Configuring local users
To implement local AAA, you must create local users and configure user attributes on the device. Local users and attributes are stored on the device in the local user database. Local users are uniquely identified by username. Configurable local user attributes are as follows:
Service type:
Services that the user can use. Local authentication checks the service types of a local user: if the service the user requests is not among the service types assigned to the account, the user cannot pass authentication.
Service types include FTP, LAN access, Portal, SSH, Telnet, Web, and terminal.
User state:
Whether or not a local user can request network services. There are two user states: active and blocked. A user in active state can request network services, but a user in blocked state cannot.
Maximum number of users using the same local user account:
Number of users who can use the same local user account for local authentication.
Validity time and expiration time:
Validity time and expiration time of a local user account. A user must use a valid local user account to pass local authentication. To meet temporary network access requirements, you can create a guest account and specify a validity time and an expiration time for the account to control the validity of the account.
User group:
Each local user belongs to a local user group and bears all attributes of the group, such as the password control attributes and authorization attributes. For more information about local user groups, see "Configuring user group attributes."
Password control attributes:
Password control attributes help you control the security of local users' passwords. Password control attributes include password aging time, minimum password length, and password composition policy.
You can configure a password control attribute in system view, user group view, or local user view, making the attribute effective for all local users, all local users in a group, or only the local user. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control." For more information about password control commands, see Security Command Reference.
Binding attributes:
Binding attributes restrict the scope of users who can use an account. They are checked during local authentication: if the attributes of the user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include the IP address, access port, MAC address, and native VLAN.
Authorization attributes:
Rights a user has after passing local authentication. Authorization attributes include the ACL, idle cut function, user level, user role, user profile, VLAN, and FTP/SFTP work directory. For more information about authorization attributes, see "Configuring local user attributes."
Each configurable authorization attribute applies to specific environments and purposes. When you configure authorization attributes for a local user, consider which attributes are needed and which are not.
You can configure an authorization attribute in user group view or local user view to make the attribute effective for all local users in the group or only for the local user. The setting of an authorization attribute in local user view takes precedence over that in user group view.
Local user configuration task list
Task | Remarks |
---|---|
Configuring local user attributes | Required. |
Configuring user group attributes | Optional. |
Displaying and maintaining local users and local user groups | Optional. |
Configuring local user attributes
Follow these guidelines when you configure local user attributes:
When the password control feature is enabled globally (by using the password-control enable command), local user passwords are not displayed.
If the user interface authentication mode (set by the authentication-mode command in user interface view) is AAA (scheme), the commands that a login user can use after login depend on the privilege level authorized to the user. If the user interface authentication mode is password (password) or no authentication (none), the commands that a login user can use after login depend on the level configured for the user interface (by using the user privilege level command in user interface view). For an SSH user using public key authentication, available commands depend on the level configured for the user interface. For more information about user interface authentication mode and user interface command level, see Fundamentals Configuration Guide.
You can configure the user profile authorization attribute in local user view, user group view, and ISP domain view. The setting in local user view has the highest priority, and that in ISP domain view has the lowest priority. For more information about user profiles, see "Configuring a user profile."
You cannot delete a local user that is the only security log manager in the system, nor can you change or delete the security log manager role of the user. To do so, you must specify a new security log manager first.
To configure the attributes of a local user:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add a local user and enter local user view. | local-user user-name | By default, a local user exists. |
3. Configure a password for the local user. | | Optional. In non-FIPS mode, a non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication. |
4. Assign service types for the local user. | | By default, no service is authorized to a local user. |
5. Place the local user in the active or blocked state. | state { active \| block } | Optional. By default, a created local user is in active state and can request network services. |
6. Set the maximum number of concurrent users of the local user account. | access-limit max-user-number | Optional. By default, there is no limit to the maximum number of concurrent users of a local user account. The limit is effective only for local accounting and is not effective for FTP users. |
7. Configure password control attributes for the local user. | | Optional. By default, the password control attributes of the user group apply. If the user group has no password control attributes configured, the global settings apply. The global settings include a 90-day password aging time, a minimum 10-character password length, and a composition policy of one character type (type number 1) with at least one character of that type (type length 1). |
8. Configure binding attributes for the local user. | bind-attribute { ip ip-address \| location port slot-number subslot-number port-number \| mac mac-address \| vlan vlan-id } * | Optional. By default, no binding attribute is configured for a local user. |
9. Configure authorization attributes for the local user. | authorization-attribute { acl acl-number \| idle-cut minute \| level level \| user-profile profile-name \| user-role { guest \| guest-manager \| security-audit } \| vlan vlan-id \| work-directory directory-name } * | Optional. By default, no authorization attribute is configured for a local user. For LAN users, only acl, idle-cut, user-profile, and vlan are supported. For portal users, only acl, user-profile, and vlan are supported. For SSH, Web, and terminal users, only level is supported. For FTP users, only level and work-directory are supported. For Telnet users, only level and user-role are supported. For other types of users, no authorization attributes are supported. |
10. Set the validity time of the local user. | validity-date time | Optional. Not set by default. |
11. Set the expiration time of the local user. | expiration-date time | Optional. Not set by default. |
12. Assign the local user to a user group. | group group-name | Optional. By default, a local user belongs to the default user group system. |
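The procedure above, worked through as an added example that is not taken from the guide: a least-privilege operator account bound to one management host, a time-limited portal guest account, and a blocked account kept for audit. The account names, addresses, ACL and VLAN numbers, dates and password placeholders are assumed, and the validity-date/expiration-date time format is assumed; check the command reference for your release.

```text
# Added example (not from the guide). Names, addresses and dates are assumed.
system-view
# Operator account: SSH only, level 3, accepted only from the management host,
# at most two concurrent sessions (the limit applies only with local accounting).
local-user netops1
 password cipher <strong-operator-password>
 service-type ssh
 authorization-attribute level 3
 bind-attribute ip 192.0.2.10
 access-limit 2
 quit
# Guest account: portal only, confined to ACL 3001 and VLAN 100 (the only
# authorization attributes portal users support), valid for one week and
# rejected automatically afterwards. Time format assumed as hh:mm:ss-MM/DD/YYYY.
local-user guest-week12
 password cipher <guest-password>
 service-type portal
 authorization-attribute acl 3001 vlan 100
 validity-date 08:00:00-03/17/2014
 expiration-date 18:00:00-03/21/2014
 quit
# Departed user: keep the account (and its history) but block all logins
# instead of deleting it.
local-user oldadmin
 state block
 quit
```

Use display local-user user-name guest-week12 afterwards to confirm the state, service type and validity window were stored as intended.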
Configuring user group attributes
User groups simplify local user configuration and management. A user group comprises a set of local users and carries a set of local user attributes. Configure local user attributes for a user group to manage the attributes of all local users in the group centrally. Configurable user attributes include password control attributes and authorization attributes.
By default, every newly added local user belongs to the default user group system and bears all attributes of the group. To assign a local user to a different user group, use the user-group command in local user view.
To configure attributes for a user group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a user group and enter user group view. | user-group group-name | N/A |
3. Configure password control attributes for the user group. | | Optional. By default, the global settings apply. The global settings include a 90-day password aging time, a minimum 10-character password length, and a composition policy of one character type (type number 1) with at least one character of that type (type length 1). |
4. Configure authorization attributes for the user group. | authorization-attribute { acl acl-number \| idle-cut minute \| level level \| user-profile profile-name \| vlan vlan-id \| work-directory directory-name } * | Optional. By default, no authorization attribute is configured for a user group. For LAN users, only acl, idle-cut, user-profile, and vlan are supported. For portal users, only acl, user-profile, and vlan are supported. For SSH, Web, and terminal users, only level is supported. For FTP users, only level and work-directory are supported. For Telnet users, only level is supported. For other types of users, no authorization attributes are supported. |
5. Set the guest attribute for the user group. | group-attribute allow-guest | Optional. By default, the guest attribute is not set for a user group, and guest users created by a guest manager through the Web interface cannot join the group. |
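The user group procedure above, together with the precedence rule from "Configuring local users" (a setting in local user view overrides the same setting in user group view), as an added example that is not part of the guide. It assumes password control is enabled globally with password-control enable, so the group's password policy takes effect; group and user names and the password placeholders are assumed.

```text
# Added example (not from the guide). Assumes "password-control enable" is set.
system-view
# Help-desk group: password policy stricter than the global defaults
# (30-day aging, 12 characters, 3 character types with at least 2 of each),
# and level 1 for SSH members unless a member overrides it.
user-group helpdesk
 password-control aging 30
 password-control length 12
 password-control composition type-number 3 type-length 2
 authorization-attribute level 1
 quit
# Guest group: the only group a guest manager may place Web-created guests in.
user-group guests
 group-attribute allow-guest
 authorization-attribute vlan 100
 quit
# Member with no level of its own: inherits level 1 and the group's
# password policy.
local-user hd-alice
 password cipher <alice-password>
 service-type ssh
 group helpdesk
 quit
# Member with level 3 set in local user view: the local user setting has a
# smaller effective range, so it wins over the group's level 1.
local-user hd-lead
 password cipher <lead-password>
 service-type ssh
 authorization-attribute level 3
 group helpdesk
 quit
```

display user-group helpdesk shows the group's attributes, and display local-user user-name hd-lead shows the per-user level that overrides them.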
Displaying and maintaining local users and local user groups
Task | Command | Remarks |
---|---|---|
Display local user information. | display local-user [ idle-cut { disable \| enable } \| service-type { ftp \| lan-access \| portal \| ssh \| telnet \| terminal \| web } \| state { active \| block } \| user-name user-name \| vlan vlan-id ] [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Display user group configuration information. | display user-group [ group-name ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |