Re: Telnet Remote Access - No Privileges
01-20-2015 07:07 AM
Hi,
I enabled telnet access as below:
>telnet server enable
>user-interface vty 0 4
>set authentication ...
>protocol inbound telnet
Now when I access the switch remotely, the privilege is less and I am not able to execute any commands.
Is there any way to access the exec mode in the HP 5900 switch?
Also, how do I enable web access on the switch?
Please let me know your suggestions.
01-20-2015 07:43 AM
Re: Telnet Remote Access - No Privileges
Hi,
In your vty line configuration you need:
line vty 0 63
authentication-mode password
set authentication password <your_password>
user-role network-admin
protocol inbound telnet
quit
Normally, if you are not privileged and need to be, you'd use the "super" command.
However, it's not certain that your current privilege level grants you access to that.
In the above, "user-role network-admin" grants you admin privilege, but maybe you'd like a view-only kind of access; then you could say "user-role network-operator" instead.
And then from network-operator, you could gain admin privilege using the super command.
To use super you need to grant the vty lines access to it.
Let's make a role that allows the "super" command and nothing else:
role name priv
rule 1 permit command super
quit
Now add this role to the vty lines:
line vty 0 63
user-role priv
quit
And you need to set the super password:
super password simple <your_super_password>
Then you could log in and have operator access, and gain admin privilege using the super command.
If you want to enable the web service, you need to do:
ip https enable
or, for non-secure web access:
ip http enable
Regards
Region Midtjylland
01-20-2015 11:20 AM
Re: Telnet Remote Access - No Privileges
Please don't use telnet; use ssh if you need remote access to the device.
Here is a basic config you can apply (taken from an HP A5820 running R1808P25 or newer):
#
super password level 3 cipher <REMOVED>
#
local-user <REMOVED>
 password cipher <REMOVED>
 authorization-attribute level 1
 service-type ssh terminal
#
acl number 2002 name v4-MGMT-SSH
 hardware-count enable
 rule 0 deny fragment
 rule 5 permit source <REMOVED> 0
 rule 10 deny
#
acl ipv6 number 2002 name v6-MGMT-SSH
 hardware-count enable
 rule 0 deny fragment
 rule 5 deny routing
 rule 10 deny
#
ssh server enable
ssh server rekey-interval 1
undo ssh server compatible-ssh1x
undo sftp server enable
ssh client source interface LoopBack0
ssh server acl 2002
ssh server ipv6 acl ipv6 2002
#
user-interface vty 0 15
 acl 2002 inbound
 acl ipv6 2002 inbound
 authentication-mode scheme
 user privilege level 1
 set authentication password cipher <REMOVED>
 protocol inbound ssh
 terminal type vt100
#
You will also need to create the private keys before you can use the ssh server on your Comware device; see the manual for more info.
01-20-2015 02:58 PM
Re: Telnet Remote Access - No Privileges
We are a test lab and are trying to get the HP 5900 up and running in a relatively simple configuration. I need a simple telnet connection that has the same privileges as the console port. I've tried the commands suggested in this thread, but keep getting the following message when I try anything useful from the telnet session.
"System is busy or this command can't be executed because of no such privilege!"
Here is a snippet of our configuration so far:
line class vty
 authentication-mode none
 user-role network-admin
 user-role network-operator
 user-role privilege
 protocol inbound telnet
 command authorization
#
line vty 0 63
 authentication-mode none
 user-role network-admin
 user-role network-operator
 user-role priv
 user-role privilege
 protocol inbound telnet
 command authorization
#
What am I missing?
Thanks!
01-20-2015 11:04 PM
Re: Telnet Remote Access - No Privileges
Thanks,
All the posts gave me ideas; I got it working.
I just had to give:
>user-role network-admin
Thanks to all.
01-21-2015 02:29 AM
Re: Telnet Remote Access - No Privileges
Hi DennisMartin,
In your case you need to remove the "command authorization". That is:
line vty 0 63
undo command authorization
quit
line class vty
undo command authorization
quit
That said, you are of course aware that everyone able to access that net-segment can access your switch with FULL privileges.
Use ssh and make a user with a password, and even better a scheme - you'll need it when the switch needs to enter a "real" environment anyway.
Regards.
Region Midtjylland
01-26-2015 01:20 PM
Re: Telnet Remote Access - No Privileges
Thanks. That solved the problem. Yes, I'm aware that this is unsecure, but we are a test lab connected to test equipment for this project.
Best regards!
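
An added example, not part of any post in this thread: a small Python check that flags the line settings the replies warn about (network-admin on a line with `authentication-mode none`, `command authorization` on such a line, telnet as an inbound protocol, and `ip http enable`). The sample configuration is constructed from the snippets quoted above, and the function names `parse_blocks` and `audit` are hypothetical.

```python
# Constructed sample: unauthenticated telnet class from the thread, plus an ssh-only line.
SAMPLE = """\
line class vty
 authentication-mode none
 user-role network-admin
 protocol inbound telnet
 command authorization
#
line vty 0 63
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
#
ip http enable
"""

def parse_blocks(text):
    """Group sub-commands under each line/user-interface header; '#' or 'quit' ends a block."""
    blocks, current = {"global": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "quit"):
            current = None
        elif line.startswith(("line ", "user-interface ")):
            current = blocks.setdefault(line, [])
        else:
            (current if current is not None else blocks["global"]).append(line)
    return blocks

def audit(text):
    """Return (block, finding) pairs for the settings the replies warn about."""
    blocks, findings = parse_blocks(text), []
    for header, cmds in blocks.items():
        if header == "global":
            continue
        no_auth = "authentication-mode none" in cmds
        if no_auth and "user-role network-admin" in cmds:
            findings.append((header, "network-admin without authentication"))
        if no_auth and "command authorization" in cmds:
            findings.append((header, "command authorization on an unauthenticated line"))
        if any(c in ("protocol inbound telnet", "protocol inbound all") for c in cmds):
            findings.append((header, "telnet accepted; prefer protocol inbound ssh"))
    if "ip http enable" in blocks["global"]:
        findings.append(("global", "non-secure web access (ip http enable)"))
    return findings

if __name__ == "__main__":
    for block, finding in audit(SAMPLE):
        print(f"{block}: {finding}")
```

The parser does not depend on indentation, so it also accepts commands pasted flat with `quit` terminators, as in the earlier reply.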