Configuring the device as a Telnet server
Tasks at a glance |
---|
(Required.) Enabling Telnet server |
(Required.) Perform one of the following tasks: |
(Optional.) Setting the maximum number of concurrent Telnet users |
(Optional.) Setting the DSCP value for outgoing Telnet packets |
(Optional.) Configuring common VTY line settings |
Telnet login configuration changes do not take effect for current online users. They take effect only for new login users.
Enabling Telnet server
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the Telnet server. | telnet server enable | By default, the Telnet server is disabled. |
Disabling authentication for Telnet login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VTY line view or class view. | | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Disable authentication. | authentication-mode none | In non-FIPS mode, password authentication is enabled for VTY lines by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
4. (Optional.) Assign a user role. | user-role role-name | By default, a VTY line user is assigned the network-operator user role. |
After you finish this configuration task, a user can Telnet to the device without authentication, as shown in the following example:
```
******************************************************************************
* Copyright (c) 2010-2018 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
<HPE>
```
If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.
Configuring password authentication for Telnet login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VTY line view or class view. | | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Enable password authentication. | authentication-mode password | In non-FIPS mode, password authentication is enabled for VTY lines by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
4. Set a password. | set authentication password { hash | simple } password | By default, no password is set. |
5. (Optional.) Assign a user role. | user-role role-name | By default, a VTY line user is assigned the network-operator user role. |
After you finish this configuration task, a user must provide the configured password when Telnetting to the device, as shown in the following example:
```
******************************************************************************
* Copyright (c) 2010-2018 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
Password:
<HPE>
```
If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.
Configuring scheme authentication for Telnet login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VTY line view or class view. | | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Enable scheme authentication. | authentication-mode scheme | In non-FIPS mode, password authentication is enabled for VTY lines by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
To use scheme authentication, you must also perform the following tasks:
Configure login authentication methods in ISP domain view.
For remote authentication, configure a RADIUS, HWTACACS, or LDAP scheme.
For local authentication, create a local user account and configure the relevant attributes.
For more information, see Security Configuration Guide.
After you finish this configuration task, a user must provide the configured username and password when Telnetting to the device, as shown in the following example:
```
******************************************************************************
* Copyright (c) 2010-2018 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
login: admin
Password:
<HPE>
```
If the maximum number of login users has been reached, the login attempt fails and the message "All lines are used, please try later!" appears.
Setting the maximum number of concurrent Telnet users
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the maximum number of concurrent Telnet users. | aaa session-limit telnet max-sessions | The default is 32. Changing this setting does not affect users who are currently online. If the new limit is less than the number of online Telnet users, no additional users can Telnet in until the number drops below the new limit. For more information about this command, see Security Command Reference. |
Setting the DSCP value for outgoing Telnet packets
The DSCP value is carried in the ToS or Traffic class field of an IP or IPv6 packet to indicate the transmission priority of the packet.
To set the DSCP value for outgoing Telnet packets:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the DSCP value for outgoing Telnet packets. | | By default, the DSCP value is 48. |
Specifying the Telnet service port number
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify the Telnet service port number. | | By default, the Telnet service port number is 23. |
Configuring common VTY line settings
For a VTY line, you can specify a command that is to be automatically executed when a user logs in. After executing the specified command, the system automatically disconnects the Telnet session. Typically, you configure the auto-execute command telnet X.X.X.X command on the device so the device redirects a Telnet user to the host at X.X.X.X. The connection to the current device is closed when the user terminates the Telnet connection to X.X.X.X.
To configure common settings for VTY lines:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VTY line view or class view. | | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Enable the terminal service. | shell | By default, the terminal service is enabled on all user lines. |
4. Specify the supported protocols. | protocol inbound { all | ssh | telnet } | By default, both Telnet and SSH are supported. A protocol change does not take effect for current online users. It takes effect only for new login users. In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
5. Specify the shortcut key for terminating a task. | escape-key { character | default } | The default setting is Ctrl+C. |
6. Set the user line locking key. | lock-key key-string | By default, no user line locking key is set. |
7. Specify the terminal display type. | terminal type { ansi | vt100 } | The default terminal display type is ANSI. |
8. Set the maximum number of lines of command output to send to the terminal at a time. | screen-length screen-length | By default, the device sends up to 24 lines to the terminal at a time when pausing between screens of output is enabled. To disable pausing between screens of output, set the value to 0. |
9. Set the size for the command history buffer. | history-command max-size value | The default size is 10 history commands. |
10. Set the CLI connection idle-timeout timer. | idle-timeout minutes [ seconds ] | By default, the CLI connection idle-timeout timer is 10 minutes. If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line. If you set the timeout timer to 0, the connection will not be aged out. |
11. Specify the command to be automatically executed for login users on the user lines. | auto-execute command command | By default, no command is specified for auto execution. |
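The precedence and association rules in the Remarks columns decide which authentication-mode and protocol inbound values a VTY line actually uses. The following audit helper is an added example, not part of the original guide or of HPE software: it works out the effective pair for each line and reports lines that accept Telnet without authentication. The saved-configuration layout (`line class vty` and `line vty first [last]` stanzas with indented sub-commands), the function names, and the sample text are assumptions made for illustration.

```python
import re

# Non-FIPS defaults from the page; SAMPLE is constructed and its layout is assumed.
DEFAULTS = {"authentication-mode": "password", "protocol inbound": "all"}
SAMPLE = """\
telnet server enable
line class vty
 authentication-mode scheme
 protocol inbound ssh
line vty 0 3
 user-role network-operator
line vty 4
 authentication-mode none
line vty 5
 protocol inbound telnet
"""

def parse_vty(config):
    """Collect non-default settings from class view and from each line view."""
    cls, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", text)
        if text == "line class vty":
            current = [cls]
        elif m:
            first, last = int(m[1]), int(m[2] or m[1])
            current = [lines.setdefault(n, {}) for n in range(first, last + 1)]
        elif not raw.startswith(" "):
            current = None  # any other top-level command ends the stanza
        elif current:
            for key, default in DEFAULTS.items():
                if text.startswith(key + " ") and text[len(key) + 1:] != default:
                    for view in current:
                        view[key] = text[len(key) + 1:]
    return cls, lines

def effective_lines(config):
    """Effective settings per listed VTY line under the page's precedence rules."""
    cls, lines = parse_vty(config)
    # Non-default line-view values reset the paired command; else class view applies.
    return {n: {**DEFAULTS, **(line or cls)} for n, line in lines.items()}

def unauthenticated_telnet(config):
    """Lines accepting Telnet with authentication-mode none (server must be enabled)."""
    enabled = "telnet server enable" in map(str.strip, config.splitlines())
    return sorted(n for n, eff in effective_lines(config).items()
                  if enabled and eff["authentication-mode"] == "none"
                  and eff["protocol inbound"] in ("all", "telnet"))
```

In the sample, VTY 4 is reported even though class view restricts the lines to SSH, because setting authentication-mode in line view returns protocol inbound to its default on that line.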