SupportDocumentationSwitchesCampus SwitchS100&S200&S300&S500&S600&S700Configuration & CommissioningConfiguration Guide

S310 V600R022C10 Configuration Guide - Basic Configuration

Configuring Web UI-based Login

Configuring Web UI-based Login

Context

Using local authentication as an example, this section describes how to configure web UI-based login through HTTPS. For details about how to configure this function when server authentication is used, see "AAA Configuration" in CLI Configuration Guide > User Access and Authentication Configuration.

For security purposes, change the password periodically.

Procedure

  1. Create a local account. (This step is required upon first login, as there is no default account.)
    1. Enter the system view.

      system-view

    2. Enter the AAA view.

      aaa

    3. Configure the local user name and password.

      local-user user-name { password irreversible-cipher ir-password

    4. Set the service type of the local user to HTTP.

      local-user user-name service-type http

    5. Set the privilege level to 3 for the local user.

      local-user user-name privilege level 3

      Users with a privilege level of 3 can access all the pages by default. If you need to set up different users to access different levels of pages, please see "Creating an Administrator Role" in Web Configuration Guide > System > Administrator.

    6. Return to the system view.

      quit

  2. Enable the HTTPS service.

    web-manager enable [ port port-number ]

  3. Enable forcible redirection from HTTP to HTTPS.

    web-manager http forward enable

    By default, this function is enabled. With this function enabled, a device will automatically display the web UI using HTTPS — a secure version of HTTP — if a user attempts to log in to the device's management interface at http://ip-address using HTTP. If this function is disabled, you cannot use HTTP to access the web UI.

  4. Configure the certificate sent by the device functioning as a server to the terminal functioning as a client.

    web-manager security server-certificate server-certificate-file

    If no certificate is specified, the server sends the default certificate to the client for authentication when the client attempts to log in to the server through HTTPS. If a certificate is specified, the server sends the specified certificate to the client for authentication. You can obtain the CA certificate from the device's web UI or CA server and import it to the client's browser. The client then uses the imported CA certificate to verify the identity of the device.

    The specified certificate needs to be applied for from the CA server. After the CA server generates the requested certificate, download the certificate to the device's storage path and then import it to the memory for the certificate to take effect. For details, see "PKI Configuration" in CLI Configuration Guide > Security Configuration.

    The CA can be an internationally recognized organization or a PC running certificate services. The client can trust a certificate only after the client user has obtained the CA certificate of the CA server that issues the server's certificate and imports it to the browser. If the CA certificate is not imported to the browser, the client can still log in to the device through HTTPS. In this case, the client cannot verify the validity of the server's certificate and is vulnerable to attacks.

    If the local certificate is issued by a multi-level CA, you need to make the local certificate and CA certificates into a certificate chain file and import it to the device. If the local certificate and CA certificates are separately imported, the CA certificate downloaded on the login page cannot clear the security alarm generated during device access.

  5. Configure two-way authentication. Before enabling this function, import the client certificate to the browser and import the matching CA certificate to the server. When logging in to the server using HTTPS, the client sends its certificate to the server, which then uses the CA certificate to verify the client certificate.
    1. Enable two-way authentication between the server and client.

      web-manager security verify-ssl-peer

    2. Specify the CA certificate used by the server to verify the client certificate.

      web-manager security ca-certificate ca-certificate

  6. Configure the device IP address that can be used to access the web UI.

    web-manager { ipv4 | ipv6 } server-source -a ip-address [ vpn-instance vpn-instance ]

    By default, no IP address is configured for accessing the web UI.

  7. Configure the device interface that can be used to access the web UI.

    • Configure an interface to be used to access the web UI.
      web-manager server-source -i interface-type interface-num
    • Configure all interfaces to be used to access the web UI.
      web-manager server-source all-interface

    If you have configured an IP address that can be used to access the web UI, you do not need to configure the interface for accessing the web UI. Select either of them.

  8. Use an Ethernet cable to connect the network interface of the terminal to the interface of the device, either directly or via a Layer 2 switch.
  9. Open a browser on the terminal and log in to the device by entering https://Device's management interface IP address:port number. Use the account and password configured in Step 1 to log in to the web UI of the device. During the first login, the device prompts you to change the password.

Verifying the Configuration

Run the display web-manager { configuration | users [ brief ] } command in any view to check information about the web server and web login user.