CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Configuring a Local User

Context

When local authentication and authorization are configured, configure authentication and authorization information on the device, including the user name, password, and user level.

NOTE:

After you change the rights (including the password, access type, FTP directory, and level) of a local account, the rights of users who are already online do not change. The change takes effect only for users who go online after the change.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    aaa

    The AAA view is displayed.

  3. Create a local user account and set the password as required.

    • Run the local-user user-name password command to create a local user and set the password.

    • Run the local-user user-name password { cipher | irreversible-cipher } password command to create a local user and set the password.

    By default, the local user admin exists in the system. The password of the user is Admin@huawei, the irreversible encryption algorithm is used, the level is 15, and service type is http.

    If a user name contains a domain name delimiter (such as @ | %) and the domain name resolution direction is not configured using the domainname-parse-direction right-to-left command, the character string before the delimiter is considered as the user name, and that after the delimiter is considered as the domain name. If a user name does not contain a domain name delimiter, the entire character string is considered as the user name. By default, common users are authenticated in the domain default, and administrative users are authenticated in the domain default_admin.

    The method of entering passwords in plain text has security risks. The interaction method is recommended.

  4. (Optional) Run:

    user-password complexity-check

    The password complexity check is configured.

    By default, a device checks password complexity.

    NOTE:

    To ensure device security, do not disable password complexity check, and change the password periodically.

  5. Run:

    local-user user-name service-type { 8021x | bind | ftp | http | ppp | ssh | sslvpn | telnet | terminal | web | x25-pad } *

    The access type is configured for the local user.

    By default, a local user cannot use any access type.

    Security risks exist if the user access type is set to Telnet, FTP or HTTP. It is recommended that you set the user access type to SSH.

    Local users have the following access types:
    • Administrative category: FTP, HTTP, SSH, Telnet, x25-pad, and Terminal
    • Common category: 802.1x, bind, ppp, sslvpn, and web

    If the user does not exist before you set the access type, the access type can only be set to the administrative category.

    If the user already exists before you set the access type, pay attention to the following points:
    • If the irreversible password algorithm is used, the access type can only be set to the administrative category.
    • If the reversible password algorithm is used, the access type can be set to the common or administrative category, but not to a mix of common and administrative types. In addition, when the access type is set to the administrative category, the password encryption algorithm is automatically changed to the irreversible algorithm.

  6. (Optional) Run:

    local-user user-name idle-timeout minutes [ seconds ]

    The idle timeout interval is configured for the local user.

    If the idle timeout interval is set to 0 or a large value, the terminal will remain in the login state, resulting in security risks. You are advised to run the lock command to lock the current connection.

  7. (Optional) Run:

    local-user user-name ftp-directory directory

    The FTP directory is configured for the local user.

    By default, the FTP directory of a local user is empty.

    NOTE:

    If the access type of the local user is set to FTP, the FTP directory of the local user must be configured and the level of the local user cannot be lower than the management level. Otherwise, the FTP user login will fail.

  8. (Optional) Run:

    local-user user-name privilege level level

    The level of the local user is configured.

    By default, the user level is 0.

  9. (Optional) Run:

    local-user user-name expire-date expire-date

    The expiry date of the local account is specified.

    By default, a local account is permanently valid.

  10. (Optional) Run:

    local-user user-name time-range time-name

    The access permission time range of the local account is set.

    By default, a local account can access the network anytime.

  11. (Optional) Run:

    local-user user-name state { active | block }

    The state of the local user is configured.

    By default, a local user is in active state.

    The device processes requests from users in different states as follows:

    • If a local user is in active state, the device accepts and processes the authentication request from the user.

    • If a local user is in blocking state, the device rejects the authentication request from the user.

  12. (Optional) Run:

    local-user user-name access-limit max-number

    The maximum number of connections that can be established by the local user is configured.

    By default, the number of connections established by a user is not limited.

  13. (Optional) Run:

    local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time

    Local account locking is enabled and the retry interval, consecutive authentication failure counts, and locking duration are set.

    By default, the local account locking function is enabled, retry interval is 5 minutes, maximum number of consecutive incorrect password attempts is 3, and account locking period is 5 minutes.

  14. (Optional) Configure a password policy according to the local user type to improve password security.

    • For local access users

      Table 1-23  Password policy configuration for local access users

      Action: Enable the local access user password policy and enter the local access user password policy view.
      Command: local-aaa-user password policy access-user
      Description: By default, the password policy of local access users is disabled.

      Action: Set the maximum number of historical passwords recorded for each user.
      Command: password history record number number
      Description: By default, a maximum of five historical passwords are recorded for each user.

      Action: Quit the local access user password policy view.
      Command: quit
      Description: -

    • For local administrators

      Table 1-24  Password policy configuration for local administrators

      Action: Enable the local administrator password policy and enter the local administrator password policy view.
      Command: local-aaa-user password policy administrator
      Description: By default, the password policy of local administrators is disabled.

      Action: Enable the password expiration prompt function and set the password expiration prompt period.
      Command: password alert before-expire day
      Description: By default, the number of password expiration prompt days is 30 days.

      Action: Enable the initial password change prompt function.
      Command: password alert original
      Description: By default, the device prompts users to change initial passwords.

      Action: Enable the password expiration function and set the password validity period.
      Command: password expire day
      Description: By default, the password validity period is 90 days.

      Action: Set the maximum number of historical passwords recorded for each user.
      Command: password history record number number
      Description: By default, a maximum of five historical passwords are recorded for each user.

      Action: Quit the local administrator password policy view.
      Command: quit
      Description: -

  15. Run:

    return

    The user view is displayed.

  16. (Optional) Run:

    local-user change-password

    The password of the local user is changed.

    To ensure device security, change the password periodically.
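As an added example (not part of the Huawei documentation), the following Python script checks the local-user settings from steps 3 to 13 above against this page's own recommendations: SSH instead of Telnet/FTP/HTTP, no idle-timeout of 0, irreversible password cipher, complexity check left on, and the administrator password policy enabled. The configuration text is constructed to resemble the AAA section of a saved configuration, and the `undo user-password complexity-check` form is assumed VRP syntax rather than a command shown on this page.

```python
import re

# Constructed sample of an AAA section in saved-configuration style (not real device output);
# user "ops" follows this page's hardening advice, user "legacy" does not. Ciphertext is a placeholder.
SAMPLE_AAA = """\
aaa
 local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
 local-aaa-user password policy administrator
  password expire 90
 local-user ops password irreversible-cipher <ciphertext-placeholder>
 local-user ops service-type ssh
 local-user ops idle-timeout 5 0
 local-user ops access-limit 2
 local-user legacy password cipher <ciphertext-placeholder>
 local-user legacy service-type telnet ftp
 local-user legacy ftp-directory flash:
 local-user legacy idle-timeout 0 0
 undo user-password complexity-check
"""

RISKY_SERVICES = {"telnet", "ftp", "http"}  # the page recommends SSH instead

def audit_local_users(config):
    """Return {user: [findings]} from the local-user lines of a config."""
    findings = {}
    for line in config.splitlines():
        m = re.match(r"\s*local-user (\S+) (.*)", line)
        if not m:
            continue
        user, rest = m.groups()
        issues = findings.setdefault(user, [])
        tokens = rest.split()
        if tokens[0] == "service-type":
            risky = RISKY_SERVICES & set(tokens[1:])
            if risky:
                issues.append("insecure access type: " + ", ".join(sorted(risky)))
        elif tokens[0] == "idle-timeout" and tokens[1] == "0":
            issues.append("idle-timeout 0 keeps sessions open indefinitely")
        elif tokens[0] == "password" and tokens[1] == "cipher":
            issues.append("reversible password cipher")
    return findings

def audit_global(config):
    """Device-wide checks; the 'undo' form is assumed VRP syntax, not shown on the page."""
    issues = []
    if re.search(r"^\s*undo user-password complexity-check", config, re.M):
        issues.append("password complexity check disabled")
    if not re.search(r"^\s*local-aaa-user password policy administrator", config, re.M):
        issues.append("administrator password policy not enabled")
    return issues
```

Run it against the output of your own `display current-configuration` to spot accounts that still use the access types and timeouts this page warns about.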

Updated: 2019-05-25

Document ID: EDOC1000097287