Console 口登录正常,且用户的服务类型(service-type)也包含 https;一开始网页登录正常,现在登录不上了。
相关配置如下:
local-user admin class manage password hash $h$6$PyMKNB0tfs5jNDg3aTDE1W9zmppKeCEFeMQNoiKDhmAEfayqeXZdk7IKutTMb6rIBvSc7PDaSdmVfqG+JfEB0c3/yw==
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
Web 登录失败,可以按以下要点排查:
1、检查用户名、密码是否输入正确。
2、检查是否配置了登录 IP 的限制。
3、更换其他浏览器、清理浏览器缓存、更新浏览器 Flash。
4、确认防火墙的软件版本是否为最新,可考虑升级到最新版本。
5、检查安全策略或域间策略是否有拦截。
麻烦看下评论,谢谢啦
配置如下:
dis cur
#
version 7.1.064, Ess 9504P07
#
sysname H3C
#
context Admin id 1
#
ip vpn-instance management
route-distinguisher 1000000000:1
vpn-target 1000000000:1 import-extcommunity
vpn-target 1000000000:1 export-extcommunity
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
security-zone intra-zone default permit
#
dialer-group 1 rule ip permit
#
dhcp enable
#
dns proxy enable
#
password-recovery enable
#
vlan 1
#
vlan 4
#
vlan 210
description B1
#
vlan 220
description B2
#
vlan 300
description C
#
vlan 400
description D
#
object-group ip address 1
0 network subnet 192.168.4.0 255.255.255.0
#
object-group ip address 125.120.222.231
0 network host address 125.120.222.231
#
object-group ip address 192.168.1.22
0 network host address 192.168.1.22
#
object-group ip address 2
0 network subnet 0.0.0.0 0.0.0.0
#
object-group ip address ad
0 network host address 192.168.1.81
#
object-group ip address SVN
0 network host address 192.168.1.104
#
object-group service TCP-5566
0 service tcp source eq 5566 destination eq 5566
#
dhcp server ip-pool B1
gateway-list 192.168.2.1
network 192.168.2.0 mask 255.255.254.0
dns-list 202.101.172.46
expired day 0 hour 1
forbidden-ip 192.168.2.1
#
dhcp server ip-pool office
gateway-list 192.168.1.1
network 192.168.0.0 mask 255.255.254.0
dns-list 202.101.172.46
expired day 0 hour 1
forbidden-ip 192.168.1.2
forbidden-ip 192.168.1.20
#
interface Dialer1
ppp chap password cipher $c$3$fArASCjyHqh6NuPBGJetyFDo5WomXfnRWw==
ppp chap user 057109536856
ppp pap local-user 057109536856 password cipher $c$3$5JBmJkPaRWFJmXhfT5NybYAS+QN4Gwufbg==
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 60
ip address ppp-negotiate
tcp mss 1450
nat outbound 3000
nat server protocol tcp global current-interface 7443 inside 192.168.1.2 443 reversible
nat server protocol tcp global current-interface 9443 inside 192.168.1.104 8443 reversible
nat server protocol tcp global current-interface 20080 inside 192.168.1.104 20080 reversible
nat server protocol tcp global current-interface 20081 inside 192.168.1.104 20081 reversible
nat server protocol tcp global current-interface 20082 inside 192.168.1.104 20082 reversible
nat server protocol tcp global current-interface 20083 inside 192.168.1.104 20083 reversible
nat server protocol tcp global current-interface 20084 inside 192.168.1.104 20084 reversible
nat server protocol tcp global current-interface 50001 inside 192.168.1.104 50001 reversible
nat server protocol tcp global current-interface 51001 inside 192.168.1.104 51001 reversible
nat server protocol tcp global current-interface 55651 inside 192.168.1.151 55651 reversible
nat server protocol tcp global current-interface 55652 inside 192.168.1.152 55652 reversible
nat server protocol tcp global current-interface 55653 inside 192.168.1.153 55653 reversible
nat server protocol tcp global current-interface 55654 inside 192.168.1.154 55654 reversible
nat server protocol tcp global current-interface 55655 inside 192.168.1.155 55655 reversible
nat server protocol tcp global current-interface 55660 inside 192.168.1.164 55660 reversible disable
nat server protocol tcp global current-interface 55661 inside 192.168.1.164 55661 reversible disable
nat server protocol tcp global current-interface 55662 inside 192.168.1.61 55662 reversible
nat server protocol tcp global current-interface 55664 inside 192.168.1.165 55664 reversible
nat server protocol tcp global current-interface 55665 inside 192.168.1.165 55665 reversible
nat server protocol tcp global current-interface 55666 inside 192.168.1.166 55666 reversible
nat server protocol tcp global current-interface 55667 inside 192.168.1.167 55667 reversible
