Wednesday, November 7, 2012

Setting up Authentication on @comware 7


One of the biggest changes in Comware 7 is role-based user access. You can define different user roles and control which commands each role is allowed to run. I strongly recommend reading the following guide:


Below is the “bare bones” info you need to know to get up and running quickly. For some of you this will not be anything new. For others, who have not yet had experience with the changes in Comware 7, this might help.

For the most part, setting up Telnet/SSH with local authentication is much the same as before. You need to enable the SSH or Telnet server, create an RSA public key (for SSH), and specify a local user.

To configure the switch, log in through the console port and enter system view.

Configuration procedure

Prior to configuring switch access, determine whether Telnet or SSH is required, then enable only the corresponding server.

# Enable telnet or ssh servers
<Switch> system-view
[Switch] telnet server enable
[Switch] ssh server enable

If you are using SSH, create the public key:
# Create a public key
[Switch] public-key local create rsa

The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024](enter)
Generating Keys...
+++++++++++++++
++++++++++++++++++++++++
+++
++++++
[Switch]

# Assign an IP address to VLAN interface 1, the interface connected to the Telnet/SSH user.
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 192.168.1.70 255.255.255.0 (use the correct IP address/mask for your network)
[Switch-Vlan-interface1] quit

# Enable scheme authentication on the VTY user interfaces
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] protocol inbound ssh (only when configuring SSH access; with this command in place you will not be able to telnet to the device)
[Switch-ui-vty0-15] quit

# Create local user admin and enter its view.
[Switch] local-user admin

# Set the password admin for the user in plaintext; the configuration displays it in cipher text.
[Switch-luser-admin] password simple admin
# Specify the service type (telnet or ssh, matching the server you enabled)
[Switch-luser-admin] service-type telnet
or
[Switch-luser-admin] service-type ssh

# Assign the user to the network-admin role.
[Switch-luser-admin] authorization-attribute user-role network-admin

By default, network-admin is specified on the console user interface, and
network-operator is specified on any other user interface.
Inter

# Configure SNMP community strings (public/private are the example values here; use site-specific strings)
[Switch] snmp-agent community read public
[Switch] snmp-agent community write private
[Switch] snmp-agent sys-info version all


# Configure the default route
[Switch] ip route-static 0.0.0.0 0.0.0.0 192.168.1.1

# Validate network connectivity
[Switch] ping 4.2.2.2
PING 4.2.2.2: 56  data bytes, press CTRL_C to break
    Reply from 4.2.2.2: bytes=56 Sequence=1 ttl=54 time=89 ms
    Reply from 4.2.2.2: bytes=56 Sequence=2 ttl=54 time=156 ms
    Reply from 4.2.2.2: bytes=56 Sequence=3 ttl=54 time=73 ms
    Reply from 4.2.2.2: bytes=56 Sequence=4 ttl=54 time=74 ms
    Reply from 4.2.2.2: bytes=56 Sequence=5 ttl=54 time=74 ms

  --- 4.2.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 73/93/156 ms
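A defender-side check for the settings this procedure touches, added here as an example and not part of the original post or of HP's tooling: a small Python audit over the output of display current-configuration that flags an enabled Telnet server, VTY lines not restricted to SSH, passwords supplied with "simple", the well-known default SNMP communities and SNMPv1/v2c. The sample configuration is constructed, and accepting a "line vty" heading alongside "user-interface vty" is an assumption about newer Comware 7 releases.

```python
import re

# Constructed sample of `display current-configuration` output, modelled on the
# procedure above with the weaker options chosen (telnet, default communities).
SAMPLE_CONFIG = """\
 telnet server enable
#
user-interface vty 0 15
 authentication-mode scheme
#
local-user admin class manage
 password simple admin
 service-type telnet
 authorization-attribute user-role network-admin
#
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
"""

def audit_access_config(config):
    """Return (severity, finding) tuples for the access and SNMP settings above."""
    # Comware separates views with '#'; a view's first line is its heading.
    views = [v for v in ([l.strip() for l in chunk.splitlines() if l.strip()]
                         for chunk in config.split("\n#")) if v]
    flat = [line for view in views for line in view]
    findings = []
    telnet_on = "telnet server enable" in flat
    if telnet_on:
        findings.append(("high", "telnet server enabled: logins cross the network in cleartext"))
    for head, *body in views:
        if re.match(r"(user-interface|line) vty", head):
            if "authentication-mode scheme" not in body:
                findings.append(("high", f"{head}: authentication-mode is not scheme"))
            if telnet_on and "protocol inbound ssh" not in body:
                findings.append(("medium", f"{head}: not restricted to 'protocol inbound ssh' while telnet is on"))
        elif head.startswith("local-user "):
            user = head.split()[1]
            if any(l.startswith("password simple ") for l in body):
                findings.append(("medium", f"local-user {user}: password supplied in plaintext ('simple')"))
            if "service-type telnet" in body:
                findings.append(("medium", f"local-user {user}: service-type telnet granted"))
    for line in flat:
        m = re.fullmatch(r"snmp-agent community (read|write) (public|private)", line)
        if m:
            findings.append(("high", f"SNMP {m.group(1)} community is the well-known default '{m.group(2)}'"))
        if re.match(r"snmp-agent sys-info version (all|v1|v2c)", line):
            findings.append(("medium", f"SNMPv1/v2c enabled: {line}"))
    return findings
```

Run audit_access_config over the saved output of `display current-configuration > config.txt` from the display commands below; an empty list means none of the checked weaknesses is present.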



Display commands
Show line numbers in front of display output
<Sysname> display vlan 999 | by-linenum

Display parts of the configuration
<Sysname> display current-configuration | begin user-interface

Save display output to a file
<Sysname> display vlan 1 > vlan.txt

Gaining access

Logging in through the console port
By default, you can log in to a device through the console port. The authentication mode is none (no username or password required), and the user role is network-admin.

Logging in through Telnet
By default, you cannot log in to a device through Telnet. To log in through Telnet, first log in to the device through the console port and complete the following configuration:
1. Enable the Telnet function if necessary. (Telnet is enabled by default.)
2. Assign an IP address to a VLAN interface or the management Ethernet interface, and make sure that your device and the Telnet client can reach each other. (By default, the device does not have an IP address.)
3. Configure a password for password authentication, or change the authentication mode for VTY users and configure the related parameters. (By default, the authentication mode is password for VTY users.)
4. Configure the user role for VTY users (network-operator by default).

Logging in through SSH
By default, you cannot log in to a device through SSH. To log in through SSH, first log in to the device through the console port, and then complete the following configuration:
1. Enable the SSH function and configure SSH attributes. (SSH is disabled by default.)
2. Assign an IP address to a VLAN interface or the management Ethernet interface, and make sure that your device and the SSH client can reach each other. (By default, the device does not have an IP address.)
3. Configure the authentication mode of VTY users as scheme (the default is password).
4. Configure the user role for VTY users (network-operator by default).
