VRP System--5

Configuring users to log on to the switch via HTTP Web managed

Because ENSP can't emulate HTTP login, it's just a little bit simpler.

The configuration tasks for the entire HTTP login method are as follows:

1. Upload and Load Web page files: Before enabling the HTTP service feature, you need to make sure that the Web page file is already loaded on the switch.

2. Configure the SSL policy and load the digital certificate: Perform this configuration task only if you need to reload the SSL certificate.

3, configure the HTTP service features: including the HTTPS and HTTP service enable, port number, session time-out and so on.

4, configure the HTTP User: including HTTP user name and password, user level, access type and so on.

5. Configuring HTTP Access control: Includes configuring ACL rules and HTTP basic access control lists, which are only performed when an ACL is required to control the user's login to the switch via HTTP.

6. User login via HTTP.

upload Web page file : Web page file must be stored in the memory root directory, and must be "*.web.zip" or "*.web.7z" format, through FTP, SFTP and other ways to upload to the device memory, the name is generally "product-software version number." Web Administrator file version number. wab.7z ".

loading this web page file : System view, HTTP server load File-name

The Web page file contains an SSL certificate that is SSL verified when logged in with HTTP, ensuring that the user is secure (the current HTTP login skips to HTTPS logins, and then jumps back to HTTP when the login is successful).

Configure the SSL policy and load the digital certificate : Upload the server digital certificate file and the private key file, which must be saved in the Flash: Memory root directory of the security directory.

Configure the HTTP Service feature : Start HTTP, HTTPS (user logon verification There is a jump that requires HTTPS, you must start the HTTPS Service) service feature, configure the SSL policy, HTTP service Port, HTTP session timeout, and free HTTP connections.

Configure HTTP access control : It is also controlled by ACLs.

HTTP Web Managed login Management : Perform display Httpuser [username username] at the command line to view summary information for current online users, display HTTP Server view current HTTP servers information

Specific configuration steps:

To load a Web page file:
[Httpserver]http Server Load webtest.web.7z
Enable HTTPS and HTTP service features
[Httpserver]http Secure-server Enable
[Httpserver]http Server Eanble
Create HTTP users and configure levels and support for HTTP services
[HTTPSERVER]AAA
[Httpserver-aaa]local-user admin Password cipher Huawei
[Httpserver-aaa]local-user admin Privilege Level 15
[Httpserver-aaa]local-user admin Service-type http
[Httpserver-aaa]quit

Then log in to test: Text browser, enter HTTP://IP

Configure users to log in to the switch via HTTPS Web network management

HTTPS binds HTTP and SSL, authenticates the server through SSL, and encrypts the transmitted data.

The configuration tasks are as follows:

1, Upload and load Web page files;

2, Upload server digital certificate file and private key file;

3, configure the SSL policy and load the digital certificate;

4, configure the HTTPS service function;

5, configure the HTTP user;

6, configure HTTP access control;

7, the user HTTPS mode login.

The server digital certificate format is in PEM format, ANSI format, and PFX format, the PEM format is the most common one, and the file extension is. PEM, which is suitable for text-mode transmission between systems. The ANSI format file extension is. der, which is the default format for most browsers, and the PFX format extension is. pfx, which is a portable format and binary format.

Configure the HTTPS service to listen for port numbers by Httpsecure-server Port Port-number.

Display SSL policy [Policy-name] View the configured SSL policies and the digital certificates that are loaded.

Specific configuration:

Upload digital certificate files and Web page files and upload them in FTP mode
[Huawei]sysname Https-server
[HTTPS-SERVER]FTP Server Eanble #---Enable FTP server functionality
#---The following are the authentication information, authorization method, and authorization directory for configuring the FTP user.
[HTTPS-SERVER]AAA
[Https-server-aaa]local-user Huawei Password Cipher huawei1
[Https-server-aaa]local-user Huawei Service-type FTP
[Https-server-aaa]local-user Huawei Privilege Level 15
[Https-server-aaa]local-user Huawei Ftp-directory Flash:
[Https-server-aaa]quit
[Https-server]quit
To upload a file on the client:
FTP IP
Put Local-filename [Remote-file-name]
Assuming that the upload digital certificate and key files are 1_servercert_pem_rsa.pem and 1_serverkey_pem_rsa.pem, the Web file is web001.7z
Configure SSL policies and load digital certificates
#---The following to create the security directory and copy the SSL digital certificate file from the storage root to the security directory
Create an HTTPS server SSL policy and load the PEM format digital certificate via certificate load Pem-cert.
[Https-server]ssl Policy Http_server
[Https-server-ssl-policy-http_server]certificate load Pem-cert 1_servercert_pem_rsa.pem key-pair RSA Key-file 1_ SERVERKEY_PEM_RSA.PEM Auth-code cipher 123456
[Https-server-ssl-policy-http_server]quit
The display SSL policy allows you to see the loaded digital certificate details.
Loading Web page Files
[Https-server]http Server Load web001.7z
Enable HTTPS server, create HTTP user (note that the user is still an HTTP user, not an HTTPS user)
[Https-server]http secure-server Ssl-policy Http_server
[Https-server]http Secure-server Enable
[HTTPS-SERVER]AAA
[https-server-aaa]local-use admin Password cipher Huawei
[Https-server-aaa]local-use admin Privilege level15
[Https-server-aaa]local-use admin Service-type http
[Https-server-aaa]quit

Login test: HTTPS://IP

Common management operations after logging in

1. Show users online: Display user [all]

2, clear the online User: Kill User-interface {ui-number | ui-type Ui-number} is not directly for the user account operation, but the corresponding user interface connection is disconnected.

3, set the switch User level password: Super password [levels user-level] [cipher password]

4. Switch user levels: Super [level]

5, Lock User Configuration rights: Multiple users logged in at the same time may have configuration conflicts, you can set the rights of mutual exclusion, to ensure that only one user can be configured. Executes the configuration exclusive, executing configuration-occupied timeout timeout-value Setting the time interval for self-unlocking. Perform display configuration-occupied user to view the information for the locked configuration.

6. Send message to other user interface: send {all | ui-type ui-number | ui-number}, executed in user view

7, automatically match the previous level view: The system view executes the matched Upper-view command, allowing the Undo command to go to the previous level view execution.

8. Lock the user interface: Lock

9. Allow user view commands to execute in System view: Run COMMAN-LINE,ENSP Virtual S5700 does not have this command.

10. Set the minimum length of plaintext password allowed by the switch: Set password min-length length, undo Set Password Min-length

Common configuration Error analysis and troubleshooting

1. Telnet login failure Analysis and troubleshooting

(1) See if the Vty user interface used is allowed to support the Telnet service.

Using User-interface vty to enter the corresponding user interface view, perform display this to see if the protocol Inbound command for the Vty user interface is set to Telnet or all

(2) Check whether the number of users logging on to the switch has reached the upper limit

Perform display users to see if the current vty channel is all occupied, the default Vty channel is 5, can perform display user-interface maximum-vty view the maximum number, execute User-interface Maximum-vty 15 is configured to the maximum number.

(3) See if ACLs are properly configured under the Vty user interface view on the switch

Executes the user-interface vty into the user interface view, performing the display this to see if the ACL is configured, remember the ACL number, and then execute the dispaly ACL acl-number see if there is a deny rule in the control list that restricts the login , in ACL view, undo rule Rule-id Deletes the rules, and rule permit source increases the license.

(4) Check if login verification is set correctly under Vty user interface view

With authentication-mode password, login must enter an accurate password, using Authentication-mode AAA, you must use the Local-user user-name Password command to create the user.

2. Failure analysis and elimination of Stelnet login failure

(1) Check whether the SSH service is allowed under the Vty user interface view.

Execute User-interface vty Enter view, display this to see if protocol inbound is SSH or all

(2) Check whether the number of users logged on to the SSH server has reached the limit

Display users, display User-interface maximum-vty

(3) Check whether the ACL is bound on the SSH server vty

If bound, view the appropriate ACL

(4) Check whether the SSH version on the SSH client and server is compatible

Perform the display SSH server status to view the SSH version number, if you are using a SSHV1 version of the client logon server, you need to perform an SSH server compatible-ssh1x enable to configure the SSH servers compatible SSHV1 version.