nat server protocol tcp global current-interface 55668 inside 192.168.1.176 55668 reversible
nat server protocol tcp global current-interface 65500 inside 192.168.1.104 65500 reversible
nat server protocol udp global current-interface 55651 inside 192.168.1.151 55651 reversible
nat server protocol udp global current-interface 55652 inside 192.168.1.152 55652 reversible
nat server protocol udp global current-interface 55653 inside 192.168.1.153 55653 reversible
nat server protocol udp global current-interface 55654 inside 192.168.1.154 55654 reversible
nat server protocol udp global current-interface 55655 inside 192.168.1.155 55655 reversible
nat server protocol udp global current-interface 55662 inside 192.168.1.61 55662 reversible
nat server protocol udp global current-interface 55664 inside 192.168.1.165 55664 reversible
nat server protocol udp global current-interface 55666 inside 192.168.1.166 55666 reversible
nat server protocol udp global current-interface 55667 inside 192.168.1.167 55667 reversible
nat server protocol udp global current-interface 55668 inside 192.168.1.176 55668 reversible
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.254.0
nat hairpin enable
#
interface Vlan-interface4
ip address 1.1.1.1 255.255.255.0
#
interface Vlan-interface210
ip address 192.168.2.1 255.255.254.0
#
interface Vlan-interface220
ip address 192.168.4.1 255.255.255.0
#
interface Vlan-interface300
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip binding vpn-instance management
ip address 192.168.0.1 255.255.255.0
nat outbound
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
nat outbound
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/2
port link-mode bridge
#
interface GigabitEthernet1/0/3
port link-mode bridge
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 4
#
interface GigabitEthernet1/0/6
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/7
port link-mode bridge
#
interface GigabitEthernet1/0/8
port link-mode bridge
#
object-policy ip Any-Any
rule 0 pass
#
object-policy ip Local-Trust
rule 0 pass
#
object-policy ip Trust-Local
rule 0 pass
#
object-policy ip Trust-Trust
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface1
import interface Vlan-interface4
import interface Vlan-interface210
import interface Vlan-interface220
import interface Vlan-interface300
import interface GigabitEthernet1/0/4 vlan 1 to 4094
import interface GigabitEthernet1/0/6 vlan 1 to 4094
import interface GigabitEthernet1/0/7 vlan 1 to 4094
import interface GigabitEthernet1/0/8 vlan 1 to 4094
#
security-zone name DMZ
#
security-zone name Untrust
import interface Dialer1
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name nw
import interface GigabitEthernet1/0/2 vlan 1
#
security-zone name svr
#
zone-pair security source Any destination Any
object-policy apply ip Any-Any
packet-filter 2000
#
zone-pair security source Local destination Trust
object-policy apply ip Local-Trust
packet-filter 2000
#
zone-pair security source Trust destination Local
object-policy apply ip Trust-Local
packet-filter 2000
#
zone-pair security source Trust destination Trust
object-policy apply ip Trust-Trust
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 1
user-role network-operator
#
line con 1
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 Dialer1
ip route-static 192.168.8.0 24 192.168.1.142
ip route-static 192.168.10.0 24 192.168.1.142
ip route-static 192.168.20.0 24 192.168.1.142
#
ssh server enable
#
acl basic 2000
rule 0 permit
#
acl advanced 3000
rule 0 deny ip source 192.168.4.0 0.0.0.255
rule 5 permit ip
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$PyMKDES6Cij66eLv$NB0tfs5jNDg3aTDE1W9zmppKeCEFeMQNoiKDhmAEfayqeXZdk7IKutTMb6rIBvSc7PDaSdmVfqG+JfEB0c3/yw==
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip http enable
ip https port 2017
ip https enable
#
inspect block-source parameter-profile ips_block_default_parameter
#
traffic-policy
#
ips policy default
#
anti-virus policy default
#
return
配置里用 `ip https port 2017` 把 HTTPS 端口改成了 2017,是不是因为这个?访问时需要带上端口:
https://192.168.1.1:2017
HTTP 的端口没有修改,但账号的 service-type 里没有 http,所以没有 HTTP 登录权限。
具体 Web 登录不了是什么现象?
