
CLI: Example for Logging in to the CLI Using the Telnet (RADIUS Server Authentication)

By default, Telnet is disabled on the device, so you need to establish a Telnet login environment first. This section provides an example of configuring Telnet login to the CLI.

Context

Telnet login is not secure. You are advised to log in to the CLI using STelnet.

Networking Requirements

Figure 1 shows that the FW has a local administrator. The local administrator has a subset of administrator permissions and can use Telnet to log in to the CLI only from a local PC for FW management and maintenance. RADIUS server authentication takes precedence over local authentication: the FW authenticates administrators locally only when the RADIUS server does not respond.

Figure 1 Networking diagram of logging in to the CLI using Telnet

Data Planning

Item                                              | Data                                                      | Description
--------------------------------------------------|-----------------------------------------------------------|---------------------------------------------------------------
VTY interface timeout period                      | 5 minutes                                                 | The default period is 10 minutes.
Maximum number of authentication attempts allowed | 2                                                         | The default value is 3.
Lockout period                                    | 10 minutes                                                | The default period is 30 minutes.
Administrator account/password                    | vtyadmin/Mydevice@abc                                     | Note down the user name and password in case you forget them.
Authentication scheme                             | Name: RADIUS; authentication methods: RADIUS and local    | -
RADIUS server template                            | Name: radius_server; RADIUS server address: 172.16.0.2    | -
IP address of the administrator's PC              | 10.3.0.100/255.255.255.0                                  | -

Configuration Roadmap

  1. Configurations on the FW are as follows:
    1. Enable the Telnet service on the FW.
    2. Configure the administrator login interface.
    3. Configure the VTY administrator interface.
    4. Configure a RADIUS server template, authentication scheme, authorization scheme, and authentication domain.
    5. Optional: Configure the administrator on the FW.
  2. Create an administrator on the RADIUS server and specify the administrator level.
  3. Configure the IP address of the administrator PC and use the Telnet software to log in to the VTY interface.

Procedure

  1. If you are logging in to the CLI for the first time, refer to Logging In to the CLI Through the Console Port and establish the Telnet login environment.
  2. Enable the Telnet service for IPv4 or IPv6. IPv4 is used as an example.

    <FW> system-view
    [FW] telnet server enable

  3. Optional: Configure the login interface.

    If you use the default settings of the management interface to log in to the device, skip this step.

    By default, the IP address of the management interface is 192.168.0.1, the interface is already in the Trust zone, and administrators are already allowed to log in to the device through it using Telnet.

    1. Configure the interface IP address and interface-based access control and enable the administrator to log in to the device through Telnet.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 255.255.255.0
      [FW-GigabitEthernet0/0/3] service-manage enable
      [FW-GigabitEthernet0/0/3] service-manage telnet permit
      [FW-GigabitEthernet0/0/3] quit

    2. Add an interface to the security zone.

      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet0/0/3
      [FW-zone-trust] quit

  4. Configure the VTY administrator interface.

    Set the authentication mode of the VTY administrator interface to AAA and idle disconnection duration to 5 minutes (the default value is 10 minutes).

    By default, there are five VTY administrator interfaces (vty 0 to 4). To add more interfaces, run the user-interface maximum-vty number command.

    [FW] user-interface vty 0 4
    [FW-ui-vty0-4] authentication-mode aaa
    [FW-ui-vty0-4] protocol inbound telnet
    [FW-ui-vty0-4] user privilege level 3
    [FW-ui-vty0-4] idle-timeout 5
    [FW-ui-vty0-4] quit

  5. Set the interface IP address, assign the interface to a security zone, and configure a security policy.

    Set the interface IP address.

    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] ip address 172.16.0.1 255.255.255.0
    [FW-GigabitEthernet0/0/2] quit

    Add the interface to a security zone.

    [FW] firewall zone dmz
    [FW-zone-dmz] add interface GigabitEthernet0/0/2
    [FW-zone-dmz] quit

    Configure a security policy.

    [FW] security-policy
    [FW-policy-security] rule name rule1
    [FW-policy-security-rule-rule1] source-zone local
    [FW-policy-security-rule-rule1] destination-zone dmz
    [FW-policy-security-rule-rule1] destination-address 172.16.0.2 32
    [FW-policy-security-rule-rule1] action permit
    [FW-policy-security-rule-rule1] quit
    [FW-policy-security] quit

  6. Configure a server template. In this example, a RADIUS server is used.

    [FW] radius-server template radius_server
    [FW-radius-radius_server] radius-server authentication 172.16.0.2 1812
    [FW-radius-radius_server] radius-server shared-key cipher Admin@123
    [FW-radius-radius_server] test-aaa testname testpassword radius-template radius_server
    [FW-radius-radius_server] quit

  7. Configure an authentication scheme and authorization schemes.

    # Configure an authentication scheme and set the authentication mode to RADIUS authentication with local authentication as the fallback.

    [FW] aaa
    [FW-aaa] authentication-scheme radius
    [FW-aaa-authen-radius] authentication-mode radius local   //Configure authentication scheme radius.
    [FW-aaa-authen-radius] quit

    # Set the authorization mode to RADIUS.

    [FW] aaa
    [FW-aaa] authorization-scheme radius   //Configure authorization scheme radius.
    [FW-aaa-author-radius] authorization-mode radius
    [FW-aaa-author-radius] quit

  8. Configure an authentication domain and reference the RADIUS server template, authentication scheme, and authorization scheme in it.

    [FW-aaa] domain radius
    [FW-aaa-domain-radius] authentication-scheme radius   //Configure authentication scheme radius.
    [FW-aaa-domain-radius] authorization-scheme radius   //Configure authorization scheme radius.
    [FW-aaa-domain-radius] radius-server radius_server   //Configure RADIUS server radius_server.
    [FW-aaa-domain-radius] service-type administrator-access
    [FW-aaa-domain-radius] quit
    [FW-aaa] quit

  9. Configure the RADIUS server. For the configuration methods of the RADIUS server you use, refer to related documents.
  10. Optional: Configure the Telnet administrator on the FW.
    1. Optional: Create an administrator role.

      Ignore this step if the default administrator role is used.

      [FW] aaa
      [FW-aaa] role service-admin
      [FW-aaa-role-service-admin] description policy_object_network_readwrite_and_other_modules_none
      [FW-aaa-role-service-admin] dashboard none
      [FW-aaa-role-service-admin] monitor none
      [FW-aaa-role-service-admin] system none
      [FW-aaa-role-service-admin] network read-write
      [FW-aaa-role-service-admin] object read-write
      [FW-aaa-role-service-admin] policy read-write
      [FW-aaa-role-service-admin] quit

    2. Create an administrator and bind a role to the administrator.

      [FW] aaa
      [FW-aaa] manager-user vtyadmin
      [FW-aaa-manager-user-vtyadmin] password
      Enter Password:
      Confirm Password:
      [FW-aaa-manager-user-vtyadmin] service-type telnet
      [FW-aaa-manager-user-vtyadmin] authentication-scheme radius
      [FW-aaa-manager-user-vtyadmin] radius-server radius_server
      [FW-aaa-manager-user-vtyadmin] quit
      [FW-aaa] bind manager-user vtyadmin role service-admin

    3. Optional: Configure the automatic lockout function upon a failed login.

      By default, an account is locked for 30 minutes after three failed login attempts. In the following example, the account is locked for 10 minutes after two failed login attempts.

      [FW-aaa] lock-authentication enable
      [FW-aaa] lock-authentication failed-count 2
      [FW-aaa] lock-authentication timeout 10

  11. Configure the local administrator PC as follows:
    1. Set the IP address and subnet mask of the administrator PC to 10.3.0.100 and 255.255.255.0.
    2. Run the Telnet software on the PC. Windows OS is used as an example. Choose Start > Run. The Run window is displayed. Enter telnet 10.3.0.1 in Open.
    3. Click OK and start to connect to the FW.
    4. On the login page, enter vtyadmin for Username: and press Enter.
    5. Enter Mydevice@abc for Password: and press Enter to log in to the VTY interface.

Configuration Scripts

#
 telnet server enable
#
interface GigabitEthernet0/0/2
 ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
 service-manage enable
 service-manage telnet permit
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
 user privilege level 3
 idle-timeout 5
#
aaa
 authentication-scheme radius
  authentication-mode radius local
  authorization-scheme radius
   authorization-mode radius
  domain radius
   authentication-scheme radius
   authorization-scheme radius
   radius-server radius_server
   service-type administrator-access
   internet-access mode password
   reference user current-domain
 #
 manager-user vtyadmin
  password cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@%@
  service-type telnet
  level 15
  authentication-scheme radius
  radius-server radius_server
 #
 lock-authentication enable
 lock-authentication failed-count 2
 lock-authentication timeout 10
 #
 bind manager-user vtyadmin role service-admin
 role service-admin
  description policy_object_network_readwrite_and_other_modules_none
  dashboard none
  monitor none
  system none
  network read-write
  object read-write
  policy read-write
#
radius-server template radius_server
 radius-server authentication 172.16.0.2 1812
 radius-server shared-key cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@%@
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
security-policy
 rule name rule1
  source-zone local
  destination-zone dmz
  destination-address 172.16.0.2 32
  action permit
#
return
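A configuration script like the one above is easy to get subtly wrong (a domain that points at a RADIUS template name that was never defined, or a lockout or idle-timeout value that drifted from the data plan). The following audit script is an added example, not Huawei code or output from this page; it parses a constructed excerpt in the same `#`-separated format and reports deviations from this example's data plan, including a dangling `radius-server` reference under the domain.

```python
import re

# Constructed excerpt of the script above; `radius-server radius-server` under
# `domain radius` does not match the template name radius_server defined below.
SAMPLE_CONFIG = """\
user-interface vty 0 4
 authentication-mode aaa
 idle-timeout 5
#
aaa
 authentication-scheme radius
  authentication-mode radius local
  domain radius
   radius-server radius-server
 lock-authentication enable
 lock-authentication failed-count 2
 lock-authentication timeout 10
#
radius-server template radius_server
 radius-server authentication 172.16.0.2 1812
"""

def sections(config):
    """Split the script on '#' separator lines into lists of stripped command lines."""
    out, cur = [], []
    for line in (l.strip() for l in config.splitlines()):
        if line == "#":
            if cur:
                out.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return out + [cur] if cur else out

def audit(config, idle=5, failed=2, lock=10):
    """Return findings where the script deviates from the data plan or references undefined objects."""
    secs = sections(config)
    lines = [l for s in secs for l in s]
    vty = next((s for s in secs if s[0].startswith("user-interface vty")), [])
    findings = []
    for want in ("authentication-mode aaa", f"idle-timeout {idle}"):
        if want not in vty:
            findings.append(f"VTY interface lacks '{want}'")
    for setting in ("enable", f"failed-count {failed}", f"timeout {lock}"):
        if f"lock-authentication {setting}" not in lines:
            findings.append(f"lock-authentication {setting} is missing")
    defined = {m.group(1) for l in lines if (m := re.fullmatch(r"radius-server template (\S+)", l))}
    for l in lines:
        m = re.fullmatch(r"radius-server (\S+)", l)  # bare reference, e.g. under a domain or manager-user
        if m and m.group(1) not in defined:
            findings.append(f"reference to undefined RADIUS template '{m.group(1)}'")
    return findings
```

Run `audit()` against a full `display current-configuration` dump after the commissioning steps; an empty list means the Telnet/AAA settings match the data plan and every RADIUS reference resolves.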
Copyright © Huawei Technologies Co., Ltd.