1    0.0.0.0:23            0.0.0.0:0             23553  Listening  
    19fde130 109/1    0.0.0.0:80            0.0.0.0:0             23553  Listening  
    19fdef18 9  /4    0.0.0.0:2042         0.0.0.0:0             23553  Listening  
    19fde55c 7  /1    0.0.0.0:7547          0.0.0.0:0             0      Listening  
    19fdf07c 9  /9    10.137.217.211:23     10.138.77.61:2567     0      Established
    19fdf344 9  /10   10.137.217.211:23     10.138.77.69:2824     0      Time_Wait 

  6. Verify the configuration.

    # Run the telnet 10.1.1.1 2042 command on the PC to log in to RouterB. By default, the port number is 2000 plus tty-number.

    C:\Documents and Settings\Administrator> telnet 10.1.1.1 2042
    Press CTRL_] to quit telnet mode      
      Trying 10.1.1.1...                     
      Connected to 10.1.1.1...        
    Login authentication
    
    
    Password:
     <RouterB>
    

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #                            
    ip vpn-instance vpna           
     ipv4-family                                
      route-distinguisher 1:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity           
    # 
    interface Async2/0/1
     async mode flow
    #
    interface GigabitEthernet0/0/1
     ip binding vpn-instance vpna 
     ip address 10.1.1.1 255.255.255.0
    #
    user-interface tty 42
     authentication-mode password
     set authentication password cipher %^%##N&)XdgB87~RcnU9upv6,.d;,uXe*#IeE-ywBaSmj:\@.d>,%^%#
     redirect enable
     redirect binding vpn-instance vpna
    #
    return

Example for Configuring an NMS to Communicate with a Device by SSH over a VPN

This section provides an example for configuring an NMS to communicate with a device by SSH over a VPN.

Networking Requirements

On the network shown in Figure 9-34, an NMS, Router A, and AAA server are connected over a VPN. The NMS is integrated with the SSH client and SFTP server functions. The SSH client uses SSH to log in to and communicate with the Router A. The SFTP server uses SFTP for file transfer with the Router A functioning as an SFTP client.

Figure 9-34  Networking diagram for configuring an NMS to communicate with a device by SSH over a VPN

The interfaces are bound to the same VPN instance.

Precautions

Ensure that the route between the device and NMS is reachable.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a VPN instance.
  2. Bind the interfaces connecting the device to the NMS and HWTACACS server to the VPN instance.
  3. Configure a default VPN instance used by the NMS to manage the device.
  4. Configure an HWTACACS server.
  5. Configure a local AAA user and set its access mode to SSH and authentication mode to HWTACACS.
  6. Configure an SSH user and set its authentication and service modes.
  7. Configure an SNMPv3 USM user to allow the NMS to access the device.
  8. Configure an SFTP client to use SFTP for file transfer.

Procedure

  1. Configure a VPN instance.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] ip vpn-instance vrf1
    [RouterA-vpn-instance-vrf1] ipv4-family
    [RouterA-vpn-instance-vrf1-af-ipv4] route-distinguisher 22:1
    [RouterA-vpn-instance-vrf1-af-ipv4] vpn-target 111:1 both
    [RouterA-vpn-instance-vrf1-af-ipv4] quit
    [RouterA-vpn-instance-vrf1] quit
    

  2. Bind interfaces to the VPN instance.

    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip binding vpn-instance vrf1
    [RouterA-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip binding vpn-instance vrf1
    [RouterA-GigabitEthernet2/0/0] ip address 10.2.1.2 255.255.255.0
    [RouterA-GigabitEthernet2/0/0] quit
    [RouterA] interface gigabitethernet 3/0/0
    [RouterA-GigabitEthernet3/0/0] ip binding vpn-instance vrf1
    [RouterA-GigabitEthernet3/0/0] ip address 10.3.1.1 255.255.255.0
    [RouterA-GigabitEthernet3/0/0] quit

  3. Configure a default VPN instance used by the NMS to manage the device.

    [RouterA] set net-manager vpn-instance vrf1

    The VPN configured using this command affects the following service modules on the device: TFTP client, FTP client, SFTP client, SCP client, Info Center, SNMP, PM, IP FPM, and TACACS. To access the public network, you must set the public-net parameter.

