
Example for Configuring Authentication for Telnet Login Users (AAA Local Authentication)

AAA Local Authentication Overview

Users are locally authenticated through AAA. To log in to a device, a user must enter the correct user name and password. User information is configured on the local device. There is no need to deploy an authentication server on the network. Therefore, AAA local authentication is fast and inexpensive. However, how much user information can be stored depends on the hardware capacity of the device.

Configuration Notes

This configuration example applies to all switches running all versions.

Networking Requirements

As shown in Figure 1, the administrator needs to remotely manage the device in a simplified and secure manner. The specific requirements are as follows:

  1. The administrator must enter the correct user name and password to log in to the device through Telnet.
  2. After logging in to the device through Telnet, the administrator can run the commands at levels 0-3.

Figure 1 Configuring authentication for Telnet login users (AAA local authentication)

Configuration Roadmap

  1. Enable the Telnet service.
  2. Set the authentication method for Telnet login users to AAA.
  3. Configure AAA local authentication, including creating a local user, setting the user access type to Telnet, and setting the user level to 15.

Procedure

  1. Configure interfaces and assign IP addresses.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 10
    [Switch] interface vlanif 10
    [Switch-Vlanif10] ip address 10.1.2.10 24
    [Switch-Vlanif10] quit
    [Switch] interface gigabitethernet0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type access
    [Switch-GigabitEthernet0/0/1] port default vlan 10
    [Switch-GigabitEthernet0/0/1] quit

  2. Enable the Telnet server.

    [Switch] telnet server enable

  3. Set the authentication method for the VTY user interface to AAA.

    [Switch] user-interface maximum-vty 15  //Set the maximum number of VTY login users to 15 (the value range varies according to product versions and models). By default, the maximum number of Telnet users is 5.
    [Switch] user-interface vty 0 14  //Enter the VTY 0-14 user view.
    [Switch-ui-vty0-14] authentication-mode aaa  //Set the authentication method for the VTY user view to AAA.
    [Switch-ui-vty0-14] protocol inbound telnet  //Configure the VTY user interface to support Telnet. By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
    [Switch-ui-vty0-14] quit

  4. Configure AAA local authentication.

    [Switch] aaa
    [Switch-aaa] local-user user1 password irreversible-cipher Huawei@1234  //Create local user user1 and set the password. The password is displayed in cipher text in the configuration file, so remember the password. If you forget the password, run this command again to reconfigure the password (the command is local-user user-name password cipher password in V200R002 and earlier versions).
    [Switch-aaa] local-user user1 service-type telnet  //Set the access type of user1 to Telnet. The user can log in through only Telnet (by default, users can log in through any method in versions earlier than V200R007 and cannot log in through any method in V200R007 and later versions).
    [Switch-aaa] local-user user1 privilege level 15  //Set the user level of user1 to 15. The user can use the commands of level 3 and lower levels.
    Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N] y
    [Switch-aaa] quit

    When the entered user name does not contain a domain name, the device authenticates the user using the default administrative domain default_admin. By default, the default administrative domain uses the authentication scheme default and accounting scheme default.

    • Authentication scheme default: local authentication
    • Accounting scheme default: non-accounting

  5. Verify the configuration.

    Choose Start > Run on your computer and enter cmd to open the cmd window. Run the telnet command and enter the user name user1 and password Huawei@1234 to log in to the device through Telnet.

    C:\Documents and Settings\Administrator> telnet 10.1.2.10
    Username:user1
    Password:***********
    <Switch>  //The administrator successfully logs in.

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 10
#
telnet server enable
#
aaa
 local-user user1 password irreversible-cipher %^%#.)P`(ahmeXKljES$}IC%OdjjC$m)cA#}T(8z4*ZK!_Z+GSo<7C*O8WO,!rt;%^%#
 local-user user1 privilege level 15
 local-user user1 service-type telnet
#
interface Vlanif10
 ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
user-interface maximum-vty 15
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound telnet
#
return
Copyright © Huawei Technologies Co., Ltd.