
(Optional) Managing a CLI Administrator Interface

This section describes how to manage a CLI administrator interface, how to set console attributes, how to configure administrator interfaces to exchange messages, and how to log out online administrators.

Configuring a CLI Administrator Interface

  1. Access the system view.

    system-view

  2. Optional: Set the maximum number of available VTY interfaces.

    user-interface maximum-vty number

    If the maximum number of VTY interfaces to be configured is greater than the current maximum number, the default level of each new VTY interface is 0 and the password authentication mode is used. You must set the level of the new VTY interface, set the password authentication password, or re-specify the authentication mode.

    By default, the maximum number of VTY administrator interfaces is five.

  3. Access the CLI administrator interface view.

    user-interface [ ui-type ] first-ui-number [ last-ui-number ]

  4. Optional: Enable a terminal service.

    shell

    By default, the terminal service is enabled on all CLI administrator interfaces.

  5. Optional: Configure the CLI administrator interface.

    Operation: Set the timeout period after which a connection between a FW and an administrator PC is disconnected. The default timeout period is 10 minutes.
    Command: idle-timeout minutes [ seconds ]

    Operation: Set the maximum number of lines on each screen. By default, each screen displays a maximum of 24 lines.
    Command: screen-length screen-length

    Operation: Set the size of the historical command buffer. By default, the buffer caches a maximum of 10 historical commands.
    Command: history-command max-size size-value

    Operation: Specify a command that a FW automatically executes after an administrator logs in to the FW. The console interface does not support this command.
    Command: auto-execute command command

    Operation: Set the CLI administrator interface priority.
    Command: user privilege level level

    Operation: Set the protocols supported by the CLI administrator interface.
    Command: protocol inbound { all | ssh | telnet }

    Operation: Bind a CLI administrator interface to an access control list (ACL). You can specify either of the following parameters:

    • inbound: permits a host request with a specified address or address range to log in to the FW.
    • outbound: permits a request to log in to another device through the FW.

    Command: acl acl-number { inbound | outbound }

  6. Specify an authentication mode.

    • If password or AAA authentication is specified and no level is specified for an administrator account for AAA authentication, the highest level of commands that an administrator can access is determined by the CLI administrator interface level.

    • If AAA authentication is enabled and a level is specified for an administrator account, the highest level of commands that an administrator can access is determined by the administrator account level.

    • After an authentication mode is specified, the default authentication mode does not take effect. Keep the new account and password (if configured) secure.

    Configure an authentication mode.
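The VTY settings from step 5 can be checked against a saved configuration. The following Python audit is an added example, not Huawei code: it flags VTY interfaces that permit Telnet, have no inbound ACL, or have an idle timeout that is disabled or longer than the 10-minute default. The stanza layout, the sample values (including ACL 2000), the function names, and the reading of "idle-timeout 0 0" as "never disconnect" are assumptions.

```python
import re

# Constructed sample; the stanza layout (header, indented settings) is assumed.
SAMPLE_CONFIG = """\
user-interface vty 0 4
 protocol inbound all
 idle-timeout 0 0
user-interface vty 5 9
 acl 2000 inbound
 protocol inbound ssh
 idle-timeout 5 0
"""
DEFAULT_IDLE = 10 * 60  # seconds; the page gives a 10-minute default

def parse_stanzas(text):
    """Return {header: [setting, ...]} for each VTY user-interface stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if re.match(r"user-interface vty \d+", line):
            current = stanzas.setdefault(line.strip(), [])
        elif current is not None and line.startswith(" ") and line.strip():
            current.append(line.strip())
        else:
            current = None  # any other line ends the stanza
    return stanzas

def audit(text):
    """Return {header: [finding, ...]} for stanzas with weak settings."""
    report = {}
    for header, settings in parse_stanzas(text).items():
        findings, idle = [], DEFAULT_IDLE
        for s in settings:
            m = re.fullmatch(r"protocol inbound (all|ssh|telnet)", s)
            if m and m.group(1) != "ssh":
                findings.append(f"telnet permitted (protocol inbound {m.group(1)})")
            m = re.fullmatch(r"idle-timeout (\d+)(?: (\d+))?", s)
            if m:
                idle = int(m.group(1)) * 60 + int(m.group(2) or 0)
        if idle == 0:  # assumption: 0 0 means the session never times out
            findings.append("idle-timeout disabled")
        elif idle > DEFAULT_IDLE:
            findings.append("idle-timeout above 10-minute default")
        if not any(re.fullmatch(r"acl \S+ inbound", s) for s in settings):
            findings.append("no inbound ACL bound")
        if findings:
            report[header] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Only explicitly configured lines are evaluated; an absent protocol inbound line is not flagged because the page does not state its default.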

Configuring Attributes of the Console Port

An administrator can log in to the console interface through a console port on a FW. To log in to the FW, the console port settings on the FW must be the same as those on the administrator host.

  1. Access the system view.

    system-view

  2. Access the administrator interface view.

    user-interface console interface-number

  3. Set console port attributes.

    Operation: Set the transmission rate. The default rate is 9600 bit/s.
    Command: speed speed-value

    Operation: Specify a flow control mode. The default mode is none.
    Command: flow-control { hardware | none | software }

    Operation: Specify a parity mode. The default mode is none.
    Command: parity { even | mark | none | odd | space }

    Operation: Set stop bits. The default stop bit is 1.
    Command: stopbits { 1.5 | 1 | 2 }

    Operation: Set data bits. The default data bits are 8.
    Command: databits { 5 | 6 | 7 | 8 }

Sending Messages to Another CLI Administrator Interface

Administrator interfaces can exchange messages.

  1. In the user view, enable the current interface to send messages to another administrator interface.

    send { all | ui-type ui-number | ui-number }

  2. Enter a message to be sent and press Ctrl+Z or Enter to send the message.

Logging Out Online Administrators of Another CLI Administrator Interface

You can log out an online administrator that has logged in to another administrator interface.

  1. View online administrator information, including interfaces to which the administrators log in. Write down the administrators to be logged out and their administrator interfaces.

    display users

  2. In the user view, specify the interface whose logged-in administrators are to be logged out.

    free user-interface { ui-number | ui-type ui-number }

  3. Perform either of the following operations:

    • Enter y and press Enter to log out the administrator that is logged in to the specified administrator interface.
    • Enter n and press Enter to cancel the logout operation.

Configuring Configuration Locking

When multiple users log in to the FW to configure the device, configuration conflicts may occur. To prevent these conflicts from affecting services, you can enable the configuration locking function, which allows only one user to configure the device at a time.

Before configuring configuration locking, you can run the display configuration-occupied user command to check whether the configuration set is locked by another user. If no user has locked the configuration set, you can exclusively lock the configuration.

  1. Enable the configuration locking function.

    configuration exclusive

    After enabling the configuration locking function, you have the exclusive authority to perform configurations on the FW.

    You can run this command in any view.

  2. Enter the system view.

    system-view

  3. Set the timeout period for automatically unlocking the configuration.

    configuration-occupied timeout timeout-value

    After the timeout period expires, the configuration is automatically unlocked, and other users can configure the device.

    By default, the timeout period is 30s.

Copyright © Huawei Technologies Co., Ltd.