  4. Configure an HWTACACS server.

    # Enable the HWTACACS function and configure an HWTACACS server template named ht.

    [RouterA] hwtacacs enable
    [RouterA] hwtacacs-server template ht

    # Configure an IP address and a VPN instance to which the HWTACACS accounting server is bound for the primary HWTACACS authentication and authorization server.

    [RouterA-hwtacacs-ht] hwtacacs-server authentication 10.2.1.1 vpn-instance vrf1
    [RouterA-hwtacacs-ht] hwtacacs-server authorization 10.2.1.1 vpn-instance vrf1

    # Configure a key for the server.

    [RouterA-hwtacacs-ht] hwtacacs-server shared-key cipher it-is-my-secret123
    [RouterA-hwtacacs-ht] quit

    # Enter the AAA view.

    [RouterA] aaa

    # Configure an authentication scheme named scheme1 and set the authentication mode to HWTACACS authentication.

    [RouterA-aaa] authentication-scheme scheme1
    [RouterA-aaa-authen-scheme1] authentication-mode hwtacacs
    [RouterA-aaa-authen-scheme1] quit

    # Configure an authorization scheme named scheme2 and set the authorization mode to HWTACACS authorization.

    [RouterA-aaa] authorization-mode scheme2
    [RouterA-aaa-authen-scheme2] authorization-mode hwtacacs
    [RouterA-aaa-authen-scheme2] quit

    # Configure the huawei domain. Use the scheme1 authentication scheme, scheme2 authorization scheme, and ht template in the domain.

    [RouterA-aaa] domain huawei
    [RouterA-aaa-domain-huawei] authentication-scheme scheme1
    [RouterA-aaa-domain-huawei] authorization-mode scheme2
    [RouterA-aaa-domain-huawei] hwtacacs-server ht
    [RouterA-aaa-domain-huawei] quit

  5. Create a local AAA user named sshuser001. Set the access mode to SSH and authentication mode to HWTACACS.

    # Configure a local user named sshuser001 in the huawei domain. After the configuration is complete, the sshuser001 user uses the authentication and authorization modes in the huawei domain.

    [RouterA-aaa] local-user sshuser001@huawei password
    Please configure the password (8-128)
    Enter Password:                                                                 
    Confirm Password:
    [RouterA-aaa] local-user sshuser001@huawei service-type ssh
    [RouterA-aaa] quit

  6. Configure authentication for the SSH user.

    [RouterA] ssh user sshuser001 authentication-type password

  7. Enable the STelnet.

    [RouterA] stelnet server enable

  8. Configure an SNMPv3 USM user to allow the NMS to access the device.

    # Enable the SNMP agent function.

    [RouterA] snmp-agent

    # Set the SNMP version to SNMPv3.

    [RouterA] snmp-agent sys-info version v3

    # Configure a MIB view.

    [RouterA] snmp-agent mib-view iso include iso

    # Configure a user group and users in the group, and authenticate and encrypt user data.

    [RouterA] snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
    [RouterA] snmp-agent usm-user v3 nms-admin group admin
    [RouterA] snmp-agent usm-user v3 nms-admin authentication-mode sha
    Please configure the authentication password (10-255)
    Enter Password:
    Confirm Password: 
    [RouterA] snmp-agent usm-user v3 nms2-admin privacy-mode aes128
    Please configure the privacy password (10-255)
    Enter Password:
    Confirm Password:

    # Configure the alarm function.

    [RouterA] snmp-agent target-host trap-hostname aaa address 10.1.1.1 trap-paramsnam abc
    [RouterA] snmp-agent trap enable

  9. Enable the device functioning as an SFTP client to transfer files with the NMS functioning as an SFTP server over the VPN.

    [RouterA] ssh client first-time enable
    [RouterA] sftp 10.1.1.1
    [RouterA] put aaa.cfg

  10. Verify the configuration.

    After completing the configuration, perform the following operations to check whether the configuration takes effect.

