manualshive.com logo in svg

H3C WA4600 Series, Fundamentals Configuration Manual, Page: 44 / 119

Share
Download
H3C WA4600 Series Fundamentals Configuration Manual Download Page 44

 

17 

Command  accounting  allows  the  HWTACACS  server  to  record  all  commands  executed  by  users, 

regardless of command execution results. This function helps control and monitor user behaviors on the 
device. If command accounting is enabled and command authorization is not enabled, every executed 

command is recorded on the HWTACACS server. If both command accounting and command 

authorization are enabled, only the authorized and executed commands are recorded on the 

HWTACACS server. 
Follow these guidelines when you configure the SSH server: 

 

To make the command authorization or command accounting function take effect, apply an 
HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the 

authorization server and other authorization parameters.  

 

If the local authentication scheme is used, use the 

authorization-attribute level 

level command in 

local user view to set the user privilege level on the device. 

 

If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the 
RADIUS or HWTACACS server.  

The SSH client authentication method is password in this configuration procedure. For more information 

about SSH and publickey authentication, see 

Security Configuration Guide. 

To configure the SSH server on the device: 

 

Step Command 

Remarks 

1.

 

Enter system view. 

system-view 

N/A 

2.

 

Create local key pairs. 

public-key local create 

ecdsa

 | 

rsa 

By default, no local key pairs are 
created. 

3.

 

Enable SSH server. 

ssh server enable 

By default, SSH server is disabled. 

4.

 

Enter one or multiple VTY user 
interface views. 

user-interface vty

 

first

-

number

 

last-number 

N/A 

5.

 

Enable scheme 

authentication. 

authentication-mode scheme

 

By default, password 
authentication is enabled on VTY 
user interfaces. 

6.

 

Enable the user interfaces to 

support Telnet, SSH, or both of 
them. 

protocol inbound

 { 

all

 | 

ssh

 } 

Optional. 
By default, both Telnet and SSH are 
supported. 

7.

 

Enable command 
authorization. 

command authorization 

Optional. 
By default, command authorization 

is disabled. The commands 
available for a user only depend 

on the user privilege level. 

8.

 

Enable command accounting. 

command accounting 

Optional. 
By default, command accounting is 
disabled. The accounting server 

does not record the commands 
executed by users. 

9.

 

Exit to system view. 

quit 

N/A 

Summary of Contents for WA4600 Series

Page 1: ...ess Points Fundamentals Configuration Guide New H3C Technologies Co Ltd http www h3c com Software version WA4600 CMW520 R1507P09 WA4300 CMW520 R1507P09 WA4300S CMW520 R1507P09 Document version 6W101 2...

Page 2: ...SecBlade Comware ITCMM and HUASAN are trademarks of New H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The informa...

Page 3: ...ons used in the documentation Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown Italic Italic text represents arguments t...

Page 4: ...or damage to hardware or software IMPORTANT An alert that calls attention to essential information NOTE An alert that contains additional or supplementary information TIP An alert that provides helpfu...

Page 5: ...rovided in this document Examples in this document might use devices that differ from your device in hardware model configuration or software version It is normal that the port numbers sample output s...

Page 6: ...d aliases 6 Configuring and using hotkeys 6 Enabling redisplaying entered but not submitted commands 7 Understanding command line error messages 8 Using the command history function 8 Viewing history...

Page 7: ...xt represents arguments that you replace with actual values Square brackets enclose syntax choices keywords or arguments that are optional x y Braces enclose a set of required syntax choices separated...

Page 8: ...o For example the prompt Sysname vlan100 shows that you are in VLAN 100 view and can configure attributes for that VLAN You are placed in user view immediately after you are logged in to the CLI The u...

Page 9: ...connection to the device In public key code view use the public key code end command to return to the upper level view public key view In public key view use the peer public key end command to return...

