huawei basic user environment

Posted on March 6, 2012

As you already know you can assign a different privilege level for each user, configured on a
Huawei device. How to configure local user and how to access Huawei device you can read
in one of my previous posts.

user privilege level

Today I want to focus on the privilege level of local user. Each year lots of accidents in IP
networks are caused by inexperienced employees. We can decrease the number of such
accidents setting privilege level for local users, logging into network devices. Setting a lower
privilege level for such employees increases networks safety. For more experienced
engineers we can either configure higher privilege level or set a super password, to let them
to perform advanced operation.

Lets assume that we have created a local user with the lowest priority:

local-user labnario password cipher &EU15O"Q3/;Q=^Q`MAF4<1!!

local-user labnario service-type telnet
local-user labnario level 0

After you are logged as user labnario and putting a question mark you can see all
commands available in level 0:

<CX600>?
User view commands:
cluster Run cluster command
display Display LPUF-10 work-mode
hwtacacs-user HWTACACS user
language-mode Specify the language environment
local-user Local user
ping Ping function
quit Exit from current command view
return Exit to user view
save Save file
super Privilege current user a specified priority level
telnet Establish a Telnet connection
trace Trace route (switch) to host on Data Link Layer
tracert Trace route to host

As this is the lowest privilege level we cannot even display current-configuration and
interfaces statistics:

<CX600>display current-configuration
^
Error: Unrecognized command found at '^' position.

<CX600>display interface GigabitEthernet7/0/0

^
Error: Unrecognized command found at '^' position.
command privilege level

But we can assign additional commands to this level in advance, as needed:

command-privilege level 0 view shell display current-configuration

command-privilege level 0 view system display current-configuration
command-privilege level 0 view shell display interface
GigabitEthernet7/0/0

Now it is possible to display current-configuration and statistics of GE7/0/0:

<CX600>display ?
current-configuration Current configuration
interface Status and configuration information for the
interface

super password and switching user levels

Lets come back to super password. What we want to do is to the set super password, in
advance, for privilege level 15:

[CX600]super password level 15 cipher &EU15O"Q3/;Q=^Q`MAF4<1!!

And now if you are logged as level 0 user, you can switch to level 15. If you want to recall
about a levels arrangement on Huawei devices you can read huawei cli introduction.

<CX600>super 15
Password:
Now user privilege is 15 level, and only those commands whose level is
equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

Now you have full rights to configure and manage this device.

locking user terminal

Remember to lock your current user terminal interface if you are away of your desk. It
prevents your device against unauthorized users operations on the current terminal interface:

<CX600>lock
Enter Password:
Confirm Password:

Info: The terminal is locked.

Enter Password:
<CX600>