One of the biggest changes in Comware 7 is role-based users. You can define different user roles and change which commands each role has access to. I strongly recommend reading the following guide:
Below is the "bare bones" info you need to get up and running quickly. For some of you this will not be anything new. For others who have not had experience with the changes in Comware 7, this might help.
For the most part, setting up telnet/ssh with local authentication is very similar. You need to enable the ssh or telnet server, create an RSA public key (for ssh), and specify a local user.
To configure the switch, log in through the console port and enter system-view.
Configuration procedure
Prior to configuring switch access, determine whether telnet or ssh is required. Then enable only the corresponding server.
# Enable telnet or ssh servers
<Switch> system-view
[Switch] telnet server enable
[Switch] ssh server enable
If you are using ssh, create the public key.
# Create a public key
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024](enter)
Generating Keys...
+++++++++++++++
++++++++++++++++++++++++
+++
++++++
[Switch]
# Assign an IP address to VLAN interface 1, the interface connected to the Telnet user.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 192.168.1.70 255.255.255.0 (Use correct IP address/mask)
[Switch-Vlan-interface1] quit
# Enable scheme authentication on user interface
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] protocol inbound ssh (If you are configuring for ssh access. If you use this command you will not be able to telnet to the device)
[Switch-ui-vty0-15] quit
# Create local user admin and enter its view.
[Switch] local-user admin
# Set a plaintext password admin for the user and enable displaying this password in cipher text.
[Switch-luser-admin] password simple admin
# Specify service type
[Switch-luser-admin] service-type telnet
or
[Switch-luser-admin] service-type ssh
# Assign the user to the network-admin role.
[Switch-luser-admin] authorization-attribute user-role network-admin
By default, network-admin is specified on the console user interface, and network-operator is specified on any other user interface.
# Configure SNMP community strings
[Switch] snmp comm read public
[Switch] snmp comm write private
[Switch] snmp sys-info version all
# Configure default route
[Switch] ip route 0.0.0.0 0.0.0.0 192.168.1.1
# Validate network connectivity
[Switch] ping 4.2.2.2
PING 4.2.2.2: 56 data bytes, press CTRL_C to break
Reply from 4.2.2.2: bytes=56 Sequence=1 ttl=54 time=89 ms
Reply from 4.2.2.2: bytes=56 Sequence=2 ttl=54 time=156 ms
Reply from 4.2.2.2: bytes=56 Sequence=3 ttl=54 time=73 ms
Reply from 4.2.2.2: bytes=56 Sequence=4 ttl=54 time=74 ms
Reply from 4.2.2.2: bytes=56 Sequence=5 ttl=54 time=74 ms
--- 4.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 73/93/156 ms
Display commands
Show line numbers in front of display output
<Sysname> display vlan 999 | by-linenum
Display parts of the configuration
<Sysname> display current-configuration | begin user-interface
Save display output to a file
<Sysname> display vlan 1 > vlan.txt
Gaining access
Logging in through the console port
By default, you can log in to a device through the console port. The authentication mode is none (no username or password required), and the user role is network-admin.
Logging in through Telnet
By default, you cannot log in to a device through Telnet. To log in through Telnet, first log in to the device through the console port and complete the following configuration:
1. Enable the Telnet function if necessary. (Telnet is enabled by default.)
2. Assign an IP address to a VLAN interface or the management Ethernet interface, and make sure that your device and the Telnet client can reach each other. (By default, the device does not have an IP address.)
3. Configure a password for password authentication, or change authentication mode for VTY users and configure related parameters. (By default, the authentication mode is password for VTY users.)
4. Configure the user role for VTY users (network-operator by default).
Logging in through SSH
By default, you cannot log in to a device through SSH. To log in through SSH, first log in to the device through the console port, and then complete the following configuration:
1. Enable the SSH function and configure SSH attributes. (SSH is disabled by default.)
2. Assign an IP address to a VLAN interface or the management Ethernet interface, and make sure that your device and the SSH client can reach each other (by default, your device does not have an IP address).
3. Configure the authentication mode of VTY users as scheme (default is password).
4. Configure the user role for VTY users (network-operator by default).
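As an added example (not part of the original post or the vendor documentation), the Python script below audits a list of commands like the ones entered in the configuration procedure and flags the settings to tighten before the switch carries production traffic: Telnet left enabled, a VTY that still accepts Telnet, a local password equal to the username, and the public/private SNMP communities. The sample input is constructed from this page's commands, the rule names are hypothetical labels, and "line vty" is assumed as an alternative spelling of "user-interface vty".

```python
import re

# Constructed sample: commands as typed on this page, prompts included.
SAMPLE = """\
[Switch] telnet server enable
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] quit
[Switch] local-user admin
[Switch-luser-admin] password simple admin
[Switch-luser-admin] service-type telnet
[Switch]snmp comm read public
[Switch]snmp comm write private
[Switch]snmp sys-info version all
"""

PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")  # [Switch-...] or <Switch>

def audit(text):
    """Return (rule, detail) findings; rule names are hypothetical labels."""
    findings, user, vty, vtys = [], None, None, {}
    for raw in text.splitlines():
        line = " ".join(PROMPT.sub("", raw).split())
        # "line vty" is assumed here as an alternative spelling of the VTY view.
        if m := re.match(r"(?:user-interface|line) vty (.+)", line):
            vty, user = m.group(1), None
            vtys[vty] = {"mode": None, "ssh_only": False}
        elif m := re.match(r"local-user (\S+)", line):
            user, vty = m.group(1), None
        elif line == "quit":
            user = vty = None
        elif line == "telnet server enable":
            findings.append(("telnet-server", "cleartext management enabled"))
        elif vty and (m := re.match(r"authentication-mode (\S+)", line)):
            vtys[vty]["mode"] = m.group(1)
        elif vty and line == "protocol inbound ssh":
            vtys[vty]["ssh_only"] = True
        elif user and (m := re.match(r"password simple (\S+)", line)) and m.group(1) == user:
            findings.append(("password-equals-username", user))
        elif user and line == "service-type telnet":
            findings.append(("user-telnet-service", user))
        elif m := re.match(r"snmp\S* comm\S* (read|write) (public|private)$", line):
            findings.append(("snmp-default-community", f"{m.group(1)} {m.group(2)}"))
        elif re.match(r"snmp\S* sys-info version all$", line):
            findings.append(("snmp-v1-v2c", "version all includes SNMPv1/v2c"))
    # Per-VTY checks run last, once every sub-command has been seen.
    findings += [("vty-not-scheme", n) for n, v in vtys.items() if v["mode"] != "scheme"]
    findings += [("vty-allows-telnet", n) for n, v in vtys.items() if not v["ssh_only"]]
    return findings
```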