This section describes how to configure a virtual system administrator, the login method for the configured administrator, and the interface for the administrator to log in to the virtual system.
Once a virtual system is created, the public system administrator can configure one or more administrators for the virtual system. You can log in to and manage the virtual system using the accounts of these administrators. The public system administrator can create system administrators for a virtual system only on the configuration page of the virtual system. The method for creating a virtual system administrator is the same as that for creating a public system administrator.
| Item | Data |
|---|---|
| Administrator | User name: admin@@vsysa; Authentication type: Local authentication; Password: Vsysadmin@123; Role: System administrator; Trusted hosts: 10.3.0.99/32 and 10.3.0.100/32 |
| Login interface | Interface: GE0/0/3; Security zone: Trust; IP address: 10.3.0.1/24; Virtual system: vsysa. NOTE: If an interface has been assigned to a virtual system, you can use this interface to log in to both the virtual system and the public system (the administrator name must be suffixed with @@public). If the interface is not assigned to any virtual system and belongs to the public system, you can log in to the public system and to virtual systems from this interface. |
| Login method | Telnet. NOTICE: Telnet login is not secure. You are advised to log in to the CLI using STelnet. NOTE: The FW supports login over STelnet. For details, see CLI: Example for Logging In to the CLI Using STelnet (Local Authentication) and CLI: Example for Logging In to the CLI Using STelnet (RSA Authentication). Note that the local key in the two preceding examples can be generated only on the public system; all virtual systems share the configuration of the public system. The ssh user command cannot distinguish cases, so when you create SSH users for a virtual system, admin@@vsysa and admin@@VSYSA are the same name. However, after you run the ssh user command to create an SSH account admin@@vsysa, the account can be used to log in to both vsysa and VSYSA with their respective passwords. |
```
<FW> system-view
[FW] telnet server enable
```
# Configure five VTY administrator interfaces that support AAA and Telnet and set the level of the VTY administrator interfaces to 3.
```
[FW] user-interface vty 0 4
[FW-ui-vty0-4] authentication-mode aaa
[FW-ui-vty0-4] user privilege level 3
[FW-ui-vty0-4] protocol inbound telnet
[FW-ui-vty0-4] quit
```
To ensure that the administrator can log in to the device, you are advised to set the level of the VTY administrator interfaces to 3 or higher.
By default, an account is locked for 30 minutes after three consecutive login failures. In the following example, the account is locked for 10 minutes after five consecutive login failures.
```
[FW] aaa
[FW-aaa] lock-authentication enable
[FW-aaa] lock-authentication failed-count 5
[FW-aaa] lock-authentication timeout 10
```
# Switch to the virtual system.
```
[FW] switch vsys vsysa
```
# Configure a trusted host.
```
<FW-vsysa> system-view
[FW-vsysa] acl 2001
[FW-vsysa-acl-basic-2001] rule permit source 10.3.0.99 0.0.0.0
[FW-vsysa-acl-basic-2001] rule permit source 10.3.0.100 0.0.0.0
[FW-vsysa-acl-basic-2001] quit
```
# Create the administrator account admin@@vsysa, set the administrator level to 3, set the login method to Telnet, bind ACL 2001 as the trusted-host list, and set the maximum number of connections for the account to 5.
```
[FW-vsysa] aaa
[FW-vsysa-aaa] manager-user admin@@vsysa
[FW-vsysa-aaa-manager-user-admin@@vsysa] password
Enter Password:
Confirm Password:
[FW-vsysa-aaa-manager-user-admin@@vsysa] level 3
[FW-vsysa-aaa-manager-user-admin@@vsysa] service-type telnet
[FW-vsysa-aaa-manager-user-admin@@vsysa] acl-number 2001
[FW-vsysa-aaa-manager-user-admin@@vsysa] access-limit 5
[FW-vsysa-aaa-manager-user-admin@@vsysa] quit
[FW-vsysa-aaa] quit
```
The name of a virtual system administrator must be suffixed with @@ followed by the virtual system name (for example, admin@@vsysa).
If a third-party authentication server is used to authenticate the virtual system administrator, the user name configured on the authentication server does not need to carry the suffix "@@virtual system name". For example, if the authentication server needs to authenticate administrator admin@@vsysa of virtual system vsysa, configure user name admin on the authentication server.
To ensure that the administrator can log in to the device properly, you are advised to set the administrator level to 3 or higher.
The maximum number of the connections for the account must be smaller than the number of online users configured for the virtual system.
# Associate the administrator with the system administrator role.
```
[FW-vsysa-aaa] bind manager-user admin@@vsysa role system-admin
[FW-vsysa-aaa] quit
```
Trusted hosts are the IP addresses of the hosts that are allowed to log in to the virtual system. If the IP address of the administrator PC is fixed, add the IP address as a trusted host so that the administrator can log in to the virtual system using the PC. If the IP address of the administrator PC is dynamically allocated, do not configure any trusted hosts. Otherwise, the administrator may fail to log in to the virtual system if the IP address of the administrator PC changes.
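The constraints stated above (the @@ suffix, level 3 or higher, an access limit below the virtual system's online-user limit, a trusted-host ACL that actually exists, Telnet versus STelnet) and the case-insensitive behaviour of the ssh user command noted in the table are easy to check before a configuration is pushed. The following Python lint is an added example, not part of the product documentation; it parses a prompt-stripped copy of the commands shown on this page, and the online-user limit is passed in as an assumed input because the page does not show the command that sets it.

```python
import re

# Constructed sample: the commands from this page with the CLI prompts stripped.
SAMPLE_CONFIG = """\
acl 2001
rule permit source 10.3.0.99 0.0.0.0
rule permit source 10.3.0.100 0.0.0.0
manager-user admin@@vsysa
level 3
service-type telnet
acl-number 2001
access-limit 5
"""

def lint_vsys_admin(config, vsys_name, max_online_users):
    """Return findings for one virtual-system administrator block.

    Checks: name suffixed with @@<vsys name>, level >= 3, access-limit smaller
    than the vsys online-user limit, referenced ACL defined, Telnet flagged.
    max_online_users is the vsys's configured online-user limit (assumed input).
    """
    findings, acls, fields = [], set(), {}
    for line in config.splitlines():
        m = re.match(r"(\S+)\s+(.*)", line.strip())
        if not m:
            continue  # single-word commands such as quit carry no value
        key, value = m.groups()
        if key == "acl":
            acls.add(value)
        else:
            fields[key] = value  # last occurrence wins, as on the device
    user = fields.get("manager-user", "")
    if not user.endswith("@@" + vsys_name):
        findings.append(f"{user or '<none>'}: name must be suffixed with @@{vsys_name}")
    if int(fields.get("level", 0)) < 3:
        findings.append("level below 3: administrator may be unable to log in")
    if fields.get("service-type") == "telnet":
        findings.append("service-type telnet: cleartext login, prefer STelnet")
    if fields.get("acl-number") and fields["acl-number"] not in acls:
        findings.append(f"acl-number {fields['acl-number']}: ACL is not defined")
    if int(fields.get("access-limit", 0)) >= max_online_users:
        findings.append("access-limit must be smaller than the vsys online-user limit")
    return findings

def ssh_user_collisions(names):
    """Group SSH user names that the case-insensitive ssh user command treats as one."""
    groups = {}
    for n in names:
        groups.setdefault(n.lower(), []).append(n)
    return [g for g in groups.values() if len(g) > 1]
```

Run against the page's own configuration, the only finding is the Telnet service type; the collision helper reports that admin@@vsysa and admin@@VSYSA would be a single SSH account.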
# Configure the interface IP address and interface-based access control and enable the administrator to log in to the device through Telnet.
```
[FW-vsysa] interface GigabitEthernet 0/0/3
[FW-vsysa-GigabitEthernet0/0/3] ip address 10.3.0.1 255.255.255.0
[FW-vsysa-GigabitEthernet0/0/3] service-manage enable
[FW-vsysa-GigabitEthernet0/0/3] service-manage telnet permit
[FW-vsysa-GigabitEthernet0/0/3] quit
```
# Add the interface to a security zone.
```
[FW-vsysa] firewall zone trust
[FW-vsysa-zone-trust] add interface GigabitEthernet0/0/3
[FW-vsysa-zone-trust] quit
```
After the configuration is complete, the virtual system administrator can log in to the virtual system as follows:
The following uses the Windows operating system as an example. Choose . The Run dialog box is displayed. Enter telnet 10.3.0.1 in the Open text box.