
Fat AP and Cloud AP V200R010C00 Command Reference

local-user (AAA view)

Function

The local-user command creates a local user and sets parameters of the local user.

The undo local-user command deletes a local user.

By default, the local user admin exists in the system. Its password is admin@huawei.com, stored with the irreversible encryption algorithm; its user level is 15 and its service type is http.

Format

local-user user-name { password { cipher | irreversible-cipher } password | access-limit max-number | ftp-directory directory | idle-timeout minutes [ seconds ] | privilege level level | state { block | active } | user-group group-name } *

local-user user-name password { cipher | irreversible-cipher } password state { block | active } user-group group-name [ service-type { 8021x | ftp | http [ role guest-admin ] | ssh | telnet | terminal | web } ]

undo local-user user-name [ access-limit | ftp-directory | idle-timeout | privilege level | user-group | service-type [ http role ] ]

Parameters

Each entry below gives the parameter, its description, and its value range.

user-name

Specifies the user name. If the user name contains the delimiter "@", the characters before "@" are the user name and the characters after "@" are the domain name. If the value does not contain "@", the entire string is the user name and the default domain is used.

The value is a string of 1 to 64 characters. It cannot contain spaces, asterisks (*), double quotation marks (") or question marks (?).
NOTE:

During local authentication or authorization, run the authentication-mode { local | local-case } or authorization-mode { local | local-case } command to configure case sensitivity for user names. If the parameter is set to local, user names are case-insensitive. If the parameter is set to local-case, user names are case-sensitive.

Note the following when configuring case sensitivity for user names:

  • Only the user name is case-sensitive and the domain name is case-insensitive.
  • For user security purposes, you cannot configure multiple local users with the user names that differ only in uppercase or lowercase. For example, after configuring ABC, you cannot configure Abc or abc as the user name.
  • When a device is upgraded from V200R008C10 or an earlier version to a version later than V200R008C10, all local user names in the original configuration file are saved in lowercase. When a configuration file that is manually configured or generated using the third-party tool is used for configuration restoration, local user names that differ only in uppercase or lowercase are considered as one user name and the first one among these local user names is used.

password { cipher | irreversible-cipher } password

Specifies the password of a local user.

  • The cipher parameter indicates that the user password is stored using a reversible encryption algorithm. Unauthorized users who obtain the stored value can recover the plain text with the corresponding decryption algorithm, so security is low.

  • The irreversible-cipher parameter indicates that the user password is stored using an irreversible (one-way) algorithm. Unauthorized users cannot recover the plain text from the stored value, so user security is ensured.

If the local user password is stored using the irreversible encryption algorithm, the device does not support CHAP authentication for that user.

NOTICE:

It is recommended that you set the user password when creating the user. Setting the password interactively with the local-user password command is recommended.

The value is a case-sensitive string without question marks (?) or spaces.
  • If the cipher parameter is specified, the value of password can be a plain text of 8 to 128 characters or a cipher-text password of 48, 68, 88, 108, 128, 148, 168, or 188 characters.
  • If the irreversible-cipher parameter is specified, the value of password can be a plain text of 8 to 128 characters or a cipher-text password of 68 characters.

A simple local user password brings security risks. The user password must contain at least two of the following character types: uppercase letters, lowercase letters, numerals, and special characters. In addition, the password cannot be the same as the user name or the user name in reverse order.
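The following Python script is an added example, not part of the Huawei command reference, that checks a proposed user name and plain-text password against the rules given for user-name and password above (length, forbidden characters, at least two character types, not equal to the user name or its reverse, and no second user name that differs from an existing one only in letter case). The function names are the example's own, and it is an assumption that the device compares the password against both the full "name@domain" string and the bare name.

```python
# Added example (not from the Huawei command reference): validation of the
# user-name and password rules in the local-user parameter table.

USERNAME_FORBIDDEN = set(' *"?')   # spaces, asterisk, double quote, question mark
PASSWORD_FORBIDDEN = set(" ?")     # spaces and question marks


def split_user_and_domain(user_name):
    """Return (name, domain). Text before the first '@' is the user name and
    text after it is the domain; without '@' the domain is None (the device
    then applies its default domain)."""
    if "@" in user_name:
        name, domain = user_name.split("@", 1)
        return name, domain
    return user_name, None


def check_user_name(user_name, existing_names=()):
    """Return a list of rule violations; an empty list means the name is acceptable.
    existing_names holds names already configured. A new name that differs from
    one of them only in letter case is rejected, as the table's NOTE requires
    (assumption: the comparison covers the whole 'name@domain' string, since the
    domain part is case-insensitive anyway)."""
    problems = []
    if not 1 <= len(user_name) <= 64:
        problems.append("user name must be 1 to 64 characters")
    bad = sorted(USERNAME_FORBIDDEN & set(user_name))
    if bad:
        problems.append("user name contains forbidden character(s): " + repr("".join(bad)))
    for other in existing_names:
        if other.lower() == user_name.lower():
            problems.append(f"user name collides with existing '{other}' (differs only in case)")
    return problems


def character_classes(password):
    """Classify each character as upper, lower, digit, or special."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_password(password, user_name):
    """Check a plain-text password against the table's rules: 8 to 128
    characters, no '?' or spaces, at least two character types, and not equal
    to the user name or the reversed user name (both the full string and the
    bare name are compared; see the assumption in the lead-in)."""
    problems = []
    if not 8 <= len(password) <= 128:
        problems.append("plain-text password must be 8 to 128 characters")
    if PASSWORD_FORBIDDEN & set(password):
        problems.append("password must not contain '?' or spaces")
    if len(character_classes(password)) < 2:
        problems.append("password must contain at least two character types")
    bare, _ = split_user_and_domain(user_name)
    for candidate in {user_name, bare}:
        if password in (candidate, candidate[::-1]):
            problems.append("password must not equal the user name or its reverse")
            break
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the page's own examples.
    print(check_user_name("user1@vipdomain"))                       # []
    print(check_user_name("User1@vipdomain", ["user1@vipdomain"]))  # case collision
    print(check_password("admin@12345", "user1@vipdomain"))         # []
    print(check_password("abcdefghij", "user1"))                    # one character type only
```

Run the checks before issuing the local-user command; a non-empty list names every rule the proposed value breaks, which is more useful than the single error the CLI returns.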

access-limit max-number

Specifies the number of connections that can be created with a specified user name.

If this parameter is not specified, a user can establish a maximum of 4294967295 connections by default.

The value is an integer that ranges from 1 to 4294967295.

The actual number of connections is the smaller of max-number and the model-specific maximum number of users of that type.

ftp-directory directory

Specifies the directory that FTP users can access.

If this parameter is not specified, the FTP directory of the local user is empty. The device will check whether the default FTP directory has been set using the set default ftp-directory command. If no FTP directory exists, FTP users cannot log in to the device.

NOTE:
Ensure that the configured FTP directory is an absolute path; otherwise, the configuration does not take effect.

The value is a string of 1 to 64 case-sensitive characters without spaces.

idle-timeout minutes [ seconds ]

Specifies the idle timeout period after which the user is disconnected.

  • minutes: the idle time, in minutes, after which the user interface is disconnected.
  • seconds: the additional idle time, in seconds, after which the user interface is disconnected.

If this parameter is not specified, the device uses the idle timeout interval configured by the idle-timeout command in the user view.

If minutes [ seconds ] is set to 0 0, the idle disconnection function is disabled.

NOTICE:

If the idle timeout interval is set to 0 or a large value, the terminal will remain in the login state, resulting in security risks. You are advised to run the lock command to lock the current connection.

  • minutes: the value is an integer ranging from 0 to 35791 minutes.
  • seconds: the value is an integer ranging from 0 to 59 seconds.

privilege level level

Specifies the level of a local user. After logging in to the device, a user can run only the commands of the same level or lower levels.

NOTE:

If this parameter is not specified, the user level is 0.

The value is an integer that ranges from 0 to 15. The greater the value, the higher the level of a user.

state { active | block }

Specifies the status of a local user.

  • active indicates that the local user is in the active state. The device accepts and processes authentication requests from the user and allows the user to change the password.
  • block indicates that the local user is in the blocking state. The device rejects authentication requests from the user and does not allow the user to change the password.

If a user already has a connection with the device when the user is set to the blocking state, the existing connection remains, but the device rejects subsequent authentication requests from the user.

If this parameter is not specified, the status of a local user is active.


user-group group-name

Specifies the name of a user group.

The value is a string of 1 to 64 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

service-type { 8021x | ftp | http [ role guest-admin ] | ssh | telnet | terminal | web }

Local user access type, including:

  • 8021x: indicates an 802.1X user.
  • ftp: indicates an FTP user.
  • http: indicates an HTTP user, which is usually used for web system login.
  • http role guest-admin: indicates a user whose user type is the foreground administrator.
  • ssh: indicates an SSH user.
  • telnet: indicates a Telnet user, which is usually a network administrator.
  • terminal: indicates a terminal user, which is usually a user connected using a console port.
  • web: indicates a Portal authentication user.


Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To facilitate device maintenance, run the local-user command on the device to create a local user and set parameters such as the password, user level, status, user group, access type, and FTP directory.

Prerequisites

Before adding a local user to a user group, ensure that the user group has been created using the user-group command.

Precautions

  • For device security purposes, change the password periodically.
  • Security risks exist if the user login mode is set to Telnet or FTP, because both carry credentials in clear text. You are advised to set the user login mode to STelnet or SFTP and set the user access type to SSH.

    When a device starts without any configuration, HTTP uses a randomly generated self-signed certificate to support HTTPS. The self-signed certificate may bring risks. Therefore, you are advised to replace it with an officially issued digital certificate.

  • After a local administrator logs in to the device, the administrator can create, modify, or delete attributes of other local users of the same or a lower level. The attributes include password, user level, maximum number of access users, and account validity period.

    After you change the rights (for example, the password, level, FTP directory, idle timeout interval, or status) of a local account, the rights of users already online do not change. The change takes effect when the user next goes online.

  • The user name function may be invalid due to improper configuration of the domain name delimiter.
  • One user group can be used by multiple local users. However, a local user belongs to only one user group.

    If the user groups have been configured for the local user and in the service template, only the user group configured for the local user takes effect.

    The user groups that are used by a local user or an online user cannot be deleted.

  • When MAC authentication users use AAA local authentication, the device does not match or check the access type of local users. However, the access type must be configured; otherwise, local authentication for MAC address authentication users fails.

  • If the user already exists before you set the access type and the irreversible password algorithm is used, only access types of the administrative category can be set. If the reversible password algorithm is used, access types of the administrative or common category can be set, but administrative and common access types cannot be mixed. When an access type of the administrative category is set, the password encryption algorithm is automatically changed to the irreversible algorithm. If the user does not exist before you set the access type, only access types of the administrative category can be set.
  • When configuring the local user as a foreground administrator, pay attention to the following points:
    • A foreground administrator manages only accounts of Portal authentication users, and cannot manage and query accounts of other administrators (including the foreground administrator) and accounts of non-Portal authentication users. A foreground administrator can modify its own password.
    • A foreground administrator supports only commands defined in the whitelist.
  • The idle-cut command configured in the service scheme view takes effect for administrators. For common users, the function takes effect only for wireless users.
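The following Python script is an added example, not part of the Huawei command reference, that parses local-user lines from a saved configuration and reports the conditions this page flags as risky: a password stored with the reversible cipher algorithm, a telnet or ftp access type, and an idle timeout of 0 0 that disables idle disconnection. The configuration text is constructed for the example, its cipher-text values are placeholders, and the function and class names are the example's own; it assumes that attributes of one user may be spread over several local-user lines, as the undo form of the command allows.

```python
# Added example (not from the Huawei command reference): audit of local-user
# configuration lines against the precautions listed on this page.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVICE_TYPES = {"8021x", "ftp", "http", "ssh", "telnet", "terminal", "web"}

# Constructed sample configuration; cipher-text values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
#
aaa
 local-user user1@vipdomain password irreversible-cipher <CIPHER-TEXT-PLACEHOLDER-1> access-limit 100 idle-timeout 10
 local-user legacyops password cipher <CIPHER-TEXT-PLACEHOLDER-2> privilege level 15
 local-user legacyops service-type telnet ftp
 local-user kiosk password irreversible-cipher <CIPHER-TEXT-PLACEHOLDER-3> idle-timeout 0 0 service-type ssh
 local-user webop password irreversible-cipher <CIPHER-TEXT-PLACEHOLDER-4> state active user-group as service-type http role guest-admin
#
"""


@dataclass
class LocalUser:
    name: str
    cipher_mode: Optional[str] = None                 # "cipher" or "irreversible-cipher"
    idle_timeout: Optional[Tuple[int, int]] = None    # (minutes, seconds)
    privilege: Optional[int] = None
    state: str = "active"                             # default stated in the parameter table
    service_types: Set[str] = field(default_factory=set)


def parse_local_user_lines(config: str) -> Dict[str, LocalUser]:
    """Collect attributes per user name from every 'local-user ...' line."""
    users: Dict[str, LocalUser] = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 2 or t[0] != "local-user":
            continue
        user = users.setdefault(t[1], LocalUser(t[1]))
        i = 2
        while i < len(t):
            kw = t[i]
            if kw == "password":                      # password { cipher | irreversible-cipher } value
                user.cipher_mode = t[i + 1]
                i += 3
            elif kw == "idle-timeout":                # idle-timeout minutes [ seconds ]
                minutes, seconds = int(t[i + 1]), 0
                i += 2
                if i < len(t) and t[i].isdigit():
                    seconds = int(t[i])
                    i += 1
                user.idle_timeout = (minutes, seconds)
            elif kw == "privilege":                   # privilege level N
                user.privilege = int(t[i + 2])
                i += 3
            elif kw == "state":
                user.state = t[i + 1]
                i += 2
            elif kw == "service-type":                # one or more types; http may carry "role guest-admin"
                i += 1
                while i < len(t) and t[i] in SERVICE_TYPES:
                    user.service_types.add(t[i])
                    i += 1
                    if t[i - 1] == "http" and t[i:i + 2] == ["role", "guest-admin"]:
                        i += 2
            else:                                     # access-limit, ftp-directory, user-group: keyword + value
                i += 2
    return users


def audit(users: Dict[str, LocalUser]) -> List[Tuple[str, str]]:
    """Return (user name, finding) pairs for the risks this page describes."""
    findings = []
    for u in users.values():
        if u.cipher_mode == "cipher":
            findings.append((u.name, "password stored with reversible 'cipher'; re-set it with irreversible-cipher"))
        for svc in sorted(u.service_types & {"telnet", "ftp"}):
            findings.append((u.name, f"service-type {svc} carries credentials in clear text; prefer ssh (STelnet/SFTP)"))
        if u.idle_timeout == (0, 0):
            findings.append((u.name, "idle-timeout 0 0 disables idle disconnection; the session never times out"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_local_user_lines(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```

Feed the script the output of display current-configuration; the parser ignores every line that does not start with local-user, so the whole configuration can be passed in unchanged.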

Example

# Create a local user user1, and set the domain name to vipdomain, the password to admin@12345 in cipher text, the maximum number of connections to 100, and the idle timeout interval to 10 minutes.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user user1@vipdomain password irreversible-cipher admin@12345 access-limit 100 idle-timeout 10

# Create a local user. Set the user name to user2, the domain name to vipdomain, the user password to admin@1234, user status to active, user group name to as, and access type to HTTP, and display the password in plain text.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user user2@vipdomain password irreversible-cipher admin@1234 state active user-group as service-type http

Updated: 2019-11-21

Document ID: EDOC1100064352