Web System Login Configuration

The system view is displayed.

The interface view is displayed.

A management IP address is configured.

The factory settings of the device include the IP address 192.168.1.1 and subnet mask 255.255.255.0. The access interface is the management interface under which the silkscreen Management or MGMT is printed.

You can upload the web page file using SFTP or other modes. For details, see Local File Management.

After uploading the web page file, run the dir command in the user view to check whether the web page file on the device has the same size as that on the file server. If not, an exception may occur during file upload. Upload the file again.

1. Run system-view

   The system view is displayed.

2. Run http server load file-name

   The web page file is loaded.

   By default, the web page file in the system software is loaded on the device.

The system view is displayed.

Insecure management protocols HTTP and Telnet are allowed to be used.

By default, insecure management protocols HTTP and Telnet can be used.

V300R019C00:

Only the AR651C and AR651F-Lite support this function.

V300R019C10 and later versions:

Only the AR651K, AR651, AR651-X8, AR651C, AR651F-Lite, AR651U-A4, AR651W-X4, AR651W-8P, AR651W, AR657W, AR6120, AR6121K, AR6121E, AR6121, AR6120-VW, AR6140K-9G-2AC, AR6140E-9G-2AC, and AR6140-9G-2AC support this function.

Only the AR6120-S, AR6140-S, AR6121-S, and AR6121C-S support this function.

An interface is configured to allow clients to access the web system.

By default, users can access the web system only through the management interface on a device.

To prevent unauthorized clients from accessing the web system through an interface, you can run this command to specify an interface that allows clients to access the web system.

This command does not take effect on the MEth management port. The device always allows you to access the web system through the MEth management port. In the factory default settings of the device, you are allowed to access the web system through the WLAN-radio interface and management port of the device.

In the factory default settings of the device running V300R019C00, users are not allowed to access the web system through the WLAN-radio interface on the AR651W, AR657W, or AR6120-VW.

The all parameter is supported in V300R019C11SPC100 and later versions.

In V300R019C11SPC100 and later versions, this step is mandatory. If you do not perform this step, the HTTP/HTTPS service cannot be enabled.

The HTTP/HTTPS server function is enabled.

By default, the HTTP server function is disabled and the HTTPS server function is enabled.

The source IP address of the web system is configured.

By default, the source IP address of the web system is not configured.

If the source IP address is not specified for the web system, the device selects a source IP address according to routing entries to send packets. Specify an interface in stable state, such as a loopback interface, as the source interface. Before specifying a source interface, ensure that clients have reachable routes to the source interface. Otherwise, the configuration will fail.

The port number of the HTTPS server is configured.

The default port number of the HTTPS server is 443.

If the default port number is used, attackers may access this port continuously, consuming bandwidth resources and degrading security performance of the server. As a result, authorized users cannot access the device. If the default port number is used by another service, users cannot log in to the device through the web system.

The management port of the HTTPS server is enabled and the management port number is set.

By default, the management port of the HTTPS server is disabled.

You can run this command to enable the management port of the HTTPS server and set the management port number, and then can manage the router.

Only users at level 3 and higher levels can log in to the web platform through the management port.

The maximum number of concurrent online users in the web system is set.

By default, the maximum number of concurrent online users in the web system is 5.

You can configure the maximum number of concurrent online users in the web system to restrict the number of users who access the web system at the same time.

The HTTPS session timeout interval is set.

By default, the HTTPS session timeout interval is 10 minutes.

By default, only five users can concurrently log in to the device through the web system. If a web user logs in to the device but does not perform any operations for a long time, the user occupies web channel resources and other users may fail to log in to the device. You can set a proper HTTPS session timeout interval so that web channel resources can be released in a timely manner.

1. Run acl [ number ] acl-number

   A numbered ACL is created and the ACL view is displayed.

2. Configure an ACL rule.

   The command for configuring rules for a basic ACL differs from that for configuring rules for an advanced ACL.

   • For a basic ACL, run rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | vpn-instance vpn-instance-name | [ fragment | none-first-fragment ] | logging | time-range time-name ] ^*

   • For an advanced ACL, run rule [ rule-id ] { deny | permit } ip [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | logging | time-range time-name | vpn-instance vpn-instance-name | [ dscp dscp | [ tos tos | precedence precedence ] ^* ] | [ fragment | none-first-fragment ] ] ^*

3. Run quit

   Return to the system view.

4. Run http acl acl-number

   An ACL is configured for the HTTPS server.

   By default, no ACL is configured for the HTTPS server, that is, web users using any clients can establish HTTPS connections with the device.

The edition for web platform login to the router is set.

By default, the EasyOperation edition is used for web platform login to a router.

Only the models that support the web system of the EasyOperation edition support this function. For details, see EasyOperation Edition.

V300R019C10 and later versions, the device does not support this function.

A subdirectory is created for storing the logo image under the directory logo-path of the default working directory on the device.

The system view is displayed.

The storage directory of the logo image on the web page is set.

By default, the storage directory of the Huawei logo image is used.

The system view is displayed.

The AAA view is displayed.

A web system user name and password are configured.

The default username and password are available in AR Router Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

The service type is set to HTTP.

By default, the service type of the local user admin is HTTP.

The user level is configured.

By default, the level of the local user admin is 15, that is, the local user is a super administrator.

If the level of a user is 0 or no level is configured for the user, the user does not have the right to log in to the web system. The mapping between user levels and users is as follows:

• If the user level is 1, the user is a common administrator.
• If the user level is 2, the user is an enterprise administrator.
• If the user level is 3 to 15, the user is a super administrator.