Page 10: ...ds and arguments If you type a question mark in place of a keyword the CLI displays all possible keyword matches with a brief description for each keyword For example Sysname terminal debugging Send d...

Page 11: ...eyword for the incomplete one and displays what you entered in the next line If there is more than one match you can press Tab repeatedly to pick the keyword you want to enter If there is no match the...

Page 12: ...ultiple aliases the system gives you a prompt Configuration procedure To configure a command keyword alias Step Command Remarks 1 Enter system view system view N A 2 Enable the command keyword alias f...

Page 13: ...trl P Displays the previous command in the command history buffer Ctrl R Redisplays the current line Ctrl V Pastes text from the clipboard Ctrl W Deletes the word to the left of the cursor Ctrl X Dele...

Page 14: ...ter sequence matches more than one command Too many parameters The entered character sequence contains excessive keywords or arguments Wrong parameter found at position The argument in the marked posi...

Page 15: ...g the command history buffer size for user interfaces Step Command Remarks 1 Enter system view system view N A 2 Enter user interface view user interface first num1 last num1 console vty first num2 la...

Page 16: ...pression option at the end of the command When the system pauses after displaying a screen of output enter a forward slash minus sign or plus sign and a regular expression to filter subsequent output...

Page 17: ...mple string There is no such limit on A character group It is usually used with or 123A means a character group 123A 408 12 matches 40812 or 408121212 But it does not match 408 index Repeats the chara...

Page 18: ...tring containing matches a string containing and b matches a string containing b The following are several regular expression examples Use begin user interface in the display current configuration com...

Page 19: ...ll configuration commands except for those at manage level 3 Manage Includes commands that influence the basic operation of the system and commands for configuring system support modules By default co...

Page 20: ...not configure the user privilege level the user privilege level depends on the default configuration of the authentication server For more information about the local user and authorization attribute...

Page 21: ...m2 N A 3 Configure the authentication mode for any user who uses the current user interface to log in to the device authentication mode none password Optional By default the authentication mode for VT...

Page 22: ...TP connection tracert Trace route function undo Cancel current setting Configure the device to perform password authentication for Telnet users and to authorize authenticated Telnet users to use the c...

Page 23: ...DIUS server for remote authentication To use this mode you must perform the following configuration tasks Configure the required HWTACACS or RADIUS schemes and configure the ISP domain to use the sche...

Page 24: ...n authentication mode Level switching authentication mode Information required for the first authentication mode Information required for the second authentication mode none password local Password co...

Page 25: ...the change does not result in any security risk or maintenance problem To change the level of a command Step Command Remarks 1 Enter system view system view N A 2 Change the level of a command in a s...

Page 26: ...ng in through SSH 16 Configuring the SSH server on the device 16 Using the device to log in to an SSH server 18 Displaying and maintaining CLI login 19 Logging in to the Web interface 20 Configuring H...

Page 27: ...procedure 34 SNMP login control configuration example 35 Configuring Web login control 36 Configuring source IP based Web login control 36 Logging off online Web users 36 Web login control configurat...

Page 28: ...vice complete the following configuration tasks Enable the SSH server function and configure SSH attributes Assign an IP address to a Layer 3 interface and make sure the interface and the SSH client c...

Page 29: ...aces varies by device For a CLI login the device always picks the lowest numbered user interface from the idle user interfaces available for the type of login For example four VTY user interfaces 0 to...

Page 30: ...console port in Table 3 Table 3 Default console port properties Parameter Default Bits per second 9600 bps Flow control None Parity None Stop bits 1 Data bits 8 To log in through the console port fro...

Page 31: ...port settings are the same as listed in Table 3 On Windows Server 2003 add the HyperTerminal program first and then log in to and manage the device as described in this document On Windows Server 200...

Page 32: ...to access the CLI For more information about AAA see Security Configuration Guide By default console login does not require authentication Any user can log in through the console port without authenti...

