Configuring Telnet login on the device
Task | Remarks |
---|---|
(Required.) Configuring login authentication: | Configure one authentication mode as required. |
(Optional.) Setting the maximum number of concurrent Telnet users | N/A |
(Optional.) Setting the DSCP value for outgoing Telnet packets | N/A |
(Optional.) Configuring common VTY line settings | N/A |
Telnet login configuration changes do not take effect for current online users. They take effect only for new login users.
Disabling authentication for Telnet login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable Telnet server. | telnet server enable | By default, the Telnet server feature is disabled. |
3. Enter VTY line view or class view. | | A setting in user line view is applied only to the user line. A setting in user line class view is applied to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line view takes effect immediately and affects the online user. A setting in user line class view does not affect online users and takes effect only for new login users. |
4. Disable authentication. | authentication-mode none | By default, password authentication is enabled for VTY lines. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for only one of the two commands in VTY line view, the other command uses the default setting, regardless of the setting in VTY line class view. |
5. (Optional.) Assign a user role. | user-role role-name | By default, a VTY line user is assigned the user role network-operator. |
The next time you Telnet to the device, you do not need to provide a username or password, as shown in the following example:
```
******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<Sysname>
```
If the maximum number of login users has been reached, your login attempt fails and the device displays the "All user lines are used, please try later!" message.
Configuring password authentication for Telnet login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable Telnet server. | telnet server enable | By default, the Telnet server feature is disabled. |
3. Enter VTY line view or class view. | | A setting in user line view is applied only to the user line. A setting in user line class view is applied to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line view takes effect immediately and affects the online user. A setting in user line class view does not affect online users and takes effect only for new login users. |
4. Enable password authentication. | authentication-mode password | By default, password authentication is enabled for VTY lines. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for only one of the two commands in VTY line view, the other command uses the default setting, regardless of the setting in VTY line class view. |
5. Set a password. | set authentication password { hash | simple } password | By default, no password is set. |
6. (Optional.) Assign a user role. | user-role role-name | By default, a VTY line user is assigned the user role network-operator. |
The next time you Telnet to the device, you must provide the configured login password, as shown in the following example:
```
******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

Password:
<Sysname>
```
If the maximum number of login users has been reached, your login attempt fails and the device displays the "All user lines are used, please try later!" message.
Configuring scheme authentication for Telnet login
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable Telnet server. | telnet server enable | By default, the Telnet server feature is disabled. |
3. Enter VTY line view or class view. | | A setting in user line view is applied only to the user line. A setting in user line class view is applied to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line view takes effect immediately and affects the online user. A setting in user line class view does not affect online users and takes effect only for new login users. |
4. Enable scheme authentication. | authentication-mode scheme | By default, password authentication is enabled for VTY lines. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for only one of the two commands in VTY line view, the other command uses the default setting, regardless of the setting in VTY line class view. |
To use scheme authentication, you must also perform the following tasks:
- Configure login authentication methods in ISP domain view.
- To use remote authentication, configure the scheme to be used.
- To use local authentication, configure a local user and the relevant attributes.

For more information, see Security Configuration Guide.
The next time you Telnet to the CLI, you must provide the configured login username and password, as shown in the following example:
```
******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

login: admin
Password:
<Sysname>
```
If the maximum number of login users has been reached, your login attempt fails and the device displays the "All user lines are used, please try later!" message.
Setting the maximum number of concurrent Telnet users
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the maximum number of concurrent Telnet users. | aaa session-limit telnet max-sessions | By default, the maximum number of concurrent Telnet users is 32. Changing this setting does not affect online users. If the current number of online Telnet users is equal to or greater than the new setting, no additional Telnet users can log in until online users log out. For more information about this command, see Security Command Reference. |
Setting the DSCP value for outgoing Telnet packets
The DSCP value is carried in the ToS/Traffic class field of an IP or IPv6 packet, and it indicates the transmission priority of the packet.
To set the DSCP value for outgoing Telnet packets:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the DSCP value for outgoing Telnet packets. | | By default, the DSCP value is 48. |
Configuring common VTY line settings
For a VTY line, you can specify a command that is to be automatically executed when a user logs in. After executing the specified command, the system automatically disconnects the Telnet session. Before you configure this feature and save the configuration, make sure you can access the CLI through a different user line.
Typically, you configure the auto-execute command telnet X.X.X.X command on the device so the device redirects a Telnet user to the host at X.X.X.X. In this case, the connection to the current device is closed when the user terminates the Telnet connection to X.X.X.X.
To configure common settings for VTY lines:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VTY line view or class view. | | A setting in user line view is applied only to the user line. A setting in user line class view is applied to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line view takes effect immediately and affects the online user. A setting in user line class view does not affect online users and takes effect only for new login users. |
3. Enable the terminal service. | shell | By default, terminal service is enabled. |
4. Specify the protocols for the user lines to support. | protocol inbound { all | ssh | telnet } | By default, both Telnet and SSH are supported. A protocol change does not take effect for current online users. It takes effect only for new login users. In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for only one of the two commands in VTY line view, the other command uses the default setting, regardless of the setting in VTY line class view. |
5. Define a shortcut key for terminating tasks. | escape-key { character | default } | By default, pressing Ctrl+C terminates a task. |
6. Specify the terminal display type. | terminal type { ansi | vt100 } | By default, the terminal display type is ANSI. |
7. Set the maximum number of lines to be displayed on a screen. | screen-length screen-length | By default, up to 24 lines are displayed on a screen. A value of 0 disables the feature. |
8. Set the size of the command history buffer. | history-command max-size value | By default, the buffer saves 10 history commands. |
9. Set the CLI connection idle-timeout timer. | idle-timeout minutes [ seconds ] | By default, the CLI connection idle-timeout timer is 10 minutes. If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line. If you set the timeout timer to 0, the connection will not be aged out. |
10. Specify a command to be automatically executed when users log in to the user lines. | auto-execute command command | By default, no automatically executed command is specified. |
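
The precedence remarks repeated in the tables above decide which authentication mode and protocol a VTY line actually ends up with. The following added example, which is not part of the original guide, resolves the effective settings from a constructed configuration excerpt and reports VTY lines that accept Telnet without authentication or whose idle-timeout is disabled; the line class vty and line vty section headers, the excerpt layout, and the function names are assumptions of this example, and only explicitly configured line ranges are evaluated.

```python
import re
DEFAULTS = {"authentication-mode": "password", "protocol inbound": "all",
            "idle-timeout": "10"}  # defaults stated in the tables above
PAIRED = ("authentication-mode", "protocol inbound")
SAMPLE = """\
line class vty
 authentication-mode scheme
 protocol inbound ssh
#
line vty 0 4
 authentication-mode none
#
line vty 5 63
 idle-timeout 0 0
"""  # constructed excerpt; "line class vty"/"line vty" headers are assumed

def parse(config):
    """Return (class_settings, {(first, last): line_settings}), non-defaults only."""
    cls, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", text)
        if text == "line class vty":
            current = cls
        elif m:
            current = lines.setdefault((int(m[1]), int(m[2] or m[1])), {})
        elif not raw.startswith(" "):
            current = None  # "#" or another section closes the view
        elif current is not None:
            for key, default in DEFAULTS.items():
                if text.startswith(key + " ") and text[len(key) + 1:] != default:
                    current[key] = text[len(key) + 1:]
    return cls, lines

def effective(cls, line):
    """Line view > class view > default, with the paired-command exception."""
    eff = {k: line.get(k, cls.get(k, d)) for k, d in DEFAULTS.items()}
    if any(k in line for k in PAIRED):  # one paired command set in line view:
        # the other uses its default, regardless of the class view setting
        eff.update({k: line.get(k, DEFAULTS[k]) for k in PAIRED})
    return eff

def audit(config):
    (cls, lines), findings = parse(config), []
    for (first, last), line in sorted(lines.items()):
        eff = effective(cls, line)
        if eff["protocol inbound"] != "ssh" and eff["authentication-mode"] == "none":
            findings.append((first, last, "telnet-without-authentication"))
        if not any(int(n) for n in eff["idle-timeout"].split()):
            findings.append((first, last, "idle-timeout-disabled"))
    return findings
```

In the sample, lines 0 to 4 set only authentication-mode none in line view, so protocol inbound falls back to its default of both Telnet and SSH and the SSH-only setting in the class view does not apply to them.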