Configuring attributes for network access users
Restrictions and guidelines
You can configure authorization attributes in local user view or user group view. The setting in local user view takes precedence over the setting in user group view.
Configure the location binding attribute based on the service types of users:
For 802.1X users, specify the 802.1X-enabled Layer 2 Ethernet interfaces through which the users access the device.
For MAC authentication users, specify the MAC authentication-enabled Layer 2 Ethernet interfaces through which the users access the device.
For portal users, specify the portal-enabled interfaces through which the users access the device. Specify the Layer 2 Ethernet interfaces if portal is enabled on VLAN interfaces and the portal roaming enable command is not configured.
Procedure
Enter system view.
system-view
Add a network access user and enter network access user view.
local-user user-name class network
(Optional.) Configure a password for the network access user.
password { cipher | simple } string
(Optional.) Configure a description for the network access user.
description text
By default, no description is configured for a local user.
Assign services to the network access user.
service-type { lan-access | portal }
By default, no services are authorized to a network access user.
(Optional.) Set the status of the network access user.
state { active | block }
By default, a network access user is in active state and can request network services.
(Optional.) Set the upper limit of concurrent logins using the network access username.
access-limit max-user-number
By default, the number of concurrent logins is not limited for a network access user.
(Optional.) Configure binding attributes for the network access user.
bind-attribute { ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *
By default, no binding attributes are configured for a network access user.
(Optional.) Configure authorization attributes for the network access user.
authorization-attribute { acl acl-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | session-timeout minutes | user-profile profile-name | vlan vlan-id } *
By default, a network access user does not have authorization attributes.
(Optional.) Assign the network access user to a user group.
group group-name
By default, a network access user belongs to user group system.
(Optional.) Specify the validity period for the local user.
validity-datetime { from start-date start-time to expiration-date expiration-time | from start-date start-time | to expiration-date expiration-time }
By default, the validity period for a network access user does not expire.
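Several defaults in this procedure leave an account unrestricted: no concurrent-login limit, no binding attributes, and no expiry. The following Python script is an added example, not vendor code, that audits network access users for those defaults and for passwords entered with the simple keyword. It assumes the commands are available as text in the form entered above; the function names and every value in the sample (user names, MAC address, interface, dates) are constructed.

```python
import re

# Constructed sample (assumption): commands as entered in the procedure above.
SAMPLE = """\
local-user guest1 class network
 password simple Guest#2024
 service-type portal
local-user printer7 class network
 password cipher $c$3$PLACEHOLDER
 service-type lan-access
 access-limit 1
 bind-attribute mac 0011-2233-4455 location interface GigabitEthernet1/0/5
 authorization-attribute vlan 30
 validity-datetime to 2030/12/31 23:59:59
local-user blocked1 class network
 state block
"""

def parse_users(text):
    """Return {user: [tokenized sub-commands]} for 'class network' users."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"local-user (\S+) class network$", line)
        if m:
            current = users.setdefault(m.group(1), [])
        elif line in ("", "#", "quit") or line.startswith("local-user "):
            current = None  # end of this user's view
        elif current is not None:
            current.append(line.split())
    return users

def audit(text):
    """Return {user: [findings]}; users in block state are skipped."""
    report = {}
    for user, cmds in parse_users(text).items():
        if ["state", "block"] in cmds:
            continue  # blocked users cannot request network services
        findings = []
        if any(c[:2] == ["password", "simple"] for c in cmds):
            findings.append("plaintext-password")
        if not any(c[0] == "access-limit" for c in cmds):
            findings.append("unlimited-concurrent-logins")
        if not any(c[0] == "bind-attribute" for c in cmds):
            findings.append("no-binding-attribute")
        if not any(c[0] == "validity-datetime" and "to" in c for c in cmds):
            findings.append("never-expires")
        report[user] = findings
    return report
```

Calling audit(SAMPLE) reports all four findings for guest1 and none for printer7; blocked1 is omitted because it is in block state.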