    # Display the SNMP version.

    [RouterA] display snmp-agent sys-info version
       SNMP version running in the system:
               SNMPv3
    

    # Display information about an SNMPv3 user.

    [RouterA] display snmp-agent usm-user
       User name: nms-admin,
       Engine ID: 800007DB0300259E0370C3 active
       Group-name: admin
       Authentication mode: sha
       Privacy mode: aes128
       User state: Active
    

Configuration Files

  • Router A configuration file

    #
    sysname RouterA
    #
    hwtacacs enable
    #
    ip vpn-instance vrf1
     ipv4-family
      route-distinguisher 22:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    hwtacacs-server template ht
     hwtacacs-server authentication 10.2.1.1 vpn-instance vrf1
     hwtacacs-server authorization 10.2.1.1 vpn-instance vrf1
     hwtacacs-server shared-key cipher %^%#x@ZaCImt|X79[^A&]DEYC6[>U]OD(8n&BVHvsu2R{=zVSySB'|H[;I`|ef#%^%#
    #
    aaa
     local-user sshuser001@huawei password irreversible-cipher $1c$\h[;D"`M79$GN]A=y;*4EFG%t>vIJI=rJvxWe/V%Xbd;(J+AzC+$
     local-user sshuser001@huawei service-type ssh
     #
     authentication-scheme scheme1
      authentication-mode hwtacacs
     #
     authorization-scheme scheme2
      authorization-mode hwtacacs
     #
     accounting-scheme default0
     #
     accounting-scheme default1
     #
     domain huawei
      authentication-scheme scheme1
      authorization-scheme scheme2
      hwtacacs-server ht
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip binding vpn-instance vrf1
     ip address 10.1.1.2 255.255.255.0
    interface GigabitEthernet2/0/0
     undo shutdown
     ip binding vpn-instance vrf1
     ip address 10.2.1.2 255.255.255.0
    interface GigabitEthernet3/0/0
     undo shutdown
     ip binding vpn-instance vrf1
     ip address 10.3.1.1 255.255.255.0
    #
    snmp-agent
    snmp-agent local-engineid 800007DB0300313D6A1FA0
    #
    snmp-agent sys-info version v3
    snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
    snmp-agent target-host trap-hostname aaa address 10.1.1.1 trap-paramsnam abc
    #
    snmp-agent mib-view iso include iso
    snmp-agent usm-user v3 nms-admin group admin
    snmp-agent usm-user v3 nms-admin authentication-mode sha %#%##/L&Fd]S.!i*S7<\jCh2DkfkE4+:<%Wap|8zZWwPL+[a>h$wy>VJsp9(L{%B%#%#
    snmp-agent usm-user v3 nms-admin privacy-mode aes128 %#%#CM-]HDuhH6VX)**J<186nf({M823f(0Z73++7(A#%,1jODj}D>_HS>W,'Ss=%#%#
    #
    stelnet server enable
    ssh user sshuser001 authentication-type password
    #
    ssh client first-time enable
    #
    return

Troubleshooting CLI Login

This section describes common faults caused by incorrect configurations and provides the corresponding troubleshooting procedures.

Failing to Log In Through the Console Port

Fault Description

Login through the console port fails.

Procedure

  1. Check whether the serial port parameters are correctly configured. (The third-party software SecureCRT is used as an example here.)

    Check whether a correct serial port is connected. Some PCs provide multiple serial ports with corresponding numbers. When connecting a serial port, ensure that the correct serial port number is selected.

    Check that the serial port settings on the PC are the same as the console port settings on the device, as shown in Figure 9-35. The default console port settings are as follows:
    • Baud rate: 9600
    • Data bits: 8
    • Stop bits: 1
    • Parity: None
    • Flow control: None
    Figure 9-35  Setting the connected port and communication parameters

  2. Check whether the serial cable is securely connected. If necessary, replace the current cable with a properly-functioning one.

