Configuring local users
To implement local user authentication, authorization, and accounting, you must create local users and configure user attributes on the switch. The local users and attributes are stored in the local user database on the switch. A local user is uniquely identified by a username. Configurable local user attributes are as follows:
Service type.
Types of services that the user can use. Local authentication checks the service types of a local user. If none of the service types is available, the user cannot pass authentication.
Service types include FTP, LAN access, portal, SSH, Telnet, terminal, and Web.
User state.
Indicates whether or not a local user can request network services. There are two user states: active and blocked. A user in active state can request network services, but a user in blocked state cannot.
Maximum number of users using the same local user account.
Indicates how many users can use the same local user account for local authentication.
Validity time and expiration time.
Indicates the validity time and expiration time of a local user account. A user must use a valid local user account to pass local authentication. For temporary network access requirements, you can create a guest account and specify a validity time and an expiration time for the account to control the validity of the account.
User group.
Each local user belongs to a local user group and bears all attributes of the group, such as the password control attributes and authorization attributes. For more information about local user groups, see "Configuring user group attributes."
Password control attributes.
Password control attributes help you control the security of local users' passwords. Password control attributes include password aging time, minimum password length, and password composition policy.
You can configure a password control attribute in system view, user group view, or local user view, making the attribute effective for all local users, all local users in a group, or only the local user. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control."
Binding attributes.
Binding attributes are used to control the scope of users. They are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP address, access port, MAC address, and native VLAN. For more information about binding attributes, see "Configuring local user attributes." Be cautious when deciding which binding attributes to configure for a local user.
Authorization attributes.
Authorization attributes indicate the rights that a user has after passing local authentication. Authorization attributes include the ACL, idle cut function, user level, user role, user profile, VLAN, and FTP/SFTP work directory. For more information about authorization attributes, see "Configuring local user attributes."
Every configurable authorization attribute has its definite application environments and purposes. When you configure authorization attributes for a local user, consider which attributes are needed and which are not.
You can configure an authorization attribute in user group view or local user view to make the attribute effective for all local users in the group or only for the local user. The setting of an authorization attribute in local user view takes precedence over that in user group view.
Local user configuration task list
Task | Remarks |
---|---|
Configuring local user attributes | Required |
Configuring user group attributes | Optional |
Displaying and maintaining local users and local user groups | Optional |
Configuring local user attributes
Follow these guidelines when you configure local user attributes:
If the user interface authentication mode (set by the authentication-mode command in user interface view) is AAA (scheme), which commands a login user can use after login depends on the privilege level authorized to the user. If the user interface authentication mode is password (password) or no authentication (none), which commands a login user can use after login depends on the level configured for the user interface (set by the user privilege level command in user interface view). For an SSH user using public key authentication, which commands are available depends on the level configured for the user interface. For more information about user interface authentication mode and user interface command level, see Fundamentals Configuration Guide.
You can configure the user profile authorization attribute in local user view, user group view, and ISP domain view. The setting in local user view has the highest priority, and that in ISP domain view has the lowest priority. For more information about user profiles, see "Configuring a user profile."
You cannot delete a local user who is the only security log manager in the system, nor can you change or delete the security log manager role of the user. To do so, you must specify a new security log manager first.
To configure local user attributes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add a local user and enter local user view. | local-user user-name | No local user exists by default. |
3. Configure a password for the local user. | | Optional. A local user with no password configured passes authentication after providing the valid local username and attributes. To enhance security, configure a password for each local user. If none of the parameters is specified, you enter the interactive mode to set a plaintext password. This interactive mode is available only on switches that support the password control feature. |
4. Specify the service types for the local user. | | By default, no service is authorized to a local user. |
5. Place the local user in the active or blocked state. | state { active \| block } | Optional. When created, a local user is in active state by default, and the user can request network services. |
6. Set the maximum number of concurrent users of the local user account. | access-limit max-user-number | Optional. By default, there is no limit to the maximum number of concurrent users of a local user account. The limit is effective only for local accounting, and is not effective for FTP users. |
7. Configure the password control attributes for the local user. | | Optional. By default, the local user uses the password control attributes of the user group to which the local user belongs, and uses the global setting for any password control attribute that is not configured in the user group. For more information about password control configuration commands, see Security Command Reference. |
8. Configure the binding attributes for the local user. | bind-attribute { ip ip-address \| location port slot-number subslot-number port-number \| mac mac-address \| vlan vlan-id } * | Optional. By default, no binding attribute is configured for a local user. |
9. Configure the authorization attributes for the local user. | authorization-attribute { acl acl-number \| idle-cut minute \| level level \| user-profile profile-name \| user-role { guest \| guest-manager \| security-audit } \| vlan vlan-id \| work-directory directory-name } * | Optional. By default, no authorization attribute is configured for a local user. For LAN and portal users, only acl, idle-cut, user-profile, and vlan are supported. For SSH, terminal, and Web users, only level is supported. For FTP users, only level and work-directory are supported. For Telnet users, only level and user-role are supported. For other types of local users, no authorization attribute is supported. |
10. Set the validity time of the local user. | validity-date time | Optional. Not set by default. |
11. Set the expiration time of the local user. | expiration-date time | Optional. Not set by default. |
12. Assign the local user to a user group. | group group-name | Optional. By default, a local user belongs to the default user group system. |
Configuring user group attributes
User groups simplify local user configuration and management. A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attributes management for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
By default, every newly added local user belongs to the system default user group system and bears all attributes of the group. To change the user group to which a local user belongs, use the group command in local user view (step 12 of the local user attribute configuration).
To configure attributes for a user group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a user group and enter user group view. | user-group group-name | N/A |
3. Configure password control attributes for the user group. | | Optional. By default, the user group uses the global password control attribute settings. For more information about password control attribute configuration commands, see Security Command Reference. |
4. Configure the authorization attributes for the user group. | authorization-attribute { acl acl-number \| idle-cut minute \| level level \| user-profile profile-name \| vlan vlan-id \| work-directory directory-name } * | Optional. By default, no authorization attribute is configured for a user group. |
5. Set the guest attribute for the user group. | group-attribute allow-guest | Optional. By default, the guest attribute is not set for a user group, and guest users created by a guest manager through the Web interface cannot join the group. |
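The two rules that most often trip up local user definitions are the per-service-type limits on authorization attributes (step 9 of the local user table) and the precedence of password control attributes across system, user group, and local user view (step 7 here and step 3 of the user group table). The following lint is an added example, not HP/H3C code: it encodes both rules so a planned definition can be checked before it is typed into the switch. The dict layout and the password control key names are assumptions of this example.

```python
# Added example (not HP/H3C code): lint a planned local user definition
# against two rules in this guide. The dict layout is an assumption here.

# Authorization attributes supported per service type, taken from the
# authorization-attribute row of the local user table. Service types not
# listed support no authorization attribute.
SUPPORTED_AUTHZ = {
    "lan-access": {"acl", "idle-cut", "user-profile", "vlan"},
    "portal": {"acl", "idle-cut", "user-profile", "vlan"},
    "ssh": {"level"},
    "terminal": {"level"},
    "web": {"level"},
    "ftp": {"level", "work-directory"},
    "telnet": {"level", "user-role"},
}

# Password control attributes named in this guide (key labels are ours).
PASSWORD_CONTROL_KEYS = ("aging", "min-length", "composition")


def effective_password_control(global_cfg, group_cfg, user_cfg):
    """Resolve each password control attribute with the guide's precedence:
    local user view, then user group view, then the global setting."""
    result = {}
    for key in PASSWORD_CONTROL_KEYS:
        for scope in (user_cfg, group_cfg, global_cfg):
            if key in scope:
                result[key] = scope[key]
                break
    return result


def lint_local_user(user):
    """Return findings for one local user definition.
    Keys: service_types (set), authz (dict), access_limit, state."""
    findings = []
    types = set(user.get("service_types", ()))
    if not types:  # no service authorized by default: authentication fails
        findings.append("no service type: user cannot pass authentication")
    for attr in user.get("authz", {}):
        ok_for = {t for t in types if attr in SUPPORTED_AUTHZ.get(t, set())}
        unsupported = sorted(types - ok_for)
        if unsupported:
            findings.append(f"{attr} not supported for {unsupported}")
    if user.get("access_limit") is not None and types == {"ftp"}:
        findings.append("access-limit is not effective for FTP users")
    if user.get("state") == "block":
        findings.append("user is blocked and cannot request services")
    return findings
```

Run the lint over each local user in a change request; an empty findings list means the definition is consistent with the tables above.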
Displaying and maintaining local users and local user groups
Task | Command | Remarks |
---|---|---|
Display local user information. | display local-user [ idle-cut { disable \| enable } \| service-type { ftp \| lan-access \| portal \| ssh \| telnet \| terminal \| web } \| state { active \| block } \| user-name user-name \| vlan vlan-id ] [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display the user group configuration information. | display user-group [ group-name ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |