Overview of CLI Login Methods
You can log in to a device through its console port or mini USB port, or using Telnet or STelnet. After successful login, you can run commands on the command line interface (CLI) to manage and configure the device. You can also log in to another device from the local device using Telnet, STelnet, redirection, or reverse Telnet.
You can log in to a device using one of the CLI methods described in Table 10-1 to configure and manage the device.
Table 10-1 CLI login methods

Overview of User Interfaces
The system supports console, TTY, VTY or Web user interfaces. When a user logs in to a device through CLI, the system assigns a user interface to manage and monitor the session between the device and user. Each user interface has a user interface view, where you can set parameters, such as the authentication mode and user level. Users logging in through the user interface are restricted by these parameters. Through the parameter configuration, uniform management of various user sessions can be implemented. The device supports the following types of user interfaces:

Relationship Between a User and a User Interface
A user interface is not exclusive to a specific user. User interfaces are used to manage and monitor users that have logged in to the device using a specific method. Although a user interface can only be used by one user at a time, the user interface is not specific to the user. When a user logs in, the system allocates the idle user interface with the smallest number to the user based on the user's login mode. The login process is restricted by the configuration in the user interface view. For example, when user A logs in through the console port, the login process depends on the configuration in the console user interface view; however, when user A logs in through VTY 1, the login process depends on the configuration in the VTY 1 user interface view. If a user logs in to a device using different methods, the user will be allocated different user interfaces. If a user logs in to a device at different times, the user may be allocated different user interfaces.

User Interface Numbering
User interfaces are numbered in either of the following modes:
Table 10-2 Default absolute numbers of the user interfaces

Authentication Modes for User Interfaces
After you configure an authentication mode for a user interface, the system authenticates users before they access the user interface. Two authentication modes are available: Authentication, Authorization, and Accounting (AAA) authentication and password authentication.

User Levels for User Interfaces
You can manage login users based on their levels. The levels of commands accessible to a user depend on the user level.

Licensing Requirements and Limitations for CLI Login
This section provides licensing requirements and limitations for CLI login.
Involved Network Elements
None
Licensing Requirements
CLI login configuration is a basic feature of a router and is not under license control.
Hardware Requirements
This section is applicable to all models. For details about differences for specific models, see the description in the corresponding section.
Feature Limitations

Configuring Login Through a Console Port
You can connect a PC to the console port of a device and then log in to the device to perform basic configurations and management.

(Optional) Configuring Attributes for the Console User Interface
This section describes how to configure attributes about data transmission and screen display for the console user interface.
Context
The data transmission and screen display attributes of the console user interface are as follows:
Procedure

Configuring an Authentication Mode for the Console User Interface
You can configure an authentication mode for the console user interface to control user access through the console port, which enhances login security.
Context
The system provides two authentication modes for the console user interface: AAA authentication and password authentication.
Procedure

Configuring a User Level for the Console User Interface
This section describes how to configure a user level for the console user interface.
Context
Procedure

Logging In to a Device Through the Console Port
You can connect a PC to the console port of a device and then log in to the device.
Context
After completing console user interface configurations on a device, you can log in to the device through the console port. If the console user interface uses the default attribute settings and password authentication, perform the following steps to log in to the device.
Procedure
Verifying the Configuration

Configuring Login Through the Mini USB Port
You can connect a PC to the mini USB port of a device and then log in to the device to perform basic configurations and management.
V300R019C13 and later versions do not support login through the Mini USB port.

(Optional) Configuring Attributes for the Device Login Through the Mini USB Port
This section describes how to configure attributes about data transmission and screen display for the console user interface.
Context
The data transmission and screen display attributes of the console user interface are as follows:
Procedure

Configuring an Authentication Mode for the Mini USB Interface
You can configure an authentication mode for the Mini USB interface to control user access through the mini USB port, which enhances login security.
Context
The system provides two authentication modes for the console user interface: AAA authentication and password authentication.
Procedure

Configuring a User Level for the Mini USB Interface
This section describes how to configure a user level for the console user interface.
Context
Procedure

Logging In to a Device Through the Mini USB Port
You can connect a PC to the mini USB port of a device and then log in to the device.
Context
After completing console user interface configurations on a device, you can log in to the device through the mini USB port. If the console user interface uses the default attribute settings and password authentication.
Procedure
Verifying the Configuration

Configuring Telnet Login
You can log in to a device using Telnet to manage and configure the device.
The Telnet protocol has security vulnerabilities. It is recommended that you log in to the device using STelnet V2.

(Optional) Configuring Attributes for a VTY User Interface
This section describes how to configure attributes for a VTY user interface.
Context
You can configure attributes for a VTY user interface to control Telnet login and screen display. The attributes of a VTY user interface include the maximum number of VTY user interfaces, timeout period of a user connection, number of rows and columns displayed on a terminal screen, and buffer size for historical commands.
Procedure

Configuring an Authentication Mode for a VTY User Interface
You can configure an authentication mode for a VTY user interface to control user access through Telnet, which enhances login security.
Context
The system provides two authentication modes for a VTY user interface: AAA authentication and password authentication.
Procedure

Configuring a User Level for a VTY User Interface
This section describes how to configure a user level for a VTY user interface.
Context
Procedure

Enabling the Telnet Server Function
In addition to the authentication mode and user level, you need to configure the Telnet server function on a device.
Context
When a device functions as a Telnet server, you can specify the protocol port and source interface of the Telnet server to enhance Telnet connection security.
Procedure

Logging In to a Device Through Telnet
This section describes how to log in to a device using Telnet.
Context
After completing Telnet server configurations on a device, you can use either Telnet software or Windows Command Prompt on a PC to log in to the device. Assume that AAA authentication is configured and the management IP address of the device is 10.137.217.177. The Windows Command Prompt is used as an example to illustrate the Telnet login process.
Procedure
Verifying the Configuration

(Optional) Using Telnet to Log In to Another Device From the Local Device
This section describes how to use Telnet to log in to another device from the local device.
Context
A device can function as a Telnet server to allow other devices to log in or as a Telnet client to log in to other devices. When a terminal lacks the necessary software or no reachable route exists between the terminal and target device, you can log in to an intermediate device and then use Telnet to log in to the target device from the intermediate device. The intermediate device functions as a Telnet client. The device can function as a Telnet IPv6 client. You can specify the source address or interface of the Telnet client to ensure security of the management IP address.
As shown in Figure 10-6, a PC connects to a device through network 1 and the device connects to a Telnet server through network 2. The PC cannot directly communicate with the Telnet server. In this situation, you can configure the device as a Telnet client and log in to the Telnet server from the device.
Figure 10-6 Configuring a device as a Telnet client to log in to another device
Pre-configuration Tasks
Before configuring a device as a Telnet client to log in to another device, complete the following tasks:
Procedure

Configuring STelnet Login
You can log in to a device using STelnet to manage and configure the device.
The STelnet V1 protocol has security vulnerabilities. It is recommended that you log in to the device using STelnet V2.

(Optional) Configuring Attributes for a VTY User Interface
This section describes how to configure attributes for a VTY user interface.
Context
You can configure attributes for a VTY user interface to control STelnet login and screen display. The attributes of a VTY user interface include the maximum number of VTY user interfaces, timeout period of a user connection, number of rows and columns displayed on a terminal screen, and buffer size for historical commands.
Procedure

Configuring an Authentication Mode for a VTY User Interface
You can configure an authentication mode for a VTY user interface to control user access through STelnet, which enhances login security.
Context
To configure a VTY user interface to support SSH, you must set the authentication mode of the VTY user interface to AAA; otherwise, the protocol inbound ssh command does not take effect.
Procedure

Configuring a User Level for a VTY User Interface
This section describes how to configure a user level for a VTY user interface.
Context
Procedure

Configuring an SSH User
To use STelnet to log in to a device, you need to configure an SSH user. In addition to setting AAA authentication for the VTY user interface, you also need to specify an authentication mode for the SSH user.
Context
SSH users can be authenticated in the following modes: password, Rivest-Shamir-Adleman (RSA), Elliptic Curves Cryptography (ECC), password-RSA, password-ECC, and all.
Procedure

Enabling the SSH Server Function
To allow user terminals to establish an SSH connection with a device, log in to the device in another mode and enable the SSH server function on the device.
Context
A device serving as an SSH server must generate a key pair of the same type as the client's key for data encryption and server authentication on the client. The device also supports configuration of rich SSH server attributes for flexible control on SSH login.
Procedure

Logging In to a Device Through STelnet
This section describes how to log in to a device using STelnet.
Context
After completing SSH user and STelnet server configurations on a device, you can use STelnet software on a PC to log in to the device. Assume that password authentication is configured for SSH users and the management IP address of the device is 10.137.217.203. The third-party software, PuTTY, is used as an example to illustrate the STelnet login process.
Procedure
Verifying the Configuration

(Optional) Using STelnet to Log In to Another Device from the Local Device
This section describes how to use STelnet to log in to another device from the local device.
Context
A device can function as both an STelnet server and an STelnet client. As an STelnet client, the device can log in to other devices. When a terminal lacks the necessary software or no reachable route exists between the terminal and target device, you can log in to an intermediate device and then use STelnet to log in to the target device from the intermediate device. The intermediate device functions as an STelnet client.
As shown in Figure 10-8, a PC connects to a device through network 1 and the device connects to an STelnet server through network 2. The PC cannot directly communicate with the STelnet server. In this situation, you can configure the device as an STelnet client and log in to the STelnet server from the device.
Figure 10-8 Configuring a device as an STelnet client to log in to another device
Pre-configuration Tasks
Before configuring a device as an STelnet client to log in to another device, complete the following tasks:
Procedure
Verifying the Configuration

Configuring the Redirection Function for Device Login
After completing redirection configuration, you can log in to a remote serial port device from the local device to configure and manage the remote device.
Pre-configuration Tasks
Before logging in to a device through redirection, complete the following tasks:

(Optional) Configuring an Authentication Mode for the TTY User Interface
You can configure an authentication mode for the TTY user interface to ensure secure login through the redirection function.
Context
The TTY user interface supports AAA authentication and password authentication.
Procedure

Logging In to a Device Through Redirection
This section describes how to configure the redirection function and use this function to log in to a remote device.
Context
To manage a remote device that can transmit data only through a serial port, configure the redirection function on the current device. A remote device can be a router, a switch, an electricity terminal, a finance terminal, or other terminals that use serial ports to transmit data.
Procedure
Verifying the Configuration
Run the display tcp status command to check the current TCP connection status.

Configuring Reverse Telnet Login
The reverse Telnet function enables dumb terminals that are directly connected to a router using asynchronous serial cables or console cables to log in to a remote server.
Pre-configuration Tasks
Before logging in to a device through reverse Telnet, complete the following tasks:
For details about the asynchronous serial cable, see "SA Cable" in the NetEngine AR Get to Know the Product - Hardware Description - Cables.

Configuring an Authentication Mode for the Console or TTY User Interface
You can configure an authentication mode for the console user interface or a TTY user interface to ensure secure login through the reverse Telnet function.
Context
The console or TTY user interface supports AAA authentication and password authentication.
Procedure

Logging In to a Device Through Reverse Telnet (Direct Connection Through an Asynchronous Cable)
This section describes how to configure reverse Telnet and use this function to log in to a device through an asynchronous cable.
Context
As shown in Figure 10-12, a multimedia software terminal (dumb terminal) is connected to the router with an asynchronous cable, and the router is connected to a server. The terminal cannot communicate with the server directly. To enable the dumb terminal to communicate with the server, you can configure reverse Telnet on the router. The router then acts as a client to transmit data from the terminal to the server.
Figure 10-12 Diagram for login through reverse Telnet
Procedure
Verifying the Configuration
Run the display tcp status command to check the current TCP connection status.

Configuring Reverse Telnet Login (Direct Connection Through a Console Cable)
This section describes how to configure reverse Telnet and use this function to log in to a device through a console cable.
Context
As shown in Figure 10-13, a multimedia software terminal (dumb terminal) is connected to the console interface of the router through a console cable, and the router is connected to a server. The terminal cannot communicate with the server directly. To enable the dumb terminal to communicate with the server, you can configure reverse Telnet on the router. The router then acts as a client to transmit data from the terminal to the server.
Figure 10-13 Networking for login through reverse Telnet
Procedure
Verifying the Configuration
Run the display tcp status command to check the current TCP connection status.

Typical Operations After Login
After logging in to a device through a console port or mini USB port, or using Telnet or STelnet, you can perform service configurations and the following common operations on the device.

Displaying Online Users
After logging in to a device, you can view user login information of each user interface.
Run the display users [ all ] command to view the user login information of user interfaces.

Setting an Authentication Password for Switching User Levels
AR6300 and AR6300K routers do not support this function in active/standby switchover scenarios. AR6300-S routers do not support this function in active/standby switchover scenarios. V300R019C11SPC100 and V300R019C11SPC200 versions do not support this function.
Users at a higher level can set an authentication password used to switch a user from a lower level to a higher level. If a user wants to use a command whose level is higher than the user level, the user can use the authentication password to switch to the higher level.

Switching User Levels
AR6300 and AR6300K routers do not support this function in active/standby switchover scenarios. AR6300-S routers do not support this function in active/standby switchover scenarios. V300R019C11SPC100 and V300R019C11SPC200 versions do not support this function.
You need to enter a password when switching from a low user level to a higher one.

Sending Messages to Other User Interfaces
You can send messages from the current user interface to other user interfaces.

Automatically Searching for the undo Command in the Upper-level View
When you run the undo command not registered with the current view, the system returns to the upper-level view to search for this undo command. If the undo command can be found, it takes effect. If the undo command cannot be found, the system continues to search for it in the next upper-level view until the system view.

Locking a User Interface
When you need to temporarily leave the operation terminal, lock the user interface to prevent unauthorized users from operating the terminal.

Configuring the Minimum Password Length
This function is supported in V300R019C11SPC100 and later versions.
You can set the minimum password length so that the length of the password configured on the device must meet the requirement. That is, the entered password cannot be less than the configured minimum length.
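
The recommendations that recur on this page (AAA rather than password authentication, STelnet rather than Telnet, an inbound ACL on each VTY user interface) can be checked mechanically against a saved configuration file. The following Python audit is an added example, not part of the original documentation or of any Huawei tool; the sample configuration is constructed, and it assumes that '#' lines separate blocks and that view sub-commands are indented beneath their view header.

```python
import re

# Constructed sample in the style of the page's "Configuration Files" listings.
# Assumption: '#' lines separate blocks and view sub-commands are indented
# beneath their view header, as in a saved configuration file.
SAMPLE_CONFIG = """\
#
 sysname Router
#
acl number 2001
 rule 5 permit source 10.1.1.1 0
#
aaa
 local-user admin1234 privilege level 3
 local-user admin1234 service-type telnet
#
 telnet server enable
 stelnet server enable
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 5 7
 acl 2999 inbound
 authentication-mode password
 protocol inbound telnet
#
return
"""


def parse_sections(text):
    """Group lines into (header, [sub-commands]) using '#' and indentation."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            current = None                    # block separator
        elif raw[0].isspace() and current is not None:
            current[1].append(line)           # sub-command of the current view
        else:
            current = (line, [])              # new view header or global command
            sections.append(current)
    return sections


def first_arg(body, prefix):
    """Return the text after `prefix` on the first matching sub-command."""
    for line in body:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None


def audit(text):
    """Return (location, finding) tuples for settings the page advises against."""
    findings = []
    defined_acls = set(re.findall(r"^[ \t]*acl number (\d+)[ \t]*$", text, re.M))

    if re.search(r"^[ \t]*telnet server enable[ \t]*$", text, re.M):
        findings.append(("global", "Telnet server enabled; STelnet V2 is recommended"))

    for header, body in parse_sections(text):
        if header == "aaa":
            for line in body:
                m = re.fullmatch(r"local-user (\S+) service-type (.+)", line)
                if m and "telnet" in m.group(2).split():
                    findings.append((f"local-user {m.group(1)}", "service-type allows telnet"))
            continue
        ui = re.fullmatch(r"user-interface (con|console|vty|tty) [\d ]+", header)
        if not ui:
            continue                          # e.g. user-interface maximum-vty 8

        auth = first_arg(body, "authentication-mode")
        if auth != "aaa":
            findings.append((header, f"authentication-mode is {auth or 'not set'}; aaa is recommended"))
        if ui.group(1) != "vty":
            continue

        proto = first_arg(body, "protocol inbound")
        if proto != "ssh":
            findings.append((header, f"protocol inbound is {proto or 'not set'}, not ssh"))
        acl = re.search(r"^acl (\d+) inbound$", "\n".join(body), re.M)
        if acl is None:
            findings.append((header, "no inbound ACL restricts source addresses"))
        elif acl.group(1) not in defined_acls:
            findings.append((header, f"acl {acl.group(1)} is referenced but not defined in this file"))
    return findings


if __name__ == "__main__":
    for location, finding in audit(SAMPLE_CONFIG):
        print(f"{location}: {finding}")
```
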

Configuration Examples for CLI Login
This section describes examples of logging in to a device through a console port, Telnet, or STelnet.

Example for Logging In to the Device Through a Console Port
Networking Requirements
If a user cannot remotely log in to a device, the user will attempt to log in through the console port. By default, a user only needs to pass password authentication to log in to the device from the console user interface. To prevent unauthorized users from accessing the device, change the authentication mode of the console user interface to AAA authentication.
Figure 10-14 Networking diagram of user login through a console port
Configuration Roadmap
The configuration roadmap is as follows:
You can use the built-in terminal emulation software (such as the HyperTerminal of Windows 2000) on the PC. If no built-in terminal emulation software is available, use the third-party terminal emulation software. For details, see the software user guide or online help.
Procedure
Configuration Files
#
 sysname Router
#
aaa
 local-user admin1234 password irreversible-cipher %@%@HW=5%Mr;:2)/RX$FnU1HLO%-TBMp4wn%;~\#%iAut}_~O%0L%@%@
 local-user admin1234 privilege level 3
 local-user admin1234 service-type terminal
#
user-interface con 0
 authentication-mode aaa
#
return

Example for Configuring a Security Policy to Limit Telnet Login
Networking Requirements
As shown in Figure 10-18, the PC and device (Telnet server) are reachable to each other. The customer requires that the device be remotely and easily configured and managed. To meet this requirement, you can configure AAA authentication for Telnet users on the Telnet server and configure an ACL-based security policy to allow only users meeting the security policy to log in to the device.
Figure 10-18 Networking diagram for configuring a security policy to limit Telnet login
STelnet V2 is more secure than Telnet, and is therefore recommended.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Configuration Files
Telnet server configuration file
#
 sysname Telnet Server
#
acl number 2001
 rule 5 permit source 10.1.1.1 0
#
aaa
 local-user admin1234 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
 local-user admin1234 privilege level 3
 local-user admin1234 service-type telnet
#
 telnet server permit interface all
 telnet server enable
 telnet server port 1025
#
user-interface maximum-vty 8
user-interface vty 0 7
 acl 2001 inbound
 authentication-mode aaa
 history-command max-size 20
 idle-timeout 20 0
 screen-length 30
#
return

Example for Configuring STelnet Login
Networking Requirements
As shown in Figure 10-19, users require secure remote login, but Telnet cannot provide a secure authentication method. In this scenario, STelnet can be configured to ensure security of remote login. PC1 and PC2 have reachable routes to the SSH server, and 10.137.217.203 is the IP address of the management interface on the SSH server. Two login users client001 and client002 need to be configured on the SSH server. The user client001 uses PC1 to log in to the SSH server through password authentication; the user client002 uses PC2 to log in to the SSH server through RSA authentication. Configure a security policy to ensure that only PC1 and PC2 can be used to log in to the device.
Figure 10-19 Networking diagram of configuring STelnet login
STelnet V2 is more secure than STelnet V1, and is therefore recommended.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Configuration Files
SSH server configuration file
#
 sysname SSH Server
#
acl number 2001
 rule 5 permit source 10.137.217.10 0
 rule 10 permit source 10.137.217.20 0
 rule 15 deny source 10.137.217.30 0
#
rsa peer-public-key rsakey001
 public-key-code begin
  30820107 02820100 DD89041A 5E30AA97 6F384B5D B366A704 8C0E7906 EC6B088B
  B9567D75 914B5B4E A7B2E519 38D1184B 863A38BA 7E0F0DBE 5C5AE4CA 55B192B5
  31AC48B0 7D21E362 E3F2A58C 04C443CF 51CF5113 6B5B9E81 2AB1B712 50EB24A4
  AE5083A1 DB18ECE2 395C9BB8 06E8F00B E24FB516 95878440 3B617F8A AAB1F8C6
  DE8C3CF0 9E4D237D 1C17BF4A AF09C474 C083AF17 CD307533 96B32232 C57FF0B1
  99197102 F1033B81 AA6D4744 520F2368 5FAF7204 BA4B6E61 5EF22414 E64E2A33
  1EEB7F18 8D980596 DBFD300C 947A5ABA 879DC4F8 48B76951 3C35CDB5 2B291702
  B77693F7 9910EE52 87F25297 7F985E5F 186C9493 F267804E 7F5F9D52 87350A0A
  4F49881B F6AB7C1B 0201 25
 public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
 local-user client001 privilege level 3
 local-user client001 service-type ssh
 local-user client002 password irreversible-cipher %^%#HW=5%Mr;:2)/RX$FnU1HLO%-TBMp4wn%;~\#%iAut}_~O%0L%^%#
 local-user client002 privilege level 3
 local-user client002 service-type ssh
#
 ssh user client002 assign rsa-key rsakey001
 ssh user client002 authentication-type rsa
 ssh server permit interface all
 stelnet server enable
#
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode aaa
 protocol inbound ssh
#
return

Example for Configuring the Device as a Telnet Client to Log In to Another Device
Networking Requirements
As shown in Figure 10-29, there are reachable routes between the PC and Router1 and between Router1 and Router2. The user needs to manage and maintain Router2 remotely. However, the PC cannot directly log in to Router2 through Telnet because it has no reachable route to Router2. The user can log in to Router1 through Telnet, and then log in to Router2 from Router1.
To prevent unauthorized devices from logging in to Router2 through Telnet, an ACL needs to be configured to allow only the Telnet connection from Router1 to Router2.
Figure 10-29 Networking diagram of configuring the device as a Telnet client to log in to another device
STelnet V2 is more secure than Telnet, and is therefore recommended.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Configuration Files
Router2 configuration file
#
 sysname Router2
#
acl number 2000
 rule 5 permit source 10.1.1.1 0
#
aaa
 local-user admin1234 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
 local-user admin1234 privilege level 3
 local-user admin1234 service-type telnet
#
 telnet server permit interface all
 telnet server enable
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 3
#
return

Example for Configuring the Device as an STelnet Client to Log In to Another Device
Networking Requirements
The customer requires secure data exchange between the SSH server and clients. As shown in Figure 10-30, two login users client001 and client002 are configured and they use the password and RSA authentication modes respectively to log in to the SSH server. A new port number is configured, and the default port number is not used.
Figure 10-30 Networking diagram of logging in to another device through STelnet
STelnet V2 is more secure than STelnet V1, and is therefore recommended.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Configuration Files

Example for Logging In to Another Device Through Redirection
Networking Requirements
In telecommunication and financial fields, some terminals provide only access through the serial port or cannot access the Internet using Telnet. The serial port redirection of the router enables you to configure and manage terminals connected to the router through Telnet.
As shown in Figure 10-31, the asynchronous serial port on RouterA connects to the console port on RouterB through an asynchronous serial cable. You can log in to RouterB through RouterA from the remote PC in vpna. RouterA functions as the serial port server and there is a reachable route between the remote PC and RouterA. You can log in to RouterB connected to RouterA from the remote PC using the IP address and specified port number.
For details about the asynchronous serial cable, see "8AS Cable" in the NetEngine AR Get to Know the Product - Hardware Description - Cables.
Figure 10-31 Networking diagram for redirection configuration
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Configuration Files

Example for Configuring an NMS to Communicate with a Device by SSH over a VPN
This section provides an example for configuring an NMS to communicate with a device by SSH over a VPN.
Networking Requirements
On the network shown in Figure 10-32, an NMS, RouterA, and AAA server are connected over a VPN. The NMS is integrated with the SSH client and SFTP server functions. The SSH client uses SSH to log in to and communicate with the RouterA. The SFTP server uses SFTP for file transfer with the RouterA functioning as an SFTP client.
Figure 10-32 Networking diagram for configuring an NMS to communicate with a device by SSH over a VPN
The interfaces are bound to the same VPN instance.
Precautions
Ensure that the route between the device and NMS is reachable.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Configuration Files

Troubleshooting CLI Login
This section describes common faults caused by incorrect configurations and provides the corresponding troubleshooting procedures.

Failing to Log In Through the Console Port
Fault Description
Login through the console port fails.
Procedure

Failing to Log In Through Telnet
Fault Description
Login to the Telnet server through Telnet fails.
Procedure

Failing to Log In Through STelnet
Fault Description
Login to the SSH server through STelnet fails.
Procedure

FAQ About CLI Login
This section describes common problems you may encounter during the configuration and provides the solutions to these problems.

What If I Forget the Password for Console Port Login?
Procedure
When you forget the password for logging in through the console port, use either of the following two methods to set a new password.

Logging In to the Device Through STelnet/Telnet to Set a New Password
It is recommended that you use STelnet V2 to log in to the device. The following uses the command lines and outputs of logging in to the device using STelnet as an example.
After logging in to the device through STelnet, perform the following operations.

# Take password authentication as an example. Set the password to Huawei@123.
<Huawei> system-view
[Huawei] user-interface console 0
[Huawei-ui-console0] authentication-mode password
[Huawei-ui-console0] set authentication password cipher
Warning: The "password" authentication mode is not secure, and it is strongly re
commended to use "aaa" authentication mode.
Enter Password(<8-128>):
Confirm password:
[Huawei-ui-console0] return
<Huawei> save

# Take AAA authentication as an example. Set the user name and password to admin123 and Huawei@123, respectively.
<Huawei> system-view
[Huawei] user-interface console 0
[Huawei-ui-console0] authentication-mode aaa
[Huawei-ui-console0] quit
[Huawei] aaa
[Huawei-aaa] local-user admin123 password irreversible-cipher Huawei@123
[Huawei-aaa] local-user admin123 privilege level 15
[Huawei-aaa] local-user admin123 service-type terminal
[Huawei-aaa] return
<Huawei> save

Clearing the Lost Password Using the BootROM Menu
You can use the BootROM menu of the device to clear the lost password for console port login. After starting the device, set a new password and save your configuration. Perform the following steps.
More Information

What If I Forget the Password for Telnet Login?
Procedure
If you forget the Telnet login password, log in to the device through the console port and set a new password for Telnet login.

# Take password authentication for VTY0 login as an example. Set the password to Huawei@123.
<Huawei> system-view
[Huawei] user-interface vty 0
[Huawei-ui-vty0] authentication-mode password
[Huawei-ui-vty0] set authentication password cipher
Warning: The "password" authentication mode is not secure, and it is strongly re
commended to use "aaa" authentication mode.
Enter Password(<8-128>):
Confirm password:
[Huawei-ui-vty0] user privilege level 15
[Huawei-ui-vty0] return
<Huawei> save

# Take AAA authentication for VTY0 login as an example. Set the user name and password to admin123 and Huawei@123, respectively.
<Huawei> system-view
[Huawei] user-interface vty 0
[Huawei-ui-vty0] protocol inbound telnet
[Huawei-ui-vty0] authentication-mode aaa
[Huawei-ui-vty0] quit
[Huawei] aaa
[Huawei-aaa] local-user admin123 password irreversible-cipher Huawei@123
[Huawei-aaa] local-user admin123 service-type telnet
[Huawei-aaa] local-user admin123 privilege level 15
[Huawei-aaa] return
<Huawei> save

More Information
By default, a user only needs to pass password authentication to log in to the device from the console user interface. To prevent unauthorized users from accessing the device, change the authentication mode of the console user interface to AAA authentication.

How Do I Configure Screen Display?