(5) Check if SSH server on SSH server is started

Display SSH server status, if not started, SSH server enable

(6) To see if the RSA or DSA public key is configured on the SSH server side

When the switch as an SSH server must be configured with a local key pair, perform the display RSA Local-key-pair public or the display DSA Local-key-pair Public command to view the current server-side key pair information. If NULL, indicates that the server-side key pair is not configured, performing the RSA Local-key-pair Create or DSA Local-key-pair creation command.

(7) Check if SSH user is configured on the SSH server side

Display SSH user-information, if no user exists, execute SSH user, ssh user authentication-type and SSH user Service-type

(8) Check if the SSH client is capable of first-time authentication.

Perform the display this in system view to see if the SSH client is capable of the SSH client's first authentication function. If it is not used, the first time the Stelnet client logs on to the SSH server due to the failure of the RSA public key validation check on the SSH server, which causes the login to fail, the SSH client first-time enable command is required to enable the first authentication function. After enabling the SSH client to authenticate for the first time, the SSH server's RSA or DSA public key is not checked for validity when the STELNET/SFTP client first logs on to the SSH server, because at this point stelnet/ The SFTP client has not yet saved the RSA or DSA public key for the SSH server.

Remote file Management

Support for file management: Remote file management via FTP, TFTP, SFTP, SCP, or FTPS. Switches can act as server and client roles respectively

1, through the FTP file operation, previously learned, briefly over

1) Configure FTP server functions and Parameters; 2) Configure FTP Local Users, 3) Configure FTP access control (ACL), 4) User access via FTP

FTP Access Management: Display Ftp-server, display ftp-users, display ACL

Configuration examples of file operations via ftp:

<sshserver>system-view
Enter system view, return user view with Ctrl + Z.
[SSHSERVER]FTP Server Enable
Info:succeeded in starting the FTP server.
[SSHSERVER]AAA
[Sshserver-aaa]local-user Huawei Password Cipher huawei1
Info:add a new user.
[Sshserver-aaa]local-user Huawei Privilege Level 15
[Sshserver-aaa]local-user Huawei Service-type FTP
[Sshserver-aaa]local-user Huawei Ftp-directory flash:/
[Sshserver-aaa]quit
[Sshserver]

File operation via SFTP

SFTP is part of the SSH protocol and needs to be connected via the Vty user interface (the FTP protocol does not need to be connected via the Vty user interface).

Steps to configure a task:

1. Configure the SFTP server function and parameters: including server local key pair generation, SFTP server function enable and parameter configuration: Listening port, key pair update time, SSH authentication timeout, SSH authentication retry count, etc.

2. Configure the user interface for SSH user login: Includes user authentication method of Vty user interface, vty user interface supports SSH protocol and other properties.

3, configure the SSH User: including the SSH user's creation, the authentication way, the service way, the SFTP service authorization directory and so on.

4. The user accesses the switch via the SFTP protocol

Accessing the switch from the terminal via SFTP requires the terminal to install the SSH client software, such as OpenSSH or putty, to OpenSSH as an example, enter SFTP in the Windows command Window [email protected],sftp client must manually enter the full command

Example of configuration for file operation via SFTP:

The process of logging in via PSFTP software:

File operations via SCP

SCP is also part of the SSH protocol and is a remote file replication technology based on SSH protocol.

To configure the task step:

1, configure the SCP server function and parameters: including the server local key pair generation, SCP server function and parameter settings: Listening port, key pair update time, SSH authentication timeout, SSH authentication number and so on.

2. Configure the user interface for SSH user login: Vty interface, with SFTP

3, configure the SSH User: including creation, authentication, service and so on.

An SCP-enabled SSH client, such as OpenSSH and putty, needs to be installed at the terminal. Take OpenSSH as an example:

SCP "-port port-number | -a sourceaddress | -I interface-type interface-number | -r | -cipher {des | 3des | aes128} | -C " sourcefile destinationfile command to upload files directly to the server or download files from the server to local.

SCP Access Management: Display scp-client, display ssh user-information, display SSH server status, display SSH server session.

