A Telnet user did not perform any operation on the NE40. After the idle timeout expired, the system still did not exit from the command line.
1. Checking the VTY interface configuration and AAA configuration of the device, the engineer found that the idling cut-off function and AAA authentication were enabled on the VTY interface.
2. Checking the configuration of the Telnet user's device, the engineer found that the Telnet user used a device enabled with AAA authentication. Because the local-user idle-cut command was not configured, the idling cut-off function was not enabled. Because the priority of user authentication in the AAA domain was higher than the priority of the idling cut-off configured on the VTY interface, the system did not exit from the command line in spite of the timeout.
local-user jihl password cipher @LK%`C6!Q&@+_X,BUB`^>!!!
local-user jihl service-type ftp terminal telnet ssh
local-user jihl level 3
local-user tanlb password cipher <;:[1:VI7[IZ[[G6WTM6=A!!
local-user tanlb service-type ftp terminal telnet ssh
local-user tanlb level 1
user-interface vty 0 4
acl 2020 inbound
user privilege level 1
idle-timeout 5 0
Because the Telnet user adopted AAA authentication, the peer user must run the local-user idle-cut command to enable the idling cut-off function locally.
By default, the idling cut-off function is disabled on the NE40.
When the idling cut-off function is enabled on the NE40, the system should exit from the command line when the idle timeout expires.
The idling cut-off function is enabled on the VTY interface by default. However, the priority of this configuration is relatively low. For a Telnet user passing AAA authentication, the idle timeout that takes effect depends on priority: the setting for users authenticated by the server has the highest priority, then the setting for users passing AAA authentication, and last the setting for VTY users.
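The precedence above means a VTY idle-timeout alone does not log out AAA-authenticated users, so a configuration audit should look for interactive local users without their own idle-cut setting. The following check is an added example, not part of the original case or Huawei tooling; it assumes the setting appears in the configuration as a line of the form "local-user <name> idle-cut", and the sample configuration, including the users opsadm and ftponly, is constructed.

```python
import re

# Constructed sample in the style of the configuration shown in this case
# (password lines omitted; "opsadm" and "ftponly" are hypothetical users).
SAMPLE_CONFIG = """\
local-user jihl service-type ftp terminal telnet ssh
local-user jihl level 3
local-user tanlb service-type ftp terminal telnet ssh
local-user tanlb level 1
local-user opsadm service-type telnet
local-user opsadm idle-cut
local-user ftponly service-type ftp
user-interface vty 0 4
 user privilege level 1
 idle-timeout 5 0
"""

# Service types that give the user a command line session.
INTERACTIVE = {"terminal", "telnet", "ssh"}
# Assumed line form: local-user <name> <keyword> [arguments...]
LOCAL_USER = re.compile(r"^\s*local-user\s+(\S+)\s+(\S+)(.*)$")


def audit_idle_cut(config_text):
    """Return interactive AAA local users that have no idle-cut line.

    For these users the lower-priority VTY idle-timeout does not end
    the session, so each one needs idle-cut configured on the user.
    """
    users = {}
    for line in config_text.splitlines():
        m = LOCAL_USER.match(line)
        if not m:
            continue  # not a local-user line (e.g. VTY settings)
        name, keyword, rest = m.groups()
        info = users.setdefault(name, {"services": set(), "idle_cut": False})
        if keyword == "service-type":
            info["services"].update(rest.split())
        elif keyword == "idle-cut":
            info["idle_cut"] = True
    return sorted(
        name for name, info in users.items()
        if info["services"] & INTERACTIVE and not info["idle_cut"]
    )


if __name__ == "__main__":
    for user in audit_idle_cut(SAMPLE_CONFIG):
        print("interactive local user without idle-cut:", user)
```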