Page 33: ...face console first number last number N A 3 Enable none authentication mode authentication mode none By default you can log in to the device through the console port without authentication and have us...

Page 34: ...nd executed commands are recorded on the HWTACACS server Follow these guidelines when you configure scheme authentication for console login To make the command authorization or command accounting func...

Page 35: ...al user view local user user name N A 9 Set an authentication password for the local user password cipher simple password N A 10 Specifies a command level of the local user authorization attribute lev...

Page 36: ...r Telnet terminal or both are set to ANSI when the total number of characters of the currently edited command line exceeds 80 an anomaly such as cursor corruption or abnormal display of the terminal d...

Page 37: ...s a Telnet server configure login authentication and user privilege levels for Telnet users The following are authentication modes available for controlling Telnet logins None Requires no authenticati...

Page 38: ...N A 2 Enable Telnet server telnet server enable By default the Telnet server function is enabled 3 Enter one or multiple VTY user interface views user interface vty first number last number N A 4 Enab...

Page 39: ...authorization is enabled a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme Command accounting allows the HWTACAC...

Page 40: ...tem view quit N A 8 Apply an AAA authentication scheme to the intended domain a Enter ISP domain view domain domain name b Apply an AAA scheme to the domain authentication default hwtacacs scheme hwta...

Page 41: ...er one or multiple VTY user interface views user interface vty first number last number N A 3 Enable the terminal service shell Optional By default terminal service is enabled 4 Enable the user interf...

Page 42: ...task the system automatically disconnect the Telnet session Using the device to log in to a Telnet server You can use the device as a Telnet client to log in to a Telnet server If the server is locat...

Page 43: ...ble 7 SSH server and client requirements Device role Requirements SSH server Assign an IP address to a Layer 3 interface and make sure the interface and the client can reach each other Configure the a...

Page 44: ...IUS or HWTACACS server The SSH client authentication method is password in this configuration procedure For more information about SSH and publickey authentication see Security Configuration Guide To...

Page 45: ...password N A 13 Specify the command level of the user authorization attribute level level Optional 14 Specify SSH service for the user service type ssh N A 15 Exit to system view quit N A 16 Create an...

Page 46: ...Display user interface information display user interface num1 console vty num2 summary begin exclude include regular expression Available in any view Display the configuration of the device when it s...

Page 47: ...TTPS login are separate login methods To use HTTPS login you do not need to configure HTTP login Table 8 shows the basic Web login configuration requirements Table 8 Basic Web login configuration requ...

Page 48: ...local user and enter local user view local user user name N A 9 Configure a password for the local user password cipher simple password N A 10 Specify the command level of the local user authorizatio...

Page 49: ...Web login web captcha verification code Optional By default no fixed verification code is configured for Web login and a Web user must enter the verification code provided on the login page at login...

Page 50: ...ional The default HTTPS service port number is 443 7 Associate the HTTPS service with an ACL ip https acl acl number By default the HTTPS service is not associated with any ACL The device allows only...

Page 51: ...an interface id If the VLAN interface already exists the command enters its view You could replace this VLAN interface with any other Layer 3 interface as appropriate 17 Assign an IP address and subne...

Page 52: ...e1 quit Create a local user named admin and set the password to admin for the user Specify the Web service type for the local user and set the command level to 3 for this user Sysname local user admin...

Page 53: ...thorized users to access the AP s Web interface configure the AP as the HTTPS server and the host as the HTTPS client Request a certificate for each of them Figure 11 Network diagram Configuration pro...

Page 54: ...f the modulus default 1024 Generating Keys Retrieve the CA certificate AP pki retrieval certificate ca domain 1 The trusted CA s finger print is MD5 fingerprint 3352 F952 0D8E FDF8 AB98 08ED 11D3 B005...

Page 55: ...p Enable the HTTPS service AP ip https enable Create a local user named usera set the password to 123 and specify the Web service type AP local user usera AP luser usera password simple 123 AP luser u...