如果是网页打不开,需要确认域间策略(从配置看已经放行)以及输入的网址是否正确。
如果你打开的是 https://192.168.1.1 的话,应该会提示密码错误之类的(账号没有 http 权限)。
另外,是不是通过 Web 登录后修改过账号密码?可以在命令行下重新设置一次密码再试试。
麻烦帮忙检查一下配置,如下: dis cur # version 7.1.064, Ess 9504P07 # sysname H3C # context Admin id 1 # ip vpn-instance management route-distinguisher 1000000000:1 vpn-target 1000000000:1 import-extcommunity vpn-target 1000000000:1 export-extcommunity # telnet server enable # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # security-zone intra-zone default permit # dialer-group 1 rule ip permit # dhcp enable # dns proxy enable # password-recovery enable # vlan 1 # vlan 4 # vlan 210 description B1 # vlan 220 description B2 # vlan 300 description C # vlan 400 description D # object-group ip address 1 0 network subnet 192.168.4.0 255.255.255.0 # object-group ip address 125.120.222.231 0 network host address 125.120.222.231 # object-group ip address 192.168.1.22 0 network host address 192.168.1.22 # object-group ip address 2 0 network subnet 0.0.0.0 0.0.0.0 # object-group ip address ad 0 network host address 192.168.1.81 # object-group ip address SVN 0 network host address 192.168.1.104 # object-group service TCP-5566 0 service tcp source eq 5566 destination eq 5566 # dhcp server ip-pool B1 gateway-list 192.168.2.1 network 192.168.2.0 mask 255.255.254.0 dns-list 202.101.172.46 expired day 0 hour 1 forbidden-ip 192.168.2.1 # dhcp server ip-pool office gateway-list 192.168.1.1 network 192.168.0.0 mask 255.255.254.0 dns-list 202.101.172.46 expired day 0 hour 1 forbidden-ip 192.168.1.2 forbidden-ip 192.168.1.20 # interface Dialer1 ppp chap password cipher $c$3$fArASCjyHqh6NuPBGJetyFDo5WomXfnRWw== ppp chap user 057109536856 ppp pap local-user 057109536856 password cipher $c$3$5JBmJkPaRWFJmXhfT5NybYAS+QN4Gwufbg== dialer bundle enable dialer-group 1 dialer timer idle 0 dialer timer autodial 60 ip address ppp-negotiate tcp mss 1450 nat outbound 3000 nat server protocol tcp global current-interface 7443 inside 192.168.1.2 443 reversible nat server protocol tcp global current-interface 9443 inside 192.168.1.104 8443 reversible nat server 
protocol tcp global current-interface 20080 inside 192.168.1.104 20080 reversible nat server protocol tcp global current-interface 20081 inside 192.168.1.104 20081 reversible nat server protocol tcp global current-interface 20082 inside 192.168.1.104 20082 reversible nat server protocol tcp global current-interface 20083 inside 192.168.1.104 20083 reversible nat server protocol tcp global current-interface 20084 inside 192.168.1.104 20084 reversible nat server protocol tcp global current-interface 50001 inside 192.168.1.104 50001 reversible nat server protocol tcp global current-interface 51001 inside 192.168.1.104 51001 reversible nat server protocol tcp global current-interface 55651 inside 192.168.1.151 55651 reversible nat server protocol tcp global current-interface 55652 inside 192.168.1.152 55652 reversible nat server protocol tcp global current-interface 55653 inside 192.168.1.153 55653 reversible nat server protocol tcp global current-interface 55654 inside 192.168.1.154 55654 reversible nat server protocol tcp global current-interface 55655 inside 192.168.1.155 55655 reversible nat server protocol tcp global current-interface 55660 inside 192.168.1.164 55660 reversible disable nat server protocol tcp global current-interface 55661 inside 192.168.1.164 55661 reversible disable nat server protocol tcp global current-interface 55662 inside 192.168.1.61 55662 reversible nat server protocol tcp global current-interface 55664 inside 192.168.1.165 55664 reversible nat server protocol tcp global current-interface 55665 inside 192.168.1.165 55665 reversible nat server protocol tcp global current-interface 55666 inside 192.168.1.166 55666 reversible nat server protocol tcp global current-interface 55667 inside 192.168.1.167 55667 reversible nat server protocol tcp global current-interface 55668 inside 192.168.1.176 55668 reversible nat server protocol tcp global current-interface 65500 inside 192.168.1.104 65500 reversible nat server protocol udp global 