Failing to Log In Through Telnet

Fault Description

The Telnet server fails to be logged in through Telnet.

Procedure

  1. Check whether the number of login users reaches the upper limit.

    Log in to the device through the console port and run the display users command to check whether all VTY user interfaces are in use. By default, the maximum number of VTY user interfaces is 5. You can run the display user-interface maximum-vty command to check the maximum number of login users allowed by the device.

    If the number of login users reaches the upper limit, run the user-interface maximum-vty 15 command to increase the maximum number of login users to 15.

  2. Check whether an ACL is configured in the VTY user interface view (Telnet IPv4 is used as an example).

    Run the user-interface vty command on the Telnet server to enter the user interface view and then run the display this command to check whether an ACL is configured in the VTY user interface view. If so, record the ACL number.

    Run the display acl acl-number command on the Telnet server to check whether the IP address of the Telnet client is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule and then run the corresponding command to modify the ACL and permit the IP address of the client.

  3. Check whether the access protocol is correctly configured in the VTY user interface view.

    Run the user-interface vty command on the Telnet server to enter the user interface view and then run the display this command to check whether protocol inbound is set to telnet or all. By default, the system supports the SSH and Telnet protocol. If not, run the protocol inbound { telnet | all } command to allow Telnet users to connect to the device.

  4. Check whether an authentication mode is set for login users in the user interface view.

    • If password authentication is configured using the authentication-mode password command, you must enter the password upon login.

    • If AAA authentication is configured using the authentication-mode aaa command, you must run the local-user command to create a local AAA user.

Failing to Log In Through STelnet

Fault Description

The SSH server fails to be logged in through STelnet.

Procedure

  1. Check whether the SSH service is enabled on the SSH server.

    Log in to the SSH server through the console port or using Telnet and run the display ssh server status command to check the SSH server configuration.

    If the STelnet service is disabled, run the stelnet server enable command to enable the STelnet service on the SSH server.

  2. Check whether the access protocol is correctly configured in the VTY user interface view.

    Run the user-interface vty command on the SSH server to enter the user interface view and then run the display this command to check whether protocol inbound is set to ssh or all. If not, run the protocol inbound { ssh | all } command to allow STelnet users to log in to the device.

  3. Check whether an RSA public key is configured on the SSH server.

    A local key pair must be configured when the device works as the SSH server.

    Run the display rsa local-key-pair public command on the SSH server to check the current key pair. If no information is displayed, no key pair is configured on the server. Run the rsa local-key-pair create command to create a key pair.

    To ensure high security, it is recommended that the RSA authentication mode be not used.

  4. Check whether an SSH user is configured on the SSH server.

    Run the display ssh user-information command to view the SSH user configuration. If no configuration is available, run the ssh user authentication-type commands in the system view to create an SSH user and set an authentication mode for the SSH user.

  5. Check whether the number of login users on the SSH server reaches the upper limit.

    Log in to the device through the console port and run the display users command to check whether all VTY user interfaces are in use. By default, the maximum number of VTY user interfaces is 5. You can run the display user-interface maximum-vty command to check the maximum number of login users allowed by the device.

    If the number of login users reaches the upper limit, run the user-interface maximum-vty 15 command to increase the maximum number of login users to 15.

  6. Check whether an ACL is bound to the VTY user interface of the SSH server.

    Run the user-interface vty command on the SSH server to enter the user interface view and then run the display this command to check whether an ACL is configured on the VTY user interface. If so, record the ACL number.

    Run the display acl acl-number command on the SSH server to check whether the IP address of the STelnet client is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule and then run the corresponding command to modify the ACL and permit the IP address of the client.

  7. Check the SSH version on the SSH client and server.

    Run the display ssh server status command on the SSH server to check the SSH version.

    If the SSHv1 client logs in, run the ssh server compatible-ssh1x enable command to enable the version compatibility function on the server.

  8. Check whether first-time authentication is enabled on the SSH client.

    Run the display this command in the system view on the SSH client to check whether first-time authentication is enabled on the SSH client.

