Table of Contents

1 Logging In to an Access Controller Product 1-1
  Logging In to an Access Controller Product 1-1
  Introduction to the User Interface 1-1
    Supported User Interfaces 1-1
    User Interface Number 1-2
    Common User Interface Configuration 1-2
2 Logging In Through the Console Port 2-1
  Introduction 2-1
  Setting Up the Connection to the Console Port 2-1
  Console Port Login Configuration 2-4
    Common Configuration 2-4
    Console Port Login Configurations for Different Authentication Modes 2-5
  Console Port Login Configuration with Authentication Mode Being None 2-5
    Configuration Procedure 2-5
    Configuration Example 2-7
  Console Port Login Configuration with Authentication Mode Being Password 2-8
    Configuration Procedure 2-8
    Configuration Example 2-9
  Console Port Login Configuration with Authentication Mode Being Scheme 2-11
    Configuration Procedure 2-11
    Configuration Example 2-13
3 Logging In Through Telnet 3-1
  Introduction 3-1
    Common Configuration 3-2
    Telnet Configurations for Different Authentication Modes 3-2
  Telnet Configuration with Authentication Mode Being None 3-3
    Configuration Procedure 3-3
    Configuration Example 3-4
  Telnet Configuration with Authentication Mode Being Password 3-5
    Configuration Procedure 3-5
    Configuration Example 3-7
  Telnet Configuration with Authentication Mode Being Scheme 3-8
    Configuration Procedure 3-8
    Configuration Example 3-10
  Telnet Connection Establishment 3-11
    Telnetting to an Access Controller from a Terminal 3-11
    Telnetting to Another Access Controller from the Current One 3-13
4 Logging In Through the Web-Based Network Management System 4-1
  Introduction 4-1
  Setting Up a Web Configuration Environment 4-2
5 Logging In Through an NMS 5-1
  Introduction 5-1
  Connection Establishment 5-1
6 Controlling Login Users 6-1
  Introduction 6-1
  Controlling Telnet Users 6-1
    Prerequisites 6-1
    Controlling Telnet Users by SSIDs of Clients 6-1
    Controlling Telnet Users by Source IP Addresses 6-2
    Controlling Telnet Users by Source and Destination IP Addresses 6-3
    Controlling Telnet Users by Source MAC Addresses 6-4
    Configuration Example 6-4
  Controlling Network Management Users by Source IP Addresses 6-5
    Prerequisites 6-5
    Controlling Network Management Users by Source IP Addresses 6-5
    Configuration Example 6-6

Support of the H3C WX series access controllers for features may vary by device model. Refer to section "Feature Matrices" in Compatibility Matrices for details. The interface types and the number of interfaces supported vary by device model. Throughout this manual, GE interfaces are used in the examples that involve Ethernet interfaces. The access control engines of the H3C WX3000 series unified switches and the LSBM1WCM2A0 access controller module do not support IPv6-related configurations. For support of IPv6-related configurations, refer to section "Command Matrices" in Compatibility Matrices for details. The models listed in this manual are not applicable to all regions. Please consult your local sales office for the models applicable to your region.


1 Logging In to an Access Controller Product

To log in to an access controller product, go to these sections for information you are interested in:
- Logging In to an Access Controller Product
- Introduction to the User Interface

Logging In to an Access Controller Product

You can log in to an access controller product in one of the following ways:
- Logging in locally through the console port
- Telnetting locally or remotely to an Ethernet port

Introduction to the User Interface
Supported User Interfaces
An access controller product supports three types of user interfaces: AUX, console and VTY.

Table 1-1 Description on user interface
User interface | Applicable user | Port used | Description
AUX | Users logging in through the console port | Console port | Each access controller can accommodate one AUX user.
Console | Users logging in through the console port | Console port | Each access controller can accommodate one console user.
VTY | Telnet users and SSH users | Ethernet port | Each access controller can accommodate up to five VTY users.

User Interface Number
Two kinds of user interface indexes exist: absolute user interface index and relative user interface index.
1) The absolute user interface indexes are as follows:
   - AUX user interface: Numbered first, and is 0.
   - Console user interface: Numbered first, and is 0.
   - VTY user interfaces: Numbered after AUX user interfaces and increase in steps of 1.
2) A relative user interface index can be obtained by appending a number to the identifier of a user interface type. It is generated by user interface type. The relative user interface indexes are as follows:
   - AUX user interface: AUX 0
   - Console user interface: Console 0
   - VTY user interfaces: VTY 0, VTY 1, VTY 2, and so on.

Common User Interface Configuration
Each row below gives the task, the command to use, and remarks.

Enter system view
  Command: system-view
  Remarks: —

Lock the current user interface
  Command: lock
  Remarks: Optional. Execute this command in user view. A user interface is not locked by default.

Specify to send messages to all user interfaces/a specified user interface
  Command: send { all | number | type number }
  Remarks: Optional. Execute this command in user view.

Disconnect a specified user interface
  Command: free user-interface [ type ] number
  Remarks: Optional. Execute this command in user view. The interface type and quantity supported by this command vary by device model.

Set the banner
  Command: header { incoming | legal | login | motd | shell } text
  Remarks: Optional. By default, no banner is configured.

Set a system name for the access controller product
  Command: sysname string
  Remarks: Optional. The default system name is H3C.

Enter user interface view
  Command: user-interface [ type ] first-number [ last-number ]
  Remarks: The interface type and quantity supported by this command vary by device model.

Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.

Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

Set the display type of a terminal
  Command: terminal type { ansi | vt100 }
  Remarks: Optional. By default, the terminal display type is ANSI. The device must use the same type of display as the terminal: if the terminal uses VT 100, the device should also use VT 100.

Display the information about the current user interface/all user interfaces
  Command: display users [ all ]
  Remarks: You can execute this command in any view.

Display the physical attributes and configuration of the current/a specified user interface
  Command: display user-interface [ type | number ] [ summary ]
  Remarks: You can execute this command in any view. The interface type and quantity supported by this command vary by device model.

2 Logging In Through the Console Port

When logging in through the console port, go to these sections for information you are interested in:
- Introduction
- Setting Up the Connection to the Console Port
- Console Port Login Configuration
- Console Port Login Configuration with Authentication Mode Being None
- Console Port Login Configuration with Authentication Mode Being Password
- Console Port Login Configuration with Authentication Mode Being Scheme

Introduction

Support for the console port and AUX port varies by device model.

Logging in through the console port is the most common way to log in to the device. It is also the prerequisite to configure other login methods. By default, you can log in to the device through its console port only.

To log in to the device through its console port, the related configuration of the user terminal must be in accordance with that of the console port. Table 2-1 lists the default settings of a console port.

Table 2-1 The default settings of a console port
Setting | Default
Baud rate | 9,600 bps
Check mode | No check bit
Stop bits | 1
Data bits | 8

After logging in to the device, you can modify the settings of the console port. Refer to section Console Port Login Configuration for more information.

Setting Up the Connection to the Console Port

Step 1: Connect the serial port of your PC/terminal to the console port of the access controller (AC), as shown in Figure 2-1.

Figure 2-1 Diagram for setting the connection to the console port (the RS-232 port of the PC is connected by a console cable to the console port of the AC)

Step 2: If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created. Normally, the parameters of a terminal are configured as those listed in Table 2-1.

Figure 2-2 Create a connection

Figure 2-3 Specify the port used to establish the connection

Figure 2-4 Set port parameters

Step 3: Turn on the access controller. You will be prompted to press the Enter key if the access controller successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after the user presses the Enter key, as shown in Figure 2-5.

Figure 2-5 The terminal window

Step 4: You can then configure the access controller or check the information about the access controller by executing commands. You can also acquire help by typing the ? character. Refer to the following chapters for information about the commands.

Console Port Login Configuration

Common Configuration

Table 2-2 lists the common configuration of console port login.

Table 2-2 Common configuration of console port login

Console port configuration
  Baud rate: Optional. The default baud rate is 9,600 bps.
  Check mode: Optional. By default, the check mode of the console port is set to none, which means no check bit.
  Stop bits: Optional. The default stop bits of a console port is 1.
  Data bits: Optional. The default data bits of a console port is 8.

AUX/Console user interface configuration
  Configure the command level available to the users logging in to the AUX/console user interface: Optional. By default, commands of level 3 are available to the users logging in to the AUX/console user interface.
  Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
  Define a shortcut key for starting terminal sessions: Optional. By default, pressing the Enter key starts the terminal session.

Terminal configuration
  Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
  Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
  Set history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
  Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.

Modifying the settings of the console port terminates the connection to the console port. To establish the connection again, you need to modify the configuration of the terminal emulation utility running on your PC accordingly. Refer to Setting Up the Connection to the Console Port for more.

Console Port Login Configurations for Different Authentication Modes

Table 2-3 lists console port login configurations for different authentication modes.

Table 2-3 Console port login configurations for different authentication modes

Authentication mode: None
  Perform common configuration: Optional. Refer to Common Configuration for more.

Authentication mode: Password
  Configure the password: Required. Configure the password for local authentication.
  Perform common configuration: Optional. Perform common configuration for console port login. Refer to Common Configuration for more.

Authentication mode: Scheme
  Specify to perform local authentication or RADIUS authentication: Optional. AAA configuration specifies whether to perform local authentication or RADIUS authentication. Local authentication is performed by default. Refer to AAA Configuration in the Security Volume for more.
  Configure user name and password: Required. Configure user names and passwords for local/remote users. The user name and password of a local user are configured on the access controller. The user name and password of a remote user are configured on the RADIUS server. Refer to the user manual of the RADIUS server for more.
  Manage AUX/console users: Required. Set the service type for AUX/console users.
  Perform common configuration: Optional. Perform common configuration for console port login. Refer to Common Configuration for more.

Changes of the authentication mode of console port login will not take effect unless you exit and enter the CLI again.

Console Port Login Configuration with Authentication Mode Being None

Configuration Procedure

Enter system view
  Command: system-view
  Remarks: —

Enter AUX/console user interface view
  Command: user-interface aux 0 or user-interface console 0
  Remarks: —

Configure not to authenticate users
  Command: authentication-mode none
  Remarks: Required. By default, users logging in through the AUX/console port are not authenticated.

Configure the console port
  Set the baud rate
    Command: speed speed-value
    Remarks: Optional. The default baud rate of an AUX/console port (also the console port) is 9,600 bps.
  Set the check mode
    Command: parity { even | mark | none | odd | space }
    Remarks: Optional. By default, the check mode of a console port is set to none, that is, no check bit.
  Set the stop bits
    Command: stopbits { 1 | 1.5 | 2 }
    Remarks: Optional. The stop bits of an AUX/console port is 1.
  Set the data bits
    Command: databits { 5 | 6 | 7 | 8 }
    Remarks: Optional. The default data bits of a console port is 8.

Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.

Define a shortcut key for starting terminal sessions
  Command: activation-key character
  Remarks: Optional. By default, pressing the Enter key starts the terminal session.

Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.

Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the command level available to users logging in to the device depends on both the authentication-mode none command and the user privilege level level command, as listed in the following table.

Table 2-4 Determine the command level (A)
Authentication mode: None (authentication-mode none)
User type: Users logging in through AUX/console ports
  The user privilege level level command not executed: Level 3
  The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements

Assume the access controller is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the access controller, perform configuration to meet the following:
- The user is not authenticated when logging in through the console port.
- Commands of level 2 are available to users logging in to the AUX user interface.
- The baud rate of the console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.

Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being none)

Configuration procedure

# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify not to authenticate the user logging in through the console port.
[Sysname-ui-aux0] authentication-mode none
# Specify that commands of level 2 are available to the user logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2
# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6

After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the access controller. Refer to Setting Up the Connection to the Console Port for more.

Console Port Login Configuration with Authentication Mode Being Password

Configuration Procedure

Enter system view
  Command: system-view
  Remarks: —

Enter AUX/console user interface view
  Command: user-interface aux 0 or user-interface console 0
  Remarks: —

Configure to authenticate users using the local password
  Command: authentication-mode password
  Remarks: Required. By default, users logging in through the console port are not authenticated.

Set the local password
  Command: set authentication password { cipher | simple } password
  Remarks: Required.

Configure the console port
  Set the baud rate
    Command: speed speed-value
    Remarks: Optional. The default baud rate of an AUX/console port (also the console port) is 9,600 bps.
  Set the check mode
    Command: parity { even | mark | none | odd | space }
    Remarks: Optional. By default, the check mode of an AUX/console port is set to none, that is, no check bit.
  Set the stop bits
    Command: stopbits { 1 | 1.5 | 2 }
    Remarks: Optional. The default stop bits of an AUX/console port is 1.
  Set the data bits
    Command: databits { 5 | 6 | 7 | 8 }
    Remarks: Optional. The default data bits of an AUX/console port is 8.

Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface.

Define a shortcut key for starting terminal sessions
  Command: activation-key character
  Remarks: Optional. By default, pressing the Enter key starts the terminal session.

Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.

Make terminal services available to the user interface
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

Set history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that the level of the commands available to users logging in to the device depends on both the authentication-mode password command and the user privilege level level command, as listed in the following table.

Table 2-5 Determine the command level (B)
Authentication mode: Local authentication (authentication-mode password)
User type: Users logging in to the AUX/console user interface
  The user privilege level level command not executed: Level 3
  The user privilege level level command already executed: Determined by the level argument

Configuration Example

Network requirements

Assume the access controller is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the access controller, perform configuration to meet the following:
- The user is authenticated against the local password when logging in through the console port.
- The local password is set to 123456 (in plain text).
- The commands of level 2 are available to users logging in to the AUX user interface.
- The baud rate of the console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.

Figure 2-7 Network diagram for AUX user interface configuration (with the authentication mode being password)

Configuration procedure

# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify to authenticate the user logging in through the console port using the local password.
[Sysname-ui-aux0] authentication-mode password
# Set the local password to 123456 (in plain text).
[Sysname-ui-aux0] set authentication password simple 123456
# Specify that commands of level 2 are available to the user logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2
# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6

After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the access controller. Refer to Setting Up the Connection to the Console Port for more.
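As an added example (not from the H3C manual), the following Python script parses a constructed Comware-style configuration fragment that uses the user-interface and local-user commands documented in the procedures above, derives the command level a console/AUX login would receive according to Tables 2-4 through 2-6, and lists the settings a reviewer would want changed (authentication-mode none, a password kept in simple form, idle-timeout 0). The SAMPLE_CONFIG text, the dataclasses and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample running-config fragment (not taken from the manual). It uses
# the commands the manual documents for AUX/console login: aux 0 in scheme mode
# backed by a local user, console 0 in password mode with weak settings.
SAMPLE_CONFIG = """\
local-user guest
 password simple 123456
 service-type terminal
 authorization-attribute level 2
#
user-interface aux 0
 authentication-mode scheme
 speed 19200
 idle-timeout 6 0
#
user-interface console 0
 authentication-mode password
 set authentication password simple 123456
 user privilege level 2
 idle-timeout 0
#
"""

@dataclass
class LocalUser:
    name: str
    password_form: Optional[str] = None     # "simple" (plain text) or "cipher"
    service_types: list = field(default_factory=list)
    level: Optional[int] = None             # from "authorization-attribute level"

@dataclass
class UserInterface:
    name: str                               # e.g. "aux 0" or "console 0"
    # Manual defaults for AUX/console: no authentication, 10-minute idle timeout,
    # level 3 commands unless "user privilege level" is executed.
    auth_mode: str = "none"
    password_form: Optional[str] = None     # from "set authentication password"
    privilege_level: Optional[int] = None
    idle_timeout_seconds: int = 10 * 60

def parse_config(text):
    """Collect local-user and user-interface blocks; a "#" line ends a block."""
    users, interfaces, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif m := re.match(r"local-user (\S+)$", line):
            current = users[m.group(1)] = LocalUser(m.group(1))
        elif m := re.match(r"user-interface ((?:aux|console|vty) .+)$", line):
            current = interfaces[m.group(1)] = UserInterface(m.group(1))
        elif isinstance(current, LocalUser):
            if m := re.match(r"password (simple|cipher) ", line):
                current.password_form = m.group(1)
            elif m := re.match(r"service-type (\S+)", line):
                current.service_types.append(m.group(1))
            elif m := re.search(r"authorization-attribute .*\blevel (\d+)", line):
                current.level = int(m.group(1))
        elif isinstance(current, UserInterface):
            if m := re.match(r"authentication-mode (none|password|scheme)", line):
                current.auth_mode = m.group(1)
            elif m := re.match(r"set authentication password (simple|cipher) ", line):
                current.password_form = m.group(1)
            elif m := re.match(r"user privilege level (\d+)", line):
                current.privilege_level = int(m.group(1))
            elif m := re.match(r"idle-timeout (\d+)(?: (\d+))?", line):
                current.idle_timeout_seconds = int(m.group(1)) * 60 + int(m.group(2) or 0)
    return users, interfaces

def effective_command_level(ui, user=None):
    """Command level a console/AUX login receives, per Tables 2-4 to 2-6.
    None/password: level 3 unless "user privilege level" was executed. Scheme
    (Table 2-6 covers only the case where that command was not executed, as
    assumed here): the local user's authorization-attribute level, else 0."""
    if ui.auth_mode in ("none", "password"):
        return ui.privilege_level if ui.privilege_level is not None else 3
    return user.level if user is not None and user.level is not None else 0

def audit(ui, users):
    """Findings a reviewer would raise about one user interface's login settings."""
    findings = []
    if ui.auth_mode == "none":
        findings.append("no authentication on login (authentication-mode none, the default)")
    if ui.password_form == "simple":
        findings.append("login password stored in plain text (simple); use the cipher form")
    if ui.auth_mode == "scheme":
        for name, u in users.items():
            if "terminal" in u.service_types and u.password_form == "simple":
                findings.append(f"local user {name}: password stored in plain text (simple)")
    if ui.idle_timeout_seconds == 0:
        findings.append("idle timeout disabled (idle-timeout 0); the default is 10 minutes")
    return findings
```

Calling parse_config(SAMPLE_CONFIG) and then audit on console 0 reports the plain-text password and the disabled timeout, while aux 0 is reported only for the plain-text password of local user guest.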

you need to perform the following configuration as well: Perform AAA&RADIUS configuration on the access controller. Users are authenticated locally by default.Console Port Login Configuration with Authentication Mode Being Scheme Configuration Procedure To do… Enter system view Enter the default ISP domain view Use the command… system-view domain domain-name authentication default { hwtacacs. 2-11 . you need to perform the configuration concerning local user as well. the local AAA scheme is applied. Required Remarks Configure the authenticati on mode Specify the AAA scheme to be applied to the domain Quit to system view quit Create a local user (Enter local user view.scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } — Optional By default. (Refer to the user manual of AAA server. If you specify to apply the local AAA scheme.) Required No local user exists by default.) Set the authentication password for the local user local-user user-name password { simple | cipher } password service-type terminal authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } * quit user-interface aux 0 Specify the service type for AUX and console users Required Quit to system view Enter AUX/console user interface view — — user-interface console 0 Required Configure to authenticate users locally or remotely authentication-mode scheme [ commandauthorization ] The specified AAA scheme determines whether to authenticate users locally or remotely. If you specify to apply an existing scheme by providing the radius-scheme-name argument.) Configure the user name and password accordingly on the AAA server. (Refer to AAA Configuration in the Security Volume for more.

Configure the console port:
  Set the baud rate
    Command: speed speed-value
    Remarks: Optional. The default baud rate of the AUX/console port is 9,600 bps.
  Set the check mode
    Command: parity { even | mark | none | odd | space }
    Remarks: Optional. By default, the check mode of an AUX/console port is none, that is, no check bit.
  Set the stop bits
    Command: stopbits { 1 | 1.5 | 2 }
    Remarks: Optional. The default number of stop bits of an AUX/console port is 1.
  Set the data bits
    Command: databits { 5 | 6 | 7 | 8 }
    Remarks: Optional. The default number of data bits of a console port is 8.

Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 3 are available to users logging in to the AUX/console user interface. Note that the level of the commands available to users logging in to the device depends on the authentication-mode scheme [ command-authorization ] command, as listed in Table 2-6.

Define a shortcut key for starting terminal sessions
  Command: activation-key character
  Remarks: Optional. By default, pressing the Enter key starts the terminal session.

Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.

Make terminal services available to the user interface
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes, that is, the connection to the user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function; an idle console session then stays logged in until someone terminates it, so avoid this on a console that is physically shared.

Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.

Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10, that is, the buffer can store up to 10 commands by default.

Table 2-6 Determine the command level
Authentication mode: authentication-mode scheme [ command-authorization ]
User type: users logging in to the AUX/console port who pass AAA&RADIUS or local authentication
- The user privilege level level command is not executed, and the authorization-attribute command does not specify the available command level: Level 0. (The default command level available for local users is level 0.)
- The user privilege level level command is not executed, and the authorization-attribute command specifies the available command level: Determined by the authorization-attribute command.

Configuration Example

Network requirements

Assume the access controller is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the access controller, perform configuration to meet the following requirements:
- Configure the name of the local user as guest.
- Set the authentication password of the local user to 123456 (in plain text).
- Set the service type of the local user to Terminal.
- Configure to authenticate the user logging in through the console port in the scheme mode.
- Commands of level 2 are available to the user logging in to the AUX user interface.
- The baud rate of the console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.

Figure 2-8 Network diagram for AUX user interface configuration (with the authentication mode being scheme)

Configuration procedure

# Enter system view.
<Sysname> system-view
# Create a local user named guest and enter local user view.
[Sysname] local-user guest

# Set the authentication password to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type to Terminal, and specify that commands of level 2 are available to the user logging in to the AUX user interface.
[Sysname-luser-guest] authorization-attribute level 2
[Sysname-luser-guest] service-type terminal
[Sysname-luser-guest] quit
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Configure to authenticate the user logging in through the console port in the scheme mode.
[Sysname-ui-aux0] authentication-mode scheme
# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6

After the above configuration, to ensure a successful login, the console user needs to change the corresponding settings of the terminal emulation program running on the PC so that they are consistent with those on the access controller. Refer to Setting Up the Connection to the Console Port for more.

3 Logging In Through Telnet

When logging in through Telnet, go to these sections for information you are interested in:
- Introduction
- Telnet Configuration with Authentication Mode Being None
- Telnet Configuration with Authentication Mode Being Password
- Telnet Configuration with Authentication Mode Being Scheme
- Telnet Connection Establishment

Introduction

You can telnet to a remote access controller product to manage and maintain the device. To achieve this, you need to configure both the device and the Telnet terminal properly.

Table 3-1 Requirements for telnetting to the device
Access controller product:
- Start the Telnet server.
- The IP address of the VLAN interface or the management interface of the access controller product is configured, and the route between the access controller product and the Telnet terminal is available.
- The authentication mode and other settings are configured. Refer to Table 3-2 and Table 3-3.
Telnet terminal:
- Telnet is running.
- The IP address of the management VLAN of the access controller product is available.

Notes:
- After you log in to the access controller through Telnet, you can issue commands by pasting session text. The pasted text cannot exceed 2000 bytes, and the pasted commands must be in the same view; otherwise, the access controller may not execute the commands correctly. If the session text exceeds 2000 bytes, save it in a configuration file, upload the configuration file to the access controller, and reboot the access controller with this configuration file. For details, refer to File System Management Configuration in the System Volume.
- Support for Telnet login based on IPv6 varies by device model. Logging in to the access controller using Telnet based on IPv6 works the same as that based on IPv4. Refer to IPv6 Application Configuration in the IP Services Volume for details.
- Telnet carries the whole session, including the login password, in cleartext across the network. Where the device and the terminal support it, restrict the VTY user interfaces to SSH (protocol inbound ssh, described in the procedures below) and allow Telnet only on an isolated management network.

Common Configuration

Table 3-2 lists the common Telnet configuration.

Table 3-2 Common Telnet configuration

VTY user interface configuration:
- Configure the command level available to users logging in to the VTY user interface. Optional. By default, commands of level 0 are available to users logging in to a VTY user interface.
- Configure the protocols the user interface supports. Optional. By default, Telnet and SSH are both supported.
- Set the command that is automatically executed when a user logs into the user interface. Optional. By default, no command is automatically executed when a user logs into a user interface. The auto-execute command command may make you unable to perform common configuration in the user interface, so use it with caution. Before executing the auto-execute command command and saving your configuration, make sure you can log in to the access controller in other modes and can cancel the configuration.
- Define a shortcut key for aborting tasks. Optional. The default shortcut key combination for aborting tasks is Ctrl+C.

VTY terminal configuration:
- Make terminal services available. Optional. By default, terminal services are available in all user interfaces.
- Set the maximum number of lines the screen can contain. Optional. By default, the screen can contain up to 24 lines.
- Set the history command buffer size. Optional. By default, the history command buffer can contain up to 10 commands.
- Set the timeout time of a user interface. Optional. The default timeout time is 10 minutes.

Telnet Configurations for Different Authentication Modes

Table 3-3 lists Telnet configurations for different authentication modes.

Table 3-3 Telnet configurations for different authentication modes

Authentication mode: None
- Perform common configuration: perform common Telnet configuration. Optional. Refer to Table 3-2.

Authentication mode: Password
- Configure the password: configure the password for local authentication. Required.
- Perform common configuration: perform common Telnet configuration. Optional. Refer to Table 3-2.

Authentication mode: Scheme
- Specify to perform local authentication or RADIUS authentication: the AAA configuration specifies whether local authentication or RADIUS authentication is performed. Optional. Local authentication is performed by default.
- Configure user name and password: configure user names and passwords for local/remote users. Required. The user name and password of a local user are configured on the access controller. The user name and password of a remote user are configured on the RADIUS server; refer to the user manual of the RADIUS server for more.
- Manage VTY users: set the service type for VTY users. Required. Refer to AAA Configuration in the Security Volume for more.
- Perform common configuration: perform common Telnet configuration. Optional. Refer to Table 3-2.

Telnet Configuration with Authentication Mode Being None

Configuration Procedure

Enter system view
  Command: system-view

Enter one or more VTY user interface views
  Command: user-interface vty first-number [ last-number ]

Configure not to authenticate users logging in to VTY user interfaces
  Command: authentication-mode none
  Remarks: Required. By default, VTY users are authenticated after logging in.

Configure the command level available to users logging in to the VTY user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 0 are available to users logging in to VTY user interfaces.

Configure the protocols to be supported by the VTY user interface
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. By default, both Telnet and SSH are supported.

Set the command that is automatically executed when a user logs into the user interface
  Command: auto-execute command text
  Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.

Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.

Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.

Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10, that is, the buffer can store up to 10 commands by default.

Set the timeout time of the VTY user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes, that is, the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure not to authenticate the users, the command level available to users logging in to the device depends on both the authentication-mode none command and the user privilege level level command, as listed in Table 3-4.

Table 3-4 Determine the command level when users logging in to the device are not authenticated
Authentication mode: None (authentication-mode none)
User type: VTY users
- The user privilege level level command is not executed: Level 0
- The user privilege level level command is already executed: Determined by the level argument

Configuration Example

Network requirements

Assume that you are a level 3 AUX/console user and want to perform the following configuration for Telnet users logging in to VTY 0:
- Do not authenticate users logging in to VTY 0.
- Commands of level 2 are available to users logging in to VTY 0.
- Telnet protocol is supported.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.

With this configuration, anyone who can reach the IP address of the access controller obtains a level 2 CLI on VTY 0 without entering a password. Use it only on an isolated lab network, and never on a VTY that is reachable from a production network.

Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none): the RS-232 port of the PC is connected to the console port of the AC by a console cable.

Configuration procedure

# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure not to authenticate Telnet users logging in to VTY 0.
[Sysname-ui-vty0] authentication-mode none
# Specify that commands of level 2 are available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2
# Configure VTY 0 to support the Telnet protocol.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6

Telnet Configuration with Authentication Mode Being Password

Configuration Procedure

Enter system view
  Command: system-view

Enter one or more VTY user interface views
  Command: user-interface vty first-number [ last-number ]

Configure to authenticate users logging in to VTY user interfaces using the local password
  Command: authentication-mode password
  Remarks: Required.

Set the local password
  Command: set authentication password { cipher | simple } password
  Remarks: Required. The simple keyword stores the password in plain text in the configuration file; prefer cipher.

Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 0 are available to users logging in to VTY user interfaces.

Configure the protocol to be supported by the user interface
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. By default, both Telnet and SSH are supported.

Set the command that is automatically executed when a user logs into the user interface
  Command: auto-execute command text
  Remarks: Optional. By default, no command is automatically executed when a user logs into a user interface.

Define a shortcut key for aborting tasks
  Command: escape-key { default | character }
  Remarks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.

Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.

Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10, that is, the buffer can store up to 10 commands by default.

Set the timeout time of the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes, that is, the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure to authenticate the users in the password mode, the command level available to users logging in to the device depends on both the authentication-mode password command and the user privilege level level command, as listed in Table 3-5.

Table 3-5 Determine the command level when users logging in to the device are authenticated in the password mode
Authentication mode: Password (authentication-mode password)
User type: VTY users
- The user privilege level level command is not executed: Level 0
- The user privilege level level command is already executed: Determined by the level argument

Configuration Example

Network requirements

Assume that you are a level 3 AUX/console user and want to perform the following configuration for Telnet users logging in to VTY 0:
- Authenticate users logging in to VTY 0 using the local password.
- Set the local password to 123456 (in plain text).
- Commands of level 2 are available to users logging in to VTY 0.
- Telnet protocol is supported.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.

Figure 3-2 Network diagram for Telnet configuration (with the authentication mode being password): the RS-232 port of the PC is connected to the console port of the AC by a console cable.

Configuration procedure

# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure to authenticate users logging in to VTY 0 using the local password.
[Sysname-ui-vty0] authentication-mode password
# Set the local password to 123456 (in plain text).
[Sysname-ui-vty0] set authentication password simple 123456
# Specify that commands of level 2 are available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2
# Configure VTY 0 to support the Telnet protocol.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
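Tables 2-6, 3-4 and 3-5 give the rule for the command level a login ends up with, and the two Telnet examples above show a VTY with no authentication and one with a shared line password. The Python script below is an added example, not part of this manual or of H3C's software: it parses the user-interface and local-user blocks of a configuration written in the CLI syntax used on this page, computes the effective command level of each line from those rules, and flags the settings a reviewer would question (no authentication, Telnet accepted, passwords kept with the simple keyword, idle timeout disabled, manage level reachable through a shared password). The sample configuration, the severities, the rule names and the assumption that a VTY block with no authentication-mode command uses password authentication (the default the procedure tables state) are the example's own.

```python
"""Audit Comware-style login configuration for weak settings (added example, not H3C code).

Input is the CLI text the examples on this page produce, in the form it takes in a
saved configuration: one block per user-interface or local-user, blocks separated by '#'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "none" and "password" examples above, an AUX line in scheme
# mode, and a VTY range with the manage level behind a plain-text shared password.
SAMPLE_CONFIG = """\
 telnet server enable
#
local-user guest
 password simple 123456
 authorization-attribute level 2
 service-type telnet
#
user-interface aux 0
 authentication-mode scheme
 idle-timeout 6 0
#
user-interface vty 0
 authentication-mode none
 user privilege level 2
 protocol inbound telnet
 idle-timeout 6 0
#
user-interface vty 1 4
 authentication-mode password
 set authentication password simple 123456
 user privilege level 3
 idle-timeout 0 0
#
"""


@dataclass
class UserInterface:
    name: str                              # "aux 0", "vty 0", "vty 1 4"
    auth_mode: str                         # none | password | scheme
    privilege_level: Optional[int] = None  # None: 'user privilege level' not executed
    protocols: str = "all"                 # default: Telnet and SSH both accepted
    idle_timeout: Optional[int] = None     # minutes; None: the default of 10
    plaintext_password: bool = False       # 'set authentication password simple ...'


@dataclass
class LocalUser:
    name: str
    level: Optional[int] = None            # authorization-attribute level, if specified
    plaintext_password: bool = False       # 'password simple ...'


@dataclass
class Finding:
    where: str
    severity: str
    message: str


_BLOCK = re.compile(r"^(user-interface|local-user)\s+(.+)$")


def parse_config(text: str) -> Tuple[List[UserInterface], Dict[str, LocalUser], bool]:
    """Return (user interfaces, local users by name, whether 'telnet server enable' is set)."""
    interfaces: List[UserInterface] = []
    users: Dict[str, LocalUser] = {}
    telnet_enabled, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":        # '#' closes the current block
            current = None
            continue
        if line == "telnet server enable":
            telnet_enabled = True
            continue
        m = _BLOCK.match(line)
        if m:
            kind, arg = m.groups()
            if kind == "user-interface":
                # Assumption: a VTY block without authentication-mode uses password
                # authentication (the manual's default); an AUX block is taken as none.
                current = UserInterface(arg, "password" if arg.startswith("vty") else "none")
                interfaces.append(current)
            else:
                current = LocalUser(arg)
                users[arg] = current
            continue
        if current is None:
            continue
        w = line.split()
        if isinstance(current, UserInterface):
            if w[0] == "authentication-mode":
                current.auth_mode = w[1]
            elif line.startswith("user privilege level"):
                current.privilege_level = int(w[3])
            elif line.startswith("protocol inbound"):
                current.protocols = w[2]
            elif w[0] == "idle-timeout":
                current.idle_timeout = int(w[1])
            elif line.startswith("set authentication password"):
                current.plaintext_password = w[3] == "simple"
        elif w[0] == "password":
            current.plaintext_password = w[1] == "simple"
        elif line.startswith("authorization-attribute level"):
            current.level = int(w[2])
    return interfaces, users, telnet_enabled


def effective_level(ui: UserInterface, users: Dict[str, LocalUser]) -> int:
    """Command level a login on this line obtains.

    none/password (Tables 3-4, 3-5): the level argument if 'user privilege level' was
    executed, else 0.  scheme with local users (Table 2-6): the user's
    authorization-attribute level if specified, else 0, whatever 'user privilege level'
    says; the highest level any configured local user can reach is returned.
    """
    if ui.auth_mode in ("none", "password"):
        return ui.privilege_level if ui.privilege_level is not None else 0
    levels = [u.level for u in users.values() if u.level is not None]
    return max(levels) if levels else 0


def audit(text: str) -> List[Finding]:
    """Flag unauthenticated, cleartext, plain-text-password and never-expiring lines."""
    interfaces, users, telnet_enabled = parse_config(text)
    out: List[Finding] = []
    for ui in interfaces:
        level, is_vty = effective_level(ui, users), ui.name.startswith("vty")
        if ui.auth_mode == "none":
            out.append(Finding(ui.name, "HIGH",
                               f"no authentication; anyone reaching the line gets level {level}"))
        if is_vty and telnet_enabled and ui.protocols in ("all", "telnet"):
            out.append(Finding(ui.name, "MEDIUM", "accepts Telnet: password and session cross "
                               "the network in cleartext; prefer 'protocol inbound ssh'"))
        if ui.plaintext_password:
            out.append(Finding(ui.name, "MEDIUM",
                               "'set authentication password simple' keeps the password in plain text"))
        if ui.idle_timeout == 0:
            out.append(Finding(ui.name, "LOW", "idle-timeout 0: abandoned sessions never expire"))
        if is_vty and level >= 3 and ui.auth_mode != "scheme":
            out.append(Finding(ui.name, "MEDIUM",
                               f"level {level} (manage) on a network line without per-user accounts"))
    for u in users.values():
        if u.plaintext_password:
            out.append(Finding(f"local-user {u.name}", "MEDIUM",
                               "'password simple' keeps the password in plain text; use 'password cipher'"))
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.where:18} {f.message}")
```

Run it against the output of display current-configuration saved to a file; the aux 0 block produces no finding because its scheme-mode user carries an explicit level 2, while vty 0 is reported as unauthenticated and vty 1 4 as granting level 3 behind a shared plain-text password with the idle timeout off.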

(Refer to the user manual of AAA server. Configure the command level available to users logging in to the user interface Optional user privilege level level By default. Users are authenticated locally by default. no command is automatically executed when a user logs into a user interface. Optional The default shortcut key combination for aborting tasks is Ctrl+C. Optional auto-execute command text By default.) Configure the user name and password accordingly on the AAA server. commands of level 0 are available to users logging in to the VTY user interfaces.name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } — Optional By default.) No local user exists by default. you need to perform the following configuration as well: Perform AAA&RADIUS configuration on the access controller. the local AAA scheme is applied. If you specify to apply an existing scheme by providing the radius-scheme-name argument. Remarks Configure the authenticatio n scheme Configure the AAA scheme to be applied to the domain Quit to system view quit Create a local user and enter local user view Set the authentication password for the local user Specify the service type for VTY users Quit to system view Enter one or more VTY user interface views local-user user-name password { simple | cipher } password service-type telnet [ level level ] quit user-interface vty first-number [ last-number ] Configure the supported protocol Set the command that is automatically executed when a user logs into the user interface Define a shortcut key for aborting tasks protocol inbound { all | ssh | telnet } escape-key { default | character } 3-8 . Required Required — — Required Configure to authenticate users locally or remotely authentication-mode scheme [ commandauthorization ] The specified AAA scheme determines whether to authenticate users locally or remotely. 
Optional Both Telnet protocol and SSH protocol are supported by default.Telnet Configuration with Authentication Mode Being Scheme Configuration Procedure To do… Enter system view Enter the default ISP domain view Use the command… system-view domain domain-name authentication default { hwtacacs-scheme hwtacacs-scheme. (Refer to AAA Configuration in the Security Volume for more. If you specify to apply the local AAA scheme. you need to perform the configuration concerning local user as well.

Make terminal services available
  Command: shell
  Remarks: Optional. Terminal services are available in all user interfaces by default.

Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paging.

Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10, that is, the buffer can store up to 10 commands by default.

Set the timeout time for the user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes, that is, the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure to authenticate the users in the scheme mode, the command level available to users logging in to the device depends on the authentication-mode scheme [ command-authorization ] command, the user privilege level level command, and the authorization-attribute level command, as listed in Table 3-6.

Table 3-6 Determine the command level when users logging in to the device are authenticated in the scheme mode
Authentication mode: authentication-mode scheme [ command-authorization ]

User type: VTY users that are AAA&RADIUS authenticated or locally authenticated
- The user privilege level level command is not executed, and the authorization-attribute level command does not specify the available command level: Level 0
- The user privilege level level command is not executed, and the authorization-attribute level command specifies the available command level: Determined by the authorization-attribute level command
- The user privilege level level command is executed, and the authorization-attribute level command does not specify the available command level: Level 0
- The user privilege level level command is executed, and the authorization-attribute level command specifies the available command level: Determined by the authorization-attribute level command

User type: VTY users that are authenticated in the RSA mode of SSH
- The user privilege level level command is not executed: Level 0
- The user privilege level level command is executed: Determined by the user privilege level level command

User type: VTY users that are authenticated in the password mode of SSH
- The user privilege level level command is not executed, and the authorization-attribute level command does not specify the available command level: Level 0
- The user privilege level level command is not executed, and the authorization-attribute level command specifies the available command level: Determined by the authorization-attribute level command
- The user privilege level level command is executed, and the authorization-attribute level command does not specify the available command level: Level 0
- The user privilege level level command is executed, and the service-type command specifies the available command level: Determined by the service-type command

Refer to AAA Configuration and SSH 2.0 Configuration in the Security Volume for information about AAA-RADIUS-HWTACACS and SSH.

Configuration Example

Network requirements

Assume that you are a level 3 AUX/console user and want to perform the following configuration for Telnet users logging in to VTY 0:
- Configure the name of the local user as guest.
- Set the authentication password of the local user to 123456 (in plain text).
- Set the service type of VTY users to Telnet.
- Configure to authenticate users logging in to VTY 0 in scheme mode.

- Commands of level 2 are available to users logging in to VTY 0.
- Telnet protocol is supported in VTY 0.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.

Figure 3-3 Network diagram for Telnet configuration (with the authentication mode being scheme): the RS-232 port of the PC is connected to the console port of the AC by a console cable.

Configuration procedure

# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password of the local user to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type to Telnet, and specify that commands of level 2 are available to users logging in to VTY 0.
[Sysname-luser-guest] authorization-attribute level 2
[Sysname-luser-guest] service-type telnet
[Sysname-luser-guest] quit
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure to authenticate users logging in to VTY 0 in the scheme mode.
[Sysname-ui-vty0] authentication-mode scheme
# Configure VTY 0 to support the Telnet protocol.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6

Telnet Connection Establishment

Telnetting to an Access Controller from a Terminal

Step 1: Log in to the access controller through the console port and assign an IP address to its management Ethernet interface or VLAN interface.

Connect to the console port as shown in Figure 3-4; refer to Setting Up the Connection to the Console Port. Then execute the following commands in the terminal window to assign an IP address to the management Ethernet interface of the access controller. On an access controller that has no management Ethernet port, assign the IP address to a VLAN interface instead, so that the route between the PC and the access controller is valid; refer to VLAN Configuration in the Access Volume and MAC Address Table Management Configuration in the System Volume for details.

# Configure the IP address of the management Ethernet interface on the device as 202.38.160.92, with the subnet mask 255.255.255.0.
<Sysname> system-view
[Sysname] interface M-Ethernet 1/0/1
[Sysname-M-Ethernet1/0/1] ip address 202.38.160.92 255.255.255.0
# Or, configure the IP address of VLAN-interface 1 on the device as 202.38.160.92, with the subnet mask 255.255.255.0.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.38.160.92 255.255.255.0

Step 2: Before Telnet users can log in to the device, the configuration for the authentication mode in use must have been performed on the device. By default, Telnet users need to pass password authentication to log in. Refer to section Telnet Configuration with Authentication Mode Being None, section Telnet Configuration with Authentication Mode Being Password, and section Telnet Configuration with Authentication Mode Being Scheme for more.

Step 3: Connect your PC to the management Ethernet interface (or Ethernet interface) of the device, as shown in Figure 3-4. If the PC and the access controller are not in the same LAN, make sure the route between the PC and the management Ethernet interface (or Ethernet interface) of the device is available.

Figure 3-4 Network diagram for Telnet connection establishment

Step 4: Launch Telnet on your PC, with the IP address of the management Ethernet interface of the device, as shown in the following figure.

Figure 3-5 Launch Telnet

Step 5: Enter the password when the Telnet window displays Login authentication and prompts for the login password. The CLI prompt (such as <Sysname>) appears if the password provided is correct. If all VTY user interfaces of the access controller are in use, you will fail to establish the connection and receive the message "The number of users currently using the system configuration has reached the maximum. Please wait until one of the users releases the system configuration." An access controller can accommodate up to five Telnet connections at the same time.

Step 6: After successfully Telnetting to the device, you can configure the access controller or display information about it by executing the corresponding commands. By default, commands of level 0 are available to Telnet users authenticated by password. Refer to Basic System Configuration in the System Volume for information about command levels. You can also type ? at any time for help.

A Telnet connection is terminated if you remove or modify the IP address of the management interface or VLAN interface within the Telnet session.

Telnetting to Another Access Controller from the Current One

You can Telnet to another access controller product from the current one. In this case, the current access controller product operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two access controller products are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that the route between the two VLAN interfaces is available.

As shown in Figure 3-6, after Telnetting to an access controller product (labeled as Telnet client), you can Telnet to another device (labeled as Telnet server) by executing the telnet command, and then configure the latter.

Figure 3-6 Network diagram for Telnetting to another access controller from the current one

Step 1: Configure the user name and password for Telnet on the access controller operating as the Telnet server. By default, Telnet users need to pass password authentication to log in. Refer to section Telnet Configuration with Authentication Mode Being None, section Telnet Configuration with Authentication Mode Being Password, and section Telnet Configuration with Authentication Mode Being Scheme for more.

Step 2: Telnet to the access controller operating as the Telnet client.

Step 3: Execute this command on the access controller operating as the Telnet client:
<Sysname> telnet xxxx
where xxxx is the IP address or the host name of the access controller operating as the Telnet server. You can use the ip host command to assign a host name to an access controller. Refer to Basic System Configuration in the System Volume.

Step 4: Enter the password. If the password is correct, the CLI prompt (such as <Sysname>) appears. If all VTY user interfaces of the access controller are in use, you will fail to establish the connection and receive the message "All user interfaces are used, please try later!".

Step 5: After successfully Telnetting to the access controller, you can configure the access controller or display information about it by executing the corresponding commands. You can also type ? at any time for help.
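Steps 4 and 5 of the procedure from a terminal and Step 4 of the procedure from another access controller describe the same exchange: the device prints Login authentication and a password prompt, the user types the password, and either the CLI prompt appears or, when every VTY user interface is busy, the device refuses with All user interfaces are used, please try later!. The Python script below is an added example, not part of this manual or of H3C's software: it starts a constructed stand-in for the device's Telnet server on 127.0.0.1, runs a minimal Telnet client that answers option negotiation, sends the password and classifies the outcome, and then drives one wrong password, enough good logins to fill the configured number of VTY user interfaces, and one login too many. The stand-in's prompts, its refusal message, the session limit (five by default, as the manual states for the device; two in the scenario) and the recorded wire bytes are assumptions of the example. The point it makes is that the password is visible byte for byte to anything on the path, which is the reason to prefer protocol inbound ssh on the VTY user interfaces.

```python
"""Telnet login exchange against a constructed stand-in for the access controller.

Added example, not H3C code.  The device side records every byte it receives so
the cleartext password can be shown as it appears on the wire.
"""
import socket
import threading
from typing import List, Optional, Tuple

IAC, DONT, DO, WONT, WILL, ECHO = 255, 254, 253, 252, 251, 1
LOGIN_BANNER = b"\r\nLogin authentication\r\n\r\nPassword:"
PROMPT = b"\r\n<Sysname>"
FULL_MSG = b"\r\nAll user interfaces are used, please try later!\r\n"


def strip_telnet_options(data: bytes) -> bytes:
    """Remove IAC negotiation sequences, keeping only application bytes."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            if data[i + 1] == IAC:                      # escaped 0xFF data byte
                out.append(IAC)
            i += 3 if data[i + 1] in (DO, DON'T := DONT, WILL, WONT) else 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)
```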

It enables you to log in to the device through a Web browser and then manage and maintain the device intuitively by interacting with the built-in Web server. you need to perform the related configuration on both the switching engine and the PC operating as the network management terminal. go to these sections for information you are interested in: Introduction Setting Up a Web Configuration Environment Introduction Each H3C WX series access controller product has a Web server built in. the access controller engines of the WX3024 unified switches are used in the examples. The user name and password for logging in to the Web-based network management system are configured. PC operating as the network management terminal IE is available. Access controller product 4-1 . The IP address of the VLAN interface of the device.Logging In Through the Web-Based Network Management System 4 Logging in through the web-based network management system varies by device model. and the route between the access controller product and the Web network management terminal is reachable. the user name. When logging in through the Web-based network management system. Table 4-1 Requirements for logging in to the device through the Web-based network management system Item Requirement The VLAN interface or management interface of the access controller product is assigned an IP address. To log in to the access controller product through the built-in Web-based network management system. In this chapter. and the password are available.

An access controller product has a factory default configuration when it is shipped. With this configuration, you can log in to the device through the Web-based network management system. If you have saved your configuration file, the device will start up this configuration file at next boot, and the factory defaults are ineffective.
For the WX3024, WX3010, and WX3008, you can log in to the access controller engine through the Web-based network management system. For the login to the switching engine, see the related section of the Login Configuration in the H3C WX3000 Series Unified Switches Switching Engine Operation Manual.
For the WX6103, you can log in to the main control board through the Web-based network management system. For the login to the switch interface board, see the related section of the Login Configuration in the H3C WX6103 Access Controller Switch Interface Board Operation Manual.
For the WX5002, WX5002V2, and WX5004, you can log in to the device through the Web-based network management system.
For the access controller modules LS8M1WCMA0, LSQM1WCMB0, LSRM1WCM2A1, LSBM1WCM2A0, LSWM1WCM10, and LSWM1WCM20, you can log in to the access controller modules through the Web-based network management system.
Setting Up a Web Configuration Environment
Step 1 Before logging in to the access controller engine of the WX3024 (AC in Figure 4-1) through the Web-based network management system, assign an IP address to the switching engine (for devices providing management Ethernet ports, you can configure the IP address on the management Ethernet interface), and configure the Web network management user name and authentication password.
# Assign an IP address to the access controller engine of the WX3024.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.100 24
[Sysname-Vlan-interface1] quit
# Create a Web user account, setting both the user name and the password to admin and the user level to 3 (manage level).
[Sysname] local-user admin
[Sysname-luser-admin] service-type telnet
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] password simple admin
[Sysname-luser-admin] quit
# After configuring the IP address, you can input http://192.168.0.100 in the address bar of the browser on a Web network management terminal (PC), supposing that a route between the Web network management terminal and the access controller product is available, and the browser will display the login page. Input the default user name, the password admin, and the verification code, select the language, and then you can log in to the Web interface.
Step 2 Configure the management IP address for the switching engine of the WX3024 (optional). Currently, only the WX3000 series support this function. With this configuration, you can go to the Web interface of the switching engine from the Web interface of the access controller engine.
[Sysname] oap management-ip 192.168.0.101 slot 0
192.168.0.101 is the management IP address of the switching engine, and slot 0 is the slot number of the switching engine.
Step 3 Set up a Web configuration environment, as shown in Figure 4-1.
Figure 4-1 Set up a Web configuration environment (PC, Internet, AC)
Step 4 Log in to the switching engine through IE. Launch IE on the Web-based network management terminal (your PC) and enter http://192.168.0.100 in the address bar. (Make sure the route between the Web-based network management terminal and the switching engine is available.)
Step 5 When the login authentication interface (as shown in Figure 4-2) appears, enter the user name and the password admin, type the verification code, and then click Login to bring up the main page of the Web-based network management system.
Figure 4-2 The login page of the Web-based network management system

5 Logging In Through an NMS
When logging in through an NMS, go to these sections for information you are interested in:
Introduction
Connection Establishment
Introduction
You can also log in to an access controller through an NMS (network management station), and then configure and manage the access controller through the agent module on the access controller. The agent here refers to the server-side software running on network devices (access controllers). SNMP (Simple Network Management Protocol) is applied between the NMS and the agent.
To log in to an access controller through an NMS, you need to perform related configuration on both the NMS and the device.
Table 5-1 Requirements for logging in to the device through an NMS
Item: Access controller
Requirement: The IP address of the management VLAN of the access controller is configured. The route between the NMS and the access controller is available. The basic SNMP functions are configured. (Refer to SNMP Configuration in the System Volume for more.)
Item: NMS
Requirement: The NMS is properly configured. (Refer to the user manual of your NMS for more.)
Connection Establishment
Figure 5-1 Network diagram for logging in through an NMS

6 Controlling Login Users
To control login users, go to these sections for information you are interested in:
Introduction
Controlling Telnet Users
Controlling Network Management Users by Source IP Addresses
Introduction
An access controller provides ways to control different types of login users, including the wireless clients, as listed in Table 6-1.
Table 6-1 Ways to control different types of login users
Login mode: Telnet
  Control method: By SSIDs of clients. Implementation: Through WLAN ACL. Related section: Controlling Telnet Users by SSIDs of Clients
  Control method: By source IP addresses. Implementation: Through basic ACLs. Related section: Controlling Telnet Users by Source IP Addresses
  Control method: By source and destination IP addresses, protocols carried over IP, and protocol features. Implementation: Through advanced ACLs. Related section: Controlling Telnet Users by Source and Destination IP Addresses
  Control method: By source MAC addresses. Implementation: Through Layer 2 ACLs. Related section: Controlling Telnet Users by Source MAC Addresses
Login mode: SNMP
  Control method: By source IP addresses. Implementation: Through basic ACLs. Related section: Controlling Network Management Users by Source IP Addresses
Controlling Telnet Users
Prerequisites
The controlling policy against Telnet users is determined, including the source and destination IP addresses to be controlled and the controlling actions (permitting or denying). Refer to ACL Configuration in the Security Volume for information about defining an ACL.
Controlling Telnet Users by SSIDs of Clients
Controlling Telnet users by service set identifiers (SSIDs) is achieved by matching WLAN ACLs with packets based on the SSIDs of clients. WLAN ACLs are numbered from 100 to 199.
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create a WLAN ACL and enter WLAN ACL view
  Use the command: acl number acl-number
  Remarks: Required
To do: Define a rule for the WLAN ACL
  Use the command: rule [ rule-id ] { permit | deny } [ ssid ssid-name ]
  Remarks: Required
To do: Quit to system view
  Use the command: quit
  Remarks: —
To do: Enter user interface view
  Use the command: user-interface [ type ] first-number [ last-number ]
  Remarks: — (The interface type and quantity supported by this command vary by device model.)
To do: Apply the WLAN ACL to control Telnet users by SSIDs of WLAN clients
  Use the command: acl acl-number inbound
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller. Support for this command depends on the supported interface type.
Controlling Telnet Users by Source IP Addresses
Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999. Refer to ACL Configuration in the Security Volume for information about defining an ACL.
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create a basic ACL or enter basic ACL view
  Use the command: acl [ ipv6 ] number acl-number [ match-order { config | auto } ]
  Remarks: Required. As for the acl number command, the config keyword is specified by default. Support for IPv6 addresses varies by device model.
To do: Define rules for the ACL
  Use the command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
  Remarks: Required
To do: Quit to system view
  Use the command: quit
  Remarks: —
To do: Enter user interface view
  Use the command: user-interface [ type ] first-number [ last-number ]
  Remarks: — (The interface type and quantity supported by this command vary by device model.)
To do: Apply the ACL to control Telnet users by source IP addresses
  Use the command: acl [ ipv6 ] acl-number { inbound | outbound }
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller. The outbound keyword filters the users trying to Telnet to other access controllers from the current access controller. Support for IPv6 addresses depends on the device model. The interface type supported by this command varies by device model.
Controlling Telnet Users by Source and Destination IP Addresses
Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to ACL Configuration in the Security Volume for information about defining an ACL.
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create an advanced ACL or enter advanced ACL view
  Use the command: acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: Required. As for the acl number command, the config keyword is specified by default. Support for IPv6 addresses varies by device model.
To do: Define rules for the ACL
  Use the command: rule [ rule-id ] { permit | deny } rule-string
  Remarks: Required. You can define rules as needed to filter by specific source and destination IP addresses.
To do: Quit to system view
  Use the command: quit
  Remarks: —
To do: Enter user interface view
  Use the command: user-interface [ type ] first-number [ last-number ]
  Remarks: — (The interface type and quantity supported by this command vary by device model.)
To do: Apply the ACL to control Telnet users by specified source and destination IP addresses
  Use the command: acl [ ipv6 ] acl-number { inbound | outbound }
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller. The outbound keyword filters the users trying to Telnet to other access controllers from the current access controller. Support for IPv6 addresses depends on the device model. The interface type supported by this command varies by device model.

Controlling Telnet Users by Source MAC Addresses
Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Refer to ACL Configuration in the Security Volume for information about defining an ACL.
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create a basic ACL or enter basic ACL view
  Use the command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: Required. As for the acl number command, the config keyword is specified by default.
To do: Define rules for the ACL
  Use the command: rule [ rule-id ] { permit | deny } rule-string
  Remarks: Required. You can define rules as needed to filter by specific source MAC addresses.
To do: Quit to system view
  Use the command: quit
  Remarks: —
To do: Enter user interface view
  Use the command: user-interface [ type ] first-number [ last-number ]
  Remarks: — (The interface type and quantity supported by this command vary by device model.)
To do: Apply the ACL to control Telnet users by source MAC addresses
  Use the command: acl acl-number inbound
  Remarks: Required. The inbound keyword filters the users trying to Telnet to the current access controller.
Configuration Example
Network requirements
Only the Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to log in to the access controller.
Figure 6-1 Network diagram for controlling Telnet users using ACLs (Host A 10.110.100.52/24 and Host B 10.110.100.46/24 reach the AC across an IP network)
Configuration procedure
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny
[Sysname-acl-basic-2000] quit
# Apply the ACL to only permit Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 to access the access controller.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
Controlling Network Management Users by Source IP Addresses
You can manage an access controller through network management software. Network management users can access controllers through SNMP.
You need to perform the following two operations to control network management users by source IP addresses:
Defining an ACL
Applying the ACL to control users accessing the access controller through SNMP
Prerequisites
The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying). Refer to ACL Configuration in the Security Volume for information about defining an ACL.
Controlling Network Management Users by Source IP Addresses
Controlling network management users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.
To do: Enter system view
  Use the command: system-view
  Remarks: —
To do: Create a basic ACL or enter basic ACL view
  Use the command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: Required. As for the acl number command, the config keyword is specified by default.
To do: Define rules for the ACL
  Use the command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
  Remarks: Required
To do: Quit to system view
  Use the command: quit
  Remarks: —
To do: Apply the ACL while configuring the SNMP community name
  Use the command: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ] *
  Remarks: Required
To do: Apply the ACL while configuring the SNMP group name
  Use the command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Use the command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Remarks: Required

100. <Sysname> system-view [Sysname] acl number 2000 match-order config 6-6 . If you configure both the SNMP group name and the SNMP user name and specify ACLs in the two operations. Figure 6-2 Network diagram for controlling SNMP users using ACLs 10.52/24 Host A IP network Host B AC 10.110. the SNMP group name and the SNMP user name. Refer to SNMP Configuration in the System Volume for SNMP-related commands. As SNMP community name is a feature of SNMPv1 and SNMPv2c. the specified ACLs in the commands that configure SNMP group names (the snmp-agent group command and the snmp-agent group v3 command) and SNMP user names (the snmp-agent usm-user command and the snmp-agent usm-user v3 command) take effect in the network management systems that adopt SNMPv2c or higher SNMP versions. Similarly. as SNMP group name and SNMP user name are features of SNMPv2c and the higher SNMP versions.110.46/24 Configuration procedure # Define a basic ACL. the specified ACLs in the command that configures SNMP community names (the snmp-agent community command) take effect in the network management systems that adopt SNMPv1 or SNMPv2c.110.To do… Use the command… snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ] Remarks Apply the ACL while configuring the SNMP user name snmp-agent usm-user v3 user-name group-name [ cipher ] [ authentication-mode { md5 | sha } auth-password [ privacy-mode { des56 | aes128 } priv-password ] ] [ acl acl-number ] Required You can specify different ACLs while configuring the SNMP community name.52 and 10.46 are permitted to access the access controller.100.110.100. Configuration Example Network requirements Only SNMP users sourced from the IP addresses of 10.100. the access controller will filter network management users by both SNMP group name and SNMP user name.

110.52 0 [Sysname-acl-basic-2000] rule 2 permit source 10.100.[Sysname-acl-basic-2000] rule 1 permit source 10.52 and 10.100.46 0 [Sysname-acl-basic-2000] rule 3 deny [Sysname-acl-basic-2000] quit # Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.46 to access the access controller.110.100. [Sysname] snmp-agent community read aaa acl 2000 [Sysname] snmp-agent group v2c groupa acl 2000 [Sysname] snmp-agent usm-user v2c usera groupa acl 2000 6-7 .110.100.110.
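The Telnet configuration example (ACL 2000 applied with acl 2000 inbound on VTY 0 through 4) and this SNMP example share one basic ACL. The Python evaluator below is an added illustration, not code from the H3C manual: it parses the ACL and its bindings from CLI lines exactly as printed in the two examples (prompts stripped) and reports which action each candidate management source receives at each entry point, which is a convenient way to check a login-control policy before pushing it to a device. The names parse_config and check_sources, the wildcard-mask arithmetic, the rendering of match-order auto as "most specific source first", and the assumption that a source matching no rule is permitted (the reason the manual's example ends with an explicit deny rule) are this example's own assumptions; the outsider address 10.110.100.47 in the usage is constructed.

```python
"""Added example (not the H3C manual's own code): evaluate the basic ACL the
manual applies to Telnet (VTY) and SNMP sources, and list where it is bound."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

BASIC_ACL_NUMBERS = range(2000, 3000)   # basic ACL number range per the manual


@dataclass
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    source: Optional[ipaddress.IPv4Address]  # None stands for "any"
    wildcard: int                            # inverted mask; 0 means exact host

    def matches(self, addr: ipaddress.IPv4Address) -> bool:
        if self.source is None:
            return True
        care = 0xFFFFFFFF & ~self.wildcard   # wildcard bits set to 1 are ignored
        return (int(addr) & care) == (int(self.source) & care)


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config"):
        if number not in BASIC_ACL_NUMBERS:
            raise ValueError(f"ACL {number} is not a basic ACL (2000-2999)")
        self.number, self.match_order, self.rules = number, match_order, []

    def ordered_rules(self) -> list:
        if self.match_order == "config":     # config: try rules by ascending ID
            return sorted(self.rules, key=lambda r: r.rule_id)
        # auto: most specific source first, "any" last (simplified depth-first)
        return sorted(self.rules, key=lambda r: (r.source is None, r.wildcard, r.rule_id))

    def evaluate(self, address: str) -> tuple:
        addr = ipaddress.IPv4Address(address)
        for r in self.ordered_rules():
            if r.matches(addr):
                return r.action, r.rule_id
        # Assumption of this example: an unmatched source is permitted, which is
        # why the manual's example closes the policy with an explicit "rule 3 deny".
        return "permit", None


_ACL_RE = re.compile(r"^acl number (\d+)(?: match-order (config|auto))?$")
_RULE_RE = re.compile(r"^rule (\d+) (permit|deny)(?: source (?:any|(\S+) (\S+)))?$")
_BIND_RE = re.compile(r"(?:^| )acl (\d+)( inbound)?$")


def parse_wildcard(token: str) -> int:  # the manual writes a bare 0 or dotted form
    return int(ipaddress.IPv4Address(token)) if "." in token else int(token)


def parse_config(config: str):
    """Parse manual-style CLI lines (prompts stripped) into ACLs and ACL bindings.
    Returns ({acl_number: BasicAcl}, [(service, acl_number), ...])."""
    acls, bindings, acl = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line in ("system-view", "quit") or line.startswith("user-interface"):
            continue
        if m := _ACL_RE.match(line):
            acl = BasicAcl(int(m.group(1)), m.group(2) or "config")
            acls[acl.number] = acl
        elif (m := _RULE_RE.match(line)) and acl is not None:
            src = ipaddress.IPv4Address(m.group(3)) if m.group(3) else None
            wc = parse_wildcard(m.group(4)) if m.group(4) else 0
            acl.rules.append(Rule(int(m.group(1)), m.group(2), src, wc))
        elif m := _BIND_RE.search(line):
            # "acl N inbound" under a VTY user interface filters Telnet sources;
            # snmp-agent community/group/usm-user lines filter SNMP managers.
            service = "telnet (vty)" if line.startswith("acl ") else "snmp " + line.split()[1]
            bindings.append((service, int(m.group(1))))
        else:
            raise ValueError(f"unrecognised line: {line}")
    return acls, bindings


def check_sources(config: str, sources: list) -> dict:
    """For each (service, acl) binding, the action taken for each candidate source."""
    acls, bindings = parse_config(config)
    return {(service, n): {s: acls[n].evaluate(s)[0] for s in sources}
            for service, n in bindings}


# The manual's two configuration examples combined, prompts stripped.
MANUAL_CONFIG = """
system-view
acl number 2000 match-order config
rule 1 permit source 10.110.100.52 0
rule 2 permit source 10.110.100.46 0
rule 3 deny
quit
user-interface vty 0 4
acl 2000 inbound
quit
snmp-agent community read aaa acl 2000
snmp-agent group v2c groupa acl 2000
snmp-agent usm-user v2c usera groupa acl 2000
"""

if __name__ == "__main__":  # 10.110.100.47 is a constructed outsider address
    for key, verdicts in check_sources(
            MANUAL_CONFIG, ["10.110.100.52", "10.110.100.46", "10.110.100.47"]).items():
        print(key, verdicts)
```

Running the block prints a permit verdict for the two hosts from the manual and a deny verdict for the outsider at all four entry points (VTY, SNMP community, SNMP group and SNMP user), since every binding references the same ACL 2000. Feeding it a config whose ACL lacks the final deny rule shows the other side of the manual's design: under the example's default-permit assumption, any source outside the two permit rules would then be admitted, so the closing deny rule is what makes the policy an allow-list.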