CLI: Example for Logging in to the CLI Using the Telnet (HWTACACS Server Authentication)

Procedure

1. If you log in to the CLI for the first time, reference Logging In to the CLI Through the Console Port and establish the Telnet login environment.
2. Enable the Telnet service for IPv4 or IPv6. IPv4 is used as an example.

   <FW> system-view
   [FW] telnet server enable

3. Optional: Configure the login interface.
   

   If you use the default settings of management interface to log in to the device, do not perform this step.

   Because the default IP address of the management interface has been set to 192.168.0.1, the interface has been added to the Trust zone, and the administrator is allowed to log in to the device using Telnet.

   1. Configure the interface IP address and interface-based access control and enable the administrator to log in to the device through Telnet.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 255.255.255.0
      [FW-GigabitEthernet0/0/3] service-manage enable
      [FW-GigabitEthernet0/0/3] service-manage telnet permit
      [FW-GigabitEthernet0/0/3] quit

   2. Add an interface to the security zone.

      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet0/0/3
      [FW-zone-trust] quit

4. Configure the VTY administrator interface.

   Set the authentication mode of the VTY administrator interface to AAA and idle disconnection duration to 5 minutes (the default value is 10 minutes).

   

   The number of default VTY administrator interfaces is five. To add more interfaces, run the user-interface maximum-vty number command.

   [FW] user-interface vty 0 4
   [FW-ui-vty0-4] authentication-mode aaa
   [FW-ui-vty0-4] protocol inbound telnet
   [FW-ui-vty0-4] user privilege level 3
   [FW-ui-vty0-4] idle-timeout 5
   [FW-ui-vty0-4] quit

5. Set the interface IP address, assign the interface to a security zone, and configure a security policy.

   Set the interface IP address.

   [FW] interface GigabitEthernet 0/0/2
   [FW-GigabitEthernet0/0/2] ip address 172.16.0.1 255.255.255.0
   [FW-GigabitEthernet0/0/2] quit

   Add the interface to a security zone.

   [FW] firewall zone dmz
   [FW-zone-dmz] add interface GigabitEthernet0/0/2
   [FW-zone-dmz] quit

   Configure a security policy.

   [FW] security-policy
   [FW-policy-security] rule name rule1
   [FW-policy-security-rule-rule1] source-zone local
   [FW-policy-security-rule-rule1] destination-zone dmz
   [FW-policy-security-rule-rule1] destination-address 172.16.0.2 32
   [FW-policy-security-rule-rule1] action permit
   [FW-policy-security-rule-rule1] quit
   [FW-policy-security] quit

6. Configure a server template. In this example, an HWTACACS server is used.

   [FW] hwtacacs-server template hwtacacs_server
   [FW-hwtacacs-hwtacacs_server] hwtacacs-server authentication 172.16.0.2 49
   [FW-hwtacacs-hwtacacs_server] hwtacacs-server authorization 172.16.0.2 49
   [FW-hwtacacs-hwtacacs_server] hwtacacs-server shared-key cipher Admin@123
   [FW-hwtacacs-hwtacacs_server] test-aaa testname testpassword hwtacacs-template hwtacacs_server
   [FW-hwtacacs-hwtacacs_server] quit

7. Configure an authentication scheme.

   [FW] aaa
   [FW-aaa] authentication-scheme hwtacacs
   [FW-aaa-authen-hwtacacs] authentication-mode hwtacacs local
   [FW-aaa-authen-hwtacacs] quit

   

   In this example, only the HWTACACS server is used for authentication, and the local role is used to authorize the administrator. To use the HWTACACS authorization mode, see CLI: Example for Logging In to the CLI Using STelnet (HWTACACS Authentication and Authorization).

8. Configure the Telnet administrator.
   1. Optional: Create an administrator role.
      

      Ignore this step if the default administrator role is used.

      [FW] aaa
      [FW-aaa] role service-admin
      [FW-aaa-role-service-admin] description policy_object_network_readwrite_and_other_modules_none
      [FW-aaa-role-service-admin] dashboard none
      [FW-aaa-role-service-admin] monitor none
      [FW-aaa-role-service-admin] system none
      [FW-aaa-role-service-admin] network read-write
      [FW-aaa-role-service-admin] object read-write
      [FW-aaa-role-service-admin] policy read-write
      [FW-aaa-role-service-admin] quit

   2. Create an administrator and bind a role to the administrator.

      [FW] aaa
      [FW-aaa] manager-user vtyadmin
      [FW-aaa-manager-user-vtyadmin] password 
      Enter Password: 
      Confirm Password:   
      [FW-aaa-manager-user-vtyadmin] service-type telnet
      [FW-aaa-manager-user-vtyadmin] authentication-scheme hwtacacs
      [FW-aaa-manager-user-vtyadmin] hwtacacs-server hwtacacs_server
      [FW-aaa-manager-user-vtyadmin] quit
      [FW-aaa] bind manager-user vtyadmin role service-admin

   3. Optional: Configure the automatic lockout function upon a failed login.

      By default, an account is locked for 30 minutes after three failed login attempts. In the following example, the account is locked for 10 minutes after two failed login attempts.

      [FW-aaa] lock-authentication enable
      [FW-aaa] lock-authentication failed-count 2
      [FW-aaa] lock-authentication timeout 10

9. Configure the HWTACACS server. The configuration procedure includes adding a device, adding a user.
10. Configure the local administrator PC as follows:
    1. Set the IP address and subnet mask of the administrator PC to 10.3.0.100 and 255.255.255.0.
    2. Run the Telnet software on the PC. Windows OS is used as an example. Choose Start > Run. The Run window is displayed. Enter telnet 10.3.0.1 in Open.

    3. Click OK and start to connect to the FW.
    4. On the login page, enter vtyadmin for Username: and press Enter.
    5. Enter Mydevice@abc for Password: and press Enter to log in to the VTY interface.