Page 56: ...other as shown in Figure 12 This document describes only the basic SNMP configuration procedures on the device Figure 12 Network diagram IMPORTANT To make SNMP operate correctly make sure the SNMP set...

Page 57: ...nt 3 Create or update MIB view information snmp agent mib view excluded included view name oid tree mask mask value Optional By default the MIB view name is ViewDefault and OID is 1 4 Configure the SN...

Page 58: ...view Sysname system view Enable the SNMP agent Sysname snmp agent Configure an SNMP group Sysname snmp agent group v3 managev3group read view test write view test Add a user to the SNMP group Sysname...

Page 59: ...CL and enter its view or enter the view of an existing basic ACL acl ipv6 number acl number name name match order config auto By default no basic ACL exists 3 Configure an ACL rule For IPv4 networks r...

Page 60: ...e header ACLs apply to Telnet traffic only if the Telnet client and server are located in the same subnet To configure source MAC based Telnet login control Step Command Remarks 1 Enter system view sy...

Page 61: ...user interface vty 0 4 Sysname ui vty0 4 acl 2000 inbound Configuring source IP based SNMP login control Use a basic ACL 2000 to 2999 to control SNMP logins by source IP address To access the request...

Page 62: ...number SNMPv1 v2c user snmp agent usm user v1 v2c user name group name acl acl number SNMPv3 user snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy...

Page 63: ...ased Web login control Step Command Remarks 1 Enter system view system view N A 2 Create a basic ACL and enter its view or enter the view of an existing basic ACL acl ipv6 number acl number name name...

Page 64: ...ork diagram Configuration procedure Create ACL 2000 and configure rule 1 to permit packets sourced from Host B Sysname system view Sysname acl number 2030 match order config Sysname acl basic 2030 rul...

Page 65: ...on the FTP server 3 Switching to another user account 4 Maintaining and troubleshooting the FTP connection 4 Terminating the FTP connection 4 FTP client configuration example 4 Displaying and maintain...

Page 66: ...operation mode varies depending on the FTP client program The device can act as the FTP client Figure 1 FTP application scenario Using the device as an FTP client To connect to an FTP server or enter...

Page 67: ...the output interface is used as the source IP address 3 Return to user view quit N A 4 Log in to the remote FTP server Approach 1 Log in to the remote FTP server in user view ftp server address servic...

Page 68: ...er image files 4 Use the lcd command to display the local working directory of the FTP client You can upload the file or save the downloaded file in this directory 5 Upload or download the file To wor...

Page 69: ...otocol command N A Enable information display in a detailed manner verbose By default the function is enabled Enable FTP related debugging when the device acts as the FTP client debugging By default t...

Page 70: ...31 Give me your password please Password 230 Logged in successfully Set the file transfer mode to binary ftp binary 200 Type set to I Download the system software image file wa2600a_fat bin ftp get wa...

Page 71: ...y of the storage medium You can copy or move a file to the root directory Reboot the AP to upgrade the system software image Sysname reboot Displaying and maintaining FTP Task Command Remarks Display...

Page 72: ...tes the old file that has the same name as it If file download is interrupted both old and new files are lost Secure download The new file is downloaded to memory and will not be written to Flash unti...

Page 73: ...erver address get put sget source filename destination filename source interface interface type interface number ip source ip address For IPv6 tftp ipv6 tftp ipv6 server i interface type interface num...

Page 74: ...lete unreserved file url command to delete unused files Details not shown Download system software image file wa2600a_fat bin from the PC Sysname tftp 1 2 1 1 get wa2600a_fat bin Upload a configuratio...

Page 75: ...ng a file 2 Deleting restoring a file 2 Emptying the recycle bin 3 Managing directories 3 Displaying directory information 3 Displaying the current working directory 3 Changing the current working dir...

