Configure the user to log in to the device through telnet -- AAA local authentication

AAA Local certification

AAA Local authentication can authenticate the identity of users , The user can successfully log in to the device by entering the correct user name and password .

• advantage ：AAA Local authentication configures user information on the device , There is no need to deploy other authentication servers in the network , Faster and lower operating costs .
• shortcoming ： The amount of information stored is limited by the hardware conditions of the device .

Networking requirements

As shown in the figure below , Enterprises hope that administrators can easily and safely manage devices remotely , The administrator can be configured to pass telnet When logging in to the device ：

1. The administrator can enter the correct user name and password to pass telnet Log in to the device .
2. Administrator through telnet After logging in to the device , The command level that can be executed is 0~3 All command lines for .
   

Huawei switch configuration

Configuration ideas

1. Can make telnet service .
2. Configure the user through telnet The login authentication method is AAA.
3. To configure AAA Local certification ： Create local users 、 The access type of the specified user is telnet、 Configure the user level as 15 level .

Configuration topology

Configuration operation

1. LSW1 Configure the interface and IP Address

<Huawei>sys
[Huawei]sysname HW1
[HW1]vlan batch 10
Info: This operation may take a few seconds. Please wait for a moment...done.
[HW1]int Vlanif 10
[HW1-Vlanif10]ip add 10.1.1.1 24
[HW1-Vlanif10]q
[HW1]int GigabitEthernet 0/0/1
[HW1-GigabitEthernet0/0/1]port link-type access 
[HW1-GigabitEthernet0/0/1]port default vlan 10
[HW1-GigabitEthernet0/0/1]q

2. Can make telnet Server function

[HW1]telnet server enable 
Info: The Telnet server has been enabled.

3. To configure vty The authentication method of the user interface is AAA

[HW1]user-interface maximum-vty 15
[HW1-ui-vty0-14]authentication-mode aaa
[HW1-ui-vty0-14]protocol inbound telnet 
[HW1-ui-vty0-14]q

4. To configure AAA Local certification

[HW1]aaa
[HW1-aaa]local-user user1 password cipher [email protected]
[HW1-aaa]local-user user1 service-type telnet 
[HW1-aaa]local-user user1 privilege level 15
[HW1-aaa]q	

5. LSW2 Interface configuration

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname HW2
[HW2]vlan batch 10
[HW2]int Vlanif 10
[HW2-Vlanif10]ip add 10.1.1.2
[HW2-Vlanif10]q
[HW2]int GigabitEthernet 0/0/1
[HW2-GigabitEthernet0/0/1]port link-type access
[HW2-GigabitEthernet0/0/1]port default vlan 10
[HW2-GigabitEthernet0/0/1]q

6. verification ,LSW2 telnet LSW1

<HW2>telnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...


Login authentication


Username:user1
Password:
Info: The max number of VTY users is 15, and the number
      of current VTY users on line is 1.
      The current login time is 2021-08-24 13:22:59.
<HW1>

The configuration file

LSW1 To configure

[HW1]dis cu
#
sysname HW1
#
vlan batch 10
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
 local-user user1 password cipher [JD(UTW1T15NZPO3JBXBHA!!
 local-user user1 privilege level 15
 local-user user1 service-type telnet
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
user-interface maximum-vty 15
user-interface con 0
user-interface vty 0 14
 authentication-mode aaa
#
return

LSW2 To configure

[HW2]dis cur
#
sysname HW2
#
vlan batch 10
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
return