No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring a Local User

Configuring a Local User

Context

When local authentication and authorization are configured, configure authentication and authorization information on the device, including the user name, password, and user level.

NOTE:

After you change a local account's rights (including the password, access type, FTP directory, and level), the rights of users who are already online remain unchanged. Rather, the rights are only changed once a user goes online again.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Create a local user and set the password as required.

    • Run the local-user user-name password command to create a local user and set the password.

      By default, no local user exists in the system.

    • Run the local-user user-name password { cipher password | irreversible-cipher irreversible-cipher-password } command to create a local user and set the password.

      By default, no local user exists in the system.

      When the created local user uses 802.1X authentication, a login password must be configured using the cipher password command.

    NOTE:

    If the user name contains a domain name delimiter, such as @, |, or %, the character string before the delimiter is the user name and that after the delimiter is the domain name. If the user name does not contain a domain name delimiter, the entire character string is the user name. Common users are authenticated in the default domain, and management users are authenticated in the default_admin domain.

    This command should be entered in interactive mode. This is because directly entering a plain text password without being in interactive mode poses potential security risks

  4. (Optional) Run local-user user-name service-type { none | dot1x | { ftp | http | snmp | ssh | telnet | terminal } * }

    The access type is configured for the local user.

    By default, all access types are disabled for a local user.

  5. (Optional) Run local-user user-name ftp-directory directory

    The FTP directory right is specified for the local user.

    By default, the FTP directory of the local user is empty.

    NOTE:

    If the access type of the local user is set to FTP, the FTP directory of the local user must be specified and the level of the local user cannot be lower than management level. Otherwise, the FTP user cannot log in.

  6. (Optional) Run local-user user-name level level

    The level of the local user is set.

    By default, the level of a local user is specified by a user management module.

  7. (Optional) Run local-user user-name state { active | block [ fail-times fail-times-value interval interval-value ] }

    The state of the local user is set.

    By default, a local user is in the active state.

    The device processes requests from users in different states as follows:

    • If a local user is in the active state, the device accepts and processes authentication requests from the user.

    • If a local user is in the blocking state, the device rejects authentication requests from the user.

      If fail-times-value and interval-value are set in the local-user user-name state block command on the device and the number of a local user's unsuccessful login attempts exceeds fail-times-value, the device denies the local user's login requests within interval-value.

  8. (Optional) Run local-user user-name access-limit max-number

    The maximum number of connections that can be established by the local user is set.

    By default, the number of connections that can be established by a user is not limited.

  9. (Optional) Run local-user authentication lock times failed-times period

    The maximum number of continuous authentication failures for the local user is set.

    By default, the system does not allow a user to log in if the user fails to be authenticated for five times within five minutes.

    NOTE:

    If a local user is locked, you need to unlock it using either of the following methods:

    • In the AAA view, run the local-user authentication lock duration duration-time command to configure the interval at which a local user will be automatically unlocked. When the locking time for a user exceeds the specified duration, the user will be automatically unlocked.
    • In the user view, run the activate aaa local-user user-name command to manually unlock the local user.

  10. (Optional) Run the following commands based on actual requirements to improve security.

    Table 1-16 Configurations for improving user security

    Operation

    Command

    Description

    Enable the security policy function for local accounts.

    local-user policy security-enhance

    By default, the security policy function for local accounts is enabled.

    After the security policy function is enabled for local accounts, the user names and passwords must meet the following requirements:
    • User name: Contains at least six characters.
    • Password:
      • Consists of at least eight characters.
      • Contains digits, upper- and lower-case letters, and special characters, excluding the space and question mark (?). The password can contain spaces if you put it within double quotation marks ("").
      • Cannot be the same as the user name or the user name in inverse order.
      • Cannot be the same as any of 10 historical passwords (including the current password).
      • A reset password must be changed when you log in to the device for the first time.
    NOTE:
    To cancel the preceding constraints, run the undo local-user policy security-enhance command.

    Enable password complexity check for local accounts.

    local-user policy password complexity-enhance

    By default, password complexity check is disabled for local accounts.

    After password complexity check is enabled, the passwords must meet the following requirements:
    • Contains digits, upper-case letters, and special characters, excluding the space and question mark (?). The password can contain spaces if you put it within double quotation marks ("").
    • Cannot be the same as 10 history passwords.
    NOTICE:

    You are advised to keep password complexity check enabled. This is because simple passwords pose potential security risks to the device and services.

    Set the minimum length of local user passwords in plain text.

    local-user policy password min-len min-length

    By default, the minimum length of a password in plain text is not set.

    Configure a login prompt that requires the administrator to change the initial password upon next login.

    local-user policy password change

    By default, the administrator is not required to change the initial password upon next login.

    Configure the aging period of a local user.

    user-aging aging-period or local-user user-name aging aging-period

    By default, a local user does not age.

    If local users have not been used for a long period of time, you can run this command to set the aging period for the local users in batches. If a user account is not used within the aging period, the account automatically expires.

    The user-aging command is run for a batch operation and takes effect for all users in the system. The local-user aging command only takes effect for specified users.

    When the aging period for all users is set using the user-aging command:
    • If the local-user aging command is not used, a local user uses the aging period set by the user-aging command.
    • If the local-user aging command is also executed, a local user uses the aging period set by this command.

    Set the expiration date for local user accounts.

    local-user user-name expire date

    By default, a user account is permanently valid.

    NOTE:
    To prevent all users on the device from expiring, the last management user to expire is permanently valid when the expiration date is set for all management users.

    Specify the minimum length of a local user name.

    user-name minimum-length length

    By default, the minimum length of a local user name is not limited.

    The name of a local user created after execution of this command is subject to the limitation. Otherwise, the local user cannot be created.

    Specify the time range within which local users can log in.

    local-user user-name login-period begin-time to end-time begin-day to end-day

    By default, a local user can log in at any time.

    Specify the password validity period for specified users.

    local-user user-name password expire days

    By default, a user password is permanently valid.

    Set the alarm threshold for unsuccessful login attempts of management users.

    login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period

    By default, if a management user fails to log in for 30 or more consecutive times within five minutes, an alarm is generated. If the number of the management user's login attempts is smaller than 20, the alarm is cleared.

    Set the password validity period and the time for displaying a prompt before the password expires.

    local-user policy password expire expire-days prompt prompt-days

    By default, a password does not expire.

    Quit the AAA view.

    quit

    -

    Display the password security view.

    security password

    -

    Display the rule management view.

    rule admin

    -

    Specify forbidden words in passwords.

    forbidden word word

    By default, no forbidden words in passwords are specified.

    After a forbidden word is specified, any character string (case-insensitive) containing this word cannot be used as a password.

    The forbidden word command takes effect only for local account passwords. A password that is set or changed after the command is executed cannot contain the specified forbidden word; otherwise, the password will fail to be set or changed. The old passwords that contain the forbidden word are still valid. When a user logs in using an old password containing the forbidden word, the system prompts the user that the password is simple and should be changed. The user can continue to use this password without changing it.

  11. Run commit

    The configuration is committed.

  12. Run return

    The user view is displayed.

  13. (Optional) Run local-user change-password

    The password of the local user is changed.

    NOTE:

    To ensure device security, change the password frequently.

Translation
Download
Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 22428

Downloads: 92

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next