H3C S12500 Series Configuration Examples

H3C S12500 Login Authentication Configuration Examples
Copyright © 2013 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without
prior written consent of Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice.
Contents
Introduction
Prerequisites
Example: Configuring password authentication for console users
  Network requirements
  Requirements analysis
  Software version used
  Configuration procedures
  Verifying the configuration
  Configuration files
Example: Configuring local scheme authentication for console users
  Network requirements
  Requirements analysis
  Software version used
  Configuration procedures
  Verifying the configuration
  Configuration files
Example: Configuring password authentication for Telnet users
  Network requirements
  Requirements analysis
  Software version used
  Configuration procedures
  Verifying the configuration
  Configuration files
Example: Configuring local scheme authentication for Telnet users
  Network requirements
  Requirements analysis
  Software version used
  Configuration procedures
  Verifying the configuration
  Configuration files
Related documentation
Introduction
This document provides authentication configuration examples for console and Telnet logins.
The H3C S12500 switch supports the following login authentication modes:
None—Disables authentication. This mode allows access without authentication and is insecure.
Password—Requires a password for login authentication.
Scheme—Requires a username and password for login authentication.
To log in to the switch, you can use the methods shown in Table 1.
Table 1 Login methods at a glance

Login method: Console, AUX
Default settings and minimum configuration requirements:
  By default, login through the console port is enabled and no username or password is required. After login, configure password or scheme authentication mode to improve device security.
  By default, login through the AUX port is enabled and requires a password, but no password is configured. To use the AUX port for login, log in through any other method and complete the following configuration tasks:
    - Configure a password for password authentication, or change the authentication mode and configure parameters for the new authentication mode.
    - Assign a user role (network-operator by default).

Login method: Telnet
Default settings and minimum configuration requirements:
  By default, Telnet login is disabled.
  To log in through Telnet, complete the following configuration tasks:
    - Enable the Telnet server function.
    - Assign an IP address to a Layer 3 interface. Make sure the interface and the Telnet client can reach each other.
    - Configure an authentication mode for VTY login users. By default, password authentication is used but no password is configured.
    - Assign a user role to VTY login users (network-operator by default).

Login method: SSH
Default settings and minimum configuration requirements:
  By default, SSH login is disabled.
  To log in through SSH, complete the following configuration tasks:
    - Enable the SSH server function and configure SSH attributes.
    - Assign an IP address to a Layer 3 interface. Make sure the interface and the SSH client can reach each other.
    - Configure scheme authentication for VTY users (password authentication by default).
    - Assign a user role to VTY login users (network-operator by default).

For SSH configuration examples, see H3C S12500 SSH Configuration Examples.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all the
devices were started with the factory default configuration. When you are working on a live network,
make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of login authentication.
Example: Configuring password authentication for console users
Network requirements
Configure password authentication for console users on the switch in Figure 1. Require console users to
provide the password test at login.
Figure 1 Network diagram
Requirements analysis
To require a console user to provide a password at login, configure password authentication for the
console user interface on the switch.
You do not need to change the user role setting for a console user when password authentication is
used. The user role depends on the user role setting for the console user interface and is network-admin
by default.
Software version used
This configuration example was created and verified on S12500-CMW710-R7129.
Configuration procedures
# Enable password authentication for the console user interface, and set the password to test.
<Switch1> system-view
[Switch1] user-interface console 0
[Switch1-ui-console0] authentication-mode password
[Switch1-ui-console0] set authentication password simple test
[Switch1-ui-console0] quit
Verifying the configuration
# Log in to the switch through the console port. Verify that the system displays a prompt for the console
login password.
******************************************************************************
* Copyright (c) 2004-2013 Hewlett-Packard Development Company, L.P. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
User interface con0 is available.
Press ENTER to get started.
Password:
# Enter the correct password to verify that you can access the CLI.
<Switch1> system-view
System View: return to User View with Ctrl+Z.
[Switch1]
Configuration files
#
user-interface con 0
 authentication-mode password
 user-role network-admin
 set authentication password hash $h$6$4PKgIe09Fnyq3ZGB$Gjw9CActpVa5IJm9oGEgMBxtopkZkEYv7CriP31oqNJOpAyBPwxIvOds+7XcJ5aGz2xaO77H3CsaSMpRzKenq0Q==
#
Example: Configuring local scheme authentication for console users
Network requirements
Configure local scheme authentication for console users on the switch in Figure 2. Require console users
to provide the username test and password test at login.
Figure 2 Network diagram
Requirements analysis
To meet the network requirements, perform the following tasks:
To require a console user to provide a username and password at login, configure scheme
authentication for the console user interface.
Because local authentication is the default authentication method for login users, you only need to
configure a local user on the switch.
To allow the local user to log in to the switch, authorize the local user to use the terminal service.
To allow the local user to use all commands, assign the user role network-admin to the local user.
The user role of a login user depends on the user role setting for the local user. It is
network-operator by default when local scheme authentication is used.
Software version used
This configuration example was created and verified on S12500-CMW710-R7129.
Configuration procedures
# Enable scheme authentication for the console user interface.
<Switch1> system-view
[Switch1] user-interface console 0
[Switch1-ui-console0] authentication-mode scheme
[Switch1-ui-console0] quit
# Configure a local user with the username test and password test.
[Switch1] local-user test class manage
[Switch1-luser-manage-test] password simple test
# Assign the user role network-admin and the terminal service to the user.
[Switch1-luser-manage-test] authorization-attribute user-role network-admin
[Switch1-luser-manage-test] service-type terminal
[Switch1-luser-manage-test] quit
Verifying the configuration
# Log in to the switch through the console port. Verify that the system displays a prompt for the console
login username and password.
******************************************************************************
* Copyright (c) 2004-2013 Hewlett-Packard Development Company, L.P. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
User interface con0 is available.
Press ENTER to get started.
login: test
Password:
# Enter the correct username and password to verify that you can access the CLI.
<Switch1> system-view
System View: return to User View with Ctrl+Z.
[Switch1]
Configuration files
#
domain default enable system
#
user-interface con 0
 authentication-mode scheme
 user-role network-admin
#
local-user test class manage
 password hash $h$6$DaTNpkN/T5vDTCTX$knzvBlMhlFZ77CORDl55gdS8+oMzxCsxe/xH+qoSllgAEyWm7wW70ZB5O2QqlvHEUg8nkLaM/1/xK/6Cvq5shQ==
 service-type terminal
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
Example: Configuring password authentication for Telnet users
Network requirements
Configure password authentication for Telnet users on the switch in Figure 3. Require Telnet users to
provide the password test at login.
Figure 3 Network diagram
Requirements analysis
To meet the network requirements, perform the following tasks:
To allow Telnet logins, enable the Telnet server on the switch.
To require a Telnet user to provide a password at login, configure password authentication for the
VTY user interfaces on the switch.
To allow a Telnet user to use all commands, assign the user role network-admin to the VTY user
interfaces. The default user role is network-operator for a Telnet user.
Software version used
This configuration example was created and verified on S12500-CMW710-R7129.
Configuration procedures
# Enable Telnet server.
<Switch1> system-view
[Switch1] telnet server enable
# Configure interface GigabitEthernet 7/0/35.
[Switch1] interface Vlan-interface 5
[Switch1-Vlan-interface5] ip address 15.15.1.1 16
[Switch1-Vlan-interface5] quit
[Switch1] interface GigabitEthernet 7/0/35
[Switch1-GigabitEthernet7/0/35] port link-mode bridge
[Switch1-GigabitEthernet7/0/35] port access vlan 5
[Switch1-GigabitEthernet7/0/35] quit
# For all VTY user interfaces, enable password authentication, set the password to test, and assign the
user role network-admin.
[Switch1] user-interface vty 0 15
[Switch1-ui-vty0-15] authentication-mode password
[Switch1-ui-vty0-15] set authentication password simple test
[Switch1-ui-vty0-15] user-role network-admin
[Switch1-ui-vty0-15] quit
Verifying the configuration
# Telnet to the switch. Verify that the system displays a prompt for the password.
******************************************************************************
* Copyright (c) 2004-2013 Hewlett-Packard Development Company, L.P. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Password:
# Enter the correct password to verify that you can access the CLI.
<Switch1> system-view
System View: return to User View with Ctrl+Z.
[Switch1]
Configuration files
#
domain default enable system
#
telnet server enable
#
vlan 5
#
interface Vlan-interface5
 ip address 15.15.1.1 255.255.0.0
#
interface GigabitEthernet7/0/35
 port link-mode bridge
 port access vlan 5
#
user-interface vty 0 15
 user-role network-admin
 user-role network-operator
 set authentication password hash $h$6$ifF6RyM3SrB7BiSA$2zNo5WkQc2Oz8GXYOq7FkL2s98vO13C11511sWzNn+J/NcqmEKGuwbMubqY0r8gA5iGy7ojYux/m1A+ux+F5yw==
 idle-timeout 0 0
#
Example: Configuring local scheme authentication for Telnet users
Network requirements
Configure local scheme authentication for Telnet users on the switch in Figure 4. Require Telnet users to
provide the username test and password test at login.
Figure 4 Network diagram
Requirements analysis
To meet the network requirements, perform the following tasks:
To allow Telnet logins, enable Telnet server on the switch.
To require a Telnet user to provide a username and password at login, configure scheme
authentication for the VTY user interfaces.
Because local authentication is the default authentication method for login users, you only need to
configure a local user on the switch.
To allow the local user to Telnet to the switch, authorize the local user to use the Telnet service.
To allow the local user to use all commands, assign the user role network-admin to the local user.
The user role of a login user depends on the user role setting for the local user. It is
network-operator by default when local scheme authentication is used.
Software version used
This configuration example was created and verified on S12500-CMW710-R7129.
Configuration procedures
# Enable Telnet server.
<Switch1> system-view
[Switch1] telnet server enable
# Configure interface GigabitEthernet 7/0/35.
[Switch1] interface Vlan-interface 5
[Switch1-Vlan-interface5] ip address 15.15.1.1 16
[Switch1-Vlan-interface5] quit
[Switch1] interface GigabitEthernet 7/0/35
[Switch1-GigabitEthernet7/0/35] port link-mode bridge
[Switch1-GigabitEthernet7/0/35] port access vlan 5
[Switch1-GigabitEthernet7/0/35] quit
# Enable scheme authentication for all VTY user interfaces.
[Switch1] user-interface vty 0 15
[Switch1-ui-vty0-15] authentication-mode scheme
[Switch1-ui-vty0-15] quit
# Configure a local user with the username test and password test.
[Switch1] local-user test class manage
[Switch1-luser-manage-test] password simple test
# Assign the user role network-admin and the Telnet service to the user.
[Switch1-luser-manage-test] authorization-attribute user-role network-admin
[Switch1-luser-manage-test] service-type telnet
[Switch1-luser-manage-test] quit
Verifying the configuration
# Telnet to the switch. Verify that the system displays a prompt for the username and password.
******************************************************************************
* Copyright (c) 2004-2013 Hewlett-Packard Development Company, L.P. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
login: test
Password:
# Enter the correct username and password to verify that you can access the CLI.
<Switch1> system-view
System View: return to User View with Ctrl+Z.
[Switch1]
Configuration files
#
domain default enable system
#
telnet server enable
#
vlan 5
#
interface Vlan-interface5
 ip address 15.15.1.1 255.255.0.0
#
interface GigabitEthernet7/0/35
 port link-mode bridge
 port access vlan 5
#
user-interface vty 0 15
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
 idle-timeout 0 0
#
local-user test class manage
 password hash $h$6$uUxUbGGD00+3wYOs$cVq29Rs+FEp5GSCfTmCw3Wkg43lLKHtUaWOf7LkHDAP7B2VqITsm5OK7vIgd3W2HGDHXzjc1g/Z4PNPIkFN2WQ==
 service-type telnet
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
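The following audit script is an added example, not part of the H3C manual: it reads a configuration file in the layout of the "Configuration files" sections, applies the Table 1 defaults when a user interface has no authentication-mode line, and reports weak login settings. The issue names, the sample configuration, and the rule that an absent authentication-mode line means the Table 1 default are assumptions of this example.

```python
import re

# Defaults from Table 1: console needs no credentials, AUX and VTY use password
# mode. Assumption: a section without an authentication-mode line uses them.
DEFAULT_MODE = {"con": "none", "aux": "password", "vty": "password"}

# Constructed sample in the "Configuration files" layout; hash is a placeholder.
SAMPLE = """\
#
telnet server enable
#
user-interface con 0
 user-role network-admin
#
user-interface vty 0 15
 user-role network-admin
 set authentication password hash <placeholder>
 idle-timeout 0 0
#
local-user test class manage
 service-type telnet
 authorization-attribute user-role network-admin
#
"""

def sections(config):
    """Yield (header, sub-commands) for each block between '#' separators."""
    for chunk in re.split(r"(?m)^[ \t]*#[ \t]*$", config):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            yield lines[0], lines[1:]

def audit(config):
    """Return (section, issue) pairs; the issue names are this example's own."""
    findings = []
    for header, body in sections(config):
        if header == "telnet server enable":  # Telnet carries logins in cleartext
            findings.append((header, "telnet-enabled"))
        ui = re.match(r"user-interface (con|aux|vty)\b", header)
        if ui:
            modes = [l.split()[1] for l in body if l.startswith("authentication-mode ")]
            mode = modes[0] if modes else DEFAULT_MODE[ui.group(1)]
            if mode == "none":
                findings.append((header, "no-authentication"))
            # One shared password that grants the full-access role.
            if mode == "password" and "user-role network-admin" in body:
                findings.append((header, "shared-password-admin"))
            if "idle-timeout 0 0" in body:  # 0 0 turns the idle disconnect off
                findings.append((header, "idle-timeout-disabled"))
        admin = "authorization-attribute user-role network-admin" in body
        if header.startswith("local-user ") and admin and any(
                l.startswith("service-type ") and "telnet" in l.split() for l in body):
            findings.append((header, "admin-over-telnet"))
    return findings

if __name__ == "__main__":
    for section, issue in audit(SAMPLE):
        print(f"{issue:24} {section}")
```

Run against the configuration file of the Telnet password example above, the script reports telnet-enabled, shared-password-admin and idle-timeout-disabled, because the VTY section there has no authentication-mode line and therefore falls back to password mode.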
Related documentation
H3C S12500 Routing Switch Series Fundamentals Configuration Guide
H3C S12500 Routing Switch Series Fundamentals Command Reference