NE40E V800R010C10SPC500 Commissioning Guide

Logging In to the NE40E by Using SSH

This section describes how to log in to the NE40E by using SSH. SSH is a secure remote login protocol, which is developed based on the traditional Telnet protocol. Compared with Telnet, SSH is greatly improved in terms of the authentication mode and data transmission security.

Prerequisites

Figure 3-6 Networking diagram of logging in to the NE40E by using SSH

Before logging in to the NE40E by using SSH, complete the following tasks:

  • Ensure that the NE40E is working properly.
  • Log in to the NE40E by using the console interface and configure an IP address for each interface on the NE40E.
  • Ensure that there is a direct or reachable route between the SSH client and the NE40E.
NOTE:

Perform the following configurations on the NE40E that serves as the SSH server:

Procedure

  1. Configure the NE40E to generate a local key pair.
    1. Run the system-view command to enter the system view.
    2. Run the rsa local-key-pair create command to configure the NE40E to generate a local RSA key pair.
  2. Configure a VTY user interface to support SSH.
    1. Run the system-view command to enter the system view.
    2. Run the user-interface { vty first-ui-number | last-ui-number } command to enter the VTY user interface view.
    3. Run the authentication-mode aaa command to specify AAA authentication as the authentication mode.
    4. Run the protocol inbound ssh command to configure SSH as the access protocol in the VTY user interface view.

      NOTE:

      AAA authentication must be configured in the VTY user interface view; otherwise, the protocol inbound ssh command does not take effect.

  3. Run the ssh user user-name command in the system view to create an SSH user.
  4. Run the ssh user user-name authentication-type { password | rsa | dsa | ecc | password-rsa | password-dsa | password-ecc | all } command in the system view to configure an authentication mode for SSH users.

    Perform one of the following operations as needed:

    • Configure password authentication.

      • Run the ssh user user-name authentication-type password command to configure password authentication.

      • Run the ssh authentication-type default password command to configure default password authentication.

      In local authentication or HWTACACS authentication mode, password authentication is recommended if the number of SSH users is small, and default password authentication is recommended if the number of SSH users is large.

    • Configure RSA authentication.

    NOTE:

    By default, you can log in to a device directly using STelnet through the management network port.

    After the device is powered on, the system will automatically bind the management network port to the VPN for exclusive use (__LOCAL_OAM_VPN__) and assign the IP address 192.168.0.1/24 for the management network port.

    You can configure any other IP address in the network segment 192.168.0.0/24 for the terminal. Then, log in to the device using SSH (STelnet) with the default user name root and password Changeme_123 to maintain the device on site.

    After configuring services, change the user name and password immediately to ensure service security. The IP address of the management network port can be changed or deleted. You can shut down the management network port as required.

    RSA keys of 1024 bits or shorter provide weak security and may expose the device to risk. If the protocol allows it, use a stronger key, such as RSA-2048 or longer.

    1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
    2. Run the rsa peer-public-key key-name command to enter the public key view.
    3. Run the public-key-code begin command to enter the public key edit view.
    4. Enter the hexadecimal hex-data to edit the public key.
    5. Run the public-key-code end command to exit from the public key edit view.

      If illegal hexadecimal data is entered, no key will be generated after the peer-public-key end command is run. If the key-name specified in Step 2 has been deleted in another window, the system will display a message indicating that the key does not exist and return to the system view directly after you run the peer-public-key end command.

    6. Run the peer-public-key end command to return to the system view.
    7. Run the ssh user user-name assign rsa-key key-name command to assign the SSH user a public key.
  5. In password or RSA authentication mode, create a local user with the SSH user name in the AAA view.
    1. Run the aaa command in the system view to enter the AAA view.
    2. Run the local-user user-name password cipher password command to configure the local user name and password.

      NOTE:

      The new password is at least eight characters long and contains at least two of the following types: upper-case letters, lower-case letters, digits, and special characters.

    3. Run the local-user user-name level level command to configure the priority of the local user.
    4. Run the local-user user-name service-type ssh command to configure the local user access type.
    5. Run the quit command to exit from the AAA view.
  6. Run the ssh user user-name service-type { sftp | stelnet | snetconf | all } command in the system view to configure a service type for the SSH user.
  7. Run the stelnet server enable command in the system view to enable STelnet.
  8. Run the commit command in the system view to commit the configuration.

Commissioning Results

Log in to the NE40E by using SSH. This section describes only the SSH login by using the PuTTY program.

In this example, the IP address of the NE40E is 192.168.1.1; the SSH user name is client001; the password is Root@123.

  1. As shown in the following figure, set the IP address of the NE40E to 192.168.1.1 and the login protocol to SSH.

    Figure 3-7 Login by using the PuTTY program

  2. Enter the user name client001 and the password Root@123.

    Figure 3-8 Login by using the PuTTY program

Troubleshooting

If the SSH login fails, perform the following operations:

  1. Check the network connectivity.

    Run the ping command to check the network connectivity.

    • If the ping fails, the network connection cannot be established. To locate and rectify the fault, see The Ping Operation Fails.
    • If the ping succeeds, go to Step 2.
  2. Check that SSH services are enabled.

    Run the display ssh server status command to view the configuration of the SSH server.

    <HUAWEI> display ssh server status
    SSH Version                                : 2.0
    SSH authentication timeout (Seconds)       : 60
    SSH authentication retries (Times)         : 3
    SSH server key generating interval (Hours) : 0
    SSH version 1.x compatibility              : Enable
    SSH server keepalive                       : Disable
    SFTP IPv4 server                           : Disable
    SFTP IPv6 server                           : Disable
    STELNET IPv4 server                        : Disable
    STELNET IPv6 server                        : Disable
    SNETCONF IPv4 server                       : Enable
    SNETCONF IPv6 server                       : Enable
    SNETCONF IPv4 server port(830)             : Disable
    SNETCONF IPv6 server port(830)             : Disable
    SCP IPv4 server                            : Enable
    SCP IPv6 server                            : Enable
    SSH server DES                             : Disable
    SSH IPv4 server port                       : 22
    SSH IPv6 server port                       : 22
    SSH server source address                  : 10.1.1.1
    SSH ipv6 server source address             : 0::0 
    SSH ipv6 server source vpnName             : 
    ACL name                                   :
    ACL number                                 :
    ACL6 name                                  :
    ACL6 number                                :
    SSH server ip-block                        : Enable
    
    NOTE:

    If SSH services are already enabled, go to Step 3.

    The command output above shows that the SFTP and STelnet servers are disabled. A user can log in to the device through SSH only after the corresponding SSH service is enabled in the system. Run the following commands to enable the SSH services:

    <HUAWEI> system-view
    [~HUAWEI] sftp server enable
    [~HUAWEI] stelnet server enable
    [~HUAWEI] snetconf server enable
  3. Check that the access protocol configured in the VTY user interface view is correct.

    [~HUAWEI] user-interface vty 0 4
    [~HUAWEI-ui-vty0-4] display this
     user-interface vty 0 4
     authentication-mode aaa
     user privilege level 3
     idle-timeout 0 0
     protocol inbound all

    By default, the user access protocol is Telnet. If the user access protocol is set to Telnet, the user cannot log in to the server through SSH; if the user access protocol is set to SSH or "all", the user can log in to the server through SSH.

    • If the user access protocol is Telnet, go to Step 4.
    • If the user access protocol is SSH or "all", go to Step 5.
  4. Run the protocol inbound { ssh | all } command to set the user access protocol to SSH or "all".

    [~HUAWEI] user-interface vty 0 4
    [~HUAWEI-ui-vty0-4] protocol inbound ssh
  5. Check that the RSA public key is configured.

    When the device functions as an SSH server, it must be configured with a local key pair.

    Run the display rsa local-key-pair public command to check whether the key pair is configured on the current server. If the key pair is not configured, run the rsa local-key-pair create command to create it.

    [~HUAWEI] rsa local-key-pair create
    The key name will be:SSH Server_Host 
    The range of public key size is (2048 ~ 2048). 
    NOTE: Key pair generation will take a short while. 
    
  6. Check that the user service type, authentication type, and authentication service type (for password authentication only) are configured.

    • Create an SSH user.

      [~HUAWEI] ssh user abc
      [~HUAWEI] ssh user abc authentication-type all
      [~HUAWEI] ssh user abc service-type all
      [~HUAWEI] ssh user abc sftp-directory cfcard:/ssh

      Configure the same SSH user in the AAA view and configure the authentication server type.

      [~HUAWEI] aaa
      [~HUAWEI-aaa] local-user abc password cipher Huawei@123
      [~HUAWEI-aaa] local-user abc service-type ssh
      [~HUAWEI-aaa] quit
    • Configure password authentication as the default authentication mode for the SSH user.

      [~HUAWEI] ssh authentication-type default password

      Configure the same SSH user in the AAA view and configure the authentication server type.

      [~HUAWEI] aaa
      [~HUAWEI-aaa] local-user abc password cipher Huawei@123
      [~HUAWEI-aaa] local-user abc service-type ssh
      [~HUAWEI-aaa] quit
  7. Check that the number of users logging in to the server reaches the upper threshold.

    Both SSH users and Telnet users log in to the server through VTY channels. The available VTY channels are numbered 0 to 21. When the number of users attempting to log in to the server through VTY channels is greater than 21, no new connection can be established between a user and the server.

    Log in to the server through a console interface and then run the display users command to check whether all the current VTY channels have been used. By default, a maximum of 5 users can log in to the server through VTY channels.

    [~HUAWEI] display user-interface maximum-vty
     Maximum of VTY user:5
    [~HUAWEI] display users
      User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
    + 34  VTY 0   00:00:00  TEL    10.134.146.150            pass           yes     
      Username : huawei@123                                                         
                                                                                    
      35  VTY 1   00:12:17  TEL    10.179.179.127            pass           yes     
      Username : huawei@123                                                         
                                                                                    
      36  VTY 2   00:00:00  TEL    10.136.138.221            not pass       no      
      Username : Unspecified 

    If the number of users logging in to the server reaches the upper threshold, you can run the user-interface maximum-vty vty-number command to increase the maximum number of users allowed to log in to the server through VTY channels up to 21.

    [~HUAWEI] user-interface maximum-vty 18
  8. Check that an ACL is configured in the VTY user interface view.

    If an ACL is configured and the IP address of the client to be permitted is not specified in the ACL, the user cannot log in to the server through SSH. To enable a user with a specific IP address to log in to the server through SSH, you need to permit the IP address of the user in the ACL.

  9. Check the SSH version.

    Run the display ssh server status command to check the SSH version.

    <HUAWEI> display ssh server status
    SSH Version                                : 2.0
    SSH authentication timeout (Seconds)       : 60
    SSH authentication retries (Times)         : 3
    SSH server key generating interval (Hours) : 0
    SSH version 1.x compatibility              : Enable
    SSH server keepalive                       : Disable
    SFTP IPv4 server                           : Disable
    SFTP IPv6 server                           : Disable
    STELNET IPv4 server                        : Disable
    STELNET IPv6 server                        : Disable
    SNETCONF IPv4 server                       : Enable
    SNETCONF IPv6 server                       : Enable
    SNETCONF IPv4 server port(830)             : Disable
    SNETCONF IPv6 server port(830)             : Disable
    SCP IPv4 server                            : Enable
    SCP IPv6 server                            : Enable
    SSH server DES                             : Disable
    SSH IPv4 server port                       : 22
    SSH IPv6 server port                       : 22
    SSH server source address                  : 10.1.1.1
    SSH ipv6 server source address             : 0::0 
    SSH ipv6 server source vpnName             : 
    ACL name                                   :
    ACL number                                 :
    ACL6 name                                  :
    ACL6 number                                :
    SSH server ip-block                        : Enable
    
    • If the client logging in to the server adopts SSHv1, the version compatible capability needs to be enabled on the server.
      <HUAWEI> system-view
      [~HUAWEI] ssh server compatible-ssh1x enable
    • If the client logging in to the server adopts SSHv2, go to Step 10.

  10. Enable the initial authentication function on the SSH client.

    [~HUAWEI] ssh client first-time enable
  11. Contact Huawei technical support personnel for the following:

    • Results of the preceding troubleshooting procedures.
    • Configuration files, log files, and alarm files of the devices.
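As an added example that is not part of the Huawei guide, the following Python script audits the display ssh server status output shown in Steps 2 and 9 of the troubleshooting procedure: it parses the name/value lines, reports why an STelnet login cannot succeed (Step 2), and lists settings a reviewer would tighten even when login works (the ACL check of Step 8 and the SSHv1 compatibility of Step 9). The sample output is constructed from the values on this page, and the field names are assumed to match the device output exactly.

```python
# Constructed sample, modelled on the "display ssh server status" output in
# Steps 2 and 9 of the troubleshooting section (values copied, list trimmed).
SAMPLE_STATUS = """\
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH version 1.x compatibility              : Enable
SFTP IPv4 server                           : Disable
STELNET IPv4 server                        : Disable
SNETCONF IPv4 server                       : Enable
SSH server DES                             : Disable
SSH IPv4 server port                       : 22
SSH ipv6 server source address             : 0::0
ACL name                                   :
ACL number                                 :
SSH server ip-block                        : Enable
"""


def parse_status(text):
    """Split each 'name : value' line on its first colon (so '0::0' survives)."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def audit_status(fields):
    """Return (blocking, warnings). 'blocking' explains why an STelnet login
    cannot succeed (Step 2); 'warnings' are settings worth tightening even
    when login works (Steps 8 and 9)."""
    blocking, warnings = [], []
    if fields.get("STELNET IPv4 server") != "Enable":
        blocking.append("STelnet disabled: run 'stelnet server enable' in the system view")
    if fields.get("SSH version 1.x compatibility") == "Enable":
        warnings.append("SSHv1 compatibility enabled; disable it unless a legacy client needs it")
    if fields.get("SSH server DES") == "Enable":
        warnings.append("DES cipher enabled on the SSH server")
    if not (fields.get("ACL name") or fields.get("ACL number")):
        warnings.append("no ACL bound to the SSH server; restrict permitted source addresses")
    if fields.get("SSH server ip-block") != "Enable":
        warnings.append("ip-block (failed-login lockout) disabled")
    return blocking, warnings
```

Run audit_status(parse_status(text)) on the pasted output of display ssh server status; the sample above yields one blocking item (STelnet disabled) and two warnings (SSHv1 compatibility, no ACL).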
Updated: 2019-01-02

Document ID: EDOC1100055014

Views: 4737

Downloads: 63

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next