Configuring the USG to allow only certain users to log in through Telnet

Configure the USG2000, USG5000 and USG6000 to allow only certain users to log in through Telnet in VTY mode as follows:
Create an advanced ACL that permits only packets from the specified source address and denies everything else, then apply this ACL inbound on the VTY user interface. The configuration example is as follows:

[USG-1]acl 3999
[USG-1-acl-adv-3999]rule permit ip source 1.1.1.1 0
[USG-1-acl-adv-3999]rule deny ip source any
[USG-1-acl-adv-3999]quit
[USG-1]user-interface vty 0 4
[USG-1-ui-vty0-4]authentication-mode aaa
[USG-1-ui-vty0-4]protocol inbound telnet
[USG-1-ui-vty0-4]acl 3999 inbound

Other related questions:
How to impose the restriction that some users under the U1980 are only allowed to dial certain prefixes
Use the customized rights.
1. Add a prefix with the cus1 right:
config add prefix dn 888 callcategory basic callattribute inter cusattribute cus1 cldpredeal no minlen 3 maxlen 3
2. On the user management page of the web management system, select the service rights for the corresponding numbers. In the outgoing call rights, select cus1 for users who are allowed to call this prefix and leave cus1 unselected for users who are not allowed to call it.

How to configure an interface to allow only access from certain IP addresses
To configure an interface to allow access only from certain IP addresses, configure an ACL to match those IP addresses, reference the ACL in a traffic classifier, bind the classifier to a behavior in a traffic policy, and apply the traffic policy to the interface. Because classifiers are matched in order, the permit classifier for the allowed address comes first and a catch-all deny classifier comes second. For example, to allow only the user with IP address 1.1.1.2 to access GE0/0/1, run the following commands (the quit commands return to the system view, as the prompts show):
[HUAWEI] acl number 3030
[HUAWEI-acl-adv-3030] rule permit ip source 1.1.1.2 0
[HUAWEI-acl-adv-3030] quit
[HUAWEI] acl number 3031
[HUAWEI-acl-adv-3031] rule permit ip
[HUAWEI-acl-adv-3031] quit
[HUAWEI] traffic classifier test1
[HUAWEI-classifier-test1] if-match acl 3030
[HUAWEI-classifier-test1] quit
[HUAWEI] traffic classifier test2
[HUAWEI-classifier-test2] if-match acl 3031
[HUAWEI-classifier-test2] quit
[HUAWEI] traffic behavior test1
[HUAWEI-behavior-test1] permit
[HUAWEI-behavior-test1] quit
[HUAWEI] traffic behavior test2
[HUAWEI-behavior-test2] deny
[HUAWEI-behavior-test2] quit
[HUAWEI] traffic policy test
[HUAWEI-trafficpolicy-test] classifier test1 behavior test1
[HUAWEI-trafficpolicy-test] classifier test2 behavior test2
[HUAWEI-trafficpolicy-test] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy test inbound

How to configure access control on an AR router
1. Control login to the device through HTTP.
Users can log in to the device through the web platform. By default the device does not limit the source addresses of these users, which poses a security risk. To protect the device and prevent unauthorized users from logging in through the web platform, use an ACL to allow only specified users to log in through HTTP.
a. Configure ACL 2000 to allow the device at 192.168.6.10 and devices on network segment 192.168.5.0 to log in to the device through HTTP.
b. Reference the ACL.
After the preceding configuration is completed, only the device at 192.168.6.10 and devices on network segment 192.168.5.0 are allowed to log in to the device through the web platform. After the configuration, limited users can open the web platform page but cannot access the web platform after entering the user name and password.
2. Configure a security policy to limit users' login through Telnet.
The route between the PC and the device is reachable, and users want to configure and manage remote devices easily. To meet this requirement, configure AAA authentication for Telnet users on the server and configure an ACL-based security policy. This ensures that only users who meet the security policy can log in to the device.
a. Set the server port number and enable the server function.
system-view
[Huawei] sysname Telnet Server
[Telnet Server] telnet server enable
[Telnet Server] telnet server port 1025
b. Configure the parameters of the VTY user interface.
# Configure the maximum number of VTY user interfaces.
[Telnet Server] user-interface maximum-vty 8
# Configure the host address allowed by the device.
[Telnet Server] acl 2001
[Telnet Server-acl-basic-2001] rule permit source 10.1.1.1 0
[Telnet Server-acl-basic-2001] quit
[Telnet Server] user-interface vty 0 7
[Telnet Server-ui-vty0-7] acl 2001 inbound
# Configure terminal attributes of the VTY user interface.
# Configure the user authentication mode for the VTY user interface.
[Telnet Server-ui-vty0-7] authentication-mode aaa
[Telnet Server-ui-vty0-7] quit
c. Configure information about login users.
# Set the authentication mode for login users.
[Telnet Server] aaa
[Telnet Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[Telnet Server-aaa] local-user admin1234 service-type telnet
[Telnet Server-aaa] local-user admin1234 privilege level 3
[Telnet Server-aaa] quit
d. Log in from the client.
Open the Windows command prompt on the administrator's PC and run the following command to log in to the device through Telnet:
C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025
Press Enter, and enter the configured user name and password in the login window. If authentication succeeds, the command line prompt of the user view is displayed, indicating that you have logged in to the device.
Login authentication
Username:admin1234
Password:
After the configuration, limited users cannot log in to the device.
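Before applying a login ACL such as ACL 3999 (USG example) or ACL 2001 (AR example) to the VTY interface, it helps to check which source addresses it will actually admit. The following is an added example, not Huawei code: a small evaluator for Huawei-style ACL rule lines that applies the wildcard mask (1 bits mean "don't care") with first-match semantics. The default action when no rule matches is passed in explicitly rather than assumed; the AR HTTP ACL and its 0.0.0.255 wildcard for the 192.168.5.0 segment are constructed, since the page does not show ACL 2000's rules.

```python
import ipaddress
from typing import List, Tuple

# Constructed input: the two rules of ACL 3999 from the USG example, as typed on the device.
USG_VTY_ACL = """
rule permit ip source 1.1.1.1 0
rule deny ip source any
"""
# Constructed basic ACL for the AR router HTTP scenario. The page does not show ACL 2000's
# rules; the 0.0.0.255 wildcard for the 192.168.5.0 segment is our assumption.
AR_HTTP_ACL = """
rule permit source 192.168.6.10 0
rule permit source 192.168.5.0 0.0.0.255
"""

Rule = Tuple[str, int, int]  # (action, source address, wildcard); wildcard 1-bits are "don't care"

def _addr(token: str) -> int:
    # Huawei accepts a bare "0" as shorthand for the 0.0.0.0 wildcard (exact host match).
    return int(ipaddress.IPv4Address(token)) if "." in token else int(token)

def parse_rules(text: str) -> List[Rule]:
    """Parse 'rule <permit|deny> [ip] source <addr> <wildcard>' / 'source any' lines."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "rule":
            continue
        if tok[1] not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {line}")
        if "source" not in tok or tok[tok.index("source") + 1] == "any":
            rules.append((tok[1], 0, 0xFFFFFFFF))  # no source clause or 'any': matches everything
        else:
            i = tok.index("source")
            rules.append((tok[1], _addr(tok[i + 1]), _addr(tok[i + 2])))
    return rules

def evaluate(rules: List[Rule], src: str, default_action: str) -> str:
    """First matching rule wins; default_action is what the platform does when nothing matches."""
    ip = int(ipaddress.IPv4Address(src))
    for action, net, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF  # bits that must be equal for the rule to match
        if ip & care == net & care:
            return action
    return default_action

if __name__ == "__main__":
    vty = parse_rules(USG_VTY_ACL)
    for src in ("1.1.1.1", "1.1.1.2"):
        print(f"Telnet to VTY from {src}: {evaluate(vty, src, 'permit')}")
```

Because the USG ACL ends with an explicit deny any, its result does not depend on the platform default; the constructed AR ACL has no such rule, so an unlisted host's fate is decided by the default action alone.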
