HP 5500 Ei 5500 Si Switch Series Configuration Guide

| User interface authentication mode | User privilege level switching authentication mode | Information required for the first authentication mode | Information required for the second authentication mode |
|---|---|---|---|
| scheme | local | Password configured on the device with the super password command for the privilege level | N/A |
| | local scheme | Password configured on the device with the super password command for the privilege level | Password for privilege level switching (configured on the AAA server). The system uses the username used for logging in as the privilege level switching username. |
| | scheme | Password for privilege level switching (configured on the AAA server). The system uses the username used for logging in as the privilege level switching username. | N/A |
| | scheme local | Password for privilege level switching (configured on the AAA server). The system uses the username used for logging in as the privilege level switching username. | Password configured on the device with the super password command for the privilege level |

Changing the level of a command

Every command in a view has a default command level. The default command level scheme is sufficient for the security and ease of maintenance requirements of most networks. If you want to change the level of a command, make sure the change does not result in any security risk or maintenance problem.

To change the level of a command:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Change the level of a command in a specific view.
   Command: command-privilege level level view view command
   Remarks: See Table 7 for the default settings.

Saving the running configuration

You can use the save command in any view to save all submitted and executed commands into the configuration file. Commands saved in the configuration file can survive a reboot. The save command does not take effect on one-time commands, including display and reset commands. One-time commands are never saved.

Displaying and maintaining CLI

Task: Display the command keyword alias configuration.
Command: display command-alias [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display data in the clipboard.
Command: display clipboard [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Login overview

This chapter describes the available CLI login methods and their configuration procedures.

Login methods at a glance

You can access the device only through the console port at the first login, locally or remotely by using a pair of modems. After you log in to the device, you can configure other login methods, including Telnet and SSH, for remote access.

Table 9 Login methods (each login method is followed by its default setting and configuration requirements)

Logging in to the CLI:

• Logging in through the console port for the first time
  By default, login through the console port is enabled, no username or password is required, and the user privilege level is 3.

• Logging in through Telnet
  By default, Telnet service is enabled. To use Telnet service, complete the following configuration tasks:
  • Enable the Telnet server.
  • Assign an IP address to a Layer 3 interface and make sure the interface and the Telnet client can reach each other.
  • Configure the authentication mode for VTY login users (password by default).
  • Configure the user privilege level of VTY login users (0 by default).

• Logging in through SSH
  By default, SSH service is disabled. To use SSH service, complete the following configuration tasks:
  • Enable the SSH function and configure SSH attributes.
  • Assign an IP address to a Layer 3 interface and make sure the interface and the SSH client can reach each other.
  • Enable scheme authentication for VTY login users.
  • Configure the user privilege level of VTY login users (0 by default).

• Modem dial-in through the console port
  By default, modem dial-in is enabled, no username or password is required, and the user privilege level is 3.

Logging in to the Web interface:
  By default, Web login is disabled. To use Web service, complete the following configuration tasks:
  • Assign an IP address to a Layer 3 interface.
  • Configure a local user account for Web login, and assign a user privilege level and the Web service to the account.

Logging in through NMS:
  By default, SNMP login is disabled. To use SNMP service, complete the following configuration tasks:
  • Assign an IP address to a Layer 3 interface, and make sure the interface and the NMS can reach each other.
  • Configure SNMP basic parameters.

User interfaces

The device uses user interfaces (also called lines) to control CLI logins and monitor CLI sessions. You can configure access control settings, including authentication, user privilege, and login redirect on user interfaces. After users are logged in, their actions must be compliant with the settings on the user interfaces assigned to them.

Users are assigned different user interfaces, depending on their login methods, as shown in Table 10.

Table 10 CLI login method and user interface matrix

| User interface | Login method |
|---|---|
| AUX user interface | Console port (EIA/TIA-232 DCE), locally or remotely by using modems |
| Virtual type terminal (VTY) user interface | Telnet or SSH |

User interface assignment

The device automatically assigns user interfaces to CLI login users, depending on their login methods. Each user interface can be assigned to only one user at a time. If no user interface is available, a CLI login attempt will be rejected.

The device provides one AUX user interface and 16 VTY user interfaces.

For a CLI login, the device always picks the lowest numbered user interface from the idle user interfaces available for the type of login. For example, four VTY user interfaces (0 to 3) are configured, of which VTY 0 and VTY 3 are idle. When a user Telnets to the device, the device assigns VTY 0 to the user and uses the settings on VTY 0 to authenticate and manage the user.

User interface numbering

User interfaces are numbered by using absolute numbering or relative numbering.

Absolute numbering

An absolute number uniquely identifies a user interface among all user interfaces. The user interfaces are numbered starting from 0 and incrementing by 1 and in the sequence of AUX and VTY user interfaces. You can use the display user-interface command without any parameters to view supported user interfaces and their absolute numbers.

Relative numbering

A relative number uniquely identifies a user interface among all user interfaces that are the same type. The number format is user interface type + number. All the types of user interfaces are numbered starting from 0 and incrementing by 1. For example, the first AUX user interface is AUX 0, and the second AUX user interface is AUX 1.

Logging in to the CLI

By default, the first time you access the CLI you must log in through the console port, locally or remotely by using a pair of modems. At the CLI, you can configure Telnet or SSH for remote access.

Logging in through the console port for the first time

To log in through the console port, make sure the console terminal has a terminal emulation program (for example, HyperTerminal in Windows XP). In addition, the port settings of the terminal emulation program must be the same as the default settings of the console port in Table 11.

Table 11 Default console port properties

| Parameter | Default |
|---|---|
| Bits per second | 9600 bps |
| Flow control | None |
| Parity | None |
| Stop bits | 1 |
| Data bits | 8 |

To log in through the console port from a console terminal (for example, a PC):

1. Plug the DB-9 female connector of the console cable to the serial port of the PC.

2. Plug the RJ-45 connector of the console cable to the console port of the device.

NOTE:
• Identify the mark on the console port and make sure you are connecting to the correct port.
• The serial ports on PCs do not support hot swapping. If the switch has been powered on, always connect the console cable to the PC before connecting to the switch, and when you disconnect the cable, first disconnect it from the switch.

Figure 4 Connecting a terminal to the console port

3. If the PC is off, turn on the PC. Launch the terminal emulation program and configure the communication properties on the PC. Figure 5 through Figure 7 show the configuration procedure on Windows XP HyperTerminal. Make sure the port settings are the same as listed in Table 11.

NOTE: On Windows Server 2003, add the HyperTerminal program first, and then log in to and manage the device as described in this document. On Windows Server 2008, Windows 7, Windows Vista, or some other operating system, obtain a third-party terminal control program first, and then follow the user guide or online help to log in to the device.

Figure 5 Connection description

Figure 6 Specifying the serial port used to establish the connection

Figure 7 Setting the properties of the serial port

4. Power on the device and press Enter at the prompt.

Figure 8 CLI

5. At the default user view prompt, enter commands to configure the device or view the running status of the device. To get help, enter ?.

Configuring console login control settings

The following authentication modes are available for controlling console logins:

• None—Requires no authentication. This mode is insecure.
• Password—Requires password authentication. If your password was lost, see HP Series Ethernet Switches Login Password Recovery Manual for password recovery.
• Scheme—Uses the AAA module to provide local or remote console login authentication. You must provide a username and password for accessing the CLI. If the password configured in the local user database was lost, see HP Series Ethernet Switches Login Password Recovery Manual for password recovery. If the username or password configured on a remote server was lost, contact the server administrator for help.

By default, console login does not require authentication. Any user can log in through the console port without authentication and have user privilege level 3. To improve device security, configure the password or scheme authentication mode immediately after you log in to the device for the first time.

Table 12 Configuration required for different console login authentication modes

Authentication mode: None
  Configuration tasks: Set the authentication mode to none for the AUX user interface.
  Reference: Configuring none authentication for console login

Authentication mode: Password
  Configuration tasks: Enable password authentication on the AUX user interface. Set a password.
  Reference: Configuring password authentication for console login

Authentication mode: Scheme
  Configuration tasks: Enable scheme authentication on the AUX user interface. Configure local or remote authentication settings.
  To configure local authentication:
  • Configure a local user and specify the password.
  • Configure the device to use local authentication.
  To configure remote authentication:
  • Configure the RADIUS or HWTACACS scheme on the device. Configure the username and password on the AAA server.
  • Configure the device to use the scheme for user authentication.
  Reference: Configuring scheme authentication for console login

Configuring none authentication for console login

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AUX user interface view.
   Command: user-interface aux first-number [ last-number ]
   Remarks: N/A

3. Enable the none authentication mode.
   Command: authentication-mode none
   Remarks: By default, you can log in to the device through the console port without authentication and have user privilege level 3.

4. Configure common settings for console login.
   Command: See Configuring common console login settings (optional).
   Remarks: Optional.

The next time you attempt to log in through the console port, you do not need to provide any username or password, as shown in Figure 9.

Figure 9 Accessing the CLI through the console port without authentication

Configuring password authentication for console login

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AUX user interface view.
   Command: user-interface aux first-number [ last-number ]
   Remarks: N/A

3. Enable password authentication.
   Command: authentication-mode password
   Remarks: By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login.

4. Set a password.
   Command: set authentication password { cipher | simple } password
   Remarks: By default, no password is set.

5. Configure common settings for console login.
   Command: See Configuring common console login settings (optional).
   Remarks: Optional.

The next time you attempt to log in through the console port, you must provide the configured login password, as shown in Figure 10.

Figure 10 Password authentication interface for console login

Configuring scheme authentication for console login

Follow these guidelines when you configure scheme authentication for console login:

• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
• If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.
• If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.

To configure scheme authentication for console login:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AUX user interface view.
   Command: user-interface aux first-number [ last-number ]
   Remarks: N/A

3. Enable scheme authentication.
   Command: authentication-mode scheme
   Remarks: Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, console login users are not authenticated.
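
An added example (not from the HP guide): a Python audit of a saved configuration that resolves each user interface's effective login authentication from the defaults stated above, so a block with no authentication-mode line is still reported. It assumes the configuration lists each user-interface block at the start of a line with its settings indented beneath it; the sample text is constructed.

```python
import re

# Defaults stated in this guide: console (AUX) logins need no authentication and
# get privilege level 3; VTY logins use password authentication and get level 0.
DEFAULTS = {"aux": ("none", 3), "vty": ("password", 0)}
HEAD = re.compile(r"user-interface (aux|vty) (\d+)(?: (\d+))?$")
MODE = re.compile(r"authentication-mode (none|password|scheme)$")
LEVEL = re.compile(r"user privilege level (\d+)$")

def effective_settings(config_text):
    """Return (name, mode, source, level) for each user-interface block.

    'level' is the user-interface level; under scheme authentication the
    level comes from the local user or the AAA server instead.
    """
    blocks, cur = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        head = HEAD.match(line)
        if head and not raw[:1].isspace():
            kind, first, last = head.groups()
            name = f"{kind} {first}" + (f"-{last}" if last else "")
            mode, level = DEFAULTS[kind]
            cur = {"name": name, "mode": mode, "source": "default", "level": level}
            blocks.append(cur)
        elif cur is not None and raw[:1].isspace():
            if (m := MODE.match(line)):
                cur["mode"], cur["source"] = m.group(1), "explicit"
            elif (m := LEVEL.match(line)):
                cur["level"] = int(m.group(1))
        else:
            cur = None  # any other top-level line ends the block
    return [(b["name"], b["mode"], b["source"], b["level"]) for b in blocks]

def unauthenticated(config_text):
    """User interfaces that admit a login with no credentials at all."""
    return [s for s in effective_settings(config_text) if s[1] == "none"]

# Constructed sample, not taken from a real device.
SAMPLE = """\
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
user-interface vty 5 15
 authentication-mode none
 user privilege level 1
#
"""

if __name__ == "__main__":
    for name, mode, source, level in unauthenticated(SAMPLE):
        print(f"{name}: authentication-mode {mode} ({source}), level {level}")
```

The AUX entry in the sample is reported even though its block is empty, because the absence of an authentication-mode line leaves the console at its default of no authentication with privilege level 3.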