VRP System--4

Source: Internet
Author: User
Tags: command, access, ssh, server



User login configuration and Management



When the device acts as a server, a user can log in to the switch through the console port, Telnet, Stelnet (secure Telnet) or the web interface. Stelnet is Huawei's name for SSH (Secure Shell) login: it runs over the SSH protocol, not over SSL. When the device acts as a client, you can log in to other devices from it via Telnet or Stelnet.



Some of this was covered earlier, but as the saying goes, important things should be said three times, so the important points are repeated here.



I. Command-line login modes



Console, Telnet and Stelnet are the three command-line login methods. A brief comparison:

--Console: local login over the serial console cable. It needs physical access but no network or IP configuration, and it is the only way in before a management address exists.

--Telnet: remote login over TCP (port 23 by default). User names, passwords and the whole session travel in plaintext, so it belongs only in an isolated management network, if anywhere.

--Stelnet: remote login over SSH (TCP port 22 by default). The server is authenticated by its host key, the user by password or public key, and the session is encrypted.






II. Web network management login mode



Log in to the switch via HTTP or HTTPS. HTTPS is HTTP carried over SSL/TLS: the server identity is authenticated through the SSL/TLS handshake and the transmitted data is encrypted, so management can be done securely. Plain HTTP, like Telnet, sends credentials in cleartext.






III. Configuring user login to the switch via Telnet



Telnet is an application-layer protocol of the TCP/IP suite that provides remote login and virtual terminal functions over the network, working in server/client mode. Everything it carries, including user names and passwords, is sent in cleartext, so anyone who can capture traffic on the path can read the session; treat the Telnet configuration below as a stepping stone and replace it with Stelnet (section IV) in production.



Key nodes of the configuration task:



1. Configure the Telnet server function and parameters: enable the Telnet server and set its parameters (for example the listening port).

2. Configure the VTY user interfaces for Telnet login: specify which VTY user interfaces may be used for Telnet login and set their properties, including the user privilege level, the authentication mode and inbound/outbound restrictions (ACLs).

3. Configure local AAA authentication for Telnet users: two steps, setting the authentication mode to AAA and creating the local user name and password with the Telnet service type. If the VTY uses password authentication or no authentication, this task is not required.

4. Log in via Telnet from the terminal.



Default values of the Telnet login parameters on Huawei S-series switches (they differ between software releases; display telnet server status shows the values in force on your device):









Configure the Telnet Server features and parameters :






To log in to the device via Telnet from a terminal:



telnet ip-address [ port-number ]



Telnet login management:



--display users [ all ]: view the users logged in on the user interfaces.

--display tcp status: view all currently established TCP connections.

--display telnet server status: view the state and configuration information of the Telnet server.



Configuration example:



Requirements: Telnet login through the VTY virtual channels, AAA authentication, and an ACL that controls which terminals may log in via Telnet.



Idea: 1) configure the VTY user interface properties, specify the VTY user interfaces that support the Telnet service, and apply an ACL to those VTYs to control which endpoints may log in via Telnet, so that only the administrator's PC can log in to the switch; 2) set the AAA authentication mode for Telnet login and create a local user and password for it, together with the Telnet service type and the command access level; 3) enable the Telnet server and configure its properties.



Specific configuration steps:



Disable terminal prompt messages first: after configuration changes the device prints log messages that clutter the screen, so turn them off with undo terminal monitor (user view).



1) Configure the management IP address of the switch so that it can be reached; here the VLANIF 1 interface gets 192.168.1.150/24.






2) Configure the properties of the VTY user interfaces used for Telnet login, making VTY 0 to 7 (eight virtual channels) available. On S-series switches only VTY 0 to 4 exist by default; user-interface maximum-vty 8 raises the limit first.






3) Configure the AAA authentication mode and the user privilege level on the VTY user interfaces used for Telnet login.






4) Configure the ACL that controls which hosts may access the switch via Telnet, and apply it inbound on the VTYs.






5) Create the user name and password for Telnet authentication, with the Telnet service type and the user access level.






6) Enable the Telnet server function and configure the Telnet server's listening port number.






7) Client login test.
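The seven steps above as one complete configuration, in the order a practitioner would type them (ACL before the VTYs that reference it). This is an added example, not the article's own screenshots: the host names SW150 and SW31, the account admin and its placeholder password, ACL number 2001 and Telnet port 1025 are assumptions; the addresses 192.168.1.150/24 and 192.168.1.31 and VTY 0 to 7 come from the article. Lines starting with # are comments.

```text
# Added example (not from the article). Switch 192.168.1.150, only 192.168.1.31 may log in.
<HUAWEI> undo terminal monitor
<HUAWEI> system-view
[HUAWEI] sysname SW150
# 1) management address on VLANIF 1
[SW150] interface Vlanif 1
[SW150-Vlanif1] ip address 192.168.1.150 255.255.255.0
[SW150-Vlanif1] quit
# 4) basic ACL: permit only the administrator's host. The explicit deny matters:
#    on S-series switches a login that matches no rule is allowed, not blocked.
[SW150] acl 2001
[SW150-acl-basic-2001] rule 5 permit source 192.168.1.31 0
[SW150-acl-basic-2001] rule 10 deny
[SW150-acl-basic-2001] quit
# 2)+3) eight VTYs (default is 0-4), Telnet only, AAA, level 3, ACL bound inbound
[SW150] user-interface maximum-vty 8
[SW150] user-interface vty 0 7
[SW150-ui-vty0-7] protocol inbound telnet
[SW150-ui-vty0-7] authentication-mode aaa
[SW150-ui-vty0-7] user privilege level 3
[SW150-ui-vty0-7] acl 2001 inbound
[SW150-ui-vty0-7] idle-timeout 5 0
[SW150-ui-vty0-7] quit
# 5) local AAA account. "Admin@123" is a placeholder, change it.
#    Older releases use "password cipher" instead of "irreversible-cipher".
[SW150] aaa
[SW150-aaa] local-user admin password irreversible-cipher Admin@123
[SW150-aaa] local-user admin service-type telnet
[SW150-aaa] local-user admin privilege level 3
[SW150-aaa] quit
# 6) Telnet server on a non-default port (1025 is an assumption)
[SW150] telnet server enable
[SW150] telnet server port 1025
[SW150] quit
# 7) from the 192.168.1.31 switch (user view)
<SW31> telnet 192.168.1.150 1025
# verification on SW150: server state, who is logged in, ACL hit counts, TCP sessions
<SW150> display telnet server status
<SW150> display users
<SW150> display acl 2001
<SW150> display tcp status
```

If a second host must be allowed, add another permit rule with a lower number than the deny rather than widening the wildcard; and once Stelnet works (section IV), remove Telnet with undo telnet server enable.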









For the test, add a second switch:






Configure the IP address of this switch as 192.168.1.31 for the Cloud connection:






The 31 switch can now ping 150:






Then try to telnet to it:






It cannot succeed, because the ACL does not permit 192.168.1.31 yet. Configure the ACL on 150:






Then telnet again from the 31 switch:






The login now succeeds, showing that the ACL configuration has taken effect. Look at the ACL (rule hit counts):






Look at the currently logged-in users:






One console login, and two Telnet logins on VTY0 and VTY1.



IV. Configuring user login to the switch via Stelnet



Stelnet (Secure Telnet) is login over the SSH (Secure Shell) protocol. Client and server first negotiate a secure transport connection, and SSH then provides secure remote login over untrusted networks through the following measures:



--Support for RSA (Rivest-Shamir-Adleman) and DSA (Digital Signature Algorithm) for authentication: RSA can both encrypt and digitally sign data, DSA is used only for digital signatures.



--Support for the encryption algorithms DES (Data Encryption Standard), 3DES and AES128 (Advanced Encryption Standard, 128-bit) to encrypt the user name, password and transmitted data. DES and 3DES are obsolete; where the software release allows it, restrict the server to AES.



Huawei S-series switches support both the SSH server and the SSH client function; as an SSH client, however, only SSH2 is supported. SSH1 should not be used on the server side either.



Key nodes of the configuration task:



1. Configure the Stelnet server function and parameters: generate the server's local key pair, enable the Stelnet server and set server parameters such as the listening port, key pair update interval, SSH authentication timeout and SSH authentication retry count.

2. Configure the user interfaces for SSH user login: the VTY user priority, the authentication mode (only AAA can be selected), SSH protocol support and the other VTY user interface properties.

3. Configure the SSH users: user name and password, authentication method, service type and so on.

4. Log in through Stelnet.






Configuring Stelnet Server features and parameters



The Stelnet server function and parameter configuration steps are described in the following table. They mainly cover creating the local SSH key pair that the server uses to authenticate itself and set up the encrypted session, enabling the Stelnet server function, and configuring the SSH listening port, the SSH key update interval, the SSH authentication retry count and the SSH connection timeout.






Configuring the SSH User



S-series switches support six SSH user authentication methods: rsa, dsa, password, password-rsa, password-dsa and all. password-rsa requires both password and RSA authentication to succeed, password-dsa requires both password and DSA authentication; all means that password, RSA or DSA authentication, any one of them, is sufficient.






Password verification relies on the AAA implementation, so when users log in with password, password-rsa or password-dsa authentication, a local user of the same name must be created in the AAA view. If the SSH user uses password authentication, only the local RSA or DSA key pair (the host key) needs to be generated on the SSH server; if the SSH user uses RSA or DSA authentication, a local RSA or DSA key pair must be generated on both the server and the client, and the client's public key must be configured on the server (the client in turn learns and checks the server's public key).



If the SSH user uses password verification (password, password-rsa, password-dsa), the configuration in table 3-18 is also required; if the user uses RSA or DSA verification (rsa, dsa, password-rsa, password-dsa), the configuration in table 3-19 is also required; password-rsa and password-dsa users need both the AAA user and the RSA or DSA public key, so both tables 3-18 and 3-19 apply.






As explained above, the local-user user-name here must be the same as the SSH user name (password verification is done by AAA).






Stelnet Login Management



--display ssh user-information [ username ]: view the SSH user configuration on the SSH server (the switch). Without a user name, all SSH users are shown.

--display ssh server status: view the global configuration of the SSH server.

--display ssh server session: view the sessions of SSH clients connected to the SSH server.



Configuration example: logging in to the switch via Stelnet



The switch address is 192.168.1.150. Two login users, client001 and client002, are configured on the SSH server: client001 logs in with password authentication, client002 with RSA authentication.



Basic configuration ideas:



Login to the VRP system is through Stelnet (the SSH service), which also uses the VTY user interfaces.



1) client001 uses password authentication, so only SSH client software needs to be installed beforehand; client002 uses RSA authentication, so in addition to the SSH client software a local RSA key pair must be generated on the client, and a server key pair on the switch, for RSA authentication. SSH users have six authentication methods: password, rsa, password-rsa, dsa, password-dsa and all. For password, password-rsa and password-dsa, a local user of the same name must be configured on the server; for rsa, password-rsa, dsa, password-dsa and all, the RSA or DSA public key of the SSH client must be saved on the server.



2) Configure the VTY user interfaces used by Stelnet login users: enable SSH on them and set AAA authentication and the user level.



3) Generate the local key pair (host key pair and server key pair) on the switch that acts as SSH server, so that the SSH server and SSH clients can exchange data securely.



4) Enable the Stelnet service on the SSH server, create the SSH users client001 and client002 with password authentication and RSA authentication respectively, and configure client001's password, user level and SSH service type.



5) Log in to the SSH server via Stelnet as client001 and as client002.



Specific configuration steps:



1) Configure the VTY user interface properties used by Stelnet login users: the AAA authentication mode, SSH protocol support and the user level:






2) Create a new SSH user named client001 with password authentication, and configure the password required for AAA authentication, the user level (level 3 here) and the SSH service type:






3) Create a new SSH user named client002 with RSA authentication:






4) Install PuTTY (SSH-capable terminal software) on the terminal. On the client002 terminal run puttygen.exe to generate the public key and the private key as two files:






The saved public key is key.pub and the private key is private.ppk (when saving the public key choose "All files" as the file type; the private key is saved as a .ppk file). The key type, see the first figure, is SSH-2 RSA with 1024 bits. 1024-bit RSA is below current minimums; choose 2048 bits in PuTTYgen (and on the switch) for anything beyond a lab.



Then run sshkey.exe:






Click Browse, locate the public key file key.pub generated in the previous step, click Convert to convert the public key into the encoding the switch accepts (keep the default format), then save; here it is saved as a text file, key.txt.



5) Run rsa local-key-pair create on the SSH server to generate the server's local RSA key pair (also 1024 bits here; 2048 is the size to choose today). This is the key pair the server uses to authenticate itself to clients such as client002 and to establish the encrypted session with them.






Use display rsa local-key-pair public to view the generated public key information:






6) Configure the RSA public key generated on client002 on the SSH server and bind it to SSH user client002, so that the server can authenticate client002 with it. After public-key-code begin, paste the client002 RSA public key (the contents of key.txt obtained in the conversion above) at the prompt.






The last command, ssh user client002 assign rsa-key rsakey001, binds the configured public key rsakey001 to client002.



7) Enable the Stelnet service on the SSH server and set the service type of SSH users client001 and client002 to stelnet.
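Steps 1) to 7) above, together with the server parameters listed under "Configuring Stelnet Server features and parameters", as one complete switch-side configuration. This is an added example, not the article's screenshots: the host name SW150, the server parameter values and the 2048-bit modulus (instead of the article's 1024) are assumptions; the user names client001 and client002, the password 001001, the key name rsakey001 and the address 192.168.1.150 come from the article; the hex body of the peer public key is a placeholder for the contents of key.txt.

```text
# Added example (not from the article). SSH server on 192.168.1.150,
# client001 = password authentication, client002 = RSA public-key authentication.
<SW150> system-view
# 1) VTYs: AAA, SSH only, level 3. If ACL 2001 from the Telnet example exists,
#    "acl 2001 inbound" can stay here as well; "protocol inbound all" would keep Telnet open.
[SW150] user-interface vty 0 7
[SW150-ui-vty0-7] authentication-mode aaa
[SW150-ui-vty0-7] protocol inbound ssh
[SW150-ui-vty0-7] user privilege level 3
[SW150-ui-vty0-7] quit
# 3) host/server key pair. The command prompts for the modulus size: enter 2048, not 1024.
[SW150] rsa local-key-pair create
[SW150] display rsa local-key-pair public
# 2) client001: password authentication, so an AAA local user of the same name is needed.
#    "001001" is the article's value; newer releases reject it (minimum 8 characters,
#    several character classes), so use a real password there.
[SW150] aaa
[SW150-aaa] local-user client001 password irreversible-cipher 001001
[SW150-aaa] local-user client001 service-type ssh
[SW150-aaa] local-user client001 privilege level 3
[SW150-aaa] quit
[SW150] ssh user client001 authentication-type password
[SW150] ssh user client001 service-type stelnet
# 3)+6) client002: import the PuTTYgen public key converted with sshkey.exe, then bind it.
#    The hex below is a placeholder; paste the contents of key.txt instead.
[SW150] rsa peer-public-key rsakey001
[SW150-rsa-public-key] public-key-code begin
[SW150-rsa-key-code] 3047 0240 ... (contents of key.txt) ...
[SW150-rsa-key-code] public-key-code end
[SW150-rsa-public-key] peer-public-key end
[SW150] ssh user client002 authentication-type rsa
[SW150] ssh user client002 assign rsa-key rsakey001
[SW150] ssh user client002 service-type stelnet
# 7) server parameters (values are assumptions) and enable the Stelnet service
[SW150] ssh server rekey-interval 1
[SW150] ssh server authentication-retries 3
[SW150] ssh server timeout 60
[SW150] stelnet server enable
# once SSH logins are confirmed, close the plaintext path
[SW150] undo telnet server enable
[SW150] quit
# verification
<SW150> display ssh server status
<SW150> display ssh user-information
<SW150> display ssh server session
<SW150> display users
# from another VRP switch acting as SSH client (accept the host key on first contact)
<SW31> system-view
[SW31] ssh client first-time enable
[SW31] quit
<SW31> stelnet 192.168.1.150
```

The order matters in two places: the local key pair must exist before stelnet server enable has anything to offer, and the peer public key must be configured before ssh user client002 assign rsa-key rsakey001 can reference it. Compare the fingerprint shown by display rsa local-key-pair public with the one PuTTY presents on first connection before clicking Yes; that check is what makes the host-key prompt meaningful.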






8) Test logging in to the switch via Stelnet:



First client001: open PuTTY, enter the IP address of the switch, select SSH as the protocol so as to connect to the SSH server with password authentication, then click Open.






(Perhaps the default is the password authentication method, but where can you see the password verification?? I didn't find it.) The prompt after Open:






Click Yes (this accepts the server's host key; compare its fingerprint with the key shown on the switch first), and the login screen appears:






Enter the user name client001 and the password 001001; the login succeeds.



Test the client002 login: run PuTTY, start from the same screen, enter the address and port, select SSH, then click SSH in the tree on the left:





Select version 2 (the default), then click Auth on the left:






Click Browse, select the local private key file, that is the private.ppk generated earlier, then click Open; the prompt appears:






Select Yes, and the login screen appears:






Note that because client002 uses only RSA authentication there is no password entry: after the user name is entered, the session is in the system directly.



Use the display commands to view the users and the SSH server status:















Question: With the rsa local-key-pair create command, the generated key pairs are switchname_host and switchname_server, as seen in step 5) above. What I do not understand is the following explanation:






Host key pair and server key pair: is this one pair (public key) or two pairs? The host key pair has a public and a private key, and the server key pair also has a public and a private key???? What is the function of the server key pair???











