
Example for Configuring Telnet Login (Based on ACL Rules and RADIUS Authentication)

Overview

Telnet login to a switch facilitates remote management and maintenance on the switch so that you do not need to connect a terminal to each switch. By default, you cannot log in to a switch using Telnet. You need to log in to a switch through a console port and configure the Telnet function first. For details, see Example for Configuring Switch Login Through a Console Port.

An Access Control List (ACL) is a packet filter that filters packets based on rules. One or more rules describe the packet matching conditions, such as the source address, destination address, and port number of packets. For packets that match the ACL rules configured on a device, the device forwards or discards these packets according to the policies used by the service module to which the ACL is applied.

RADIUS uses the client/server model in distributed mode and protects a network against unauthorized access. It is often used on networks that require high security and remote user access control. After Telnet login based on RADIUS authentication is configured, a switch sends the user name and password of a login user to the RADIUS server. The RADIUS server then authenticates the user and records the user operations, ensuring network security.

If ACLs and RADIUS authentication are both configured, packets that match the ACL rules reach the upper-layer module, and the user is then authenticated in RADIUS mode based on the user name and password. Telnet login based on ACL rules and RADIUS authentication therefore ensures network security.

Configuration Notes

  • Telnet is an insecure protocol. Using STelnet V2 is recommended.
  • Ensure that the user terminal has reachable routes to the switch and RADIUS server.
  • Ensure that the IP address, port number, and shared key of the RADIUS server are configured correctly on the switch and are the same as those on the RADIUS server.
  • Ensure that a user has been configured on the RADIUS server. In this example, the user admin@huawei.com (in the format of user name@domain name) and password Huawei@1234 have been configured.
  • This example applies to all versions of all S series switches.

The following uses the command lines and outputs of the S7700 running V200R006C00 as an example.

Networking Requirements

The network administrator requires remote management and maintenance on a switch and high network security for protecting the network against unauthorized access. To meet the requirements, configure Telnet login based on ACL rules and RADIUS authentication.

As shown in Figure 1, the Switch has reachable routes to the administrator and the RADIUS server. The IP address and port number of the RADIUS server are 10.2.1.1/24 and 1812 respectively.

Figure 1 Networking diagram for configuring Telnet login based on ACL rules and RADIUS authentication

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the Telnet protocol so that users can log in to the Switch using Telnet.

  2. Configure an ACL rule to ensure that only users matching the ACL rule can log in to the Switch.

  3. Configure the RADIUS protocol to implement RADIUS authentication. After the configuration is complete, you can use the user name and password configured on the RADIUS server to log in to the Switch using Telnet, ensuring user login security.

Procedure

  1. Configure Telnet login.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] telnet server enable
    [Switch] user-interface vty 0 14    //Enter the user interface views of VTY 0 to VTY 14.
    [Switch-ui-vty0-14] protocol inbound telnet    //Configure the VTY user interface to support Telnet. By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
    [Switch-ui-vty0-14] authentication-mode aaa    //Set the authentication mode of users in VTY 0 to VTY 14 to AAA.
    [Switch-ui-vty0-14] user privilege level 15    //Set the level of users in VTY 0 to VTY 14 to 15.
    [Switch-ui-vty0-14] quit

  2. Configure a basic ACL rule.

    [Switch] acl 2008
    [Switch-acl-basic-2008] rule permit source 10.137.217.177 0
    [Switch-acl-basic-2008] quit
    [Switch] user-interface vty 0 14
    [Switch-ui-vty0-14] acl 2008 inbound    //Allow only users matching ACL 2008 in VTY 0 to VTY 14 to log in to the switch.
    [Switch-ui-vty0-14] quit

  3. Configure RADIUS authentication.

    # Configure a RADIUS server template on the Switch to implement communication with the RADIUS server.
    [Switch] radius-server template 1    //Enter the RADIUS server template view.
    [Switch-radius-1] radius-server authentication 10.2.1.1 1812    //Configure the RADIUS server.
    [Switch-radius-1] radius-server shared-key cipher Huawei@6789    //Set the shared key of the RADIUS server to Huawei@6789.
    [Switch-radius-1] quit
    

    If the RADIUS server does not support a user name containing the domain name, run the undo radius-server user-name domain-included command to configure the Switch to send packets carrying a user name without the domain name to the RADIUS server.

    # Configure an AAA authentication scheme, with the authentication mode being RADIUS.
    [Switch] aaa
    [Switch-aaa] authentication-scheme sch1    //Create an authentication scheme named sch1.
    [Switch-aaa-authen-sch1] authentication-mode radius    //Set the authentication mode to RADIUS.
    [Switch-aaa-authen-sch1] quit
    
    # Create a domain, and apply the AAA authentication scheme and RADIUS server template in the domain.
    [Switch-aaa] domain huawei.com    //Create a domain named huawei.com and enter the domain view.
    [Switch-aaa-domain-huawei.com] authentication-scheme sch1    //Configure the authentication scheme sch1 for the domain.
    [Switch-aaa-domain-huawei.com] radius-server 1    //Apply the RADIUS server template 1 to the domain.
    [Switch-aaa-domain-huawei.com] quit
    [Switch-aaa] quit
    
    # Configure the domain huawei.com as the default global management domain so that an administrator does not need to enter the domain name for logging in to the Switch.
    [Switch] domain huawei.com admin

  4. Verify the configuration.

    Choose Start > Run as an administrator. Enter cmd to open the Windows Command Prompt window. Type telnet 10.1.1.1, and press Enter.

    C:\Documents and Settings\Administrator> telnet 10.1.1.1

    In the login interface, type the user name admin and password Huawei@1234 as prompted and press Enter. Authentication succeeds, and you successfully log in to the Switch using Telnet. (The following information is only for reference.)

    Login authentication
    
    
    Username:admin
    Password:
    Info: The max number of VTY users is 8, and the number
          of current VTY users on line is 2.
          The current login time is 2014-07-30 09:54:02+08:00. 
    <Switch>
    

Configuration Files

Switch configuration file

#
sysname Switch
#
domain huawei.com admin
#
telnet server enable
#
radius-server template 1
 radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
 radius-server authentication 10.2.1.1 1812 weight 80
#
acl number 2008
 rule 5 permit source 10.137.217.177 0
#
aaa
 authentication-scheme sch1    
  authentication-mode radius  
 domain huawei.com            
  authentication-scheme sch1     
  radius-server 1 
#
user-interface vty 0 14
 acl 2008 inbound
 authentication-mode aaa
 user privilege level 15 
 protocol inbound telnet 
#
return
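
The source filtering that step 2 binds to VTY 0 to VTY 14 can be checked offline against a saved configuration file. The Python below is an added example, not part of the original page or any Huawei tool; it assumes rules are evaluated in ascending rule ID order, that a source matching no rule is refused as step 2 describes, and rule 10 in the sample is a hypothetical addition that shows ordering.

```python
import ipaddress
import re

# Constructed sample: the ACL and VTY sections of the configuration file on this page,
# plus one hypothetical deny rule (rule 10) to show that rule order matters.
CONFIG = """\
acl number 2008
 rule 5 permit source 10.137.217.177 0
 rule 10 deny source 10.137.217.0 0.0.0.255
user-interface vty 0 14
 acl 2008 inbound
 authentication-mode aaa
"""
RULE = re.compile(r"rule (\d+) (permit|deny) source (\S+)(?: (\S+))?")

def to_int(dotted):
    # A wildcard written as "0" is shorthand for 0.0.0.0 (exact host match).
    return 0 if dotted == "0" else int(ipaddress.IPv4Address(dotted))

def parse(config):
    """Return ({acl_number: [(rule_id, action, addr, wildcard)]}, VTY inbound ACL or None)."""
    acls, vty_acl, section = {}, None, []
    for line in config.splitlines():
        if not line.startswith(" "):
            section = line.split()
            if section[:2] == ["acl", "number"]:
                acls[section[2]] = []
        elif section[:2] == ["acl", "number"] and (m := RULE.match(line.strip())):
            rid, action, addr, wild = m.groups()
            if addr == "any":
                addr, wild = "0.0.0.0", "255.255.255.255"
            acls[section[2]].append((int(rid), action, to_int(addr), to_int(wild or "0")))
        elif section[:2] == ["user-interface", "vty"]:
            m = re.match(r"acl (\d+) inbound", line.strip())
            vty_acl = m.group(1) if m else vty_acl
    return acls, vty_acl

def telnet_source_allowed(config, src):
    """True if src passes the VTY inbound ACL and so reaches the RADIUS login prompt."""
    acls, vty_acl = parse(config)
    if vty_acl is None:
        return True  # no source filter is bound to the VTY lines
    ip = int(ipaddress.IPv4Address(src))
    for _, action, addr, wild in sorted(acls.get(vty_acl, [])):
        # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
        if ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False  # no rule matched (this example also fails closed on an empty ACL)
```
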
Copyright © Huawei Technologies Co., Ltd.