Page 76: ...ment If the file is in a nested folder separate each folder name by a forward slash 1 to 135 characters test a cfg indicates a file named a cfg in the test folder in the current working directory driv...

Page 77: ...isplayed Renaming a file Perform this task in user view Task Command Rename a file rename fileurl source fileurl dest Copying a file Perform this task in user view Task Command Copy a file copy fileur...

Page 78: ...the recycle bin Step Command Remarks 1 Enter the original working directory of the file to be deleted in user view cd directory Skip this step if the original directory of the file is the current work...

Page 79: ...les in the recycle bin if any Perform this task in user view Task Command Remove a directory rmdir directory Managing storage medium space CAUTION After a storage medium is formatted all files on it a...

Page 80: ...the file system operation mode The file systems support the following operation modes alert The system warns you about operations that might cause problems such as file corruption and data loss To pre...

Page 81: ...me pwd flash test Display the files and the subdirectories in the test directory Sysname dir Directory of flash test 0 drw Feb 16 2006 15 28 14 mytest 2540 KB total 2519 KB free Return to the upper di...

Page 82: ...configuration rollback 4 Configuration task list 4 Configuring configuration archive parameters 4 Enabling automatic configuration archiving 5 Manually archiving running configuration 5 Performing con...

Page 83: ...le You can view the current startup configuration in either of the following ways Execute the display startup command To view detailed file contents use the more command After the device reboots execu...

Page 84: ...upted or unavailable the device starts up with the factory defaults You can specify a main or backup next startup configuration file directly see Specifying a configuration file for the next startup o...

Page 85: ...complete If a reboot or power failure occurs during the save operation the next startup configuration file is still retained Use the safe mode if the power source is not reliable or you are remotely c...

Page 86: ...ion task list Task Remarks Configuring configuration archive parameters Required Enabling automatic configuration Manually archiving running configuration Required Perform either task Performing confi...

Page 87: ...ling automatic configuration archiving Make sure you have set an archive path and file name prefix before performing this task To enable automatic configuration archiving Step Command Remarks 1 Enter...

Page 88: ...not result in a valid undo command For example if the undo form designed for the A B C command is undo A C the configuration rollback function cannot undo the A B C command because the system does no...

Page 89: ...me N A Restoring the next startup configuration file from a TFTP server To download a configuration file from a TFTP server to the device and specify the file as the next startup configuration file pe...

Page 90: ...the file is still used as the main file To delete the file you must also execute the reset saved configuration main command Perform the following task in user view Task Command Delete the next startup...

Page 91: ...g a patch step by step 7 Uninstalling a patch step by step 8 Displaying and maintaining software upgrade 9 Software upgrade examples 9 Reboot method software upgrade example 9 Hotfix method software u...

Page 92: ...ystem software Upgrading method Software types Remarks Upgrading from the CLI Reboot approach BootWare image System software image excluding patches You must reboot the entire device to complete the u...

Page 93: ...ge medium has been partitioned the file must be saved on the first partition 2 Read or upgrade BootWare on the device bootrom read update file file url all part N A 3 Reboot the device reboot N A Upgr...

Page 94: ...re formally released to users Temporary patches are interim solutions that are provided to fix critical bugs They are not formally released A common patch always includes the functions of its previous...

Page 95: ...pports up to 200 patches Figure 3 Patches that are not loaded to the patch memory area DEACTIVE state Patches in DEACTIVE state have been loaded to the patch memory area but have not yet run in the sy...

Page 96: ...states in the system The patches that are in ACTIVE state change to the DEACTIVE state at a reboot Figure 5 Patches are activated RUNNING state After you confirm ACTIVE patches their states change to...

Page 97: ...s the first three characters of the value for the Version field in the output from the display patch information command If a patch file is not correctly named the system cannot identify the file If t...

Page 98: ...oading a patch file Required Activating patches Required Confirming ACTIVE patches Optional Specifying the patch file location For reliable patch loading H3C recommends saving patch files to the root...

