Configuring a User Level and Authentication Mode for the VTY User Interface

To use Telnet to log in to a device for remote management and maintenance, you must first log in to the device through the console port and change the user level and authentication mode.

Context

Other attributes on the VTY user interface have default values. Generally, you do not need to modify them. You can also modify these attributes as required. For details, see Configuring VTY User Interfaces.

Procedure

  • Configure a user level for the VTY user interface.

    1. Run system-view

      The system view is displayed.

    2. Run user-interface vty first-ui-number [ last-ui-number ]

      The VTY user interface is displayed.

    3. Run user privilege level level

      The user level is set. Table 1 lists the mapping between user levels and command levels in the VTY user interface.

      The value of level ranges from 0 to 15 when the command-privilege level rearrange configuration exists.

      The value of level ranges from 0 to 3 when the command-privilege level rearrange configuration does not exist.

      Table 1 Mapping between user levels and command levels

      User Level (0 to 3) | User Level (0 to 15) | Command Level  | Permission          | Description
      --------------------+----------------------+----------------+---------------------+------------------------------------------------------------------
      0                   | 0                    | 0              | Visit               | Diagnostic commands, such as ping and tracert, and commands used to access a remote device, such as a Telnet client.
      1                   | 1 to 9               | 0, 1           | Monitoring          | Commands used for system maintenance, including display commands (see NOTE below).
      2                   | 10 to 14             | 0, 1, and 2    | Configuration level | Service configuration commands.
      3                   | 15                   | 0, 1, 2, and 3 | Management level    | Commands used for basic system operation in support of services: file system, FTP, TFTP, configuration file switching, slave board control, user management, command level configuration, reboot, and debugging commands.

      NOTE:
      Not all display commands are of the monitoring level. For example, the display current-configuration command is of the management level (3). For details about command levels, see HUAWEI NetEngine 8000 F Series Command Reference.

      • User levels correspond to command levels. After a user logs in to a device, the user can use only commands of the corresponding level or lower, which improves device security.
      • If the user level configured for a user interface conflicts with the user level configured for a user, the user level configured for the user takes precedence.

    4. Run commit

      The configuration is committed.

  • Configure an authentication mode for the VTY user interface.

    The system provides password and AAA authentication. You can select either as required.

    • Configure password authentication.

      1. Run system-view

        The system view is displayed.

      2. Run user-interface vty first-ui-number [ last-ui-number ]

        The VTY user interface is displayed.

      3. Run authentication-mode password

        The authentication mode is set to password authentication.

      4. Run set authentication password [ cipher password ]

        The configured password is changed.

        • If cipher is not specified, the password is entered interactively and the system does not display the characters you type.

          A password is a string of 8 to 16 case-sensitive characters and must contain at least two of the following character types: uppercase letters, lowercase letters, digits, and special characters.

        • Special characters exclude question marks (?) and spaces. However, if the password is enclosed in double quotation marks ("), spaces are allowed in it.
          • If the password contains spaces, the quoted string cannot itself contain double quotation marks.
          • If the password contains no spaces, the quoted string can contain double quotation marks.

          For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.

        • If cipher is specified, the password can be entered in either simple text or cipher text.

          • If the password is entered in simple text, the requirements are the same as when cipher is not specified. The system then displays the password in simple text, which is a security risk.
          • The password is stored in cipher text in the configuration file regardless of whether it was entered in simple text or cipher text.

        If you have run the undo authentication-mode command to delete the authentication mode configured for the console user interface, you cannot run the set authentication password [ cipher password ] command to change the authentication password.

      5. Run commit

        The configuration is committed.
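The following session applies the two procedures above (user level and password authentication) to one VTY range. It is a worked example added to this page, not a session from the Huawei documentation. The interface range 0 to 4, the user level 1 (monitoring) and the prompts are assumptions chosen for illustration; the password is entered at the interactive prompt (cipher not specified) so that it is never echoed to the terminal.

```text
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] user privilege level 1
[*HUAWEI-ui-vty0-4] authentication-mode password
[*HUAWEI-ui-vty0-4] set authentication password
[*HUAWEI-ui-vty0-4] commit
[~HUAWEI-ui-vty0-4]
```

After set authentication password the system prompts for the password interactively; it must be 8 to 16 characters with at least two character types and contain no question mark or space (unless quoted), as described above. The asterisk in the prompt marks configuration that has not yet been committed; it disappears once commit succeeds. A user level of 1 lets Telnet users run display commands but not configuration or management commands; raise it only for interfaces that need it, remembering that a level configured on the user itself takes precedence.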

    • Configure AAA authentication.

      When the authentication mode is set to AAA authentication, you must specify the access type of a local user.

      1. Run system-view

        The system view is displayed.

      2. (Optional) Run crypto password irreversible-algorithm hmac-sha256

        The HMAC-SHA256 ciphertext password encryption algorithm is set.

      3. Run aaa

        The AAA view is displayed.

      4. Run local-user user-name password [ cipher password | irreversible-cipher irreversible-cipher-password ]

        The local username and password are configured.

        • If cipher or irreversible-cipher is not specified, the password is entered interactively and the system does not display the characters you type.

          When the user security policy is configured, the value is a string of 8 to 128 case-insensitive characters without spaces. When the user security policy is not configured, the value is a string of 1 to 128 case-insensitive characters without spaces. When the user security policy is configured, the password cannot be the same as the user name or its reverse, and it must contain all four of the following character types: uppercase letters, lowercase letters, digits, and special characters.
          Special characters exclude question marks (?) and spaces. However, if the password is enclosed in double quotation marks ("), spaces are allowed in it.
          • If the password contains spaces, the quoted string cannot itself contain double quotation marks.
          • If the password contains no spaces, the quoted string can contain double quotation marks.

          For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.

        • If cipher is specified, the password can be entered in either simple text or cipher text.

          If the password is entered in simple text, the requirements are the same as when cipher is not specified. The system then displays the password in simple text, which is a security risk.

          The password is stored in cipher text in the configuration file regardless of whether it was entered in simple text or cipher text.

        • If irreversible-cipher is specified, the password can be entered in either simple text or irreversible cipher text.

          If the password is entered in simple text, the requirements are the same as when irreversible-cipher is not specified.

          The password is stored in cipher text in the configuration file regardless of whether it was entered in simple text or irreversible cipher text.

      5. Run local-user user-name service-type telnet

        The access type of the local user is set to Telnet.

      6. Run local-user user-name user-group user-group-name

        The local user is added to a user group.

      7. Run quit

        Exit the AAA view.

      8. Run user-interface vty first-ui-number [ last-ui-number ]

        The VTY user interface is displayed.

      9. Run authentication-mode aaa

        The authentication mode is set to AAA authentication.

      10. Run protocol inbound { telnet | all }

        Telnet is configured for VTY user interfaces.

      11. Run commit

        The configuration is committed.
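The following session applies the AAA procedure above end to end. It is a worked example added to this page, not a session from the Huawei documentation. The local user name netops, the user group manage-ug (assumed to already exist on the device), the VTY range 0 to 4, the user level 3 and the prompts are assumptions chosen for illustration; the password is entered at the interactive prompt (neither cipher nor irreversible-cipher specified) so that it is never echoed.

```text
<HUAWEI> system-view
[~HUAWEI] crypto password irreversible-algorithm hmac-sha256
[*HUAWEI] aaa
[*HUAWEI-aaa] local-user netops password
[*HUAWEI-aaa] local-user netops service-type telnet
[*HUAWEI-aaa] local-user netops user-group manage-ug
[*HUAWEI-aaa] quit
[*HUAWEI] user-interface vty 0 4
[*HUAWEI-ui-vty0-4] user privilege level 3
[*HUAWEI-ui-vty0-4] authentication-mode aaa
[*HUAWEI-ui-vty0-4] protocol inbound telnet
[*HUAWEI-ui-vty0-4] commit
[~HUAWEI-ui-vty0-4]
```

Setting the irreversible algorithm to HMAC-SHA256 before creating the user is what step 2 above is for. Restricting the user's access type to telnet (step 5) limits that account to the VTY login method this page configures, and protocol inbound telnet restricts the VTY range to that protocol rather than all. Level 3 is the management level, so this account can run display current-configuration and other management commands; an operator who only needs monitoring should instead receive level 1.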

Copyright © Huawei Technologies Co., Ltd.