current-interface 55651 inside 192.168.1.151 55651 reversible nat server protocol udp global current-interface 55652 inside 192.168.1.152 55652 reversible nat server protocol udp global current-interface 55653 inside 192.168.1.153 55653 reversible nat server protocol udp global current-interface 55654 inside 192.168.1.154 55654 reversible nat server protocol udp global current-interface 55655 inside 192.168.1.155 55655 reversible nat server protocol udp global current-interface 55662 inside 192.168.1.61 55662 reversible nat server protocol udp global current-interface 55664 inside 192.168.1.165 55664 reversible nat server protocol udp global current-interface 55666 inside 192.168.1.166 55666 reversible nat server protocol udp global current-interface 55667 inside 192.168.1.167 55667 reversible nat server protocol udp global current-interface 55668 inside 192.168.1.176 55668 reversible # interface NULL0 # interface Vlan-interface1 ip address 192.168.1.1 255.255.254.0 nat hairpin enable # interface Vlan-interface4 ip address 1.1.1.1 255.255.255.0 # interface Vlan-interface210 ip address 192.168.2.1 255.255.254.0 # interface Vlan-interface220 ip address 192.168.4.1 255.255.255.0 # interface Vlan-interface300 ip address 192.168.5.1 255.255.255.0 # interface GigabitEthernet1/0/0 port link-mode route combo enable copper ip binding vpn-instance management ip address 192.168.0.1 255.255.255.0 nat outbound # interface GigabitEthernet1/0/1 port link-mode route combo enable copper nat outbound pppoe-client dial-bundle-number 1 # interface GigabitEthernet1/0/5 port link-mode route # interface GigabitEthernet1/0/9 port link-mode route # interface GigabitEthernet1/0/10 port link-mode route # interface GigabitEthernet1/0/11 port link-mode route # interface GigabitEthernet1/0/2 port link-mode bridge # interface GigabitEthernet1/0/3 port link-mode bridge # interface GigabitEthernet1/0/4 port link-mode bridge port access vlan 4 # interface GigabitEthernet1/0/6 port link-mode bridge 
port link-type trunk port trunk permit vlan all # interface GigabitEthernet1/0/7 port link-mode bridge # interface GigabitEthernet1/0/8 port link-mode bridge # object-policy ip Any-Any rule 0 pass # object-policy ip Local-Trust rule 0 pass # object-policy ip Trust-Local rule 0 pass # object-policy ip Trust-Trust rule 0 pass # security-zone name Local # security-zone name Trust import interface Vlan-interface1 import interface Vlan-interface4 import interface Vlan-interface210 import interface Vlan-interface220 import interface Vlan-interface300 import interface GigabitEthernet1/0/4 vlan 1 to 4094 import interface GigabitEthernet1/0/6 vlan 1 to 4094 import interface GigabitEthernet1/0/7 vlan 1 to 4094 import interface GigabitEthernet1/0/8 vlan 1 to 4094 # security-zone name DMZ # security-zone name Untrust import interface Dialer1 import interface GigabitEthernet1/0/1 # security-zone name Management import interface GigabitEthernet1/0/0 # security-zone name nw import interface GigabitEthernet1/0/2 vlan 1 # security-zone name svr # zone-pair security source Any destination Any object-policy apply ip Any-Any packet-filter 2000 # zone-pair security source Local destination Trust object-policy apply ip Local-Trust packet-filter 2000 # zone-pair security source Trust destination Local object-policy apply ip Trust-Local packet-filter 2000 # zone-pair security source Trust destination Trust object-policy apply ip Trust-Trust # scheduler logfile size 16 # line class aux user-role network-operator # line class console user-role network-admin # line class vty user-role network-operator # line aux 1 user-role network-operator # line con 1 authentication-mode scheme user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-admin # ip route-static 0.0.0.0 0 Dialer1 ip route-static 192.168.8.0 24 192.168.1.142 ip route-static 192.168.10.0 24 192.168.1.142 ip route-static 192.168.20.0 24 192.168.1.142 # ssh server enable # acl basic 2000 rule 0 permit # 
acl advanced 3000 rule 0 deny ip source 192.168.4.0 0.0.0.255 rule 5 permit ip # domain system # aaa session-limit ftp 16 aaa session-limit telnet 16 aaa session-limit ssh 16 domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$PyMKDES6Cij66eLv$NB0tfs5jNDg3aTDE1W9zmppKeCEFeMQNoiKDhmAEfayqeXZdk7IKutTMb6rIBvSc7PDaSdmVfqG+JfEB0c3/yw== service-type ssh telnet terminal https authorization-attribute user-role level-3 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # ip http enable ip https port 2017 ip https enable # inspect block-source parameter-profile ips_block_default_parameter # traffic-policy # ips policy default # anti-virus policy default # return
配置我在评论里补充了,麻烦帮忙检查一下,谢谢哈