I can't telnet my AC after upgrading

Created: Jan 22, 2019 10:15:08 | Latest reply: Jan 23, 2019 01:38:11 (problem resolved)

I upgraded my AC6605 to V200R006, and no configuration had been modified. I could telnet to the AC before the upgrade, but after that, I can't access it with telnet. What's wrong with it?

Featured Answers
Fathy
Created Jan 22, 2019 10:24:50

1- Checking the Network Connectivity
Context
Before a user logs in to the AC using Telnet, reachable routes must exist between the user client and AC. Ping the IP address of the server from the client to check whether the network connection between the client and AC is available.

2- Checking the Telnet Service Status on the Server
Procedure
Log in to the AC using SSH or through the console port. Run the display telnet server status command and check whether the following information is correct:
  • Whether the Telnet service is enabled
  • Telnet server port number

<AC> display telnet server status
TELNET IPV4 server :Enable
TELNET IPV6 server :Disable
TELNET server port :23

If the value of the TELNET IPv4 server or TELNET IPV6 server field is Disable, run the telnet [ ipv6 ] server enable command in the system view to enable the Telnet service.

The Telnet client and server must use the same service port number. A Telnet client can log in to the Telnet server with no port number specified only when the port number of the Telnet server is 23. If the Telnet server uses another port number, the port number must be specified when a Telnet client logs in to the Telnet server. If the service port numbers of the Telnet client and server are different, run the telnet server port 23 command in the system view to change the port number of the Telnet server to 23.

3- Checking Whether the ACL Configuration in the VTY User Interface View Is Correct
Procedure
Log in to the AC using SSH or through the console port and check whether an ACL is configured on the VTY user interface.
  • If an ACL is configured, record the ACL number.
  • If no ACL is configured, skip this step.

<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 acl 3000 inbound
 authentication-mode aaa
 protocol inbound all
user-interface vty 16 20
#
return

If an ACL is configured, check whether the IP address of the Telnet client is denied in the ACL. If the IP address is denied, delete the deny rule in the ACL view, and modify the IP addresses of clients that are permitted in the ACL.

For example, an ACL is configured on the AC and a deny rule is configured for the IP address (192.168.1.2) of a Telnet client.

[AC-ui-vty0-4] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny tcp source 192.168.1.2 0
[AC-ui-vty0-4] quit

Modify the ACL rule to permit the IP address of the Telnet client.

[AC] acl 3000
[AC-acl-adv-3000] undo rule 5
[AC-acl-adv-3000] rule 5 permit tcp source 192.168.1.2 0
[AC-acl-adv-3000] display this
#
acl number 3000
 rule 5 permit tcp source 192.168.1.2 0
#
return

4- Checking Whether the Access Protocol Configuration in the VTY User Interface View Is Correct
Procedure
Log in to the AC using SSH or through the console port and check whether the value of the protocol inbound field is telnet or all on the VTY user interface. (By default, the AC supports the Telnet protocol.) If telnet or all is not displayed, change the configuration to allow Telnet users to access the AC.

<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh   //The Telnet protocol is not bound.
user-interface vty 16 20
 protocol inbound all
#
return

If the Telnet protocol is not bound, run the following command to bind it:

[AC-ui-vty0-4] protocol inbound telnet

or

[AC-ui-vty0-4] protocol inbound all


5- Checking Whether the Login Authentication Configuration in the VTY User Interface View Is Correct
Procedure
Log in to the AC through the console port and check the login authentication mode.
Currently, the following authentication modes are mainly used:

  • authentication-mode password: password authentication mode
  • authentication-mode aaa: AAA authentication mode

<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface maximum-vty 15
user-interface con 0
user-interface vty 0 14
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
user-interface vty 16 20

If the login authentication mode is password on a VTY channel, you must configure the login password in the VTY user interface view. Run the display this command in the VTY user interface view to check whether the login password is configured. If not, run the set authentication password cipher command in the VTY user interface view to configure the login password.

If the login authentication mode is AAA on a VTY channel, you must create a local AAA user. Run the display this command in the AAA view to check the configuration. You must specify the level and service type for the account; otherwise, you cannot use this account to log in to the AC.

For example, the user name is admin and password is Admin@huawei.com. If the account configuration is incorrect, run the aaa command to enter the AAA view, reconfigure the account based on the following command format, and log in to the AC.

[AC] aaa
[AC-aaa] local-user admin password irreversible-cipher Admin@huawei.com
[AC-aaa] local-user admin service-type telnet http terminal

In AAA authentication mode, if a user enters incorrect passwords three times consecutively within 5 minutes when the client attempts to set up a Telnet connection with the Telnet server, the IP address of the client will be locked for 5 minutes, and the user cannot pass authentication. You can run the display aaa online-fail-record username username command in any view to check clients' IP addresses that are locked due to authentication failures. If the IP address of a client is locked, solve the problem using the following methods:
Wait for 5 minutes until the IP address is automatically unlocked.
Enter the AAA view and run the undo local-aaa-user wrong-password command to disable the local account locking function.
Check whether the IP address of the client is permitted in the ACL.

<AC> display current-configuration | include telnet
telnet server permit interface GigabitEthernet0/0/1   //Clients can connect to GigabitEthernet0/0/1 on the Telnet server, but cannot connect to other interfaces.

By default, clients can connect to all the physical interfaces on the Telnet server. You can run the undo telnet server permit interface command in the system view to allow clients to connect to all the physical interfaces on the Telnet server.


6- Checking Whether the User Password Is Correct
Procedure
Check whether the user password is correct. If it cannot be determined, log in to the device through the console port and run the following command to change the user password:

[AC] aaa
[AC-aaa] local-user admin password irreversible-cipher Admin@huawei.com


You can follow this guide for more troubleshooting. If the issue is not solved, please contact your regional TAC:

http://support.huawei.com/onlinetoolsweb/ptmngsys/Web/tsrev_wlan/en/content/wlan/37_edesk_Telnet_Login_Failure/edesk_Telnet_Login_Failure_edesk000.html
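
The checks in steps 2 to 4 above can also be run offline against a saved configuration. This is an added example, not part of the original answer or any Huawei tool. It assumes an enabled Telnet server appears as a "telnet server enable" line and that sub-commands are indented by one space; sections, acl_denies and telnet_blockers are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample (not from a real device), one-space indented sub-commands.
SAMPLE_CONFIG = """\
telnet server enable
acl number 3000
 rule 5 deny tcp source 192.168.1.2 0
user-interface vty 0 4
 acl 3000 inbound
 protocol inbound ssh
user-interface vty 16 20
 protocol inbound all
"""

def sections(config):
    """Map each top-level line to the indented sub-commands below it."""
    out, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            out[current].append(line.strip())
        elif line.strip() not in ("", "#"):
            current = line.strip()
            out[current] = []
    return out

def acl_denies(rules, client):
    """True if the first rule whose source matches `client` is a deny."""
    ip = lambda s: int(ipaddress.ip_address(s))
    for rule in rules:
        m = re.match(r"rule \d+ (permit|deny) \S+ source (\S+) (\S+)", rule)
        if m:
            wild = 0 if m.group(3) == "0" else ip(m.group(3))  # 1-bits are ignored
            if (ip(m.group(2)) | wild) == (ip(client) | wild):
                return m.group(1) == "deny"
    return False

def telnet_blockers(config, client):
    """Reasons from steps 2-4 that stop `client` reaching a VTY over Telnet."""
    sec = sections(config)
    # Assumption: the enabled service is saved as the line "telnet server enable".
    found = [] if "telnet server enable" in sec else ["telnet server not enabled"]
    for name, cmds in sec.items():
        for c in cmds if name.startswith("user-interface vty") else []:
            acl = re.match(r"acl (\d+) inbound", c)
            if acl and acl_denies(sec.get("acl number " + acl.group(1), []), client):
                found.append(f"{name}: acl {acl.group(1)} denies {client}")
            if c.startswith("protocol inbound") and c.split()[-1] not in ("telnet", "all"):
                found.append(f"{name}: {c}")
    return found
```

A VTY range with no protocol inbound line is not flagged, because the default depends on the software version.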
All Answers
Share the telnet configuration, and if there is a console cable to log in to the access controller.
@sim_157 hi,
please check the Telnet configuration. When upgrading to V200R005C00SPC600, Telnet will be disabled and SSH will be enabled.