Page 99: ...boot you must change its state to RUNNING To activate patches Step Command 1 Enter system view system view 2 Activate patches patch active patch number Confirming ACTIVE patches To have an ACTIVE patc...

Page 100: ...ormation about the system software image display boot loader begin exclude include regular expression Available in any view Display information about the patch package display patch begin exclude incl...

Page 101: ...r aaa service type ftp FTP Server luser aaa authorization attribute work directory flash aaa 2 Configure the AP Log in to the FTP server the prompt may vary with servers AP ftp 2 2 2 2 Trying 2 2 2 2...

Page 102: ...ver function Details not shown Save the patch file patch_xxx bin to the directory of the TFTP server Details not shown 2 Configure the AP CAUTION Make sure the flash of the AP has sufficient space for...

Page 103: ...ized access to the original configuration file H3C recommends that you disable the password recovery feature If the password recovery feature is disabled a console user must restore the factory defaul...

Page 104: ...H3C Technologies Co Ltd Compiled Date Mar 27 2017 CPU Type APM86791 CPU L1 Cache 32KB CPU Clock Speed 1000MHz Memory Type SDRAM Memory Size 256MB BootWare Size 512KB Flash Size 16MB CPLD Version 001 P...

Page 105: ...tion will be lost save current configuration Y N n Info Now replacing the current configuration Please wait Info Succeeded in replacing current configuration with the file startup cfg Set a new consol...

Page 106: ...uration file Save the configuration to the default configuration file Sysname save Handling user password loss when password recovery is disabled Enter 5 in the extended BootWare menu to restore the f...

Page 107: ...uring the maximum number of concurrent users 6 Configuring the exception handling method 7 Rebooting the device 7 Rebooting devices immediately at the CLI 7 Scheduling a device reboot 8 Scheduling job...

Page 108: ...management depends on an accurate system time setting because the timestamps of system messages and logs use the system time For NTP configuration see Network Management and Monitoring Configuration...

Page 109: ...the daylight saving time range The system time increases by summer offset clock summer time ss one off 00 30 2005 1 1 1 00 2005 8 8 2 03 00 00 ss Sat 01 01 2005 If the original system time plus summer...

Page 110: ...off 1 00 2007 1 1 1 00 2007 8 8 2 02 00 00 zone time Sat 01 01 2005 Original system clock zone offset outside the daylight saving time range Original system clock zone offset summer offset clock time...

Page 111: ...nter system view system view N A 3 Set the time zone clock timezone zone name add minus zone offset Optional Coordinated UTC time zone by default 4 Set a daylight saving time scheme Set a non recurrin...

Page 112: ...put text including the command keywords and the delimiters cannot exceed 510 characters In this mode do not press Enter before you input the end delimiter For example you can configure the shell banne...

Page 113: ...rks 1 Enter system view system view N A 2 Configure the login banner header login text Optional 3 Configure the legal banner header legal text Optional 4 Configure the shell banner header shell text O...

Page 114: ...ion before a reboot Use the display startup and display boot loader commands to verify that you have correctly set the startup configuration file and the main system software image file If the main sy...

Page 115: ...mand is reached the job automatically executes the command If a confirmation is required while the command is running the system automatically enters Y or Yes If characters are required the system aut...

Page 116: ...the system time and date or configure NTP for the device For NTP configuration see Network Management and Monitoring Configuration Guide In the modular approach Every job can have only one view and u...

Page 117: ...specific time time time id one off repeating at time month date month day week day week daylist command command Configure a command to run after a delay time time id one off repeating delay time comma...

Page 118: ...bit interface indexes and keep one interface index match one interface name for network management After deleting a logical interface the device retains its 16 bit interface index so the same index c...

Page 119: ...ature modules display diagnostic information begin exclude include regular expression Available in any view Display device temperature information display environment begin exclude include regular exp...

Reviews:

No comments