S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Configuring a Local User

Context

When configuring a local user, you can configure the number of connections that can be established by the local user, local user level, idle timeout period, and login time, and allow the local user to change the password.

NOTE:
  • To ensure device security, enable the password complexity check and change the password periodically.
  • After you change a local account's rights (including the password, access type, FTP directory, and level), users who are already online keep their current rights; the new rights take effect only when the user logs in again.
  • Local users' access types include:

    • Administrative: api, ftp, http, ssh, telnet, x25-pad, and terminal
    • Common: 802.1x, bind, ppp, and web
  • Telnet and FTP transmit credentials and data in plaintext, so these login modes carry security risks. You are advised to set the user login mode to STelnet or SFTP and the user access type to SSH.

    When a device starts without any configuration, HTTP uses a randomly generated self-signed certificate to support HTTPS. A self-signed certificate cannot be verified by clients and may bring risks, so you are advised to replace it with an officially authorized digital certificate.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Create a local user.

    • Procedure: (Optional) Enable the password complexity check.
      Command: user-password complexity-check
      Description: By default, the password complexity check is enabled.

    • Procedure: Create a local user name and a password (using either of the commands).
      Command: local-user user-name password
      Command: local-user user-name password { cipher | irreversible-cipher } password
      Description: By default, the local account password is not configured.
      The first form should be entered in interactive mode, because entering a plaintext password directly on the command line poses security risks.
      If a user name contains a domain name delimiter (such as @, |, or %) and the domain name parsing direction has not been set with the domainname-parse-direction right-to-left command, the string before the delimiter is taken as the user name and the string after it as the domain name. If the user name contains no delimiter, the whole string is the user name. By default, common users are authenticated in the domain default, and administrators in the domain default_admin.

    • Procedure: Configure an access type for the local user.
      Command: local-user user-name service-type { 8021x | api | bind | ftp | http | ppp | ssh | telnet | terminal | web | x25-pad } *
      Description: By default, all access types are disabled for a local user.
      The access type configured for portal access users is web.
      If the user already exists, note that:
      • If the irreversible password algorithm is used, the access type can only be administrative.
      • If the reversible password algorithm is used, the access type can be common or administrative, but not a combination of the two. When the access type is set to an administrative type, the password encryption algorithm is automatically changed to the irreversible algorithm.

  4. (Optional) Set the user level, user group, access time range, idle timeout period, and number of connections that can be established by the user.

    • Procedure: Set the local user level.
      Command: local-user user-name privilege level level
      Description: The default level of a local user is 0.

    • Procedure: Set the local user group.
      Command: local-user user-name user-group group-name
      Description: By default, a local user does not belong to any group.
      NOTE: This command is supported only in the NAC common mode.

    • Procedure: Set the access time range for the local user.
      Command: local-user user-name time-range time-name
      Description: By default, no access time range is configured and the local user can access the network at any time.

    • Procedure: Set the idle timeout period for the specified user.
      Command: local-user user-name idle-timeout minutes [ seconds ]
      Description: If the local user is idle for longer than the specified period, the user is automatically logged out.
      If the idle timeout period is set to 0 or to a large value, the terminal remains logged in indefinitely, which is a security risk. Instead, run the lock command to lock the connection when leaving the terminal.

    • Procedure: Set the maximum number of connections that can be established by the local user.
      Command: local-user user-name access-limit max-number
      Description: By default, the number of connections a user can establish is not limited.
      To allow the local account to be logged in from only one terminal at a time, set max-number to 1.

  5. (Optional) Configure security of the local user.

    • Procedure: Enable the local account lock function, and set the retry interval, maximum number of consecutive authentication failures, and account lock period.
      Command: local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time
      Description: By default, the local account lock function is enabled, the retry interval is 5 minutes, the maximum number of consecutive authentication failures is 3, and the account lock period is 5 minutes.

    • Procedure: Configure the password policy for local access users.
      • Enable the password policy for local access users and enter the local access user password policy view.
        Command: local-aaa-user password policy access-user
        Description: By default, the password policy for local access users is disabled.
      • Set the maximum number of historical passwords recorded for each user.
        Command: password history record number number
        Description: By default, a maximum of five historical passwords are recorded for each user.
      • Exit the local access user password policy view.
        Command: quit

    • Procedure: Configure the password policy for local administrators.
      • Enable the password policy for local administrators and enter the local administrator password policy view.
        Command: local-aaa-user password policy administrator
        Description: By default, the password policy for local administrators is disabled.
      • Enable the password expiration prompt function and set the password expiration prompt period.
        Command: password alert before-expire day
        Description: By default, the system displays a prompt 30 days before the password expires.
      • Enable the initial password change prompt function.
        Command: password alert original
        Description: By default, the system prompts users to change initial passwords.
      • Enable the password expiration function and set the password validity period.
        Command: password expire day
        Description: By default, the password validity period is 90 days.
      • Set the maximum number of historical passwords recorded for each user.
        Command: password history record number number
        Description: By default, a maximum of five historical passwords are recorded for each user.
      • Exit the local administrator password policy view.
        Command: quit

    In V200R010C00 and later versions, when the device starts with the default configurations, it automatically performs the following configurations and saves them to the configuration file:
    • Runs the local-aaa-user password policy administrator command to enable the password policy for local administrators.
    • Runs the password expire 0 command, which makes the passwords of local administrators permanently valid.
    • Runs the password history record number 0 command, which stops the device from checking whether a changed local administrator password matches any historical password.

  6. (Optional) Set parameters of access rights for the local user.

    • Procedure: Set the type of terminals allowed to access the network.
      Command: local-user user-name device-type device-type &<1-8>
      Description: By default, the type of terminals allowed to access the network is not configured.
      For example, to allow an iPhone to access the network, set device-type to iphone.

    • Procedure: Configure the FTP directory that FTP users can access.
      Command: local-user user-name ftp-directory directory
      Description: By default, the FTP directory that FTP users can access is not configured.
      If the access type of the local user is FTP, you must configure the FTP directory and set the local user level lower than the management level; otherwise, the FTP user cannot log in to the device.

    • Procedure: Configure the HTTP directory that HTTP users can access.
      Command: local-user user-name http-directory directory
      Description: By default, the HTTP directory that HTTP users can access is not configured.

    • Procedure: Set the local user state.
      Command: local-user user-name state { active | block }
      Description: By default, a local user is in the active state.
      The device processes requests from users in different states as follows:
      • If the local user is in the active state, the device accepts and processes the user's authentication request.
      • If the local user is in the block state, the device rejects the user's authentication request.

    • Procedure: Set the expiration date for the local account.
      Command: local-user user-name expire-date expire-date
      Description: By default, a local account is permanently valid.

    • Procedure: Configure the local user as an NMS user.
      Command: local-user user-name user-type netmanager
      Description: When the number of logged-in VTY users has reached the maximum, an NMS user can still log in using the reserved VTYs 16-20.
      The user must pass AAA local authentication.

  7. (Optional) Change the login password of the local user.

    • Procedure: Return to the user view.
      Command: return

    • Procedure: Change the login password of the local user.
      Command: local-user change-password
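The following session is an added example, not taken from the Huawei document, that applies steps 1 to 5 above to create a hardened administrator account: SSH-only access, one session at a time, a short idle timeout, account lockout, and the administrator password policy restored after the V200R010C00 first-boot defaults disabled expiry and history checking. The user name netadmin, the level, timeout and lock values, and the view prompts shown in brackets are assumptions; the password itself is typed at the device prompt rather than on the command line.

```text
# Constructed example: SSH-only administrator with session limits and lockout
<HUAWEI> system-view
[HUAWEI] aaa
# Step 3: keep the complexity check on (it is on by default)
[HUAWEI-aaa] user-password complexity-check
# Interactive form: the device prompts for the password, so it never appears on the command line
[HUAWEI-aaa] local-user netadmin password
# Administrative access over SSH only (no telnet or ftp); setting an administrative
# access type switches the stored password to the irreversible algorithm
[HUAWEI-aaa] local-user netadmin service-type ssh
[HUAWEI-aaa] local-user netadmin privilege level 15
# Step 4: a single concurrent session, logged out after 5 minutes idle
[HUAWEI-aaa] local-user netadmin access-limit 1
[HUAWEI-aaa] local-user netadmin idle-timeout 5 0
# Step 5: 3 consecutive failures within a 5-minute retry interval lock the account for 10 minutes
[HUAWEI-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 10
# Re-enable the 90-day validity period and 5-entry history that the first-boot
# "password expire 0" and "password history record number 0" turned off
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin] password expire 90
[HUAWEI-aaa-lupp-admin] password history record number 5
[HUAWEI-aaa-lupp-admin] password alert before-expire 30
[HUAWEI-aaa-lupp-admin] quit
[HUAWEI-aaa] quit
[HUAWEI] quit
```

Because rights changes do not affect sessions that are already open, log in again with the new account to confirm the settings took effect before removing any older administrator accounts.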

Updated: 2019-10-21

Document ID: EDOC1000178117