Configuring local users
To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type. Local users are classified into the following types:
Device management user—User who logs in to the device for device management.
Network access user—User who accesses network resources through the device.
The following shows the configurable local user attributes:
Service type—Services that the user can use. Local authentication checks the service types of a local user. If none of the service types is available, the user cannot pass authentication.
Service types include FTP, HTTP, HTTPS, LAN access, portal, SSH, Telnet, and terminal.
User state—There are two user states: active and blocked. A user in active state can request network services. A user in blocked state cannot request authentication, authorization, and accounting services, but it can request to stop the accounting service in use.
Upper limit of concurrent logins using the same user name—Maximum number of users who can concurrently access the device by using the same user name. When the number reaches the upper limit, no more local users can access the device by using the user name.
User group—Each local user belongs to a local user group and has all attributes of the group. The attributes include the password control attributes and authorization attributes. For more information about local user groups, see "Configuring user group attributes."
Binding attributes—Binding attributes control the scope of users, and are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include the IP address, access port, MAC address, and native VLAN. For support and usage information about binding attributes, see "Configuring local user attributes."
Authorization attributes—Authorization attributes indicate the user's rights after it passes local authentication. Authorization attributes include the ACL, idle cut feature, user profile, user role, VLAN, and FTP/SFTP/SCP working directory. For support information about authorization attributes, see "Configuring local user attributes."
Configure the authorization attributes based on the service type of local users.
You can configure an authorization attribute in user group view or local user view. The setting of an authorization attribute in local user view takes precedence over the attribute setting in user group view.
The attribute configured in user group view takes effect on all local users in the user group.
The attribute configured in local user view takes effect only on the local user.
Password control attributes—Password control attributes help control password security for device management users. Password control attributes include password aging time, minimum password length, password composition checking, password complexity checking, and login attempt limit.
You can configure a password control attribute in system view, user group view, or local user view. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control."
Local user configuration task list
Tasks at a glance |
---|
(Required.) Configuring local user attributes |
(Optional.) Configuring user group attributes |
(Optional.) Displaying and maintaining local users and local user groups |
Configuring local user attributes
When you configure local user attributes, follow these guidelines:
When you use the password-control enable command to globally enable the password control feature, local user passwords are not displayed.
You can configure authorization attributes and password control attributes in local user view or user group view. The setting in local user view takes precedence over the setting in user group view.
Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.
For LAN and portal users, only the following authorization attributes are effective: acl, user-profile, and vlan.
For HTTP and HTTPS users, only the authorization attribute user-role is effective.
For Telnet and terminal users, only the following authorization attributes are effective: idle-cut and user-role.
For SSH users, only the following authorization attributes are effective: idle-cut, user-role, and work-directory.
For FTP users, only the following authorization attributes are effective: user-role and work-directory.
For other types of local users, no authorization attribute is effective.
Configure the location binding attribute based on the service types of users.
For 802.1X users, specify the 802.1X-enabled Layer 2 Ethernet interfaces through which the users access the device.
For MAC authentication users, specify the MAC authentication-enabled Layer 2 Ethernet interfaces through which the users access the device.
For portal users, specify the portal-enabled interfaces through which the users access the device. Specify the Layer 2 Ethernet interfaces if portal is enabled on VLAN interfaces and the portal roaming enable command is not configured.
To configure local user attributes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add a local user and enter local user view. | local-user user-name [ class { manage | network } ] | By default, no local user exists. |
3. (Optional.) Configure a password for the local user. | | Network access user passwords are encrypted with the encryption algorithm and saved as reversible ciphertext. Device management user passwords are processed with the hash algorithm and saved as a hash, from which the original password cannot be recovered. In non-FIPS mode, a local user that has no password passes authentication if it provides the correct username and passes the attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication. |
4. Assign services to the local user. | | By default, no service is authorized to a local user. A local user with no service type cannot pass local authentication. |
5. (Optional.) Place the local user to the active or blocked state. | state { active | block } | By default, a created local user is in active state and can request network services. |
6. (Optional.) Set the upper limit of concurrent logins using the local user name. | access-limit max-user-number | By default, the number of concurrent logins is not limited for the local user. This command takes effect only when local accounting is configured for the local user. It does not apply to FTP, SFTP, or SCP users, who do not support accounting. |
7. (Optional.) Configure binding attributes for the local user. | bind-attribute { ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } * | By default, no binding attribute is configured for a local user. Binding attribute ip applies only to LAN users using 802.1X. Binding attributes location, mac, and vlan apply only to LAN and portal users. |
8. (Optional.) Configure authorization attributes for the local user. | authorization-attribute { acl acl-number | idle-cut minute | user-profile profile-name | user-role role-name | vlan vlan-id | work-directory directory-name } * | Which attributes take effect depends on the service type of the user, as listed in the guidelines above. The following default settings apply: |
9. (Optional.) Configure password control attributes for the local user. | | By default, the local user uses the password control attributes of the user group to which it belongs. Only device management users support the password control feature. |
10. (Optional.) Assign the local user to a user group. | group group-name | By default, a local user belongs to the default user group system. |
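The procedure above carried through for one device management user, one 802.1X network access user, and one suspended account, as an added example that is not from the original page. The prompts and names (Sysname, ops1, dot1xuser, contractor1, interface GigabitEthernet 1/0/1, ACL 3000, VLAN 10, the user role network-operator) are constructed. The password and service-type commands, whose syntax the table above does not show, are written here in the Comware 7 form `password simple string` and `service-type service`; that syntax is an assumption.

```text
<Sysname> system-view
# Device management user: SSH only, a read-only role, idle-cut after 10 minutes,
# at most two concurrent logins with this name. access-limit takes effect only
# when local accounting is configured for the user.
[Sysname] local-user ops1 class manage
[Sysname-luser-manage-ops1] password simple Op3rator!2024
[Sysname-luser-manage-ops1] service-type ssh
[Sysname-luser-manage-ops1] authorization-attribute user-role network-operator idle-cut 10
[Sysname-luser-manage-ops1] access-limit 2
[Sysname-luser-manage-ops1] quit
# Network access user for 802.1X. The password is stored reversibly encrypted.
# The user is pinned to one 802.1X-enabled Layer 2 port, one MAC, one IP, and VLAN 10;
# a supplicant that presents this username from anywhere else fails authentication.
[Sysname] local-user dot1xuser class network
[Sysname-luser-network-dot1xuser] password simple Acc3ss!2024
[Sysname-luser-network-dot1xuser] service-type lan-access
[Sysname-luser-network-dot1xuser] bind-attribute ip 192.168.10.20 location interface gigabitethernet 1/0/1 mac 0001-0002-0003 vlan 10
[Sysname-luser-network-dot1xuser] authorization-attribute acl 3000 vlan 10
[Sysname-luser-network-dot1xuser] quit
# Suspend an account without deleting it: a blocked user cannot request AAA services.
[Sysname] local-user contractor1 class manage
[Sysname-luser-manage-contractor1] state block
[Sysname-luser-manage-contractor1] quit
# Verify the result.
[Sysname] display local-user user-name ops1 class manage
[Sysname] display local-user state block
```

Only the attributes effective for the user's service type matter: for ops1 (SSH) that is idle-cut, user-role, and work-directory, so an acl or vlan attribute on a management user would be ignored, while for dot1xuser (LAN access) only acl, user-profile, and vlan are applied.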
Configuring user group attributes
User groups simplify local user configuration and management. A user group contains a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized attribute management for the local users in the group. The attributes manageable at group level are authorization attributes and password control attributes.
By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view.
To configure user group attributes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a user group and enter user group view. | user-group group-name | By default, there is a system-defined user group named system, which is the default user group. |
3. Configure authorization attributes for the user group. | authorization-attribute { acl acl-number | idle-cut minute | user-profile profile-name | vlan vlan-id | work-directory directory-name } * | By default, no authorization attribute is configured for a user group. |
4. (Optional.) Configure password control attributes for the user group. | | By default, the user group uses the global password control settings. For more information, see "Configuring password control." |
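A user group that carries shared authorization attributes, and two members of which one overrides a group setting in local user view, as an added example that is not from the original page. It illustrates the precedence rule stated earlier (a setting in local user view takes precedence over the same attribute in user group view). The group name ops, the directory flash:/ops, the idle-cut values, and the user names are constructed; the password and service-type command syntax is assumed to be the Comware 7 form, as that syntax is not shown on this page.

```text
<Sysname> system-view
# Group-level attributes apply to every local user in the group.
[Sysname] user-group ops
[Sysname-ugroup-ops] authorization-attribute idle-cut 5 work-directory flash:/ops
[Sysname-ugroup-ops] quit
# ops2 sets nothing of its own, so it inherits idle-cut 5 and work-directory flash:/ops.
[Sysname] local-user ops2 class manage
[Sysname-luser-manage-ops2] password simple Op3rator!2024
[Sysname-luser-manage-ops2] service-type ssh
[Sysname-luser-manage-ops2] group ops
[Sysname-luser-manage-ops2] quit
# ops3 is in the same group, but its own idle-cut 15 takes precedence over the group's 5.
# work-directory is not set in local user view, so it is still inherited from the group.
[Sysname] local-user ops3 class manage
[Sysname-luser-manage-ops3] password simple Op3rator!2025
[Sysname-luser-manage-ops3] service-type ssh
[Sysname-luser-manage-ops3] group ops
[Sysname-luser-manage-ops3] authorization-attribute idle-cut 15
[Sysname-luser-manage-ops3] quit
# Verify the group attributes and the effective attributes of ops3.
[Sysname] display user-group ops
[Sysname] display local-user user-name ops3 class manage
```

Note that user-role is not among the attributes configurable in user group view, so a role has to be assigned per user; a new user that is left in the default group system gets whatever that group carries.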
Displaying and maintaining local users and local user groups
Execute display commands in any view.
Task | Command |
---|---|
Display the local user configuration and online user statistics. | display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { ftp | http | https | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name class { manage | network } | vlan vlan-id ] |
Display the user group configuration. | display user-group [ group-name ] |