Configuration Guide - Basic Configuration

S2720, S5700, and S6720 V200R013C00

This document describes basic configuration, including the CLI overview, EasyDeploy configuration, USB-based deployment configuration, logging in to a device for the first time, CLI login configuration, web system login configuration, file management, configuring system startup, and BootLoad menu operation.

Overview of Authentication Modes and User Levels

Authentication Modes for User Interfaces

Authentication modes for console port login and Telnet login depend on the mode configured on the user interface. A user interface supports three authentication modes:

  • AAA authentication: Users must enter a correct user name and password to log in.
  • Password authentication: Users must enter a correct password to log in.
  • None authentication: Users log in to the switch without entering any credentials.

    With none authentication, anyone who can reach the port or the Telnet service is authenticated without a user name or password. Do not use none authentication on a production device or network.

    To slow down brute-force attacks, the system applies a login delay regardless of the authentication mode: after the first failed login, the next login is delayed for 5 seconds, and each subsequent failure extends the delay by a further 5 seconds.
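As an added illustration (not Huawei code), the following Python model enforces the delayed-login rule described above: the first failure delays the next login by 5 seconds and each further failure adds another 5 seconds. The model assumes that a successful login resets the failure counter, which this page does not state, and the `guesses_possible` helper shows how the quadratic growth of the delay bounds an online brute-force attempt.

```python
"""Constructed model of the delayed-login mechanism; not Huawei code."""
import time

DELAY_STEP = 5.0  # seconds added per consecutive failed login (from the page)


class LoginGate:
    """Tracks failed logins on one user interface and the resulting delay.

    `clock` is injectable so the behaviour can be exercised without sleeping.
    Assumption (not stated on the page): a successful login resets the counter.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, credential_ok):
        """Process one login attempt.

        Returns (accepted, seconds_to_wait). While the delay from the previous
        failure is still running the credential is not evaluated at all, so an
        attacker cannot shorten the wait by submitting guesses faster.
        """
        now = self._clock()
        if now < self.locked_until:
            return False, self.locked_until - now
        if credential_ok:
            self.failures = 0
            self.locked_until = 0.0
            return True, 0.0
        self.failures += 1
        delay = DELAY_STEP * self.failures  # 5 s, 10 s, 15 s, ...
        self.locked_until = now + delay
        return False, delay


def guesses_possible(seconds):
    """Number of consecutive wrong guesses an attacker can start within `seconds`.

    Attempt n can only start at t = 5 * n * (n - 1) / 2 because every earlier
    failure added its own delay, so the attempt rate collapses quadratically.
    """
    n, t = 0, 0.0
    while t <= seconds:
        n += 1
        t += DELAY_STEP * n
    return n


if __name__ == "__main__":
    for window in (60, 3600, 86400):
        print(f"{window:>6} s window: at most {guesses_possible(window)} guesses")
```

With these numbers an attacker gets 5 guesses in the first minute and only 38 in the first hour on a single user interface, which is why the delay matters most for password and none authentication, where no second factor exists.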

Authentication Modes for SSH Users

STelnet login requires the user interface to support SSH, which is available only when the user interface uses AAA authentication.

Authentication modes for SSH users are the modes supported by the SSH server. SSH supports eight authentication modes: password, RSA, DSA, ECC, password-RSA, password-DSA, password-ECC, and all.

  • Password authentication: is based on the user name and password. You configure a password for each SSH user in the AAA view, and a user must enter the correct user name and password to log in over SSH.
  • Rivest-Shamir-Adleman (RSA) authentication: is based on the client's private key. RSA is a public-key (asymmetric) cryptosystem in which a key pair consists of a public key and a private key. You generate the key pair on the client and copy only the public key to the server. During login the client signs data derived from the session with its private key, and the server uses the stored public key to verify that signature; the private key never leaves the client.
  • Digital Signature Algorithm (DSA) authentication: works like RSA authentication but uses the DSA signature scheme.
  • Elliptic Curve Cryptography (ECC) authentication: at an equivalent security level, ECC uses shorter keys than RSA, so it needs less computation, runs faster, and consumes less storage and bandwidth.
  • Password-RSA authentication: The SSH server performs both password and RSA authentication on login users. A user must pass both to log in.
  • Password-DSA authentication: The SSH server performs both password and DSA authentication on login users. A user must pass both to log in.
  • Password-ECC authentication: The SSH server performs both password and ECC authentication on login users. A user must pass both to log in.
  • All authentication: The SSH server accepts either password authentication or public-key (RSA, DSA, or ECC) authentication. A user needs to pass only one of them to log in.
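The following Python block is an added example, not Huawei code, that models the eight SSH authentication modes listed above. It shows the public-key flow as it actually works (the client signs session data with its private key and the server verifies with the stored public key; nothing is encrypted), and the decision logic for the single, combined (password-RSA and so on) and all modes. The RSA key pair, the local user `admin`, its password and the session bytes are all constructed for the example; the key uses two fixed Mersenne primes so that it runs offline and is far too small for real use.

```python
"""Constructed model of the SSH user authentication modes; not Huawei code.

The RSA pair below is built from two fixed Mersenne primes so the block runs
offline. It is a toy: real SSH keys are client-generated (e.g. ssh-keygen),
2048 bits or more, and only the public half is pasted into the switch.
"""
import hashlib
import secrets

# --- client-generated key pair (toy parameters, an assumption of this example)
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
CLIENT_PUBLIC_KEY = (N, E)   # the only part copied to the server
CLIENT_PRIVATE_KEY = (N, D)  # stays on the client


def _digest(data):
    # 192-bit digest keeps the integer below N for this toy key size.
    return int.from_bytes(hashlib.blake2b(data, digest_size=24).digest(), "big")


def client_sign(challenge, private_key=CLIENT_PRIVATE_KEY):
    """Client proves possession of the private key by signing session data."""
    n, d = private_key
    return pow(_digest(challenge), d, n)


def server_verify(challenge, signature, public_key):
    """Server checks the signature with the stored public key; nothing is encrypted."""
    n, e = public_key
    return pow(signature, e, n) == _digest(challenge)


# Constructed local AAA user; a real switch stores an irreversible password hash.
LOCAL_USERS = {
    "admin": {"password": "Huawei@123", "public_key": CLIENT_PUBLIC_KEY, "level": 15},
}

SSH_AUTH_MODES = {
    "password", "rsa", "dsa", "ecc",
    "password-rsa", "password-dsa", "password-ecc", "all",
}


def ssh_authenticate(mode, username, password=None, challenge=None, signature=None):
    """Apply the configured SSH authentication mode to one login attempt.

    RSA, DSA and ECC differ only in the signature scheme; the toy RSA above
    stands in for all three here. Combined modes need both factors, "all"
    accepts either one.
    """
    if mode not in SSH_AUTH_MODES:
        raise ValueError(f"unknown SSH authentication mode: {mode}")
    user = LOCAL_USERS.get(username)
    if user is None:
        return False
    password_ok = password is not None and secrets.compare_digest(
        user["password"].encode(), password.encode())
    key_ok = (signature is not None and user["public_key"] is not None
              and server_verify(challenge, signature, user["public_key"]))
    if mode == "password":
        return password_ok
    if mode in ("rsa", "dsa", "ecc"):
        return key_ok
    if mode.startswith("password-"):
        return password_ok and key_ok
    return password_ok or key_ok  # "all"


if __name__ == "__main__":
    session = b"constructed session identifier"
    sig = client_sign(session)
    print("rsa         :", ssh_authenticate("rsa", "admin", challenge=session, signature=sig))
    print("password-rsa:", ssh_authenticate("password-rsa", "admin", password="wrong",
                                             challenge=session, signature=sig))
    print("all         :", ssh_authenticate("all", "admin", password="wrong",
                                             challenge=session, signature=sig))
```

The last two calls make the practical difference visible: with password-rsa a wrong password fails even though the key is valid, whereas with all the same wrong password is irrelevant because the key alone is enough, so all is only as strong as the weaker of the two factors.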

User Levels

The system can perform hierarchical management over login users. Levels of commands that a user can use depend on the user level. The user level is determined by the authentication mode for the user interface or the local AAA user. For details, see Table 6-3.

Table 6-3  User levels for different login methods

Login Method | Authentication Mode for User Access | Factor for Determining the User Level | Command
Console port login, mini USB port login, or Telnet login | User interface: AAA authentication | Level of the local AAA user | local-user user-name privilege level level
Console port login, mini USB port login, or Telnet login | User interface: password authentication | User interface level | user privilege level level
Console port login, mini USB port login, or Telnet login | User interface: none authentication | User interface level | user privilege level level
STelnet login | Authentication mode for SSH users: password authentication | Level of the local AAA user | local-user user-name privilege level level
STelnet login | Authentication mode for SSH users: RSA, DSA, or ECC authentication | User interface level | user privilege level level
STelnet login | Authentication mode for SSH users: password-rsa, password-dsa, or password-ecc authentication | Level of the local AAA user | local-user user-name privilege level level
STelnet login | Authentication mode for SSH users: all authentication | Deploy the authentication mode as required (see note) | -

NOTE:

If an SSH user uses the all authentication mode and a local AAA user with the same name exists, the user level can differ depending on whether the session was authenticated by password or by RSA, DSA, or ECC (see the STelnet rows above). Configure the user level according to the authentication mode that will actually be used.

Relationships Between User Levels and Command Levels

Command levels are classified into the visit level, monitoring level, configuration level, and management level in ascending order, corresponding to levels 0, 1, 2, and 3. Table 6-4 shows the mappings between user levels and command levels.
Table 6-4  Mappings between user levels and command levels

User Level | Command Level | Name | Description
0 | 0 | Visit level | Network diagnosis commands such as ping and tracert, and commands used to access a remote device, such as the Telnet client.
1 | 0 and 1 | Monitoring level | System maintenance commands, including display commands (see note).
2 | 0, 1, and 2 | Configuration level | Service configuration commands.
3 to 15 | 0, 1, 2, and 3 | Management level | Commands that control basic system operations and support services: the file system, FTP, TFTP download, user management, command level setting, and debugging commands for fault diagnosis.

NOTE:

Not every display command is at the monitoring level. For example, display current-configuration and display saved-configuration are level 3 commands, so a level 1 user cannot read the running or saved configuration.

Updated: 2019-04-04

Document ID: EDOC1100066063