NE40E V800R010C10SPC500 Feature Description - Security 01

Domain-based User Management

Access User Management

In AAA implementations, users belong to respective domains. The domain to which a user belongs depends on the character string following "@" in the user name. For example, the user named "user@hua" belongs to the domain named "hua". If there is no "@" in a user name, the user belongs to the system default domain.

The NE40E has three default domains: default0, default1, and default_admin, as shown in Table 2-1.
Table 2-1 Default domains of the NE40E

| Name | Description | Default Attributes |
|------|-------------|--------------------|
| default0 | It is a domain to which a user belongs before authentication. When a user accesses the NE40E and is not authenticated, the NE40E does not know the domain of the user, and therefore by default considers that the user belongs to default0. | Local authentication; Non-accounting |
| default1 | It is a domain to which a user belongs during authentication. During authentication, if a user inputs a user account that does not contain a domain name, the NE40E by default considers that the user belongs to default1. | RADIUS authentication; RADIUS accounting |
| default_admin | It is a domain to which an operation user belongs. In the case that an operation user logs in to the NE40E through Telnet or SSH, if the operation user inputs a user account that does not contain a domain name during authentication, the NE40E by default considers that the operation user belongs to default_admin. | First local authentication and later RADIUS authentication; Non-accounting |

A router can manage users based on their domains. For each domain, users can configure the default authorization, RADIUS or HWTACACS server template, and authentication and accounting schemes.

To implement AAA for access users, an admin user needs to configure authentication, authorization, and accounting schemes in the AAA view of the router and then apply the configurations in the domain view.

The default AAA scheme adopts local authentication, local authorization, and non-accounting. If no AAA scheme is applied to a new domain, the default AAA scheme applies. In addition, to use the RADIUS or HWTACACS scheme for a user, an admin user must pre-configure the RADIUS or HWTACACS server template in the system view and then apply it in the view of the domain to which the user belongs.
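
The domain selection rule, the Table 2-1 defaults, and the default-scheme fallback described above can be modelled as follows. This is an added example, not Huawei code: the function names, the `operation_user` flag, the `domains` mapping, and the handling of a trailing or repeated "@" are assumptions made for illustration.

```python
from typing import NamedTuple

class Scheme(NamedTuple):
    authentication: tuple  # methods in the order they are tried
    accounting: str

# Default domains and their default attributes, from Table 2-1 on this page.
DEFAULT_DOMAINS = {
    "default0": Scheme(("local",), "none"),
    "default1": Scheme(("radius",), "radius"),
    "default_admin": Scheme(("local", "radius"), "none"),
}
# Default AAA scheme used when a new domain has no scheme applied (per the
# page; its local authorization part is not modelled here).
DEFAULT_SCHEME = Scheme(("local",), "none")

def split_username(username):
    """Split "user@domain"; returns (user, None) when no domain is given."""
    user, sep, domain = username.rpartition("@")  # assumption: last "@" delimits
    if not sep:
        return username, None
    return user, domain or None  # assumption: "user@" counts as no domain

def resolve(username, operation_user=False, domains=None):
    """Return (user, domain, Scheme) applied when `username` authenticates.

    operation_user: True for a Telnet/SSH operation user (hypothetical flag).
    domains: hypothetical model of created domains, name -> Scheme or None
             (None means no AAA scheme has been applied to that domain).
    """
    user, domain = split_username(username)
    if domain is None:
        domain = "default_admin" if operation_user else "default1"
    created = dict(DEFAULT_DOMAINS, **(domains or {}))
    if domain not in created:
        # The page does not describe this case, so flag it instead of guessing.
        raise LookupError(f"domain {domain!r} is not configured")
    return user, domain, created[domain] or DEFAULT_SCHEME

if __name__ == "__main__":
    # Constructed sample logins: (username, is operation user)
    site = {"hua": None, "isp": Scheme(("radius",), "radius")}
    for name, op in [("user@hua", False), ("alice", False),
                     ("admin", True), ("bob@isp", False)]:
        user, domain, scheme = resolve(name, op, site)
        print(f"{name:10} -> {domain:14} "
              f"auth={'+'.join(scheme.authentication)} acct={scheme.accounting}")
```

Running the same mapping over an account inventory shows which logins end up on local authentication only because the user name carries no domain or the domain has no scheme applied.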

When a domain and the users in the domain are configured with the same attribute, the user-based configurations take precedence over domain-based configurations.

The authorization configured in the domain view has a lower priority than the authorization applied by an AAA server. When the AAA server does not support the authorization type, the authorization configured in the domain view takes effect. Users can increase service authorization flexibly through domain management, regardless of the AAA server authorization.

To facilitate management of user access devices, you can specify a limit for online users in a domain or for each local user.

To ensure local user security, take the following measures:
  • Configure the limit for consecutive authentication failures in a specified period for local users.
  • Configure the password life for local users. The user is prompted to change the password when the password is about to expire. When the password expires, the user must change it immediately to log in.
Updated: 2019-01-03

Document ID: EDOC1100055047
