Configuring a Local User
Context
When local authentication and authorization are configured, configure authentication and authorization information on the device, including the user name, password, and user level.
After you change a local account's rights (including the password, access type, FTP directory, and level), the rights of users who are already online remain unchanged. The new rights take effect only when the user logs in again.
Procedure
- Run system-view
The system view is displayed.
- Run aaa
The AAA view is displayed.
- Create a local user and set the password as required.
Run the local-user user-name password { cipher password | irreversible-cipher irreversible-cipher-password } command to create a local user and set the password.
By default, no local user exists in the system.
When the created local user uses 802.1X authentication, a login password must be configured using the cipher password command.
If the user name contains a domain name delimiter, such as @, |, or %, the character string before the delimiter is the user name and that after the delimiter is the domain name. If the user name does not contain a domain name delimiter, the entire character string is the user name. Common users are authenticated in the default domain, and management users are authenticated in the default_admin domain.
This command should be entered in interactive mode, because entering a plain-text password directly on the command line poses potential security risks (for example, exposure in the command history or on screen).
- (Optional) Run local-user user-name service-type { none | dot1x | { ftp | http | snmp | ssh | telnet | terminal } * }
The access type is configured for the local user.
By default, all access types are disabled for a local user.
- (Optional) Run local-user user-name ftp-directory directory
The FTP directory right is specified for the local user.
By default, the FTP directory of the local user is empty.
If the access type of the local user is set to FTP, the FTP directory of the local user must be specified and the level of the local user cannot be lower than management level. Otherwise, the FTP user cannot log in.
- (Optional) Run local-user user-name level level
The level of the local user is set.
By default, the level of a local user is specified by a user management module.
- (Optional) Run local-user user-name state { active | block [ fail-times fail-times-value interval interval-value ] }
The state of the local user is set.
By default, a local user is in the active state.
The device processes requests from users in different states as follows:
If a local user is in the active state, the device accepts and processes authentication requests from the user.
If a local user is in the blocking state, the device rejects authentication requests from the user.
If fail-times-value and interval-value are set in the local-user user-name state block command on the device and the number of a local user's unsuccessful login attempts exceeds fail-times-value, the device denies the local user's login requests within interval-value.
- (Optional) Run local-user user-name access-limit max-number
The maximum number of connections that can be established by the local user is set.
By default, the number of connections that can be established by a user is not limited.
- (Optional) Run local-user authentication lock times failed-times period
The maximum number of consecutive authentication failures for the local user is set.
By default, the system does not allow a user to log in if the user fails authentication five times within five minutes.
If a local user is locked, you need to unlock it using either of the following methods:
- In the AAA view, run the local-user authentication lock duration duration-time command to configure the interval at which a local user will be automatically unlocked. When the locking time for a user exceeds the specified duration, the user will be automatically unlocked.
- In the user view, run the activate aaa local-user user-name command to manually unlock the local user.
- (Optional) Run the following commands based on actual requirements to improve security.
Table 1-22 Configurations for improving user security (each row lists the operation, the command, and its description)

Operation: Enable the security policy function for local accounts.
Command: local-user policy security-enhance
Description: By default, the security policy function for local accounts is enabled.
After the security policy function is enabled for local accounts, user names and passwords must meet the following requirements:
- User name: contains at least six characters.
- Password:
  - Consists of at least eight characters.
  - Contains digits, upper- and lower-case letters, and special characters, excluding the space and question mark (?). The password can contain spaces if you enclose it in double quotation marks ("").
  - Cannot be the same as the user name or the user name in reverse order.
  - Cannot be the same as any of the 10 historical passwords (including the current password).
  - A reset password must be changed when you log in to the device for the first time.
NOTE: To cancel the preceding constraints, run the undo local-user policy security-enhance command.

Operation: Enable password complexity check for local accounts.
Command: local-user policy password complexity-enhance
Description: By default, password complexity check is disabled for local accounts.
After password complexity check is enabled, passwords must meet the following requirements:
- Contains digits, upper-case letters, and special characters, excluding the space and question mark (?). The password can contain spaces if you enclose it in double quotation marks ("").
- Cannot be the same as any of the 10 historical passwords.
NOTICE: You are advised to keep password complexity check enabled, because simple passwords pose potential security risks to the device and services.

Operation: Set the minimum length of local user passwords in plain text.
Command: local-user policy password min-len min-length
Description: By default, the minimum length of a password in plain text is not set.

Operation: Configure a login prompt that requires the administrator to change the initial password upon next login.
Command: local-user policy password change
Description: By default, the administrator is not required to change the initial password upon next login.

Operation: Configure the aging period of a local user.
Command: user-aging aging-period or local-user user-name aging aging-period
Description: By default, a local user does not age.
If local users have not been used for a long period of time, you can run this command to set the aging period for the local users in batches. If a user account is not used within the aging period, the account automatically expires.
The user-aging command is run for a batch operation and takes effect for all users in the system. The local-user aging command only takes effect for the specified users.
When the aging period for all users is set using the user-aging command:
- If the local-user aging command is not used, a local user uses the aging period set by the user-aging command.
- If the local-user aging command is also executed, a local user uses the aging period set by this command.

Operation: Set the expiration date for local user accounts.
Command: local-user user-name expire date
Description: By default, a user account is permanently valid.
NOTE: To prevent all users on the device from expiring, the last management user to expire is permanently valid when the expiration date is set for all management users.

Operation: Specify the minimum length of a local user name.
Command: user-name minimum-length length
Description: By default, the minimum length of a local user name is not limited.
The name of a local user created after this command is executed must meet the minimum length; otherwise, the local user cannot be created.

Operation: Specify the time range within which local users can log in.
Command: local-user user-name login-period begin-time to end-time begin-day to end-day
Description: By default, a local user can log in at any time.

Operation: Specify the password validity period for specified users.
Command: local-user user-name password expire days
Description: By default, a user password is permanently valid.

Operation: Set the alarm threshold for unsuccessful login attempts of management users.
Command: login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period
Description: By default, if a management user fails to log in 30 or more consecutive times within five minutes, an alarm is generated. If the number of the management user's failed login attempts is smaller than 20, the alarm is cleared.

Operation: Set the password validity period and the time for displaying a prompt before the password expires.
Command: local-user policy password expire expire-days prompt prompt-days
Description: By default, a password does not expire.

Operation: Quit the AAA view.
Command: quit

Operation: Display the password security view.
Command: security password

Operation: Display the rule management view.
Command: rule admin

Operation: Specify forbidden words in passwords.
Command: forbidden word word
Description: By default, no forbidden words in passwords are specified.
After a forbidden word is specified, any character string (case-insensitive) containing this word cannot be used as a password.
The forbidden word command takes effect only for local account passwords. A password that is set or changed after the command is executed cannot contain the specified forbidden word; otherwise, the password will fail to be set or changed. Old passwords that contain the forbidden word remain valid. When a user logs in using an old password containing the forbidden word, the system prompts the user that the password is simple and should be changed. The user can continue to use this password without changing it.
- Run commit
The configuration is committed.
- Run return
The user view is displayed.
- (Optional) Run local-user change-password
The password of the local user is changed.
To ensure device security, change the password frequently.
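The following is an added worked configuration, not part of the original page, that walks through the procedure above for one SSH-only management account with lockout, password policy, account lifetime, login-time restriction and forbidden words. It assumes that running local-user user-name password without a password argument opens the interactive prompt, that level 3 is the management level, that time values are in minutes, and that the date (YYYY-MM-DD) and time (HH:MM) formats shown are accepted; the user name netops and all values are constructed.

```text
# Enter the AAA view
system-view
aaa
# Create the account; the password is typed at the interactive prompt,
# never placed on the command line (assumed prompt behaviour)
local-user netops password
# Allow SSH only; all other access types stay disabled (the default)
local-user netops service-type ssh
# Management-level account (level numbering assumed)
local-user netops level 3
# At most two concurrent sessions for this account
local-user netops access-limit 2
# Lock after 3 consecutive authentication failures within 10 minutes,
# and unlock automatically after 30 minutes (units assumed to be minutes)
local-user authentication lock times 3 10
local-user authentication lock duration 30
# Password policy: keep security-enhance on, add the complexity check,
# require 12 characters, force a change at first login, rotate every
# 90 days with a warning 7 days in advance
local-user policy security-enhance
local-user policy password complexity-enhance
local-user policy password min-len 12
local-user policy password change
local-user policy password expire 90 prompt 7
# Per-user lifetime: password valid 60 days, account expires on a date,
# logins allowed only during weekday office hours (formats assumed)
local-user netops password expire 60
local-user netops expire 2026-12-31
local-user netops login-period 08:00 to 18:00 monday to friday
# Expire any account unused for 90 days, system-wide
user-aging 90
# Alarm on 10 consecutive failed management logins within 5 minutes,
# clear the alarm when the count drops below 5
login-failed threshold-alarm upper-limit 10 lower-limit 5 period 5
# Forbidden words live in the rule management view, not the AAA view
quit
security password
rule admin
forbidden word netops
forbidden word password
# Commit the configuration and return to the user view
commit
return
```

Because changed rights apply only at the next login, re-check an already-connected session after such a change; the lockout, aging and login-period settings do not cut off users who are already online.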