CLI-based Configuration Guide - Basic Configuration

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples for the basic configuration features supported by the device in different application scenarios.

Web System Login Configuration

This chapter describes how to log in to a device through the web system to manage and maintain the device.

AR routers support the web system. You can run commands to configure a device's management IP address, upload and load the web page file, create a web system account, and configure web system parameters. After the configuration is complete, you can log in to and maintain the device through the web system.

You can also use the default factory settings to directly log in to the web system for device management and maintenance. For details, see Logging In to the Device.

NOTE:

AR502EG-L-PD, AR511CGW-LAV2M3 and AR511EGW-LcAV2 do not support the web system.

Overview of Web System Login

This section describes the definition, purpose, and concepts of the web system.

Definition

The web system is a built-in web server on the device and provides a graphical user interface (GUI) for users. Before using the web system to manage and maintain a device, you need to log in to the device from a terminal using Hypertext Transfer Protocol Secure (HTTPS).

Purpose

You can manage a device on the command line interface (CLI) or web system.

  • The CLI mode requires you to use commands to manage and maintain the device. This mode provides fine-grained device management, but requires you to be familiar with the commands.
  • The web system mode allows you to easily manage and maintain the device on a GUI. However, you can only use this mode to manage and maintain some functions on the device.
You can select a proper management mode based on actual requirements.

To use the CLI, you must log in to the device through the console port or MiniUSB port, or using Telnet or STelnet. To use the web system, you must log in to the device using HTTPS.

NOTE:
For details about how to log in to a device through the console port or MiniUSB port, or using Telnet or STelnet, see CLI Login Configuration.

Licensing Requirements and Limitations for Web System Login

This section provides the precautions for configuring web system login.

Involved Network Elements

None

Licensing Requirements

Web System Login is a basic feature of a router and is not under license control.

Feature Limitations

None

Default Settings for Web System Login

This section describes the default settings for web system login.

Table 9-1 lists the default settings for web system login.

Table 9-1  Default settings for web system login

| Parameter | Default Setting |
|---|---|
| Web page file integrated into system software | Supported |
| Default SSL policy | Supported |
| HTTPS service | Enabled |
| Port number of the HTTPS server | 443 |
| HTTPS session timeout interval | 10 minutes |
| Web user | By default, the system has a local user whose user name is admin, password is Admin@huawei, user level is 15, and service type is HTTP. |
| Access control on web users | None |

Configuring Device Login Through the Web System

This section describes how to configure device login through the web system.

Pre-configuration Tasks

Before configuring device login through the web system, complete the following task:

Log in to the device using the CLI mode. For details, see CLI Login Configuration.

Configuration Process

Configuring a Management IP Address for the Device

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run ip address ip-address { mask | mask-length }

    A management IP address is configured.

    NOTE:

    The factory settings of the device include the IP address 192.168.1.1 and subnet mask 255.255.255.0. The access interface is the management interface labeled with the silkscreen Management or MGMT.

(Optional) Uploading and Loading the Web Page File

Context

The system software contains the web page file. The web page file is loaded on the device when the system software is loaded. If new system software is uploaded to the device, you do not need to perform the following operations.

Under special circumstances, Huawei releases independent web page files matching some system software versions. After obtaining these web page files, you can upload the files to devices using SFTP and other modes, and then load the files on the devices.

Procedure

  1. Upload the web page file.

    You can upload the web page file using SFTP or other modes. For details, see Local File Management.

    NOTE:

    After uploading the web page file, run the dir command in the user view to check whether the web page file on the device has the same size as that on the file server. If the sizes differ, an exception may have occurred during the upload. Upload the file again.

  2. Load the web page file.
    1. Run system-view

      The system view is displayed.

    2. Run http server load file-name

      The web page file is loaded.

      By default, the web page file in the system software is loaded on the device.

(Optional) Configuring Web System Parameters

Context

The device can function as an HTTPS server and use the data encryption, identity authentication, and message integrity check mechanisms of the SSL protocol to ensure secure data transmission between the device and users. Users can securely access a remote device on web pages.

The device has the web system function enabled before delivery and provides a default SSL policy. The web page file contains the SSL certificate. Therefore, you do not need to perform the following operations.

For security purposes, you are advised to obtain a new digital certificate from a CA and manually configure an SSL policy. For details, see Configuring the Device as an HTTPS Server in the Huawei AR Series IOT Gateway Configuration Guide - Security. The details are not mentioned here.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run set insecure-protocol enable

    The insecure management protocols HTTP and Telnet are allowed.

    By default, the insecure management protocols HTTP and Telnet can be used.

  3. Run http server enable

    The web system function is enabled.

    By default, the web system function is enabled on the device.

  4. Run http server-source { -a source-ip-address | -i interface-type interface-number }

    The source IP address of the web system is configured.

    By default, the source IP address of the web system is not configured.

    If the source IP address is not specified for the web system, the device selects a source IP address according to routing entries to send packets. Specify an interface in stable state, such as a loopback interface, as the source interface. Before specifying a source interface, ensure that clients have reachable routes to the source interface. Otherwise, the configuration will fail.

  5. Run http secure-server port port-number

    The port number of the HTTPS server is configured.

    The default port number of the HTTPS server is 443.

    If the default port number is used, attackers may access this port continuously, consuming bandwidth resources and degrading security performance of the server. As a result, authorized users cannot access the device. If the default port number is used by another service, users cannot log in to the device through the web system.

  6. Run http secure-server manager-port port-number

    The management port of the HTTPS server is enabled and the management port number is set.

    By default, the management port of the HTTPS server is disabled.

    Run this command to enable the management port of the HTTPS server and set its port number. You can then manage the router through the management port.

    NOTE:

    Only users at level 3 and higher levels can log in to the web platform through the management port.

  7. Run http server max-online-users max-online-users

    The maximum number of concurrent online users in the web system is set.

    By default, the maximum number of concurrent online users in the web system is 5.

    You can configure the maximum number of concurrent online users in the web system to restrict the number of users who access the web system at the same time.

  8. Run http timeout timeout

    The HTTPS session timeout interval is set.

    By default, the HTTPS session timeout interval is 10 minutes.

    By default, only five users can concurrently log in to the device through the web system. If a web user logs in to the device but does not perform any operations for a long time, the user occupies web channel resources and other users may fail to log in to the device. You can set a proper HTTPS session timeout interval so that web channel resources can be released in a timely manner.

  9. Configure ACL-based access control for the web system.
    1. Run acl [ number ] acl-number

      A numbered ACL is created and the ACL view is displayed.

    2. Configure an ACL rule.

      The command for configuring rules for a basic ACL differs from that for configuring rules for an advanced ACL.

      • For a basic ACL, run rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | vpn-instance vpn-instance-name | [ fragment | none-first-fragment ] | logging | time-range time-name ] *

      • For an advanced ACL, run rule [ rule-id ] { deny | permit } ip [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | logging | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | [ fragment | none-first-fragment ] ] *

    3. Run quit

      Return to the system view.

    4. Run http acl acl-number

      An ACL is configured for the HTTPS server.

      By default, no ACL is configured for the HTTPS server. That is, web users on any client can establish HTTPS connections with the device.

  10. Run http server permit interface { interface-type interface-number } &<1-5>

    An interface is configured to allow clients to access the web system.

    By default, all interfaces on the device allow clients to access the web system.

    To prevent unauthorized clients from accessing the web system through an interface, you can run this command to specify an interface that allows clients to access the web system.

    NOTE:
    You can only run the http server permit interface command to configure Layer 3 physical interfaces and Layer 3 VLANIF interfaces.

(Optional) Setting the Storage Directory of the Logo Image on the Web Page

Context

The device supports customization of the logo image on the web page. You can change the logo image on the web page based on actual requirements.

The logo image must be stored using the required file name and size in the subdirectory for storing the logo image. After the storage directory of the logo image on the web page is set, the device automatically reads the file under the directory and changes the logo image on the web page.

Store three files with different pixel sizes of the required logo image in the created subdirectory, and name them as required. Name the image with the pixel size 16x16 logo1.png, the image with the pixel size 21x22 logo2.png, and the image with the pixel size 44x44 logo3.png.

Procedure

  1. Run mkdir directory

    A subdirectory is created for storing the logo image under the directory logo-path of the default working directory on the device.

  2. Run system-view

    The system view is displayed.

  3. Run set logo-path subpathname

    The storage directory of the logo image on the web page is set.

    By default, the storage directory of the Huawei logo image is used.

Creating a Web System Account

Context

You can log in to the web system only after entering the correct user name and password. The network administrator can configure the user name, password, level, and service type to create a web system user. After the configuration is complete, you can log in to the web system using the configured web system account.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run local-user user-name password irreversible-cipher password

    A web system user name and password are configured.

    By default, the system has a local user whose user name is admin and password is Admin@huawei. You can directly use the user name and password to log in to the web system. After login, the system forcibly prompts you to change the password to ensure security. To ensure device security, do not set other passwords to Admin@huawei.

  4. Run local-user user-name service-type http

    The service type is set to HTTP.

    By default, the service type of the local user admin is HTTP.

  5. Run local-user user-name privilege level level

    The user level is configured.

    By default, the level of the local user admin is 15, that is, the local user is a super administrator.

    NOTE:
    If the level of a user is 0 or no level is configured for the user, the user does not have the right to log in to the web system. The mapping between user levels and users is as follows:
    • If the user level is 1, the user is a common administrator.
    • If the user level is 2, the user is an enterprise administrator.
    • If the user level is 3 to 15, the user is a super administrator.

  6. Run quit

    Return to the system view.

Logging In to the Web System

Context

As shown in Figure 9-1, a PC connects to a router through an IP network. After configuring the router's IP address, web system parameters, and a web system account, you can configure and manage the router on the PC through the web system.

Figure 9-1  Web system networking

Procedure

  1. Open the browser on the PC. Windows IE8.0 is used in this example. Enter https://ip address in the address box and press Enter. The web system login page is displayed, as shown in Figure 9-2.

    Figure 9-2  Web system login page

  2. Enter login information.

    1. Select a language.

      Currently, the web system supports English and Chinese, and automatically uses a language based on the browser.

    2. Enter the user name and password.
      • The default user name for logging in to the web system is admin, and the default password is Admin@huawei.
      • The default user name for logging in to the voice self-service system is the User Name of the configured voice user, and the default password is Admin@huawei.
    3. Click Login.

      The system displays a message about login failure in situations shown in Figure 9-3.

      Figure 9-3  Login failure

      Check the cause of the login failure based on the prompt message. If the number of incorrect password attempts reaches the upper limit, the current account will be locked. By default, a locked account is automatically unlocked after 5 minutes.

    NOTE:

    After a user logs in, the web system automatically displays the last login time, IP address, and login mode of the user.

  3. Change the login password.

    The system asks you to change the password in the following situations, as shown in Figure 9-4.

    • If the login password expires, the system forcibly requires you to change the password.
    • If you log in to the system for the first time after the password is changed by another user, the system forcibly requires you to change the password.
    • If you log in to the system within the password expiration notification period, the system notifies you of the password expiration time and advises you to change the password.

    Figure 9-4  Password change page

    NOTE:
    • If the parameters are marked with a red asterisk (*), the system forcibly requires you to change the password. After changing the password, click OK. If the password is changed successfully, the system displays the message "Your password has been modified successfully". Click OK. The login page is displayed. If you do not change the password, click Cancel. The login page is displayed and you cannot log in to the web system.
    • If the parameters are not marked with a red asterisk (*), the system asks you to change the password. After changing the password, click OK. If the password is changed successfully, the system displays the message "Your password has been modified successfully". Click OK. The login page is displayed. If you do not change the password, click Cancel. The Device Information page is displayed.

  4. Click Logout in the upper right corner of the page to return to the login page.
  5. If you do not perform any operations within a period (10 minutes by default) after logging in to the web system, the system automatically logs you out. Click OK to return to the login page.

Verifying the Configuration

Context

After completing the configuration, run the following commands in any view on the CLI to check information about online web users and the web system.

Procedure

  1. Run the display http server command to check information about the web system.
  2. Run the display http user [ username username ] command to check information about online web users.

Configuration Examples for Web System Login

This section provides an example for configuring device login through the web system.

Example for Configuring Device Login Through the Web System

Networking Requirements

As shown in Figure 9-5, there are reachable routes between the device and PC. It is required that the device be managed and maintained through the web system.

Figure 9-5  Networking diagram for configuring device login through the web system

Configuration Roadmap

The configuration roadmap is as follows:

  1. Log in to the device through the console port.
  2. Configure a management IP address for the device.
  3. Create a web system account.
  4. Enable the web system function.
  5. Log in to the web system.

Procedure

  1. Log in to the device through the console port. For details, see Logging In to a Device for the First Time Through a Console Port.
  2. Configure a management IP address for the device.

    <Huawei> system-view
    [Huawei] interface gigabitethernet 0/0/0
    [Huawei-GigabitEthernet0/0/0] ip address 10.1.1.1 24
    [Huawei-GigabitEthernet0/0/0] quit
    

  3. Configure a web user.

    [Huawei] aaa
    [Huawei-aaa] local-user admin password irreversible-cipher Helloworld@6789
    [Huawei-aaa] local-user admin privilege level 15
    [Huawei-aaa] local-user admin service-type http
    [Huawei-aaa] quit

    NOTE:

    Before configuring a web user, you can run the display this command in the AAA view to check user names of local users. Ensure that the user name of the configured web user does not conflict with that of an existing local user; otherwise, the new web user may overwrite the existing local user.

  4. Configure the web system.

    # Enable the web system function.

    [Huawei] http server enable
      This operation will take several minutes, please wait.........................................................
    Info: Succeeded in starting the HTTP server
    [Huawei] quit

  5. Log in to the web system.

    Open the web browser on the PC, enter https://10.1.1.1 in the address box, and press Enter. The web system login page is displayed, as shown in Figure 9-6.

    Figure 9-6  Web system login page

    Enter the web user name and password, and click Login or press Enter. The web system homepage is displayed.

  6. Verify the configuration.

    # After the configuration is complete, you can successfully log in to the device through the web system.

    # Run the display http server command on the device to check the SSL policy name and HTTPS server status.

    <Huawei> display http server
      HTTP server status    : Enabled        (default: disable)
      HTTP server port      : 80             (default: 80)
      HTTP timeout interval : 10             (default: 10 minutes)
      Current online users  : 0                   
      Maximum users allowed : 5         
      HTTPS server status   : Enabled        (default: disable)
      HTTPS server port     : 443            (default: 443)
      HTTPS SSL Policy      : 

Configuration Files

Configuration file of the device

#
 pki-realm default
#
aaa
 local-user admin password irreversible-cipher %^%#R!d3>ji-.u1+N2gSK>3&2P1AM6jfU:"x/3g[5U,lvqP+sf=70+%^E7,,SF7+%^%#
 local-user admin privilege level 15
 local-user admin service-type http
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0
#
 http server enable
#
return
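
The configuration file above keeps the defaults described under Configuring Web System Parameters: no ACL on the HTTPS server, every interface permitted, and port 443. The following Python audit is an added example, not part of the Huawei document; it flags those defaults in a saved configuration and compares the page's file with a constructed hardened variant. ACL 2000, the user netops, port 8443, and the saved-config line forms are assumptions.

```python
import re

# The page's "Configuration file of the device" (cipher text replaced by a placeholder).
PAGE_CONFIG = """\
#
aaa
 local-user admin password irreversible-cipher <cipher>
 local-user admin privilege level 15
 local-user admin service-type http
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0
#
 http server enable
#
return
"""

# Constructed hardened variant: ACL 2000, user netops and port 8443 are sample
# values, and the saved-config line forms are assumed to mirror the commands.
HARDENED_CONFIG = """\
#
acl number 2000
 rule 5 permit source 10.1.1.0 0.0.0.255
#
aaa
 local-user netops password irreversible-cipher <cipher>
 local-user netops privilege level 2
 local-user netops service-type http
#
 http server enable
 http secure-server port 8443
 http acl 2000
 http server permit interface GigabitEthernet0/0/0
#
return
"""


def _grab(pattern, lines):
    """Captured groups of every line that fully matches pattern."""
    return [m.groups() for m in (re.fullmatch(pattern, ln) for ln in lines) if m]


def _acl_rules(lines):
    """Map ACL number -> rule lines, reading the '#'-delimited sections."""
    acls, current = {}, None
    for ln in lines:
        m = re.fullmatch(r"acl (?:number )?(\d+)", ln)
        if m or ln == "#":
            current = acls.setdefault(m.group(1), []) if m else None
        elif current is not None and ln.startswith("rule "):
            current.append(ln)
    return acls


def audit(config):
    """Return (check_id, detail) findings for web-system exposure."""
    lines = [ln.strip() for ln in config.splitlines()]
    acls, findings = _acl_rules(lines), []
    refs = [g[0] for g in _grab(r"http acl (\d+)", lines)]
    if not refs:  # page: with no ACL, any client can connect
        findings.append(("no-http-acl", "any client may open an HTTPS session"))
    for ref in refs:
        if ref not in acls:
            findings.append(("http-acl-undefined", f"ACL {ref} is not defined"))
        elif any(" permit" in r and (" source " not in r or " source any" in r)
                 for r in acls[ref]):  # permit rule without a specific source
            findings.append(("http-acl-permits-any", f"ACL {ref} permits any source"))
    if not _grab(r"http server permit interface (.+)", lines):
        findings.append(("all-interfaces-permitted", "every interface accepts web clients"))
    ports = _grab(r"http secure-server port (\d+)", lines)
    if not ports or ports[-1][0] == "443":
        findings.append(("default-https-port", "HTTPS server listens on 443"))
    levels = dict(_grab(r"local-user (\S+) privilege level (\d+)", lines))
    for user, services in _grab(r"local-user (\S+) service-type (.+)", lines):
        if "http" in services.split() and int(levels.get(user, 0)) >= 3:
            findings.append(("super-admin-web-user", f"{user}: level {levels[user]}"))
    return findings
```

Calling audit(PAGE_CONFIG) returns four findings (no ACL, all interfaces permitted, default port, level-15 web user), and audit(HARDENED_CONFIG) returns an empty list.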

Common Misconfigurations

This section describes common faults caused by incorrect configurations and provides the troubleshooting procedure.

Device Login Through the Web System Fails

Symptom

Login to the device through the web system fails.

Procedure

  1. Check whether the device and client can ping each other.

    Open the Windows Command Prompt and run the ping command to check whether the PC and device can reach each other. If the system displays "Request time out", the target device is unreachable.

    Check whether the physical interface that receives ping packets is blocked. If the physical interface is not blocked, check whether the correct gateway address is configured on the device, and whether the device and PC are on the same network segment. If they are on different network segments, run the ip address ip-address { mask | mask-length } command in the interface view to reconfigure the management IP address of the device in the target network segment.

  2. Check whether the login address is correct.

    Check the IP address:port portion of the https://IP address URL entered in the address box of the browser. If the IP address is incorrect, enter the correct one to log in to the web system.

  3. Check whether the HTTPS service is enabled.

    Run the display this command in the system view to check whether the http secure-server enable configuration exists. If not, the HTTPS service is disabled. Run the http secure-server enable command in the system view to enable the HTTPS service.

  4. Check whether the number of online web users reaches the maximum.

    Run the display http server command in any view to check the maximum number of access users allowed by the web system. Run the display http user command in any view to check the number of online web users. If the number of online web users reaches the maximum number of access users allowed by the web system, you can log in to the device only after other users go offline.

  5. Check whether the IP address is correctly configured.

    Run the display this command in the interface view to check whether the configured IP address is correct. If not, run the ip address ip-address { mask | mask-length } command in the interface view to reconfigure the management IP address of the device.

  6. Check whether the web user is correctly configured.

    Run the display this command in the AAA view to check whether the web user is correctly configured.

    • If the local-user user-name password irreversible-cipher password configuration exists, an AAA user named user-name is configured.
    • If the local-user user-name privilege level level configuration exists, the level of the user user-name is level.
    • If the local-user user-name service-type http configuration exists, the service type of the user user-name is HTTP.
    If any of the preceding configurations does not exist, run the following commands in the AAA view:
    • Run the local-user user-name password irreversible-cipher password command to configure the web user name and password.
    • Run the local-user user-name privilege level level command to set the web user level.
    • Run the local-user user-name service-type http command to set the web user's service type to HTTP.

  7. Check whether access control on web users is configured on the device.

    Run the display this command in the system view to check whether the http acl acl-number configuration exists. If so, record the value of acl-number.

    Run the display acl acl-number command in any view to check whether the web user's client IP address is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule, and run the corresponding command to modify the ACL so that the web user's client IP address is allowed.

The Web System Page Is Not Completely Displayed After Successful Device Login Through the Web System

Symptom

After successful device login through the web system, the web system page is not completely displayed, or only several options are displayed.

Procedure

  1. Check whether the web user level is too low.

    If the user level is 1, the user is a common administrator and can only access Device Information and change the password in User Management. If the user level is 2, the user is an enterprise administrator and has most operating rights in the web system. If the user level is 3 to 15, the user is a super administrator and has all operating rights in the web system.

    Run the display this command in the AAA view to check the web user level. If the value of level is too small in the local-user user-name privilege level level configuration, some functions cannot be displayed in the web system. Run the local-user user-name privilege level level command in the AAA view to set the web user level to 3 or higher so that the web user has all operating rights in the web system.

  2. Check whether the device version is correct.

    Run the display version command in any view to check the device version. If the Version value in the "VRP (R) software, Version Version" line of the output is too low, the device does not support some functions in the web system. Upgrade the device to a proper version.

Updated: 2019-08-09

Document ID: EDOC1100034225
