Configuring the device as a Telnet server

Telnet login configuration changes do not take effect for current online users. They take effect only for new login users.

Enabling Telnet server

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable the Telnet server.
   Command: telnet server enable
   Remarks: By default, the Telnet server is disabled.

Disabling authentication for Telnet login

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VTY line view or class view.
   Command:
     • Enter VTY line view: line vty first-number [ last-number ]
     • Enter VTY line class view: line class vty
   Remarks:
     A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.
     A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.
     A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3. Disable authentication.
   Command: authentication-mode none
   Remarks:
     In non-FIPS mode, password authentication is enabled for VTY lines by default.
     In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

4. (Optional.) Assign a user role.
   Command: user-role role-name
   Remarks: By default, a VTY line user is assigned the network-operator user role.

After you finish this configuration task, a user can Telnet to the device without authentication, as shown in the following example:

******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************



<HPE>

If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.

Configuring password authentication for Telnet login

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VTY line view or class view.
   Command:
     • Enter VTY line view: line vty first-number [ last-number ]
     • Enter VTY line class view: line class vty
   Remarks:
     A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.
     A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.
     A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3. Enable password authentication.
   Command: authentication-mode password
   Remarks:
     In non-FIPS mode, password authentication is enabled for VTY lines by default.
     In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

4. Set a password.
   Command: set authentication password { hash | simple } password
   Remarks: By default, no password is set.

5. (Optional.) Assign a user role.
   Command: user-role role-name
   Remarks: By default, a VTY line user is assigned the network-operator user role.

After you finish this configuration task, a user must provide the configured password when Telnetting to the device, as shown in the following example:

******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

Password:
<HPE>

If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.

Configuring scheme authentication for Telnet login

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VTY line view or class view.
   Command:
     • Enter VTY line view: line vty first-number [ last-number ]
     • Enter VTY line class view: line class vty
   Remarks:
     A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.
     A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.
     A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3. Enable scheme authentication.
   Command: authentication-mode scheme
   Remarks:
     In non-FIPS mode, password authentication is enabled for VTY lines by default.
     In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.
     To use scheme authentication, you must also perform the following tasks:
     For more information, see Security Configuration Guide.

After you finish this configuration task, a user must provide the configured username and password when Telnetting to the device, as shown in the following example:

******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

login: admin
Password:
<HPE>

If the maximum number of login users has been reached, the login attempt fails and the message "All lines are used, please try later!" appears.

Setting the maximum number of concurrent Telnet users

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the maximum number of concurrent Telnet users.
   Command: aaa session-limit telnet max-sessions
   Remarks:
     The default is 32.
     Changing this setting does not affect users who are currently online. If the new limit is less than the number of online Telnet users, no additional users can Telnet in until the number drops below the new limit.
     For more information about this command, see Security Command Reference.

Setting the DSCP value for outgoing Telnet packets

The DSCP value is carried in the ToS or Traffic class field of an IP or IPv6 packet to indicate the transmission priority of the packet.

To set the DSCP value for outgoing Telnet packets:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the DSCP value for outgoing Telnet packets.
   Command:
     • For a Telnet server running IPv4: telnet server dscp dscp-value
     • For a Telnet server running IPv6: telnet server ipv6 dscp dscp-value
   Remarks: By default, the DSCP value is 48.

Configuring common VTY line settings

For a VTY line, you can specify a command that is to be automatically executed when a user logs in. After executing the specified command, the system automatically disconnects the Telnet session. Typically, you configure the auto-execute command telnet X.X.X.X command on the device so the device redirects a Telnet user to the host at X.X.X.X. The connection to the current device is closed when the user terminates the Telnet connection to X.X.X.X.

To configure common settings for VTY lines:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter VTY line view or class view.
   Command:
     • Enter VTY line view: line vty first-number [ last-number ]
     • Enter VTY line class view: line class vty
   Remarks:
     A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.
     A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.
     A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3. Enable the terminal service.
   Command: shell
   Remarks: By default, the terminal service is enabled on all user lines.

4. Specify the supported protocols.
   Command: protocol inbound { all | ssh | telnet }
   Remarks:
     By default, both Telnet and SSH are supported.
     A protocol change does not take effect for current online users. It takes effect only for new login users.
     In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

5. Specify the shortcut key for terminating a task.
   Command: escape-key { character | default }
   Remarks: The default setting is Ctrl+C.

6. Set the user line locking key.
   Command: lock-key key-string
   Remarks: By default, no user line locking key is set.

7. Specify the terminal display type.
   Command: terminal type { ansi | vt100 }
   Remarks: The default terminal display type is ANSI.

8. Set the maximum number of lines of command output to send to the terminal at a time.
   Command: screen-length screen-length
   Remarks:
     By default, the device sends up to 24 lines to the terminal at a time when pausing between screens of output is enabled.
     To disable pausing between screens of output, set the value to 0.

9. Set the size for the command history buffer.
   Command: history-command max-size value
   Remarks: The default size is 10 history commands.

10. Set the CLI connection idle-timeout timer.
   Command: idle-timeout minutes [ seconds ]
   Remarks:
     By default, the CLI connection idle-timeout timer is 10 minutes.
     If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line.
     If you set the timeout timer to 0, the connection will not be aged out.

11. Specify the command to be automatically executed for login users on the user lines.
   Command: auto-execute command command
   Remarks: By default, no command is specified for auto execution.


IMPORTANT:

Before you configure this command and save the configuration, make sure you can access the CLI to modify the configuration through other VTY user lines or AUX user lines.
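
The view-precedence rule and the authentication-mode/protocol inbound association rule in the remarks above decide which VTY lines actually accept unauthenticated or Telnet logins. This added Python example, which is not HPE code, resolves the effective settings per line from a constructed configuration and reports the weak ones. The "#"-separated layout, the function names, and the reading that two non-default line-view values are both honored are assumptions.

```python
import re
# Defaults the page states for VTY lines (non-FIPS mode).
DEFAULTS = {"authentication-mode": "password", "protocol inbound": "all"}
# Constructed sample; the "#"-separated section layout is an assumption.
SAMPLE = "\n#\n".join([
    " telnet server enable",
    "line class vty\n authentication-mode scheme\n protocol inbound ssh",
    "line vty 0 4\n authentication-mode none",
    "line vty 5 9\n protocol inbound telnet",
    "line vty 10 63",
])

def parse_vty(config):
    """Return (class-view settings, {vty number: line-view settings})."""
    cls, lines, target = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", text)
        if text == "line class vty":
            target = [cls]
        elif m:
            last = int(m[2] or m[1])
            target = [lines.setdefault(n, {}) for n in range(int(m[1]), last + 1)]
        elif not raw.startswith(" "):
            target = None  # "#" or another top-level section closes the view
        elif target:
            key = next((k for k in DEFAULTS if text.startswith(k + " ")), None)
            for view in (target if key else []):
                view[key] = text[len(key) + 1:]
    return cls, lines

def effective(cls, line):
    # A line-view non-default wins. If the line view holds one, the associated
    # command uses its default and class view is ignored; else class view applies.
    nd = {k: v for k, v in line.items() if v != DEFAULTS[k]}
    return {k: nd.get(k, DEFAULTS[k] if nd else cls.get(k, DEFAULTS[k])) for k in DEFAULTS}

def audit(config):
    """Return {vty number: findings} for lines with weak login settings."""
    cls, lines = parse_vty(config)
    telnet_on = re.search(r"^\s*telnet server enable\s*$", config, re.M) is not None
    report = {}
    for n in sorted(lines):
        eff = effective(cls, lines[n])
        found = ["no authentication"] if eff["authentication-mode"] == "none" else []
        if telnet_on and eff["protocol inbound"] in ("all", "telnet"):
            found.append("telnet accepted")
        report[n] = found
    return {n: f for n, f in report.items() if f}
```

In the sample, the class view restricts all lines to SSH with scheme authentication, yet VTY 0 to 4 end up accepting unauthenticated Telnet because setting authentication-mode none in line view returns protocol inbound to its default.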