    If not, the initial login of the SSH client fails because validity check on the public key of the SSH server fails. Run the ssh client first-time enable command to enable first-time authentication on the SSH client.

FAQ About CLI Login

This section describes common problems you may encounter during the configuration and provides the solutions to these problems.

What Is the Default Login Password?

You can query the device's default password using the default account query tool. Enter http://support.huawei.com/onlinetoolsweb/pqt/index.jsp?domain=0 in the address bar of the browser, press Enter, and then the default account query page is displayed.

For service security purposes, you are advised to change the default password of the device.

  • Logging in through the console port or Telnet
    Table 9-7  Default passwords for console port or Telnet login in different versions

    Version

    Product Model

    Default User Name

    Default Password

    Default Level

    V200R003

    ALL

    admin

    admin

    15

    V200R005C00-V200R005C20

    ALL

    admin

    Admin@huawei or admin

    15

    V200R005C30-V300R003C10

    ALL

    admin

    Admin@huawei

    15

    V300R019C00-latest version

    ALL

    admin

    admin@huawei.com

    15

  • Web login
    Table 9-8  Default passwords for web login in different versions

    Version

    Product Model

    Default User Name

    Default Password

    Default Level

    V200R003

    ALL

    admin

    admin

    15

    V200R005C00-V200R005C20

    ALL

    admin

    Admin@huawei or admin

    15

    V200R005C30-V300R003C10

    ALL

    admin

    Admin@huawei

    15

    V300R019C00-latest version

    ALL

    admin

    admin@huawei.com

    15

  • BootROM menu login
    Table 9-9  Default passwords for BootROM menu login to devices of different versions

    Version

    Product Model

    Default User Name

    Default Password

    Default Level

    V200R003

    ALL

    None

    huawei

    None

    V200R005C30-latest version

    ALL

    admin

    Admin@huawei

    15

What If I Forget the Password for Console Port Login?

Procedure

When you forget the password for logging in through the console port, use either of the following two methods to set a new password.

Logging In to the Device Through STelnet/Telnet to Set a New Password

It is recommended that you use STelnet V2 to log in to the device.

The following uses the command lines and outputs of logging in to the device using STelnet as an example. After logging in to the device through STelnet, perform the following operations.

# Take password authentication as an example. Set the password to Huawei@123.

<Huawei> system-view
[Huawei] user-interface console 0
[Huawei-ui-console0] authentication-mode password
[Huawei-ui-console0] set authentication password cipher
Warning: The "password" authentication mode is not secure, and it is strongly re
commended to use "aaa" authentication mode.
Enter Password(<8-128>):
Confirm password: 
[Huawei-ui-console0] return
<Huawei> save

# Take AAA authentication as an example. Set the user name and password to admin123 and Huawei@123, respectively.

<Huawei> system-view
[Huawei] user-interface console 0
[Huawei-ui-console0] authentication-mode aaa
[Huawei-ui-console0] quit
[Huawei] aaa
[Huawei-aaa] local-user admin123 password irreversible-cipher Huawei@123
[Huawei-aaa] local-user admin123 privilege level 15
[Huawei-aaa] local-user admin123 service-type terminal
[Huawei-aaa] return
<Huawei> save

Clearing the Lost Password Using the BootROM Menu

You can use the BootROM menu of the device to clear the lost password for console port login. After starting the device, set a new password and save your configuration. Perform the following steps.

  1. Connect the terminal to the console port of the device and restart the device. When the following message is displayed, press Ctrl+B and enter the BootROM password to enter the BootROM menu.

    Press Ctrl+B to break auto startup ...  1 
    
    Enter Password:       //Enter the BootROM password.
  2. In the BootROM menu, select Password Manager and then Clear the console login password.
  3. Then select the Return and Default Startup options in turn to restart the device.
  4. After the system starts, you can log in through the console port without password authentication. After logging in to the system, set an authentication mode and password for the console user interface as required. The configuration is similar to that of Logging In to the Device Through STelnet/Telnet to Set a New Password, and is not provided here.

