local-user service-type
Function
The local-user service-type command sets the access type for a local user.
The undo local-user service-type command restores the default access type for a local user.
By default, a local user cannot use any access type.
Format
local-user user-name service-type { 8021x | ftp | http [ role guest-admin ] | ssh | telnet | terminal | web } *
undo local-user user-name service-type [ http role ]
Parameters
| Parameter | Description | Value |
|---|---|---|
| user-name | Specifies a user name. If the user name contains a domain name delimiter such as @, the characters before @ are the user name and the characters after @ are the domain name. If the value does not contain @, the entire character string is the user name and the domain name is the default one. | The value is a string of 1 to 64 characters. It cannot contain spaces, asterisks, double quotation marks, or question marks. NOTE: During local authentication or authorization, run the authentication-mode { local \| local-case } or authorization-mode { local \| local-case } command to configure case sensitivity for user names. If the parameter is set to local, user names are case-insensitive. If the parameter is set to local-case, user names are case-sensitive. Note the following when configuring case sensitivity for user names: |
| 8021x | Indicates an 802.1X user. | - |
| ftp | Indicates an FTP user. | - |
| http | Indicates an HTTP user, which is usually used for web system login. | - |
| http role guest-admin | Indicates a user whose user type is foreground administrator. | - |
| ssh | Indicates an SSH user. | - |
| telnet | Indicates a Telnet user, which is usually a network administrator. | - |
| terminal | Indicates a terminal user, which is usually a user connected using a console port. | - |
| web | Indicates a Portal authentication user. | - |
Usage Guidelines
Usage Scenario
The device can manage access types of local users. After you specify the access type of a user, the user can successfully log in only when the configured access type is the same as the actual access type of the user. Access types fall into two categories:
- Administrative: FTP, HTTP, SSH, Telnet, and Terminal
- Common: 802.1X and web
Precautions
When MAC authentication users use AAA local authentication, the device does not match or check the access type of local users. However, the access type must be configured; otherwise, local authentication for MAC address authentication users fails.
Security risks exist if the user login mode is set to Telnet or FTP. You are advised to set the user login mode to STelnet or SFTP and set the user access type to SSH.
When a device starts without any configuration, HTTP uses a randomly generated self-signed certificate to support HTTPS. The self-signed certificate may bring risks. Therefore, you are advised to replace it with an officially authorized digital certificate.
Common access types cannot be configured together with administrative access types.
If a user has been created and the password uses an irreversible encryption algorithm, the access type can only be set to an administrative one.
If a user has been created and the password uses a reversible encryption algorithm, the access type can be set to an administrative or common one. When the access type is set to an administrative one, the encryption algorithm of the password is automatically converted into an irreversible encryption algorithm.
- When configuring the local user as a foreground administrator, pay attention to the following points:
  - A foreground administrator manages only accounts of Portal authentication users, and cannot manage and query accounts of other administrators (including the foreground administrator) and accounts of non-Portal authentication users. A foreground administrator can modify its own password.
  - A foreground administrator supports only commands defined in the whitelist.
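
A configuration lint for the precautions above, as an added example that is not part of the original documentation: it flags local users with Telnet or FTP access, users that mix administrative and common access types, and users with no service-type line. The function name `audit`, the user names and the sample configuration are constructed for illustration, and merging several service-type lines for one user is an assumption about how the input is written.

```python
import re

ADMIN = {"ftp", "http", "ssh", "telnet", "terminal"}  # administrative types per the page
COMMON = {"8021x", "web"}                              # common types per the page
RISKY = {"ftp", "telnet"}                              # page advises SFTP/STelnet with ssh instead
USER_RE = re.compile(r"^\s*local-user\s+(\S+)\s+")
TYPE_RE = re.compile(r"^\s*local-user\s+\S+\s+service-type\s+(.+?)\s*$")

def audit(config_text):
    """Return {user: [findings]} for the local-user lines in a config dump."""
    types = {}
    for line in config_text.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue
        seen = types.setdefault(m.group(1), set())
        s = TYPE_RE.match(line)
        if s:
            # "role" and "guest-admin" follow http but are not access types
            seen.update(t for t in s.group(1).split() if t in ADMIN | COMMON)
    findings = {}
    for user, t in types.items():
        issues = []
        if not t:
            issues.append("no service-type: user cannot use any access type")
        if t & RISKY:
            issues.append("Telnet/FTP access: " + ", ".join(sorted(t & RISKY)))
        if t & ADMIN and t & COMMON:
            issues.append("mixes administrative and common access types")
        if issues:
            findings[user] = issues
    return findings

# Constructed sample configuration (not taken from a real device)
SAMPLE = """\
aaa
 local-user ops1 password irreversible-cipher <placeholder>
 local-user ops1 service-type ssh
 local-user legacy password irreversible-cipher <placeholder>
 local-user legacy service-type telnet ftp ssh
 local-user guest1@portal service-type web
 local-user orphan password irreversible-cipher <placeholder>
 local-user portaladm service-type http role guest-admin
"""

if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

User names are compared exactly as written here; whether the device treats them as case-sensitive depends on the local or local-case setting described in the parameter table.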