Configuring Telnet login on the device

The Telnet login configuration is effective only for users who log in after the configuration is completed.

Disabling authentication for Telnet login

1. Enter system view.

   Command: system-view

   Remarks: N/A

2. Enable Telnet server.

   Command: telnet server enable

   Remarks: By default, the Telnet server feature is disabled.

3. Enter VTY line view or class view.

   Command:

     • To enter VTY line view: line vty first-number [ last-number ]

     • To enter VTY line class view: line class vty

   Remarks: Use either command.

   A setting in user line view is applied only to the user line. A setting in user line class view is applied to all user lines of the class.

   A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

   A setting in user line view takes effect immediately and affects the online user. A setting in user line class view does not affect online users and takes effect only for users who log in after the configuration is completed.

4. Disable authentication.

   Command: authentication-mode none

   Remarks: By default, password authentication is enabled for VTY lines.

   In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for only one of the two commands in VTY line view, the other command uses the default setting, regardless of the setting in VTY line class view.

5. (Optional.) Assign a user role.

   Command: user-role role-name

   Remarks: By default, a VTY line user is assigned the user role network-operator.

The next time you attempt to Telnet to the device, you do not need to provide any username or password, as shown in Figure 8. If the maximum number of login users has been reached, your login attempt fails and the message "All user lines are used, please try later!" appears.

Figure 8: Telnetting to the device without authentication

Configuring password authentication for Telnet login

1. Enter system view.

   Command: system-view

   Remarks: N/A

2. Enable Telnet server.

   Command: telnet server enable

   Remarks: By default, the Telnet server feature is disabled.

3. Enter VTY line view or class view.

   Command:

     • To enter VTY line view: line vty first-number [ last-number ]

     • To enter VTY line class view: line class vty

   Remarks: Use either command.

   A setting in user line view is applied only to the user line. A setting in user line class view is applied to all user lines of the class.

   A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

   A setting in user line view takes effect immediately and affects the online user. A setting in user line class view does not affect online users and takes effect only for users who log in after the configuration is completed.

4. Enable password authentication.

   Command: authentication-mode password

   Remarks: By default, password authentication is enabled for VTY lines.

   In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for only one of the two commands in VTY line view, the other command uses the default setting, regardless of the setting in VTY line class view.

5. Set a password.

   Command: set authentication password { hash | simple } password

   Remarks: By default, no password is set.

6. (Optional.) Assign a user role.

   Command: user-role role-name

   Remarks: By default, a VTY line user is assigned the user role network-operator.

The next time you attempt to Telnet to the device, you must provide the configured login password, as shown in Figure 9. If the maximum number of login users has been reached, your login attempt fails and the message "All user lines are used, please try later!" appears.

Figure 9: Password authentication interface for Telnet login

Configuring scheme authentication for Telnet login

1. Enter system view.

   Command: system-view

   Remarks: N/A

2. Enable Telnet server.

   Command: telnet server enable

   Remarks: By default, the Telnet server feature is disabled.

3. Enter VTY line view or class view.

   Command:

     • To enter VTY line view: line vty first-number [ last-number ]

     • To enter VTY line class view: line class vty

   Remarks: Use either command.

   A setting in user line view is applied only to the user line. A setting in user line class view is applied to all user lines of the class.

   A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

   A setting in user line view takes effect immediately and affects the online user. A setting in user line class view does not affect online users and takes effect only for users who log in after the configuration is completed.

4. Enable scheme authentication.

   Command: authentication-mode scheme

   Remarks: By default, password authentication is enabled for VTY lines.

   In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for only one of the two commands in VTY line view, the other command uses the default setting, regardless of the setting in VTY line class view.

   To use scheme authentication, you must also configure login authentication methods in ISP domain view. For more information, see Security Configuration Guide.

The next time you attempt to Telnet to the CLI, you must provide the configured login username and password, as shown in Figure 10. If the maximum number of login users has been reached, your login attempt fails and the message "All lines are used, please try later!" appears.

Figure 10: Scheme authentication interface for Telnet login

Setting the maximum number of concurrent Telnet users

1. Enter system view.

   Command: system-view

   Remarks: N/A

2. Set the maximum number of concurrent Telnet users.

   Command: aaa session-limit telnet max-sessions

   Remarks: By default, the maximum number of concurrent Telnet users is 32.

   Changing this setting does not affect online users. If the current number of online Telnet users is equal to or greater than the new setting, no additional Telnet users can log in until online users log out.

   For more information about this command, see Security Command Reference.

Setting the DSCP value for outgoing Telnet packets

The DSCP value is carried in the ToS/Traffic class field of an IP packet, and it indicates the transmission priority of the packet.

To set the DSCP value for outgoing Telnet packets:

1. Enter system view.

   Command: system-view

   Remarks: N/A

2. Set the DSCP value for outgoing Telnet packets.

   Command:

     • For an IPv4 Telnet server: telnet server dscp dscp-value

     • For an IPv6 Telnet server: telnet server ipv6 dscp dscp-value

   Remarks: By default, the DSCP value is 48.

Configuring common VTY line settings

For a VTY line, you can specify a command that is to be automatically executed when a user logs in. After executing the specified command, the system automatically disconnects the Telnet session. Typically, you configure the auto-execute command telnet X.X.X.X command on the device so the device redirects a Telnet user to the host at X.X.X.X. In this case, the connection to the current device is closed when the user terminates the Telnet connection to X.X.X.X.

To configure common settings for VTY lines:

1. Enter system view.

   Command: system-view

   Remarks: N/A

2. Enter VTY line view or class view.

   Command:

     • To enter VTY line view: line vty first-number [ last-number ]

     • To enter VTY line class view: line class vty

   Remarks: Use either command.

   A setting in user line view is applied only to the user line. A setting in user line class view is applied to all user lines of the class.

   A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

   A setting in user line view takes effect immediately and affects the online user. A setting in user line class view does not affect online users and takes effect only for users who log in after the configuration is completed.

3. Enable the terminal service.

   Command: shell

   Remarks: By default, terminal service is enabled.

4. Specify the protocols for the user lines to support.

   Command: protocol inbound { all | ssh | telnet }

   Remarks: By default, both Telnet and SSH are supported.

   This configuration is effective only for users who log in to the user lines after the configuration is completed.

   In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for only one of the two commands in VTY line view, the other command uses the default setting, regardless of the setting in VTY line class view.

5. Define a shortcut key for terminating tasks.

   Command: escape-key { character | default }

   Remarks: By default, pressing Ctrl+C terminates a task.

6. Specify the terminal display type.

   Command: terminal type { ansi | vt100 }

   Remarks: By default, the terminal display type is ANSI.

7. Set the maximum number of lines to be displayed on a screen.

   Command: screen-length screen-length

   Remarks: By default, up to 24 lines are displayed on a screen.

   To disable pausing between screens of output, set the value to 0.

8. Set the size of the command history buffer.

   Command: history-command max-size value

   Remarks: By default, the buffer saves 10 history commands.

9. Set the CLI connection idle-timeout timer.

   Command: idle-timeout minutes [ seconds ]

   Remarks: By default, the CLI connection idle-timeout timer is 10 minutes.

   If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line.

   If you set the timeout timer to 0, the connection will not be aged out.

10. Specify the command to be automatically executed for login users on the user lines.

   Command: auto-execute command command

   Remarks: By default, no automatically executed command is specified.


IMPORTANT:

Before you configure this command and save the configuration, make sure you can access the CLI through a different user line.
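The precedence rules between VTY line view and VTY line class view, together with the association between authentication-mode and protocol inbound, decide what each line actually enforces. The following Python code is an added example, not vendor code: it resolves the effective settings per VTY line from a constructed configuration excerpt and flags lines that allow login without authentication, accept Telnet, or never time out. Assumptions: the finding names and the sample are invented for illustration, a value counts as non-default when it differs from the default stated on this page, and only lines that appear in a line vty section are evaluated.

```python
import re

# Defaults this page states for VTY lines.
DEFAULTS = {"authentication-mode": "password", "protocol inbound": "all", "idle-timeout": "10"}
LINKED = ("authentication-mode", "protocol inbound")  # associated in VTY line view
# Constructed sample in running-configuration layout (not from a real device).
SAMPLE = ("line class vty\n authentication-mode scheme\n protocol inbound ssh\n#\n"
          "line vty 0 4\n authentication-mode none\n#\n"
          "line vty 5 9\n idle-timeout 0\n#\n")

def parse(config):
    """Return (class-view settings, {line number: line-view settings})."""
    cls, lines, cur = {}, {}, []
    for raw in config.splitlines():
        text = raw.strip()
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", text)
        if not raw.startswith(" "):       # header or '#': select the view(s) that follow
            span = range(int(m[1]), int(m[2] or m[1]) + 1) if m else ()
            cur = [cls] if text == "line class vty" else [lines.setdefault(n, {}) for n in span]
        for key in DEFAULTS:
            if text.startswith(key + " "):
                for view in cur:
                    view[key] = text[len(key) + 1:]
    return cls, lines

def effective(cls, line):
    """Resolve one VTY line's settings with the precedence rules described above."""
    changed = lambda view, k: view.get(k, DEFAULTS[k]) != DEFAULTS[k]
    eff = {}
    for k in DEFAULTS:
        if changed(line, k):
            eff[k] = line[k]              # non-default in line view wins
        elif k in LINKED and any(changed(line, o) for o in LINKED):
            eff[k] = DEFAULTS[k]          # partner set in line view: class view ignored
        else:
            eff[k] = cls.get(k, DEFAULTS[k])
    return eff

def audit(config):
    """Map each configured VTY line number to a list of findings."""
    cls, lines = parse(config)
    report = {}
    for n in sorted(lines):
        eff = effective(cls, lines[n])
        report[n] = [name for name, bad in (
            ("no-auth", eff["authentication-mode"] == "none"),
            ("telnet-allowed", eff["protocol inbound"] != "ssh"),
            ("no-idle-timeout", not any(int(t) for t in eff["idle-timeout"].split()))) if bad]
    return report
```

In the sample, lines 0 to 4 resolve to protocol inbound all even though the class view specifies ssh, because authentication-mode has a non-default value in line view and the associated command then falls back to its default.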