Return to the system view.

1. Select a language.

   Currently, the web system supports English and Chinese, and automatically uses a language based on the browser.

2. Enter the user name and password.

   The default username and password are available in AR Router Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

3. Click Login.

   The system displays a message about login failure in situations shown in Figure 11-3.

   Figure 11-3 Login failure
   

   Check the cause of the login failure based on the prompt message. If the number of incorrect password attempts reaches the upper limit, the current account will be locked. By default, a locked account is automatically unlocked after 5 minutes.

After a user logs in, the web system automatically displays the last login time, IP address, and login mode of the user.

The system asks you to change the password in the following situations, as shown in Figure 11-4.

V300R019C11SPC100 and later versions:

• When you use the default account and password to login to the system for the first time, you need to change the password.
• After the password expires, you need to change the password.
• At your first login to the system after your password is changed by another user, you need to change your password.
• If your password is about to expire, the system notifies you the password expiration time and asks you to change the password.

Figure 11-4 Password change page

• When you must change the password, after you change the password, click OK. If the password is changed successfully, a message indicating successful password change is displayed. Click OK. The login page is displayed. Click Cancel to access the login page without changing the password, and you cannot enter the web platform.
• When the system asks you to change the password, after you change the password, click OK. If the password is changed successfully, a message indicating successful password change is displayed. Click OK. The login page is displayed. Click Cancel to access the Device Information page.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 10.1.1.1 24
[Huawei-GigabitEthernet0/0/0] quit

[Huawei] aaa
[Huawei-aaa] local-user admin password irreversible-cipher YsHsjx_202206
[Huawei-aaa] local-user admin privilege level 15
[Huawei-aaa] local-user admin service-type http
[Huawei-aaa] quit

Before configuring a web user, you can run the display this command in the AAA view to check user names of local users. Ensure that the user name of the configured web user does not conflict with that of an existing local user; otherwise, the new web user may overwrite the existing local user.

# Enable the web system function.

[Huawei] http server permit interface gigabitethernet 0/0/0
[Huawei] http server enable
  This operation will take several minutes, please wait.........................................................
Info: Succeeded in starting the HTTP server
[Huawei] quit

Open a browser on the PC, enter https://192.168.1.1 in the address bar, and press Enter. The login page web system is displayed, as shown in Figure 11-6.

Figure 11-6 Web system login page

Enter the web user name and password, and click Login or press Enter. The web system homepage is displayed.

# After the configuration is complete, you can successfully log in to the device through the web system.

# Run the display http server command on the device to check the SSL policy name and HTTPS server status.

<Huawei> display http server
  HTTP server status              : Enabled        (default: disable)
  HTTP server port                : 80             (default: 80)
  HTTP timeout interval           : 10             (default: 10 minutes)        
  Current online users            : 0                                           
  Maximum users allowed           : 5                                           
  HTTPS server status             : Enabled        (default: enable)            
  HTTPS server port               : 443            (default: 443)               
  HTTPS server manager port       :                                             
  HTTPS SSL Policy                : default_policy  

Access the Windows command prompt and run the ping command to check whether the PC and device are reachable to each other. If the system displays "Request time out", the target device is unreachable.

Check whether the physical port that receives ping packets is blocked. If the physical port is not blocked, check whether the correct gateway address is configured on the device, and whether the device and PC are on the same network segment. If they are on different network segments, run the ip address ip-address { mask | mask-length } command in the interface view to reconfigure the management IP address of the device in the target network segment.

Check whether IP address in https://IP address:port entered in the address box of the browser is correct. If the IP address is incorrect, enter the correct one to log in to the web system.

Run the display this command in the system view to check whether the http secure-server enable configuration exists. If not, the HTTPS service is disabled. Run the http secure-server enable command in the system view to enable the HTTPS service.

Run the display http server command in any view to check the maximum number of access users allowed by the HTTP server. Run the display http user command in any view to check the number of online web users. If the number of online web users reaches the maximum number of access users allowed by the HTTP server, you can log in to the device only after other users go offline.

Run the display this command in the interface view to check whether the configured IP address is correct. If not, run the ip address ip-address { mask | mask-length } command in the interface view to reconfigure the management IP address of the device.

Run the display this command in the system view to check whether the http acl acl-number command configuration exists. If so, record the value of acl-number.

Run the display acl acl-number command in any view to check whether the web user's client IP address is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule, and run the corresponding command to modify the ACL so that the web user's client IP address is allowed.

If you cannot access the web page and the error message "ERR_SSL_SERVER_CERT_BAD_FORMAT" is displayed, run the undo http secure-server ssl-policy command to disassociate the HTTPS server from the server SSL policy.

If the user level is 1, the user is a common administrator and can only access Device Information and change the password in User Management. If the user level is 2, the user is an enterprise administrator and has most operating rights in the web system. If the user level is 3 to 15, the user is a super administrator and has all operating rights in the web system.

Run the display this command in the AAA view to check the web user level. If the value of level is too small in the local-user user-name privilege level level configuration, some functions cannot be displayed in the web system. Run the local-user user-name privilege level level command in the AAA view to set the web user level to 3 or higher so that the web user has all operating rights in the web system.

Run the display version command in any view to check the device version. If the value of Version is too small in the VRP (R) software, Version Version configuration, the device does not support some functions in the web system. Upgrade the device to a proper version.