User authentication configuration example 11 Command authorization configuration example 13 Command accounting configuration example 14


Contents

Logging in to the CLI 1
  Login methods 1
  Logging in through the console or AUX port 2
  Logging in through Telnet 5
    Telnetting to the switch 5
    Telnetting from the switch to another device 7
  Logging in through SSH 8
    Logging in to the switch from an SSH client 9
    Using the switch as an SSH client to log in to the SSH server 10
  Modem dial-in through the AUX port 11
Logging in to the Web interface 1
  Configuring HTTP login 1
  Configuring HTTPS login 2
  Configuring source IP-based Web login control 5
    Configuring source IP-based Web login control 5
    Logging off online Web users 5
    Source IP-based Web login control configuration example 6
  Displaying and maintaining Web login 6
  HTTP login example 6
  HTTPS login configuration example 8
    Network requirements 8
    Configuration procedure 9
Logging in through SNMP from an NMS 1
  Configuring SNMP login 1
    Prerequisites 1
    Configuring SNMPv3 settings 1
    Configuring SNMPv1 or SNMPv2c settings 2
  NMS login example 3
Logging in through CWMP from an ACS 1
Configuring user interfaces 2
  User interface assignment 2
  User interface numbering 2
  User interface configuration task list 3
  Configuring asynchronous serial interface attributes 3
  Configuring common settings for user interfaces 4
  Configuring the command auto-execute function 5
  Configuring a user privilege level for user interfaces 5
  Configuring access control on VTY user interfaces 6
  Configuring supported protocols on VTY user interfaces 6
  Configuring authentication mode 7
  Configuring command authorization 9
  Configuring command accounting 9
  Defining shortcut keys for starting terminal sessions/aborting tasks 10
  Sending messages to user interfaces 10
  Releasing connections to user interfaces 10
  Displaying and maintaining user interfaces 11
  User interface configuration examples 11
    User authentication configuration example 11
    Command authorization configuration example 13
    Command accounting configuration example 14
Configuring Telnet login control 1
  Configuring source IP-based Telnet login control 1
  Configuring source/destination IP-based Telnet login control 1
  Configuring source MAC-based Telnet login control 2
  Telnet login control configuration example 2

Logging in to the CLI

This chapter describes the available CLI login methods and their configuration procedures.

If you enable FIPS mode and reboot the switch, the Telnet server function and the HTTP server function are disabled. For more information about FIPS mode, see Security Configuration Guide.

Login methods

You can access the switch only through the console or AUX port at the first login. After you log in, you can configure other login methods, including Telnet and SSH, for remote access. Telnet carries credentials and session data in plaintext; prefer SSH for remote management, and restrict the VTY user interfaces to SSH once SSH login works.

Table 1 Login methods

Login method: Logging in through the console or AUX port
Default settings and configuration requirements: By default, login through the console and AUX port is enabled, no username or password is required, and the user privilege level is 3.

Login method: Logging in through Telnet
Default settings and configuration requirements: By default, the Telnet service is disabled. To use the Telnet service, complete the following configuration tasks:
- Enable the Telnet server function on the switch.
- Assign an IP address to the network management port or a VLAN interface of the switch, and make sure the switch and the Telnet client can reach each other. (By default, the switch does not have an IP address.)
- Configure the authentication mode for VTY login users (password by default).
- Configure the user privilege level of VTY login users (0 by default).

Login method: Logging in through SSH
Default settings and configuration requirements: By default, the SSH service is disabled. To use the SSH service, complete the following configuration tasks:
- Enable the SSH server function on the switch.
- Assign an IP address to the network management port or a VLAN interface of the switch, and make sure the switch and the SSH client can reach each other. (By default, the switch does not have an IP address.)
- Configure the authentication mode for VTY login users as scheme (password by default).
- Configure the user privilege level of VTY login users (0 by default).

Login method: Modem dial-in through the AUX port
Default settings and configuration requirements: By default, modem dial-in through the AUX port is disabled. To use modem dial-in, log in to the switch through the console port, and complete the following configuration tasks:
- Configure the authentication mode for AUX login users (password by default).
- Configure the user privilege level of AUX login users (0 by default).

Logging in through the console or AUX port

The AUX port can be used as a backup of the console port. Using the AUX port for local login is the same as using the console port. This section describes the console port configuration and login procedure.

By default, the first time you access the CLI you must log in through the console port. To log in through the console port, make sure the console terminal has a terminal emulation program (for example, HyperTerminal in Windows XP) and that the port settings of the terminal emulation program match the default settings of the console port shown in Table 2.

Table 2 Default console port settings

Setting              Default
Baud rate            9600 bps
Flow control         Off
Check mode (parity)  No check bit
Stop bits            1
Data bits            8

To log in through the console port:

1. As shown in Figure 1, connect the DB-9 connector of the console cable to the serial port of your console terminal.

Figure 1 Connecting a terminal to the console port

2. Connect the RJ-45 connector of the console cable to the console port of the MPU of the switch. If two MPUs are installed on the switch, log in through the console port on the active MPU (typically the one with the smaller slot number) for the first login.

NOTE: Identify the mark on the console port and make sure you are connecting to the correct port. The serial ports on PCs do not support hot swapping. If the switch has been powered on, always connect the console cable to the PC before connecting it to the switch, and when you disconnect the cable, first disconnect it from the switch.

3. If the PC is off, turn on the PC.

4. Launch the terminal emulation program and configure the communication properties on the terminal. Figure 2 through Figure 4 show the configuration procedure in Windows XP HyperTerminal. Make sure the port settings are the same as those listed in Table 2.

NOTE: On Windows Server 2003, add HyperTerminal first, and then log in to and manage the switch as described in this document. On Windows Server 2008, Windows 7, Windows Vista, or any other operating system, obtain a third-party terminal control program first, and then follow its user guide or online help to log in to the switch.

Figure 2 Connection description

Figure 3 Specifying the serial port used to establish the connection

Figure 4 Setting the properties of the serial port

5. Power on the switch and press Enter when the following prompt appears:
<Sysname>

6. Execute commands to configure the switch or view its running status. To get help, enter ?.

By default, console users are not authenticated. For security, change the authentication mode of the console port immediately after you log in for the first time. For more information about authentication modes, see "Configuring authentication mode." After you log in through the console port, you can also set login parameters other than the authentication mode. For more information, see "Configuring user interfaces."

The following example configures password authentication on the console port:

<Sysname> system-view
[Sysname] user-interface console 0
[Sysname-ui-console0] authentication-mode password
[Sysname-ui-console0] set authentication password cipher 123

After the configuration is complete, users who log in through the console port must enter the password 123. The value 123 is only an illustration; use a strong password on a production switch.

Logging in through Telnet

You can Telnet to the switch through a VTY user interface for remote management, or use the switch as a Telnet client to Telnet to other devices. Table 3 shows the Telnet server and client configuration required for a successful Telnet login.

Table 3 Telnet server and Telnet client configuration requirements

Telnet server:
- Assign an IP address to the Telnet server, and make sure the Telnet server and client can reach each other.
- Enable the Telnet server.
- Configure the authentication mode for Telnet login.

Telnet client:
- Run the Telnet program.
- Obtain the IP address of the Telnet server.

To control Telnet access to the device working as a Telnet server, configure login authentication and user privilege levels for Telnet users.

Telnetting to the switch

By default, the Telnet service is disabled on the switch, password authentication applies to Telnet login, but no login password is configured. To allow Telnet access to the switch, you must enable the Telnet server and configure a password, or configure another authentication mode and its related settings.

You can Telnet to the switch through the network management port or any other Layer 3 interface, for example, a Layer 3 Ethernet interface or a VLAN interface.

To log in to the switch from a Telnet client:

1. Log in to the switch through the console port, and assign an IP address to the network management port of the switch. For example:

# Assign IP address /24 to the network management port.
<Sysname> system-view
[Sysname] interface M-Ethernet 0/0/0

[Sysname-M-Ethernet0/0/0] ip address

For more information about how to log in to the switch through the console port, see "Logging in through the console or AUX port."

2. Enable the Telnet server function:
   a. Enter system view: system-view
   b. Enable the Telnet server: telnet server enable (disabled by default).

3. Enter VTY user interface view, and configure the authentication mode as needed. For more information, see "Configuring authentication mode."

4. Configure the user privilege level. Users that Telnet to the switch can execute only level-0 commands by default. For more information about command levels, see "Configuring a user privilege level for user interfaces."

5. Set up a configuration environment as shown in Figure 5, and make sure the PC and the switch can reach each other.

Figure 5 Setting up a configuration environment

6. From your Telnet client, Telnet to the IP address of the management port of the switch, as shown in Figure 6.

Figure 6 Running the Telnet program

7. If the authentication mode is none, you can log in to the switch without any authentication. If the authentication mode is password, the terminal prompts you to enter the login password. If the authentication mode is scheme, you must enter the username and password to log in to the switch. After you enter the correct username and password, if the switch prompts you to enter another password of the specified type, you are authenticated a second time.

8. Execute commands to configure the switch, or check the running status of the switch. To get help, enter ?.

NOTE: When configuring your switch through Telnet, do not delete or change the IP address of the network management port or VLAN interface that the Telnet connection uses. Otherwise, the Telnet connection is terminated. If the number of Telnet login users has reached the upper limit, the message "All user interfaces are used, please try later!" appears.

Telnetting from the switch to another device

By default, the Telnet client function is enabled on the switch. To Telnet to another device from the local switch, follow these steps:

1. Set up a configuration environment as shown in Figure 7. If the two switches are not in the same LAN, make sure the two switches can reach each other.

Figure 7 Telnetting from the switch (Telnet client) to another device (Telnet server)

2. Configure the Telnet server:
   a. Enable the Telnet server.
   b. Configure the authentication mode on the Telnet server as needed.

3. Log in to the switch that operates as the Telnet client.

4. Execute the telnet command on the Telnet client to log in to the Telnet server:
   a. Enter system view: system-view
   b. Specify the source IPv4 address or source interface for the Telnet packets the switch sends when it serves as a Telnet client: telnet client source { interface interface-type interface-number | ip ip-address }. By default, no source IPv4 address or source interface is specified, and the source IPv4 address is selected by the routing process.
   c. Exit to user view: quit

   d. Telnet to the Telnet server, in user view, using either command:
      telnet remote-host [ service-port ] [ [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ip ip-address } ] ]
      telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] [ vpn-instance vpn-instance-name ]

5. After login, a prompt appears (for example, <Sysname>). If "All user interfaces are used, please try later!" appears, try again later.

6. Execute commands to configure the switch, or check the running status of the switch. To get help, enter ?.

Logging in through SSH

SSH offers a secure method for remote login. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception. You can use an SSH client to log in to the switch working as an SSH server for remote management, or use the switch as an SSH client to log in to an SSH server, as shown in Figure 8.

Figure 8 SSH login diagram

Table 4 shows the SSH server and client configuration required for a successful SSH login.

Table 4 SSH server and client requirements

SSH server:
- Assign an IP address to the SSH server, and make sure the SSH server and client can reach each other.
- Configure the authentication mode and other settings.

SSH client:
- If the host operates as an SSH client, run the SSH client program on the host.
- Obtain the IP address of the SSH server.

To control SSH access to the switch working as an SSH server, configure authentication and user privilege levels for SSH users.

As an SSH client, you can log in to an SSH server from the switch to perform operations on the server. By default, the SSH client function is enabled on the switch.

Logging in to the switch from an SSH client

By default, the SSH server function is disabled on the switch, password authentication is adopted for SSH login, but no login password is configured. To log in to the switch from an SSH client, log in to the switch through the console port (see "Logging in through the console or AUX port") and configure the switch as an SSH server.

Follow these guidelines when you configure the SSH server:
- To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
- If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device. If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.
- The SSH client authentication method is password in this configuration procedure. For more information about SSH and publickey authentication, see Security Configuration Guide.

To configure the switch as an SSH server:

1. Enter system view: system-view

2. Create local key pairs: public-key local create { dsa | rsa }. By default, no local key pairs are created. Prefer rsa: SSH DSA keys are limited to 1024 bits, and current SSH clients reject them by default.

3. Enable the SSH server: ssh server enable. By default, the SSH server is disabled.

4. Return to system view if you have left it: quit

5. Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]

6. Specify the scheme authentication mode: authentication-mode scheme. By default, the authentication mode for VTY user interfaces is password.

7. Enable the current user interface to support Telnet, SSH, or both: protocol inbound { all | ssh }. By default, both protocols are supported. To keep Telnet off the VTY interfaces, set protocol inbound ssh.

8. Exit to system view: quit

9. Configure the authentication mode:
   a. Enter the default ISP domain view: domain domain-name
   b. Apply the specified AAA scheme to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   c. Exit to system view: quit
   By default, the AAA scheme is local. If you specify the local AAA scheme, perform the local user configuration in steps 10 through 14 as well. If you specify an existing RADIUS or HWTACACS scheme, configure the username and password on the AAA server instead. For RADIUS and HWTACACS configuration, see Security Configuration Guide.

10. Create a local user and enter local user view: local-user user-name. By default, no local user exists.

11. Set the local password: password { cipher | simple } password. By default, no local password is set.

12. Specify the command level of the local user: authorization-attribute level level. By default, the command level is 0.

13. Specify the service type for the local user: service-type ssh. By default, no service type is specified.

14. Exit to system view: quit

15. Create an SSH user, and specify the authentication mode for the SSH user: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }. By default, no SSH user exists, and no authentication mode is specified.

16. Configure common settings for VTY user interfaces. See "Configuring common settings for user interfaces."

Using the switch as an SSH client to log in to the SSH server

You can use the switch as an SSH client to log in to an SSH server. If the server is located in a different subnet than the switch, make sure the two devices have routes to reach each other. To use the switch as the SSH client, first log in to the switch through the console port. For more information, see "Logging in through the console or AUX port."
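The ssh2 client commands in the table that follows let the switch state, per category, which cipher, HMAC and key exchange algorithm it prefers. What actually gets used is decided by the SSH algorithm negotiation rule (RFC 4253 section 7.1): the first algorithm on the client's list that the server also supports. The script below, an added example and not H3C code, simulates that negotiation for the algorithm names the ssh2 command lists, against two constructed servers. It assumes that a prefer-* option puts the named algorithm first and the other supported ones after it, and the set of algorithms it flags as weak is this example's own policy, not a statement from the page.

```python
"""Simulate SSH algorithm negotiation for the client-side preferences the
ssh2 command exposes (prefer-ctos-cipher, prefer-stoc-cipher,
prefer-ctos-hmac, prefer-stoc-hmac, prefer-kex).  Added example, not H3C code."""

# Algorithm names exactly as the ssh2 command syntax lists them.
CIPHERS = ["aes128", "3des", "des"]
HMACS = ["sha1", "sha1-96", "md5", "md5-96"]
KEX = ["dh-group-exchange", "dh-group14", "dh-group1"]

# Algorithms a reviewer should not accept on a management session: single DES,
# Sweet32-affected 3DES, MD5-based and truncated MACs, 1024-bit group1.
# This is the example's own policy, not something the page states.
WEAK = {"des", "3des", "md5", "md5-96", "sha1-96", "dh-group1"}

CATEGORIES = {"ctos-cipher": CIPHERS, "stoc-cipher": CIPHERS,
              "ctos-hmac": HMACS, "stoc-hmac": HMACS, "kex": KEX}


def client_name_list(preferred, supported):
    """Model of 'prefer-<category> <alg>': the preferred algorithm is offered
    first, the remaining supported ones after it (assumption; the page only
    says which algorithm is preferred)."""
    if preferred not in supported:
        raise ValueError(f"unknown algorithm {preferred!r}")
    return [preferred] + [a for a in supported if a != preferred]


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the chosen algorithm is the first one on the
    client's name-list that the server also supports; None if none overlaps."""
    server = set(server_list)
    for alg in client_list:
        if alg in server:
            return alg
    return None


def negotiate_session(prefs, server):
    """prefs: {category: preferred algorithm}, as set with the prefer-* options.
    server: {category: [algorithms the server supports]} (constructed).
    Returns (chosen algorithms, warnings about weak choices); raises if a
    category cannot be agreed, which is what a failed SSH connection means."""
    chosen, warnings = {}, []
    for cat, supported in CATEGORIES.items():
        offer = client_name_list(prefs[cat], supported)
        alg = negotiate(offer, server[cat])
        if alg is None:
            raise RuntimeError(f"no common {cat} algorithm: client offers "
                               f"{offer}, server supports {server[cat]}")
        chosen[cat] = alg
        if alg in WEAK:
            warnings.append(f"{cat}: negotiated weak algorithm {alg}")
    return chosen, warnings


# Client preferences a reviewer would expect (assumed; the page does not
# state the defaults of the prefer-* options).
SAFE_PREFS = {"ctos-cipher": "aes128", "stoc-cipher": "aes128",
              "ctos-hmac": "sha1", "stoc-hmac": "sha1",
              "kex": "dh-group-exchange"}
# The same client after 'prefer-ctos-cipher des': an operator-induced downgrade.
DOWNGRADED_PREFS = dict(SAFE_PREFS, **{"ctos-cipher": "des"})

# Two constructed servers, neither a real device: a current one and a legacy
# one that only speaks old algorithms.
MODERN_SERVER = {"ctos-cipher": ["aes128", "3des", "des"],
                 "stoc-cipher": ["aes128", "3des", "des"],
                 "ctos-hmac": ["sha1", "md5"], "stoc-hmac": ["sha1", "md5"],
                 "kex": ["dh-group14", "dh-group-exchange"]}
LEGACY_SERVER = {"ctos-cipher": ["3des", "des"], "stoc-cipher": ["3des", "des"],
                 "ctos-hmac": ["md5"], "stoc-hmac": ["md5"], "kex": ["dh-group1"]}

if __name__ == "__main__":
    for name, server in (("modern", MODERN_SERVER), ("legacy", LEGACY_SERVER)):
        chosen, warnings = negotiate_session(SAFE_PREFS, server)
        print(name, chosen, warnings or "no weak algorithms")
    # The client's own preference wins even when the server supports better.
    chosen, warnings = negotiate_session(DOWNGRADED_PREFS, MODERN_SERVER)
    print("prefer-ctos-cipher des ->", chosen["ctos-cipher"], warnings)
```

The third run is the point worth remembering: setting prefer-ctos-cipher des on the switch downgrades the session to single DES even against a server that offers aes128, because the client's ordering decides. Against the legacy server every category lands on a weak algorithm, and a server with no overlap at all (for example one that only accepts a key exchange the switch does not list) makes the connection fail rather than fall back.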

Figure 9 Logging in to an SSH server from the switch

Perform the following tasks in user view:

Task: Log in to an IPv4 SSH server.
Command: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
Remarks: The server argument represents the IPv4 address or host name of the server.

Task: Log in to an IPv6 SSH server.
Command: ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
Remarks: The server argument represents the IPv6 address or host name of the server.

The des, md5, md5-96, sha1-96 and dh-group1 options exist for compatibility with old servers. Single DES, MD5-based MACs and the 1024-bit group1 exchange are not acceptable for a management session; prefer aes128, sha1 and dh-group-exchange or dh-group14 whenever the server supports them.

Modem dial-in through the AUX port

An administrator can use a pair of modems to remotely connect to the switch through its AUX port over the PSTN when the IP network connection is broken. To do so, make sure that the dial-in connection, the switch, and the modems are correctly set up. Because the modem answers any incoming call, configure an authentication mode on the AUX user interface before you enable dial-in.

To set up a configuration environment as shown in Figure 10:

1. Connect the serial port of the PC to one modem and the AUX port of the device to another modem.

2. Connect each modem to the PSTN through a telephone cable.

Figure 10 Setting up a configuration environment

3. Obtain the telephone number of the modem connected to the device.

4. Configure the following settings on the modem directly connected to the device:

AT&F      Restores the factory default.
ATS0=1    Configures auto-answer on the first ring.
AT&D      Ignores Data Terminal Ready signals.
AT&K0     Disables local flow control.
AT&R1     Ignores Data Flow Control signals.
AT&S0     Forces DSR to remain on.
ATEQ1&W   Disables the modem from returning command responses and execution results, and saves the configuration.

To verify your configuration, enter AT&V to display the configuration results.

NOTE: The configuration commands and output vary by modem. For more information, see the modem user guide.

5. To avoid data loss, verify that the speed of the AUX port is not higher than the transmission rate of the modem, and that the default parity check, stop bits, and data bits settings are used.

6. Launch the terminal emulation program and create a connection by using the telephone number of the modem connected to the device. Figure 11 through Figure 13 show the configuration procedure in Windows XP HyperTerminal.

Figure 11 Creating a connection

Figure 12 Entering the phone number

Figure 13 Dialing the number

7. If the authentication mode is password, a prompt (for example, <Sysname>) appears after you enter the configured password. Then, you can configure or manage the switch. To get help, enter ?.
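The login methods in this chapter ship with defaults that a reviewer has to check on every switch: the console and AUX interfaces authenticate nobody at privilege level 3, VTY interfaces accept both Telnet and SSH, the default VTY mode is password with no password set, and local-user passwords can be stored with password simple. The script below, an added example and not H3C code, audits a running configuration for exactly those points. It assumes the display current-configuration layout (sections separated by "#" lines, system-view commands indented by one space, a view header such as user-interface vty 0 4 at column 0 followed by its indented sub-commands); both configuration fragments are constructed for the example and the cipher string is a placeholder, not a real ciphertext.

```python
"""Audit a Comware-style running configuration for the CLI login weaknesses
this chapter warns about.  Added example, not H3C code.  Assumes the
'display current-configuration' layout: sections separated by '#' lines,
system-view commands indented by one space, and a view header such as
'user-interface vty 0 4' at column 0 followed by its indented sub-commands."""


def parse_config(config):
    """Return (system_commands, views); views is a list of
    (header, [sub-commands]) in configuration order."""
    system, views, current = [], [], None
    for raw in config.splitlines():
        if raw.strip() in ("", "#"):
            current = None            # '#' closes the current view
            continue
        if not raw.startswith(" "):
            current = (raw.strip(), [])
            views.append(current)
        elif current is None:
            system.append(raw.strip())
        else:
            current[1].append(raw.strip())
    return system, views


def last_arg(body, prefix, default):
    """Argument of the last sub-command starting with prefix, else default."""
    values = [c[len(prefix):].strip() for c in body if c.startswith(prefix)]
    return values[-1] if values else default


def audit(config):
    """Return finding strings, in configuration order."""
    findings = []
    system, views = parse_config(config)
    if "telnet server enable" in system:
        findings.append("TELNET_ENABLED")   # plaintext management protocol
    for header, body in views:
        words = header.split()
        if words[0] == "user-interface":
            kind = words[1]
            mode = last_arg(body, "authentication-mode ", None)
            if kind.startswith(("con", "aux")) and mode in (None, "none"):
                # Console/AUX default: no authentication at privilege level 3.
                findings.append(f"{header}: NO_AUTH")
            if kind == "vty":
                if mode == "none":
                    findings.append(f"{header}: NO_AUTH")
                if mode == "password" and not any(
                        c.startswith("set authentication password") for c in body):
                    # Default VTY mode with no password set: nobody can log in.
                    findings.append(f"{header}: PASSWORD_MODE_WITHOUT_PASSWORD")
                if last_arg(body, "protocol inbound ", "all") != "ssh":
                    # Default is both protocols, so Telnet stays reachable.
                    findings.append(f"{header}: TELNET_ALLOWED_INBOUND")
        elif words[0] == "local-user":
            if any(c.startswith("password simple ") for c in body):
                findings.append(f"{header}: PLAINTEXT_PASSWORD")
    return findings


# Constructed configuration fragments; not captured from a real switch.
WEAK_CONFIG = """\
#
 telnet server enable
 ssh server enable
#
local-user admin
 password simple admin
 authorization-attribute level 3
 service-type ssh telnet
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound all
#
user-interface vty 5 15
 authentication-mode password
#
"""

HARDENED_CONFIG = """\
#
 ssh server enable
#
local-user admin
 password cipher 7fYxQ2vLp9Kz
 authorization-attribute level 3
 service-type ssh
#
user-interface aux 0
 authentication-mode scheme
#
user-interface vty 0 15
 authentication-mode scheme
 protocol inbound ssh
#
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Note that user-interface aux 0 with no sub-commands is reported: an absent authentication-mode line is the insecure default, not a safe one, so the check treats "not configured" the same as none for console and AUX interfaces.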

Logging in to the Web interface

The switch provides a built-in Web server for you to configure the switch through a Web browser. Web login is disabled by default. To enable Web login, log in through the console port, and perform the following configuration tasks:
- Enable the HTTP service.
- Assign an IP address to the VLAN interface, and make sure that the interface and the configuration terminal can reach each other.
- Configure a local user account for Web login.

The switch supports HTTP 1.0 and HTTPS for transferring webpage data across the Internet. HTTPS uses SSL to encrypt data between the client and the server for data integrity and confidentiality, and is more secure than HTTP. You can define a certificate attribute-based access control policy to allow only legal clients to access the device. HTTP login and HTTPS login are separate login methods. To use HTTPS login, you do not need to configure HTTP login.

Table 5 shows the basic Web login configuration requirements.

Table 5 Basic Web login configuration requirements

Device:
- Assign an IP address to the VLAN interface. Configure routes to make sure the switch and the PC can reach each other.
- Configure HTTP login.

PC:
- Install a Web browser.
- Obtain the IP address of the switch's VLAN interface.

Configuring HTTP login

1. Specify a fixed verification code for Web login: web captcha verification-code. By default, a Web user must enter the verification code shown on the login page to log in. This command is available in user view. A fixed verification code no longer slows down automated password guessing, so leave the default unless you have a specific reason to change it.

2. Enter system view: system-view

3. Enable the HTTP service: ip http enable. By default, the HTTP service is disabled.

4. Configure the HTTP service port number: ip http port port-number. The default is 80. If you execute the command multiple times, the most recent configuration takes effect.

5. Associate the HTTP service with an ACL: ip http acl acl-number. By default, the HTTP service is not associated with any ACL. Associating the HTTP service with an ACL enables the switch to allow only clients permitted by the ACL to access the switch.

6. Create a local user and enter local user view: local-user user-name. By default, no local user is configured.

7. Configure a password for the local user: password { cipher | simple } password. By default, no password is configured for the local user.

8. Specify the command level of the local user: authorization-attribute level level. By default, no command level is configured for the local user.

9. Specify the Web service type for the local user: service-type web. By default, no service type is configured for the local user.

10. Exit to system view: quit

11. Create a VLAN interface and enter its view: interface vlan-interface vlan-interface-id. If the VLAN interface already exists, the command enters its view.

12. Assign an IP address and subnet mask to the VLAN interface: ip address ip-address { mask | mask-length }. By default, no IP address is assigned to the VLAN interface.

Configuring HTTPS login

The switch supports the following HTTPS login modes:

- Simplified mode. To make the switch operate in this mode, you only need to enable the HTTPS service on the switch. The switch uses a self-signed certificate (a certificate that is generated and signed by the switch itself rather than by a CA) and the default SSL settings. This mode is simple to configure but has potential security risks: a client has no way to verify a self-signed certificate, so the session is encrypted but the server is not authenticated.

- Secure mode. To make the switch operate in this mode, you must enable the HTTPS service on the switch, specify an SSL server policy for the service, and configure PKI domain-related parameters. This mode is more complicated to configure but provides higher security.

For more information about SSL and PKI, see Security Configuration Guide.

To configure HTTPS login:

1. Specify a fixed verification code for Web login: web captcha verification-code. By default, a Web user must enter the verification code shown on the login page to log in. This command is available in user view. As with HTTP login, a fixed code removes the protection the verification code provides against automated login attempts.

2. Enter system view: system-view

3. Associate the HTTPS service with an SSL server policy: ip https ssl-server-policy policy-name. By default, the HTTPS service is not associated with any SSL server policy, and the switch uses a self-signed certificate for authentication. If you disable the HTTPS service, the system automatically de-associates the HTTPS service from the SSL server policy; before re-enabling the HTTPS service, re-associate it with an SSL server policy. If the HTTPS service has already been enabled, changes to the associated SSL server policy do not take effect.

4. Enable the HTTPS service: ip https enable. By default, the HTTPS service is disabled. Enabling the HTTPS service triggers an SSL handshake negotiation: if a local certificate exists on the switch, the SSL negotiation succeeds and the HTTPS service starts. If no local certificate exists, a certificate application process is triggered. Because the application process takes a long time, the SSL negotiation often fails and the HTTPS service cannot be started; in that case, execute this command again until the HTTPS service starts.

5. Associate the HTTPS service with a certificate attribute-based access control policy: ip https certificate access-control-policy policy-name. By default, the HTTPS service is not associated with any certificate attribute-based access control policy. The switch uses the associated policy to control client access rights. You must configure the client-verify enable command and at least one permit rule in the SSL server policy; otherwise, no clients can log in through HTTPS. For more information about certificate attribute-based access control policies, see the chapter on PKI in Security Configuration Guide.

6. Specify the HTTPS service port number: ip https port port-number. The default HTTPS service port is 443.

7. Associate the HTTPS service with an ACL: ip https acl acl-number. By default, the HTTPS service is not associated with any ACL. The switch allows only clients permitted by the associated ACL to log in.

8. Set the HTTPS user authentication mode: web https-authorization mode { auto | manual }. The default HTTPS user authentication mode is manual. In manual mode, a user must enter the correct username and password to log in through HTTPS. In auto mode, the device first authenticates users by their certificates:
   - If the certificate is correct and not expired, the CN field of the certificate is used as the username for AAA authentication. If the authentication succeeds, the Web interface of the device appears on the user's terminal.
   - If the certificate is correct and not expired, but the AAA authentication fails, the device shows the Web login page and the user must enter the correct username and password to log in.
   - If the certificate is incorrect or expired, the HTTPS connection is terminated.

9. Create a local user and enter local user view: local-user user-name. By default, no local user is configured.

10. Configure a password for the local user: password { cipher | simple } password. By default, no password is configured for the local user.

11. Specify a privilege level for the local user: authorization-attribute level level. By default, no privilege level is specified for a local user.

12. Authorize the local user to use the Web service: service-type web. By default, no service type is authorized to a local user.

13. Exit to system view: quit

14. Create a VLAN interface and enter its view: interface vlan-interface vlan-interface-id. If the VLAN interface already exists, the command enters its view.

15. Assign an IP address and subnet mask to the interface: ip address ip-address { mask | mask-length }. By default, no IP address is assigned to the interface.

Configuring source IP-based Web login control

Use a basic ACL (2000 to 2999) to filter HTTP traffic by source IP address for Web login control. To access the device, a Web user must use an IP address permitted by the ACL. For more information about ACLs, see ACL and QoS Configuration Guide. You can also log off suspicious Web users that are already logged in.

Configuring source IP-based Web login control

1. Enter system view: system-view

2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL: acl [ ipv6 ] number acl-number [ match-order { config | auto } ]. By default, no basic ACL exists.

3. Create rules for this ACL: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ] *

4. Exit the basic ACL view: quit

5. Associate the HTTP service with the ACL: ip http acl acl-number

Logging off online Web users

Task: Log off online Web users.
Command: free web-users { all | user-id user-id | user-name user-name }
Remarks: Available in user interface view.
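Two details of the procedure above decide who actually gets through: the wildcard in a rule's source (a 1 bit means "don't care", so 10.1.1.0 0.0.0.255 is a whole /24 while 10.1.1.20 0.0.0.0 is one host) and the match-order option, which decides whether overlapping rules are tried in configuration order or most-specific-first. The script below, an added example and not H3C code, implements both and evaluates the same two rules under each order against constructed client addresses. It assumes that a source address matching no rule is refused (the page's example only permits Host B, which only makes sense with that behaviour) and that auto order breaks ties between equally specific rules in configuration order.

```python
"""Evaluate a Comware-style basic ACL (2000 to 2999) against client source
addresses, the way source IP-based Web login control uses it.  Added example,
not H3C code."""
import ipaddress


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


class Rule:
    """rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } ]"""

    def __init__(self, rule_id, action, source="any"):
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.rule_id, self.action = rule_id, action
        if source == "any":
            self.addr, self.care = 0, 0             # no bits are compared
        else:
            addr, wildcard = source.split()
            # A wildcard bit of 1 means "don't care"; the care mask is its inverse.
            self.care = ~_int(wildcard) & 0xFFFFFFFF
            self.addr = _int(addr) & self.care

    def matches(self, ip):
        return (_int(ip) & self.care) == self.addr

    def specificity(self):
        """Number of compared bits; auto match order tries higher values first."""
        return bin(self.care).count("1")


class BasicAcl:
    """acl number acl-number [ match-order { config | auto } ]"""

    def __init__(self, number, match_order="config"):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers are 2000 to 2999")
        if match_order not in ("config", "auto"):
            raise ValueError(match_order)
        self.number, self.match_order, self.rules = number, match_order, []

    def rule(self, rule_id, action, source="any"):
        self.rules.append(Rule(rule_id, action, source))
        return self

    def ordered_rules(self):
        if self.match_order == "config":
            return list(self.rules)                 # configuration order
        # auto (depth-first): most specific source range first; Python's sort
        # is stable, so ties keep configuration order (this example's assumption).
        return sorted(self.rules, key=lambda r: -r.specificity())

    def evaluate(self, ip):
        """Return (action, rule_id) of the first matching rule.  A packet that
        matches no rule is reported as ('deny', None): assumption of this
        example, consistent with the page's permit-only-Host-B example."""
        for r in self.ordered_rules():
            if r.matches(ip):
                return r.action, r.rule_id
        return "deny", None


def demo():
    """Same two overlapping rules under both match orders.  Addresses are
    constructed: 10.1.1.20 stands in for Host B."""
    results = {}
    for order in ("config", "auto"):
        acl = (BasicAcl(2030, order)
               .rule(0, "deny", "10.1.1.0 0.0.0.255")     # whole subnet, configured first
               .rule(5, "permit", "10.1.1.20 0.0.0.0"))   # Host B only
        results[order] = {ip: acl.evaluate(ip)
                          for ip in ("10.1.1.20", "10.1.1.21", "192.0.2.7")}
    return results


if __name__ == "__main__":
    for order, verdicts in demo().items():
        print(f"match-order {order}: {verdicts}")
```

With match-order config, the broad deny configured first shadows the host permit and Host B is locked out; with match-order auto the one-host rule wins because it compares more bits. Whichever order you use, put the verdict you intend under test like this before associating the ACL with ip http acl, because a shadowed rule produces no error message, only a silently wrong access decision.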

Source IP-based Web login control configuration example

Network requirements

As shown in Figure 14, configure the switch to allow only Web users from Host B to access it.

Figure 14 Network diagram

Configuration procedure

# Create ACL 2030, and configure rule 1 to permit packets sourced from Host B.
<Sysname> system-view
[Sysname] acl number 2030 match-order config
[Sysname-acl-basic-2030] rule 1 permit source
[Sysname-acl-basic-2030] quit
# Associate the ACL with the HTTP service so that only Web users from Host B are allowed to access the switch.
[Sysname] ip http acl 2030

Displaying and maintaining Web login

Task: Display information about Web users.
Command: display web users [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display HTTP state information.
Command: display ip http [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

HTTP login example

Network requirements

As shown in Figure 15, configure the switch to allow the PC to log in over the IP network.

Figure 15 Network diagram

Configuration procedure

1. Configure the switch:

# Create VLAN 999 and add interface GigabitEthernet 3/0/1, which connects the switch to the PC, to the VLAN.
<Sysname> system-view
[Sysname] vlan 999
[Sysname-vlan999] port GigabitEthernet 3/0/1
[Sysname-vlan999] quit
# Assign an IP address and subnet mask to VLAN-interface 999.
[Sysname] interface vlan-interface 999
[Sysname-VLAN-interface999] ip address
[Sysname-VLAN-interface999] quit
# Create a local user named admin, and set the password to admin for the user. Specify the Web service type for the local user, and set the command level to 3 for this user.
[Sysname] local-user admin
[Sysname-luser-admin] service-type web
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] password simple admin

The credential admin/admin and the simple keyword are for illustration only; on a real switch use a strong password and store it with cipher so it does not appear in plaintext in the configuration.

2. Verify the configuration:

# On the PC, run the Web browser. Enter the IP address of the switch in the address bar. The Web login page appears, as shown in Figure 16.

Figure 16 Web login page

# Enter the user name, password, and verify code, select English, and click Login. The homepage appears. After login, you can configure switch settings through the Web interface.

HTTPS login configuration example

Network requirements

As shown in Figure 17, to allow only authorized users to access the switch's Web interface, configure the switch as the HTTPS server and the host as the HTTPS client, and request a certificate for each of them.

Figure 17 Network diagram

Configuration procedure

In this example, the CA runs Windows Server and has the SCEP add-on installed. The switch, host, and CA can reach one another.

1. Configure the switch (HTTPS server):
# Configure a PKI entity, and set the common name to http-server1 and the FQDN to ssl.security.com.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] common-name http-server1
[Sysname-pki-entity-en] fqdn ssl.security.com
[Sysname-pki-entity-en] quit
# Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request, the authority for certificate request as RA, and the entity for certificate request as en.
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier new-ca
[Sysname-pki-domain-1] certificate request url
[Sysname-pki-domain-1] certificate request from ra
[Sysname-pki-domain-1] certificate request entity en
[Sysname-pki-domain-1] quit
# Create RSA local key pairs.
[Sysname] public-key local create rsa
# Retrieve the CA certificate.
[Sysname] pki retrieval-certificate ca domain 1
# Request a local certificate for the switch through SCEP.
[Sysname] pki request-certificate domain 1
# Create SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.
[Sysname] ssl server-policy myssl
[Sysname-ssl-server-policy-myssl] pki-domain 1
[Sysname-ssl-server-policy-myssl] client-verify enable
[Sysname-ssl-server-policy-myssl] quit
# Create certificate attribute group mygroup1 and configure a certificate attribute rule for it, specifying that the distinguished name in the subject name includes the string new-ca.
[Sysname] pki certificate attribute-group mygroup1
[Sysname-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Sysname-pki-cert-attribute-group-mygroup1] quit
# Create certificate attribute-based access control policy myacp and configure a certificate attribute-based access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group myacp.
[Sysname] pki certificate access-control-policy myacp
[Sysname-pki-cert-acp-myacp] rule 1 permit mygroup1
[Sysname-pki-cert-acp-myacp] quit
# Associate the HTTPS service with SSL server policy myssl.

[Sysname] ip https ssl-server-policy myssl
# Associate the HTTPS service with certificate attribute-based access control policy myacp.
[Sysname] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[Sysname] ip https enable
# Create local user usera, set the password to 123, assign the Web service type to the user, and specify user privilege level 3.
[Sysname] local-user usera
[Sysname-luser-usera] password simple 123
[Sysname-luser-usera] authorization-attribute level 3
[Sysname-luser-usera] service-type web
2. Configure the host (HTTPS client):
On the host, run the IE browser, enter in the address bar, and request a certificate for the host as prompted.
3. Verify the configuration:
On the host, enter in the browser's address bar and then select the certificate issued by new-ca. When the Web login page of the switch appears, enter the username usera and password 123 to log in to the Web management page.

For more information about PKI configuration commands, SSL configuration commands, and the public-key local create rsa command, see Security Command Reference.

Logging in through SNMP from an NMS

You can run SNMP on an NMS to access the device MIB and perform GET and SET operations to manage and monitor the device. The device supports SNMPv1, SNMPv2c, and SNMPv3, and can work with various network management software products, including IMC. For more information about SNMP, see Network Management and Monitoring Configuration Guide.

By default, SNMP access is disabled. To enable SNMP access, log in to the device by using any other method.

Configuring SNMP login

Connect the Ethernet port of the NMS host to an Ethernet port of VLAN 1 on the switch, and make sure that the NMS host and the VLAN 1 interface can reach each other.

Figure 18 Network diagram

IMPORTANT:
This document describes only the basic SNMP configuration procedures on the device. To make SNMP work correctly, make sure the SNMP settings (including the SNMP version) on the NMS are consistent with those on the device.

Prerequisites

Assign an IP address to a Layer 3 interface on the device.
Configure routes to make sure that the NMS and the Layer 3 interface can reach each other.

Configuring SNMPv3 settings

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enable the SNMP agent.
    Command: snmp-agent
    Remarks: Disabled by default. You can enable the SNMP agent with this command or any command that begins with snmp-agent.

3. Configure an SNMP group and specify its access right.
    Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
    Remarks: By default, no SNMP group is configured.
4. Add a user to the SNMP group.
    Command: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ]
    Remarks: If the cipher keyword is specified, both auth-password and priv-password are cipher text passwords.

Configuring SNMPv1 or SNMPv2c settings

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enable the SNMP agent.
    Command: snmp-agent
    Remarks: Disabled by default. You can enable the SNMP agent with this command or any command that begins with snmp-agent.
3. Create or update MIB view information.
    Command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]
    Remarks: By default, the MIB view name is ViewDefault and the OID is 1.
4. Specify the SNMP NMS access right. Use either method.
    (Method 1) Specify the SNMP NMS access right directly by configuring an SNMP community:
        snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
    (Method 2) Specify the SNMP NMS access right indirectly:
        a. Configure an SNMP group:
           snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
        b. Add a user to the SNMP group:
           snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
    Remarks: The direct configuration method is for SNMPv1 or SNMPv2c. The community name configured on the NMS should be consistent with the username configured on the agent. The indirect configuration method is for SNMPv3.

NMS login example

In this example, IMC is used as the NMS for illustration.

1. Configure the switch:
# Assign IP address /24 to VLAN-interface 1. Make sure the switch and the NMS host can reach each other. (Details not shown.)
# Enter system view.
<Sysname> system-view
# Enable the SNMP agent.
[Sysname] snmp-agent
# Create an SNMP community and assign access rights.
[Sysname] snmp-agent sys-info version all
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
# Configure an SNMP group.
[Sysname] snmp-agent group v3 managev3group
# Add a user to the SNMP group.
[Sysname] snmp-agent usm-user v3 managev3user managev3group
2. Configure IMC:
a. On the PC, launch a browser, and enter in the address bar. (Suppose the IP address of IMC is .) When you log in to IMC for the first time, you can use the default account with the username admin and password admin. Be sure to change the password immediately after login. For information about how to change the password, see IMC manuals, such as H3C Intelligent Management Center Getting Started Guide.
b. On the login page, enter the username and password, and then click Login. The IMC homepage appears.
c. Configure the switch in the IMC system. (Details not shown.) The settings of the switch in the IMC system must match those of the switch. For more information about NMS and SNMP agent configuration on IMC and the switch, see Network Management and Monitoring Configuration Guide.

You can also add accounts with different rights for operators and perform other operations in the IMC system. For more information about IMC, see IMC manuals.

Logging in through CWMP from an ACS

You can launch a browser on a PC to log in to an ACS, and use the server to access and manage CPEs through CWMP. CWMP is intended for management and configuration of home network devices in DSL access networks. The H3C implementation of the ACS system is the IMC BIMS component, which runs on the IMC Platform. For more information about ACS and CWMP, see Network Management and Monitoring Configuration Guide. For more information about IMC BIMS, see the IMC BIMS manuals.

To log in to an ACS running BIMS from a PC, follow these steps:
1. Launch a browser on the PC.
2. Enter :8080/imc in the address bar (suppose that the ACS uses the IP address and the port 8080).
3. Enter the login username and password, which are the same as those used for logging in to IMC. When you log in to IMC for the first time, you can use the default account with the username admin and password admin. Be sure to change the password immediately after login. For information about how to change the password, see IMC manuals, such as H3C Intelligent Management Center Getting Started Guide.

You can also add accounts with different rights for operators and perform other operations in the IMC system. For more information, see IMC online help.

Configuring user interfaces

The switch uses user interfaces (also called "lines") to control CLI logins and monitor CLI sessions. You can configure access control settings, including authentication, user privilege, and login redirect, on the user interfaces. After users are logged in, their actions must comply with the settings on the user interfaces assigned to them.

Users are assigned different user interfaces, depending on their login methods, as shown in Table 6.

Table 6 CLI login method and user interface matrix

User interface: Console user interface
Login method: Console port (EIA/TIA-232 DCE)

User interface: AUX user interface
Login method: AUX port (EIA/TIA-232 DTE, typically used for dial-in access through modems)

User interface: VTY user interface
Login method: Telnet or SSH

The switch supports at most 16 concurrent VTY users.

User interface assignment

The switch automatically assigns user interfaces to CLI login users, depending on their login methods. Each user interface can be assigned to only one user at a time. If no user interface is available, a CLI login attempt is rejected.

For a CLI login, the switch always picks the lowest numbered user interface from the idle user interfaces available for the type of login. For example, four VTY user interfaces (0 to 3) are configured, of which VTY 0 and VTY 3 are idle. When a user Telnets to the switch, the switch assigns VTY 0 to the user and uses the settings on VTY 0 to authenticate and manage the user.

User interface numbering

User interfaces can be numbered in two ways: absolute numbering and relative numbering.

Absolute numbering

An absolute number uniquely identifies a user interface among all user interfaces. The user interfaces are numbered starting from 0 and incrementing by 1, in the sequence of console, AUX, and VTY user interfaces.

Standalone mode: The console port and AUX port each use two numbers, and the VTY user interfaces use numbers 20 through 35.
IRF mode: The user interfaces of the master are numbered first, and then those of the subordinate switch. The console port and AUX port each use four numbers, and the VTY user interfaces use numbers 24 through 39.

You can use the display user-interface command without any parameters to view the supported user interfaces and their absolute numbers.

Relative numbering

A relative number uniquely identifies a user interface among all user interfaces of the same type, in the format user interface type + number, starting from 0 and incrementing by 1. For example, the first console user interface is console 0.

User interface configuration task list

Tasks:
Configuring asynchronous serial interface attributes
Configuring common settings for user interfaces
Configuring the command auto-execute function
Configuring a user privilege level for user interfaces
Configuring access control on VTY user interfaces
Configuring supported protocols on VTY user interfaces
Configuring authentication mode
Configuring command authorization
Configuring command accounting
Defining shortcut keys for starting terminal sessions/aborting tasks
Sending messages to user interfaces
Releasing connections to user interfaces

Configuring asynchronous serial interface attributes

For users to Telnet to Device B from Device A, you can connect Device A to Device B through the asynchronous serial interfaces, and configure the redirect enable and redirect listen-port port-number commands on Device A. Then, users can use the telnet DeviceA's-IP-address port-number command to log in to Device B. To facilitate the user login operation, you can associate the Telnet redirect listening port with Device A's IP address by using the ip alias ip-address port-number command, so users only need to enter telnet IP-address to log in to Device B.

To configure asynchronous attributes for a serial interface (AUX port or console port):
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter user interface view.
    Command: user-interface { first-num1 [ last-num1 ] | { aux | console } first-num2 [ last-num2 ] }
    Remarks: N/A
3. Configure the transmission rate.
    Command: speed speed-value
    Remarks: 9600 bps by default.

4. Configure the data bits for each character.
    Command: databits { }
    Remarks: 8 by default. The setting depends on the content to be transmitted. For example, set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.
5. Configure a parity check method.
    Command: parity { even | mark | none | odd | space }
    Remarks: None by default.
6. Configure the number of stop bits transmitted per byte.
    Command: stopbits { }
    Remarks: 1 by default.
7. Detect the stop bits.
    Command: stopbit-error intolerance
    Remarks: By default, stop bits are not detected.
8. Configure the flow control mode.
    Command: flow-control { hardware | software | none }
    Remarks: By default, the flow control mode is none. The switch does not support the hardware and software keywords.
9. Associate the Telnet redirect listening port with an IP address.
    Command: ip alias ip-address port-number
    Remarks: By default, no IP address is associated with the Telnet redirect listening port.

Configuring common settings for user interfaces

The device supports two terminal display types: ANSI and VT100. H3C recommends that you set the display type to VT100 on both the device and the configuration terminal. If either side uses the ANSI type, a display problem such as a cursor positioning error might occur when a command line has more than 80 characters.

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter user interface view.
    Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
    Remarks: N/A
3. Start the terminal service.
    Command: shell
    Remarks: The terminal service is enabled on all user interfaces by default.
4. Set the idle-timeout disconnection function for terminal users.
    Command: idle-timeout minutes [ seconds ]
    Remarks: 10 minutes by default.

5. Set the maximum number of lines on a screen.
    Command: screen-length screen-length
    Remarks: By default, up to 24 lines of data are displayed on a screen.
6. Set the display type of the current user terminal.
    Command: terminal type { ansi | vt100 }
    Remarks: ANSI by default.
7. Set the size of the history command buffer of the user interface.
    Command: history-command max-size size-value
    Remarks: The history buffer can store 10 commands by default.
8. Return to user view.
    Command: return
    Remarks: N/A
9. Lock the user interface to prevent unauthorized users from using this interface.
    Command: lock
    Remarks: Disabled by default.

Configuring the command auto-execute function

CAUTION:
You might be unable to access the CLI through a VTY user interface after configuring the auto-execute command command on it. Before you configure the command and save the configuration, make sure you can access the CLI through a different user interface.

The command auto-execute function is typically used for redirecting a Telnet user to a specific host. After executing the specified command and performing the incurred task, the system automatically disconnects the Telnet session.

To configure the command auto-execute function:
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter user interface view.
    Command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
    Remarks: N/A
3. Specify a command to be automatically executed when a user logs in to the user interfaces.
    Command: auto-execute command command
    Remarks: The console port does not support this command. By default, no automatically executed command is specified.

Configuring a user privilege level for user interfaces

User privilege levels restrict the access rights of different users to the switch:
• If the authentication mode is scheme, the user must provide the username and password. For SSH publickey authentication, the user privilege level is the user interface level configured in user interface view, which is 0 by default.

• If the authentication mode is none or password when a user logs in, no username is needed, and the privilege level of the user is the user interface level.

The user privilege level can be configured in user interface view or by configuring AAA parameters. Which configuration takes effect depends on the user login authentication mode. For more information, see "Using the CLI."

To configure the user privilege level for user interfaces:
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter user interface view.
    Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
    Remarks: N/A
3. Configure the user privilege level for the current user interface.
    Command: user privilege level level
    Remarks: By default, users logging in through the console port have a privilege level of 3, and users logging in through other user interfaces have a privilege level of 0.

Configuring access control on VTY user interfaces

You can configure access control on VTY user interfaces by referencing an ACL. For more information about ACLs, see ACL and QoS Configuration Guide.

To control access to VTY user interfaces:
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter VTY user interface view.
    Command: user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }
    Remarks: N/A
3. Control access to the VTY user interface.
    Command (by referencing a basic/advanced ACL): acl [ ipv6 ] acl-number { inbound | outbound }
    Command (by referencing a WLAN/Ethernet frame header ACL): acl acl-number inbound
    Remarks: Use either command. No access control is set by default.

Configuring supported protocols on VTY user interfaces

If SSH is configured, you must set the authentication mode to scheme by using the authentication-mode scheme command to guarantee a successful login. The protocol inbound ssh command fails if the authentication mode is password or none.
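The settings this chapter walks through (source IP-based Web login control, SNMP community names and the SNMPv3 group/user options, VTY ACLs and authentication modes, and the rule that protocol inbound ssh needs authentication-mode scheme) can be checked mechanically against a saved configuration. The script below is an added example and not part of this guide: it assumes the input has the layout of display current-configuration, assumes ip http enable is the command that enables the HTTP service, and both sample configurations are constructed (passwords and ACL 2001 are placeholders).

```python
# Added audit example, not part of this guide.  The input layout is assumed to be
# that of display current-configuration ('#' separates views, commands inside a
# view are indented).  Command syntax follows this chapter; samples are constructed.
import re

WEAK_COMMUNITIES = {"public", "private"}   # community names used in the NMS login example


def audit_config(config: str) -> list[tuple[int, str]]:
    """Return (line number, issue) pairs; line 0 marks a whole-configuration finding."""
    findings = []
    view = None        # view the current line belongs to, e.g. "user-interface vty 0 15"
    vty = {}           # settings collected per VTY view, checked after the pass
    http_enabled = http_acl = False

    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line == "#":        # '#' closes the current view
            view = None
            continue
        words = line.split()
        if words[0] in ("user-interface", "local-user"):
            view = line
            if line.startswith("user-interface vty"):
                vty[line] = {"line": no}
            continue

        if view and view.startswith("user-interface vty"):
            s = vty[view]
            if words[0] == "authentication-mode":
                s["auth"] = words[1]
            elif line.startswith("protocol inbound"):
                s["protocol"] = words[2]
            elif words[0] == "acl" and "inbound" in words:
                s["acl"] = True
        elif view and view.startswith("local-user"):
            if line.startswith("password simple"):
                findings.append((no, f"{view}: password stored in plaintext (simple)"))
        elif (m := re.match(r"snmp-agent community (read|write) (\S+)", line)):
            if m.group(2) in WEAK_COMMUNITIES:
                findings.append((no, f"SNMP {m.group(1)} community uses well-known name {m.group(2)}"))
        elif line.startswith("snmp-agent group v3 ") and "privacy" not in words:
            findings.append((no, f"SNMPv3 group {words[3]} created without privacy (traffic not encrypted)"))
        elif line.startswith("snmp-agent usm-user v3 ") and "authentication-mode" not in words:
            findings.append((no, f"SNMPv3 user {words[3]} has no authentication"))
        elif line == "ip http enable":      # assumed command that enables the HTTP service
            http_enabled = True
        elif line.startswith("ip http acl "):
            http_acl = True

    for name, s in vty.items():
        auth = s.get("auth")
        if auth == "none":
            findings.append((s["line"], f"{name}: authentication-mode none lets users log in without credentials"))
        if s.get("protocol") == "ssh" and auth != "scheme":
            findings.append((s["line"], f"{name}: protocol inbound ssh needs authentication-mode scheme"))
        if not s.get("acl"):
            findings.append((s["line"], f"{name}: no inbound ACL restricts who can reach this VTY"))
    if http_enabled and not http_acl:
        findings.append((0, "HTTP service enabled without an ip http acl source-IP restriction"))
    return findings


# Constructed sample mirroring the NMS and HTTP login examples of this chapter.
WEAK_CONFIG = """\
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent group v3 managev3group
 snmp-agent usm-user v3 managev3user managev3group
#
local-user admin
 password simple admin
#
 ip http enable
#
user-interface vty 0 15
 authentication-mode none
 protocol inbound ssh
#
"""

# The same device hardened; passwords and ACL 2001 are constructed placeholders.
HARDENED_CONFIG = """\
 snmp-agent group v3 managev3group privacy acl 2001
 snmp-agent usm-user v3 managev3user managev3group authentication-mode sha AuthPlaceholder privacy-mode aes128 PrivPlaceholder
#
local-user admin
 password cipher CIPHERTEXT_PLACEHOLDER
#
 ip http enable
 ip http acl 2001
#
user-interface vty 0 15
 acl 2001 inbound
 authentication-mode scheme
 protocol inbound ssh
#
"""
```

Running audit_config(WEAK_CONFIG) reports nine findings and audit_config(HARDENED_CONFIG) reports none.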


More information

Table of Contents 1 FTP and SFTP Configuration TFTP Configuration 2-1

Table of Contents 1 FTP and SFTP Configuration TFTP Configuration 2-1 Table of Contents 1 FTP and SFTP Configuration 1-1 Introduction to FTP and SFTP 1-1 Introduction to FTP 1-1 Introduction to SFTP 1-1 FTP Configuration 1-2 FTP Configuration: A Switch Operating as an FTP

More information

H3C SecBlade NetStream Card Configuration Examples

H3C SecBlade NetStream Card Configuration Examples H3C SecBlade NetStream Card Configuration Examples Copyright 2012 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series Fundamentals Configuration Guide Part number: 5998-2891 Software version: Release 2210 Document version: 6W100-20131105 Legal and notice information Copyright 2013 Hewlett-Packard

More information

HP FlexFabric 5700 Switch Series

HP FlexFabric 5700 Switch Series HP FlexFabric 5700 Switch Series Security Command Reference Part number: 5998-6695 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015 Hewlett-Packard

More information

Lab Configuring and Verifying Extended ACLs Topology

Lab Configuring and Verifying Extended ACLs Topology Topology 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8 Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.10.1

More information

Configuring Security for the ML-Series Card

Configuring Security for the ML-Series Card 19 CHAPTER Configuring Security for the ML-Series Card This chapter describes the security features of the ML-Series card. This chapter includes the following major sections: Understanding Security, page

More information

Command Manual SNMP-RMON. Table of Contents

Command Manual SNMP-RMON. Table of Contents Table of Contents Table of Contents... 1-1 1.1 SNMP Configuration Commands... 1-1 1.1.1 display snmp-agent... 1-1 1.1.2 display snmp-agent community... 1-2 1.1.3 display snmp-agent group... 1-3 1.1.4 display

More information

Securing Wireless LAN Controllers (WLCs)

Securing Wireless LAN Controllers (WLCs) Securing Wireless LAN Controllers (WLCs) Document ID: 109669 Contents Introduction Prerequisites Requirements Components Used Conventions Traffic Handling in WLCs Controlling Traffic Controlling Management

More information

SSL VPN - IPv6 Support

SSL VPN - IPv6 Support The feature implements support for IPv6 transport over IPv4 SSL VPN session between a client, such as Cisco AnyConnect Mobility Client, and SSL VPN. Finding Feature Information, on page 1 Prerequisites

More information

Operation Manual Security. Table of Contents

Operation Manual Security. Table of Contents Table of Contents Table of Contents Chapter 1 802.1x Configuration... 1-1 1.1 802.1x Overview... 1-1 1.1.1 802.1x Standard Overview... 1-1 1.1.2 802.1x System Architecture... 1-1 1.1.3 802.1x Authentication

More information

SSL VPN - IPv6 Support

SSL VPN - IPv6 Support The feature implements support for IPv6 transport over IPv4 SSL VPN session between a client, such as Cisco AnyConnect Mobility Client, and SSL VPN. Finding Feature Information, page 1 Prerequisites for,

More information

HP Unified Wired-WLAN Products

HP Unified Wired-WLAN Products HP Unified Wired-WLAN Products Security Command Reference HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G Unified

More information

RADIUS Configuration. Overview. Introduction to RADIUS. Client/Server Model

RADIUS Configuration. Overview. Introduction to RADIUS. Client/Server Model Table of Contents RADIUS Configuration 1 Overview 1 Introduction to RADIUS 1 Client/Server Model 1 Security and Authentication Mechanisms 2 Basic Message Exchange Process of RADIUS 2 RADIUS Packet Format

More information

Cisco IOS Firewall Authentication Proxy

Cisco IOS Firewall Authentication Proxy Cisco IOS Firewall Authentication Proxy This feature module describes the Cisco IOS Firewall Authentication Proxy feature. It includes information on the benefits of the feature, supported platforms, configuration

More information

Configuring the WMIC for the First Time

Configuring the WMIC for the First Time Configuring the WMIC for the First Time This document describes how to configure basic settings on a Cisco Wireless Mobile Interface Card (WMIC) for the first time. Before You Start Before you install

More information

Configuring Authentication Proxy

Configuring Authentication Proxy The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols.

More information

HT801/HT802 Firmware Release Notes IMPORTANT UPGRADING NOTE

HT801/HT802 Firmware Release Notes IMPORTANT UPGRADING NOTE HT801/HT802 Firmware Release Notes IMPORTANT UPGRADING NOTE Once HT801/HT802 is upgraded to 1.0.3.2 or above, downgrading to 1.0.2.x firmware version or lower is not supported. Once HT801/HT802 is upgraded

More information

Configuring Terminal Settings and Sessions

Configuring Terminal Settings and Sessions This chapter contains the following sections: Information About Terminal Settings and Sessions, page 1 Configuring the Console Port, page 3 Configuring the COM1 Port, page 5 Configuring Virtual Terminals,

More information

Table of Contents 1 SNMP Configuration Commands RMON Configuration Commands 2-1

Table of Contents 1 SNMP Configuration Commands RMON Configuration Commands 2-1 Table of Contents 1 SNMP Configuration Commands 1-1 SNMP Configuration Commands 1-1 display snmp-agent 1-1 display snmp-agent community 1-1 display snmp-agent group 1-3 display snmp-agent mib-view 1-4

More information

DGS Layer 2 Switch. Command Line Interface Reference Manual 6DGS3024C.04 RECYCLABLE. Fourth Edition (August 2006)

DGS Layer 2 Switch. Command Line Interface Reference Manual 6DGS3024C.04 RECYCLABLE. Fourth Edition (August 2006) DGS-3024 Layer 2 Switch Command Line Interface Reference Manual Fourth Edition (August 2006) 6DGS3024C.04 RECYCLABLE Table of Contents Introduction... 1 Using the Console CLI... 3 Command... 7 Basic Switch

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Access Control Configuration Guide Part number: 5998-2648 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719

More information

Management Access. Configure Management Remote Access. Configure SSH Access. Before You Begin

Management Access. Configure Management Remote Access. Configure SSH Access. Before You Begin This chapter describes how to access the Cisco ASA for system management through Telnet, SSH, and HTTPS (using ASDM), how to authenticate and authorize users, and how to create login banners. Configure

More information

Configure SNMP. Understand SNMP. This chapter explains Simple Network Management Protocol (SNMP) as implemented by Cisco NCS 4000 series.

Configure SNMP. Understand SNMP. This chapter explains Simple Network Management Protocol (SNMP) as implemented by Cisco NCS 4000 series. This chapter explains Simple Network Management Protocol (SNMP) as implemented by Cisco NCS 4000 series. Understand SNMP, page 1 Basic SNMP Components, page 2 SNMPv3 Support, page 3 SNMP Traps, page 4

More information

Part number: Published: March Com Switch 4500 Family Configuration Guide

Part number: Published: March Com Switch 4500 Family Configuration Guide http://www.3com.com/ Part number: 10015003 Published: March 2006 3Com Switch 4500 Family Configuration Guide 3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright 2006, 3Com Corporation.

More information

Teacher s Reference Manual

Teacher s Reference Manual UNIVERSITY OF MUMBAI Teacher s Reference Manual Subject: Security in Computing Practical with effect from the academic year 2018 2019 Practical 1: Packet Tracer - Configure Cisco Routers for Syslog, NTP,

More information

Configuring the CSS for Device Management

Configuring the CSS for Device Management CHAPTER 2 Configuring the CSS for Device Management Before you can use the WebNS Device Management user interface software, you need to perform the tasks described in the following sections: WebNS Device

More information

H3C SecPath Series Security Products

H3C SecPath Series Security Products Web-Based Configuration Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: T2-08018U-20070625-C-2.01 Copyright 2007, Hangzhou H3C Technologies Co., Ltd. and its licensors All

More information

Implementing IPv6 for Network Management

Implementing IPv6 for Network Management Implementing IPv6 for Network Management Last Updated: August 1, 2012 This document describes the concepts and commands used to manage Cisco applications over IPv6 and to implement IPv6 for network management.

More information

CCNA Security 1.0 Student Packet Tracer Manual

CCNA Security 1.0 Student Packet Tracer Manual 1.0 Student Packet Tracer Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

HT801/HT802 Firmware Release Note IMPORTANT UPGRADING NOTE

HT801/HT802 Firmware Release Note IMPORTANT UPGRADING NOTE HT801/HT802 Firmware Release Note IMPORTANT UPGRADING NOTE Once HT801/HT802 is upgraded to 1.0.3.2 or above, downgrading to 1.0.2.x firmware version or lower is not supported. Once HT801/HT802 is upgraded

More information

Configuring Authentication Proxy

Configuring Authentication Proxy Configuring Authentication Proxy Last Updated: January 7, 2013 The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against

More information

User s Guide. SNMPWEBCARD Firmware Version Revision 3

User s Guide. SNMPWEBCARD Firmware Version Revision 3 WARRANTY REGISTRATION: register online today for a chance to win a FREE Tripp Lite product www.tripplite.com/warranty User s Guide SNMPWEBCARD Firmware Version 12.06.0062 Revision 3 Table of Contents 1.

More information

Controlled/uncontrolled port and port authorization status

Controlled/uncontrolled port and port authorization status Contents 802.1X fundamentals 1 802.1X architecture 1 Controlled/uncontrolled port and port authorization status 1 802.1X-related protocols 2 Packet formats 2 EAP over RADIUS 4 Initiating 802.1X authentication

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

Configuring Cache Services Using the Web Cache Communication Protocol

Configuring Cache Services Using the Web Cache Communication Protocol Configuring Cache Services Using the Web Cache Communication Protocol Finding Feature Information, page 1 Prerequisites for WCCP, page 1 Restrictions for WCCP, page 2 Information About WCCP, page 3 How

More information

Configuring SSH and Telnet

Configuring SSH and Telnet 6 CHAPTER This chapter describes how to configure Secure Shell Protocol (SSH) and Telnet on Cisco NX-OS devices. This chapter includes the following sections: Information About SSH and Telnet, page 6-1

More information

HT812/HT814 Firmware Release Note IMPORTANT UPGRADING NOTE

HT812/HT814 Firmware Release Note IMPORTANT UPGRADING NOTE HT812/HT814 Firmware Release Note IMPORTANT UPGRADING NOTE Once HT812/HT814 is upgraded to 1.0.3.2 or above, downgrading to 1.0.2.x firmware version or lower is not supported. Once HT812/HT814 is upgraded

More information

Enabling Remote Access to the ACE

Enabling Remote Access to the ACE CHAPTER 3 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. All features described in this chapter are supported with IPv6 unless otherwise

More information

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8 Addressing Table Objectives

More information

Lab Configuring Switch Security Features Topology

Lab Configuring Switch Security Features Topology Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 172.16.99.1 255.255.255.0 N/A S1 VLAN 99 172.16.99.11 255.255.255.0 172.16.99.1 PC-A NIC 172.16.99.3

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help,

More information

Operation Manual 802.1x. Table of Contents

Operation Manual 802.1x. Table of Contents Table of Contents Table of Contents... 1-1 1.1 802.1x Overview... 1-1 1.1.1 Architecture of 802.1x... 1-1 1.1.2 Operation of 802.1x... 1-3 1.1.3 EAP Encapsulation over LANs... 1-4 1.1.4 EAP Encapsulation

More information

H3C S5830V2 & S5820V2 Switch Series

H3C S5830V2 & S5820V2 Switch Series H3C S5830V2 & S5820V2 Switch Series Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release2108 Document version: 6W101-20120531 Copyright 2012, Hangzhou

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication CHAPTER 42 This chapter describes how to configure web-based authentication. It consists of these sections: About Web-Based Authentication, page 42-1, page 42-5 Displaying Web-Based Authentication Status,

More information

Passwords and Privileges Commands

Passwords and Privileges Commands Passwords and Privileges Commands This chapter describes the commands used to establish password protection and configure privilege levels. Password protection lets you restrict access to a network or

More information

How to Configure Authentication and Access Control (AAA)

How to Configure Authentication and Access Control (AAA) How to Configure Authentication and Access Control (AAA) Overview The Barracuda Web Application Firewall provides features to implement user authentication and access control. You can create a virtual

More information

SSL VPN. Finding Feature Information. Prerequisites for SSL VPN

SSL VPN. Finding Feature Information. Prerequisites for SSL VPN provides support in the Cisco IOS software for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Socket Layer (SSL)-enabled SSL VPN gateway.

More information

CCNA Security PT Practice SBA

CCNA Security PT Practice SBA A few things to keep in mind while completing this activity: 1. Do not use the browser Back button or close or reload any Exam windows during the exam. 2. Do not close Packet Tracer when you are done.

More information

Configuring the Switch with the CLI-Based Setup Program

Configuring the Switch with the CLI-Based Setup Program Configuring the Switch with the CLI-Based Setup Program Accessing the CLI Through Express Setup, page 1 Accessing the CLI Through the Console Port, page 1 Entering the Initial Configuration Information,

More information

Table of Contents X Configuration 1-1

Table of Contents X Configuration 1-1 Table of Contents 1 802.1X Configuration 1-1 802.1X Overview 1-1 Architecture of 802.1X 1-1 Authentication Modes of 802.1X 1-2 Basic Concepts of 802.1X 1-2 EAP over LAN 1-3 EAP over RADIUS 1-5 802.1X Authentication

More information

HP 5120 SI Switch Series

HP 5120 SI Switch Series HP 5120 SI Switch Series Security Configuration Guide Part number: 5998-1815 Software version: Release 1505 Document version: 6W102-20121111 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HP 6125G & 6125G/XG Blade Switches

HP 6125G & 6125G/XG Blade Switches HP 6125G & 6125G/XG Blade Switches Network Management and Monitoring Configuration Guide Part number: 5998-3162b Software version: Release 2103 and later Document version: 6W103-20151020 Legal and notice

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

Implementing IPv6 for Network Management

Implementing IPv6 for Network Management Implementing IPv6 for Network Management Last Updated: July 31, 2012 This document describes the concepts and commands used to manage Cisco applications over IPv6 and to implement IPv6 for network management.

More information

Lab Using the CLI to Gather Network Device Information Topology

Lab Using the CLI to Gather Network Device Information Topology Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.1.1 255.255.255.0 N/A Lo0 209.165.200.225 255.255.255.224 N/A S1 VLAN 1 192.168.1.11 255.255.255.0

More information

Configuring Authentication Proxy

Configuring Authentication Proxy Configuring Authentication Proxy Last Updated: January 18, 2012 The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against

More information