
Example for Configuring Local Authentication and User Level Authorization for Administrators

Networking Requirements

On the network shown in Figure 1, the network administrator of an enterprise needs to remotely manage the device in an easy and secure manner. To achieve this, local authentication can be configured for the administrator logging in through Telnet. The requirements are as follows:

  1. The administrator enters the correct user name and password to log in to the device through Telnet.
  2. After logging in to the device through Telnet, the administrator can run the commands at levels 0-15.

Figure 1 Configuring authentication for Telnet login users (local authentication)

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign an IP address to the interface on the switch that is connected to the management network.
  2. Enable the Telnet server function.
  3. Configure AAA authentication for the VTY user interface.
  4. Configure local authentication, including setting the user name and password, access type, and user level.

Procedure

  1. Assign an IP address to the interface on the switch that is connected to the management network.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 100
    [Switch] interface vlanif 100
    [Switch-Vlanif100] ip address 10.1.2.10 24
    [Switch-Vlanif100] quit
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type hybrid
    [Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 100
    [Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 100
    [Switch-GigabitEthernet0/0/1] quit

  2. Enable the Telnet server function.

    [Switch] telnet server enable

  3. Configure AAA authentication for the VTY user interface.

    [Switch] user-interface maximum-vty 15
    [Switch] user-interface vty 0 14
    [Switch-ui-vty0-14] authentication-mode aaa
    [Switch-ui-vty0-14] protocol inbound telnet
    [Switch-ui-vty0-14] quit

  4. Configure local authentication.

    [Switch] aaa
    [Switch-aaa] local-user user1 password irreversible-cipher Huawei@123
    [Switch-aaa] local-user user1 service-type telnet
    [Switch-aaa] local-user user1 privilege level 15
    [Switch-aaa] quit

    When the entered user name does not contain a domain name, the device authenticates the user using the default management domain default_admin. By default, the default_admin domain uses the authentication scheme default and accounting scheme default.

    • Authentication scheme default: Uses the local authentication mode.
    • Accounting scheme default: Uses the non-accounting mode.

  5. Verify the configuration.

    Choose Start > Run on your computer and enter cmd to open the cmd window. Run the telnet command and enter the user name user1 and password Huawei@123 to log in to the device through Telnet.

    C:\Documents and Settings\Administrator> telnet 10.1.2.10
    Username:user1
    Password:***********

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 100
#
telnet server enable
#
aaa
 local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
 local-user user1 privilege level 15
 local-user user1 service-type telnet
#
interface Vlanif100
 ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
user-interface maximum-vty 15
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
#
return
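The following Python script is an added example, not Huawei's code and not part of this page's procedure. It audits a switch configuration file in the layout shown above for the settings this example requires: AAA authentication on every VTY user interface, a VTY range that stays within the configured maximum-vty, an irreversible-cipher password for every local user, and an explicit privilege level in the range 0-15 for every local user with Telnet access. SAMPLE_CONFIG re-types the configuration file above; WEAK_CONFIG is a constructed variant with those settings relaxed so the checks have something to report.

```python
"""Audit a VRP-style configuration file for the local-AAA Telnet settings
configured on this page. Added example; not Huawei's code."""
import re

# The switch configuration file from this page, re-typed as sample input.
SAMPLE_CONFIG = r"""
#
sysname Switch
#
vlan batch 100
#
telnet server enable
#
aaa
 local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
 local-user user1 privilege level 15
 local-user user1 service-type telnet
#
interface Vlanif100
 ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
user-interface maximum-vty 15
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
#
return
"""

# Constructed weakened variant: password-only VTY login, a reversible cipher,
# and no privilege level for user1.
WEAK_CONFIG = (SAMPLE_CONFIG
               .replace("authentication-mode aaa", "authentication-mode password")
               .replace("irreversible-cipher", "cipher")
               .replace(" local-user user1 privilege level 15\n", ""))


def parse_blocks(config_text):
    """Split the config into (header, [sub-commands]) blocks.

    Blocks are separated by lines consisting of '#'; an unindented line starts
    a block and the indented lines that follow it are its sub-commands."""
    blocks, header, body = [], None, []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line == "#" or not line.strip():
            if header is not None:
                blocks.append((header, body))
            header, body = None, []
        elif line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line, []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config_text):
    """Return a list of findings; an empty list means all checks passed."""
    findings, users, vty_blocks, max_vty = [], {}, [], None
    for header, body in parse_blocks(config_text):
        if header == "aaa":
            for cmd in body:
                m = re.match(r"local-user (\S+) (\S+)(?: (.*))?$", cmd)
                if not m:
                    continue
                name, attr, rest = m.groups()
                user = users.setdefault(name, {"services": set()})
                if attr == "password" and rest:
                    user["password_mode"] = rest.split()[0]   # e.g. irreversible-cipher
                elif attr == "privilege" and rest:
                    user["level"] = int(rest.split()[-1])     # "level 15" -> 15
                elif attr == "service-type" and rest:
                    user["services"].update(rest.split())
        elif header.startswith("user-interface maximum-vty"):
            max_vty = int(header.split()[-1])
        elif header.startswith("user-interface vty"):
            nums = [int(x) for x in header.split()[2:]]        # "vty 0 14" -> [0, 14]
            auth = next((c.split()[1] for c in body if c.startswith("authentication-mode")), None)
            vty_blocks.append((nums[0], nums[-1], auth))

    for first, last, auth in vty_blocks:
        if auth != "aaa":
            findings.append(f"vty {first} {last}: expected 'authentication-mode aaa', found {auth!r}")
        if max_vty is not None and last >= max_vty:
            findings.append(f"vty {first} {last}: range exceeds 'user-interface maximum-vty {max_vty}'")
    if vty_blocks and not users:
        findings.append("VTY login relies on AAA but no local-user is defined")
    for name, user in users.items():
        if user.get("password_mode") != "irreversible-cipher":
            findings.append(f"local-user {name}: password is not stored as irreversible-cipher")
        if "telnet" in user["services"]:
            level = user.get("level")
            if level is None:
                findings.append(f"local-user {name}: telnet access without an explicit privilege level")
            elif not 0 <= level <= 15:
                findings.append(f"local-user {name}: privilege level {level} is outside 0-15")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("weakened", WEAK_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Run as a script it prints `OK` for the page's configuration and three findings for the weakened copy. The parser keys only on the layout used above (blocks separated by `#` lines, sub-commands indented by one space), so it can be pointed at any saved configuration file in that style; commands the audit does not know about are ignored rather than reported.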
Copyright © Huawei Technologies Co., Ltd.