Configuration instance:

Configure the SFTP on the basis of the previous step:

<ssh-server>sys
Enter system view, return user view with Ctrl + Z.
[SSH-SERVER]SCP Server Enable
Info:succeeded in starting the SCP server.
[ssh-server]ssh user scpu authentication-type password
Info:succeeded in Adding a new SSH user.
[ssh-server]ssh user scpu Service-type?
All Set all service type
SFTP Set sftp Service type
Stelnet Set stelnet Service type
[ssh-server]ssh user scpu Service-type all
[Ssh-server]ssh user Scpu?
Assign Set the key
Authentication-type Authentication Type
Authorization-cmd Authorization Mode
Service-type Set Service Type
Sftp-directory Set SFTP Directory
<cr>
[SSH-SERVER]AAA
[Ssh-server-aaa]local-user scpu Password cipher 321321
Info:add a new user.
[Ssh-server-aaa]local-user SCPU Privilege Level 15
[Ssh-server-aaa]local-user scpu Service-type?
8021x 802.1x User
Bind bind Authentication User
FTP FTP User
HTTP HTTP User
PPP PPP User
SSH SSH user
Telnet telnet user
Terminal Terminal user
Web Web authentication User
X25-pad X25-pad User
[Ssh-server-aaa]local-user scpu service-type SSH
[Ssh-server-aaa]quit
<ssh-server>dir
Directory of flash:/


IDX Attr Size (Byte) Date time FileName
0 drw--21:26:42 src
1 drw--May 10:58:18 compatible
2 drw--00:00:52 Resetinfo
3-rw-481 15:40:22 Vrpcfg-test.zip

32,004 KB Total (31,940 KB free)
<SSH-Server>

Note: The SSH user's service-type is all, there is no SCP option; the Service-type of Local-user created by AAA is SSH;SSH user does not have scp-directory, the default is to access Flash:

File operation via FTPs

FTPS combines the FTP protocol with the SSL protocol to authenticate the server via SSL and encrypt the transmitted data.

To configure a task step:

1, Upload server digital certificate and private key file;

2, configure the SSL policy and load the digital certificate, with HTTPS configuration;

3. Configure FTPs server functions and parameters, including configuring SSL policy, enable and parameters for FTPs server: port, source address, timeout, etc.

4. Configure FTP Local Users: Includes configuring the local User Service type and authorization directory.

5, through the FTPS access switch;

Configuration instance:

[Huawei]sysname Ftps-server
[FTPS-SERVER]FTP Server Eanble #---Enable FTP server functionality
[FTPS-SERVER]AAA
[Ftps-server-aaa]local-user Huawei Password Cipher huawei1
[Ftps-server-aaa]local-user Huawei Service-type FTP
[Ftps-server-aaa]local-user Huawei Privilege Level 3
[Ftps-server-aaa]local-user Huawei Ftp-directory Flash:
[Ftps-server-aaa]quit
[Ftps-server]quit
To upload a file on the client:
FTP IP
Put Local-filename [Remote-file-name]
Imagine uploading digital certificates and key files for Servercert.der and Serverkey.der
Configure SSL policies and load digital certificates
#---The following to create the security directory and copy the SSL digital certificate file from the storage root to the security directory
<ftps-server>mkdir Security
<ftps-server>copy Servercert.der security/
<ftps-server>copy Serverkey.der security/
Create a FTPS server SSL policy and load the PEM format digital certificate via certificate load Pem-cert.
<ftps-server>system-view
[Ftps-server]ssl Policy Ftp_server
[Ftps-server-ssl-policy-ftp_server]certificate load Ans1-cert servercert.der key-pair RSA Key-file Serverkey.der
[Ftps-server-ssl-policy-ftp_server]quit
The display SSL policy allows you to see the loaded digital certificate details.


Enable FTPS server, create FTP user (note that the user is still an FTP user, and no FTPS user)
[Ftps-server]undo FTP Server #---Enable FTPS server functionality, you must turn off the normal FTP servers feature before you can.
[Ftps-server] FTP Secure-server Ssl-policy Ftp_server
[Ftps-server] FTP Secure-server Enable

VRP System--5