Huawei Telnet and Stelnet login methods that make people dizzy

I am Zhao Jiexu, a lecturer at 51CTO Academy. On the occasion of the 51CTO Academy "4.20 IT Recharge Festival" (April 19-20), I would like to share with you my experience of Huawei Telnet and stelnet login methods.

The reasons why various authentication and login methods feel confusing can be summarized as follows:

1. Complex configuration commands (objective reasons)

2. Not really understanding the configuration ideas (subjective reasons)

So today, let’s experience various authentication and login methods through experiments so that everyone can have clear ideas while learning.

The experimental topology is relatively simple. The two routers R2 and R3 are connected to the two ports of the switch respectively. The interface addresses on the routers are as shown in the figure, so that both sides can ping through!

1. Simple Telnet

1. Let's start with Telnet. Enable Telnet service on R3. To log in to R3, you must enable the telnet channel, set the login method to password and set the password to huawei.

 [R3] user -interface vty 0 4 (allows 5 users to access the device at the same time)  
 [R3-ui-vty0-4]authentication-mode password   
 Please configure the login password (maximum length 16):huawei

Telnet R3 on R2 and enter the password huawei to log in to R3, as shown below:

 <R2>telnet 192.168.1.1  
 Password :  
 <R3>

2. The problem is that in this R3 mode, typing system-view does not enter the system view mode. What is the reason? Use the question mark to view the available commands, and the result is that there is no such command (as shown below). The reason is that the user permissions are not set, so when configuring user login, the user permissions are generally configured .

 <R3>?  
 User   view commands:  
 display Display information  
 hwtacacs- user HWTACACS user  
 local - user   Add / Delete / Set   user (s)  
 ping Ping function  
 quit Exit from   current mode and enter prior mode  
 save Save file  
 super Modify super password parameters  
 telnet Open a telnet connection  
 tracert <Group> tracert command group  
 <R3>  

3. Configure the user level on R3 to a maximum of 15

 [R3] user -interface vty 0 4  
 [R3-ui-vty0-4] user privilege level 15

It's that simple to do it, just understand the whole process!

2. Telnet based on aaa authentication

The above configuration is easy to implement, but the problem is here! All administrators who use the same password to Telnet to R3 are still not safe. One day, an administrator is dissatisfied with the company and changes the login password "huawei", which makes other login passwords unusable!

Solution: Each administrator is assigned a user name and password, and each uses his or her own account and password to log in. The authentication method is AAA authentication, and each user is assigned an account and password.

 [R3]aaa  
 [R3-aaa] local - user client1 password cipher huawei1  
 Info: Add a new user . Add a client1 user with a ciphertext password of huawei  
 [R3-aaa] local - user client1 privilege level 15 Configure user level  
 [R3-aaa] local - user client1 service-type telnet The type of service available to this user  

Set up a second account and password.

 [R3-aaa] local - user client2 password cipher huawei2  
 Info: Add a new user . Add a client1 user with a ciphertext password of huawei  
 [R3-aaa] local - user client1 privilege level 15 Configure user level permissions  
 [R3-aaa] local - user client1 service-type telnet The type of service available to this user  

Configure the authentication mode on the vty channel to aaa.

 [R3] user -interface vty 0 4  
 [R3-ui-vty0-4]authentication-mode aaa  
 [R2-ui-vty0-4] user privilege level 15  

Note that aaa is a local management. The created username and password can be used for Telnet service as well as other services. Therefore, the authentication mode should be specified as aaa on the vty channel. vty 0 4 (allows 5 users to access the device at the same time). If the sixth user Telnet accesses the device, the connection will fail.

3. stelnet

Continue to explore the problem. Telnet uses AAA authentication to set different users and passwords, which enhances security. However, by capturing and analyzing Telnet's data packets, you will find that the username and password can be captured, so these usernames and passwords are not safe. How to solve it? Use stelnet digital certificate authentication and SSH protocol to solve the problem of Telnet transmitting plain text.

First, create a key pair.

 [R3]rsa local - key -pair create  
 The key   name will be: Host  
 % RSA keys defined for Host already exist. (Default certificate has been created)  
 Confirm to   replace them? (y/n)[n]:y (Do you want to replace them? Enter y)  
 The range of   public   key   size   is (512 ~ 2048).  
 NOTES: If the key modulus is greater than 512,  
 It will take a few minutes.  
 Input the bits in the modulus[ default = 512]:1024 (the default key length is 512, we use a longer 1024)  
 Generating keys...  
 ..................++++++  
 ................++++++  
 .........++++++++  
 ........................++++++++

At this time, the SSH protocol is used for authentication, so the protocol type SSH for inbound traffic is defined in the vty channel.

 [R3] user -interface vty 0 4  
 [R3-ui-vty0-4]authentication-mode aaa  
 [R3-ui-vty0-4]protocol inbound ssh  
 [R3-ui-vty0-4]

The user is still the user managed by aaa before. You can add SSH service type. The password level has been configured before. If you have a new configuration, you must remember to set it . Remember to assign permission level as long as the user is set.

 [R3]aaa  
 [R3-aaa] local - user client1 privilege level 15  
 [R3-aaa] local - user client1 service-type ssh  
 [R3-aaa] local - user client2 service-type ssh telnet (multiple services can be listed in parallel)  

After configuring aaa, confirm that ssh uses a password for authentication. This should be the default and you don't need to type it.

 [R3]ssh user client1 authentication-type password  

Check the status of ssh server is closed.

 [R3]display ssh server status  
 SSH version: 1.99  
 SSH connection timeout:60 seconds  
 SSH server key generating interval :0 hours  
 SSH Authentication retries :3 times  
 SFTP Server :Disable  
 Stelnet server :Disable  

So you need to enable the stelnet server service on the server side.

 [R3]stelnet server enable

After the server configuration is complete, return to R2 to start the first connection and load the certificate on the server.

 [R2]ssh client first - time enable  
 [R2]stelnet 192.168.1.1  
 Please input the username:client1  
 Trying 192.168.1.1 ...  
 Press CTRL+K to abort  
 Connected to 192.168.1.1 ...  
 Enter password : (Enter the password corresponding to the client)  
 <R3>

Login successful.

51CTO Academy 4.20 IT Charging Festival

(On the 19th and 20th, 100 video courses are free to grab, and members can enjoy a 40% discount on video courses, non-members can enjoy a 30% discount, and packages can enjoy an additional 20% discount, and micro-jobs can enjoy a huge discount of 2,000 yuan)

Activity link: http://edu..com/activity/lists/id-47.html?wenzhang

Related video tutorials:

IT technology exchanges at 51CTO Forum

http://bbs..com/thread-1491072-1.html

Learn Network ACL Technology Online Course

http://edu..com/course/course_id-8148.html

Learn site-to-site VPN technology online course

http://edu..com/course/course_id-7485.html

Learn Policy Routing Technology Online Course

http://edu..com/course/course_id-8103.html