    Configuring the authentication mode and password for the console user interface is necessary; otherwise, after the device is restarted, users still need to be authenticated using the original password when they log in to the device through the console port.

More Information

  • When you log in to the device through STelnet/Telnet to set a new password: Ensure that you have an STelnet/Telnet account and administrator rights.
  • When you clear the lost password using the BootROM Menu, if you do not press Ctrl+B within the timeout (several seconds), you have to restart the router again.

What If I Forget the Password for Telnet Login?

Procedure

If you forget the Telnet login password, log in to the device through the console port and set a new password for Telnet login.

# Take password authentication for VTY0 login as an example. Set the password to Huawei@123.

<Huawei> system-view
[Huawei] user-interface vty 0
[Huawei-ui-vty0] authentication-mode password
[Huawei-ui-vty0] set authentication password cipher
Warning: The "password" authentication mode is not secure, and it is strongly re
commended to use "aaa" authentication mode.
Enter Password(<8-128>):
Confirm password: 
[Huawei-ui-vty0] user privilege level 15
[Huawei-ui-vty0] return
<Huawei> save

# Take AAA authentication for VTY0 login as an example. Set the user name and password to admin123 and Huawei@123, respectively.

<Huawei> system-view
[Huawei] user-interface vty 0
[Huawei-ui-vty0] protocol inbound telnet
[Huawei-ui-vty0] authentication-mode aaa
[Huawei-ui-vty0] quit
[Huawei] aaa
[Huawei-aaa] local-user admin123 password irreversible-cipher Huawei@123
[Huawei-aaa] local-user admin123 service-type telnet
[Huawei-aaa] local-user admin123 privilege level 15
[Huawei-aaa] return
<Huawei> save

More Information

By default, a user only needs to pass password authentication to log in to the device from the console user interface. To prevent unauthorized users from accessing the device, change the authentication mode of the console user interface to AAA authentication.

How Do I Configure Screen Display?

  • Setting the number of rows displayed on a screen

    Run the screen-length screen-length [ temporary ] command in the user view or user interface view to set the number of rows to be displayed on a screen.

    You must specify temporary when running the command in the user view. The configured value takes effect only on the current VTY user interface but does not take effect on the next login on the same user interface or login on other VTY user interfaces.

    The default number of rows to be displayed on a screen is 24.

  • Setting the number of columns displayed on a screen

    Run the screen-width screen-width command in any view to set the number of columns to be displayed on a screen.

    The default number of columns to be displayed on a screen is 80. Each character is a column.

How Do I Force an Online User to Go Offline?

You can run the free user-interface { ui-number | ui-type ui-number1 } command to remove a user from a specified user interface, that is, disconnect the user from the device.

This command does not take effect for the current user. For example, if the user interface of the current user is VTY 2, the free user-interface vty 2 command does not take effect and the system displays an error message.

<Huawei> free user-interface 0
Warning: User interface Console1 will be freed. Continue? [Y/N]:y

What Are System Users of AR Routers?

Table 9-10 lists the user accounts in the system.

Table 9-10  User accounts

User

Usage Description

Remarks

root

The root user is the default user in the system and cannot be accessed from an external system.

This account cannot be used to log in to the system directly.

When this account is used to run a command, the system automatically checks and authenticates the account.

huawei

The huawei user is used to execute application programs. This user is a system user and cannot be used to log in to the system.

This account cannot be used to log in to the system directly.

When this account is used to run a command, the system automatically checks and authenticates the account.

python

The python user is used to run Python scripts in the system and cannot be accessed from an external system.

This account cannot be used to log in to the system directly.

When this account is used to run a command, the system automatically checks and authenticates the account.

bin

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

daemon

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

lp

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

sync

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

mail

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

uucp

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

games

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

sys

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

man

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

news

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

proxy

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

www-data

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

backup

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

list

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

irc

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

gnats

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

nobody

On Linux, this user is a built-in user, which does not have a password and cannot be used to log in to the system.

This account cannot be used.

Translation
Download
Updated: 2019-11-21

Document ID: EDOC1100034066

Views: 90032

Downloads: 487

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next