
Configuring a Local User

Context

When configuring a local user, you can set the maximum number of connections the user can establish, the user level, the idle timeout period, and the login time range, and you can allow the user to change the password.

  • For device security purposes, do not disable the password complexity check, and change the password periodically.

  • After you change the local account's rights (including the password, access type, FTP directory, and level), the rights of users who are already online remain unchanged, and new users obtain new rights when they go online.
  • Local users' access types include:

    • Administrative: api, ftp, http, ssh, telnet, x25-pad, and terminal
    • Common: 8021x, ppp and web
  • Security risks exist if the user login mode is set to Telnet or FTP, because both protocols carry credentials and session data in plaintext. You are advised to set the user login mode to STelnet or SFTP and set the user access type to SSH.

    When a device starts without any configuration, HTTP uses a randomly generated self-signed certificate to support HTTPS. Because clients cannot validate a self-signed certificate against a trusted CA, it may bring risks. Therefore, you are advised to replace it with a digital certificate issued by an officially authorized CA.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Create a local user.

    Procedure

    Command

    Description

    (Optional) Enable password complexity check.

    user-password complexity-check [ three-of-kinds ]

    By default, password complexity check is enabled on a device. The password must contain at least two of the following: uppercase letters, lowercase letters, digits, and special characters.

    Create a local user name and password (using either of the commands).

    local-user user-name password

    By default, the local account password is not configured.

    Enter this command in interactive mode, so that the device prompts for the password. Typing the plaintext password directly on the command line poses security risks.

    If a user name contains a domain name delimiter (such as @ | %) and the domain name resolution direction is not configured using the domainname-parse-direction right-to-left command, the character string before the delimiter is considered as the user name, and that after the delimiter is considered as the domain name. If a user name does not contain a domain name delimiter, the entire character string is considered as the user name. By default, common users are authenticated in the default domain, and administrative users are authenticated in the default_admin domain.

    local-user user-name password { cipher | irreversible-cipher } password

    cipher stores the password with a reversible algorithm; irreversible-cipher stores it with an irreversible algorithm. See the notes on access types below for how the chosen algorithm restricts the access types the user can be given.

    Configure an access type for the local user.

    local-user user-name service-type { 8021x | api | ftp | http | ppp | ssh | telnet | terminal | web | x25-pad } *

    By default, all access types are disabled for a local user.

    The access type configured for Portal access users is web.

    If a local user already exists before an access type is configured for the user, note the following:
    • If the irreversible password algorithm is used, the access type can only be administrative.
    • If the reversible password algorithm is used, the access type can be common or administrative, but cannot be a mixed type of common and administrative. In addition, when the access type is set to an administrative type, the password encryption algorithm is automatically changed to the irreversible algorithm.

  4. (Optional) Set the user level, user group, access time range, idle-cut function, and number of connections that can be established by the user.

    Procedure

    Command

    Description

    Set the local user level.

    local-user user-name privilege level level

    The default level of a local user is 0.

    Set the local user group.

    local-user user-name user-group group-name

    By default, a local user does not belong to any group.

    NOTE:

    This command is supported only in NAC common mode.

    Set the access time range for the local user.

    local-user user-name time-range time-name

    By default, no access time range is configured and the local user can access the network anytime.

    Set the idle timeout period for a specified user.

    local-user user-name idle-timeout minutes [ seconds ]

    You can specify the idle timeout period. If a local user is idle for longer than the specified period, the user automatically goes offline.

    If the idle timeout period is set to 0 or to a large value, the terminal remains logged in to the device, posing security risks. If you must use such a value, run the lock command to lock the connection whenever you leave the terminal.

    Set the maximum number of connections that can be established by the local user.

    local-user user-name access-limit max-number

    By default, the number of connections that can be established by a user is not limited.

    To configure the local account to log in through only one terminal, set max-number to 1.

  5. (Optional) Configure the local user security.

    Procedure

    Command

    Description

    Enable the local account lock function, and set the retry interval, maximum number of consecutive authentication failures, and account lock period.

    local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time

    By default, the local account lock function is enabled, the retry interval is 5 minutes, the maximum number of consecutive authentication failures is 3, and the account lock period is 5 minutes.

    Configure a user to access the network using a specified IP address when the user account is locked.

    aaa-quiet administrator except-list { ipv4-address | ipv6-address } &<1-32>

    By default, a user cannot access the network when the account is locked.

    To check information about the specified IP addresses, run the display aaa-quiet administrator except-list command.

    Configure the password policy for local access users.

    Enable the password policy for local access users and enter the local access user password policy view.

    local-aaa-user password policy access-user

    By default, the password policy for local access users is disabled.

    Set the maximum number of historical passwords recorded for each user.

    password history record number number

    By default, a maximum of five historical passwords are recorded for each user.

    Exit the local access user password policy view.

    quit

    -

    Configure the password policy for local administrators.

    Enable the password policy for local administrators and enter the local administrator password policy view.

    local-aaa-user password policy administrator

    By default, the password policy for local administrators is disabled.

    Enable the password expiration prompt function and set the password expiration prompt period.

    password alert before-expire day

    By default, the system displays a prompt 30 days before the password expires.

    Enable the initial password change prompt function.

    password alert original

    By default, the system prompts users to change initial passwords.

    Enable the password expiration function and set the password validity period.

    password expire day

    By default, the password validity period is 90 days.

    Set the maximum number of historical passwords recorded for each user.

    password history record number number

    By default, a maximum of five historical passwords are recorded for each user.

    Exit the local administrator password policy view.

    quit

    -

    In V200R010C00 and later versions, when the device starts with the default configurations, it automatically performs the following configurations and saves the configurations to the configuration file:
    • Run the local-aaa-user password policy administrator command to enable the password policy for local administrators.
    • Run the password expire 0 command to configure the passwords of local administrators to be permanently valid.
    • Run the password history record number 0 command to configure the device not to check whether a changed password of a local administrator is the same as any historical password.

    On such devices the effective administrator policy is therefore weaker than the 90-day validity period and five-entry history described above. If you want password expiration and history checks, run password expire and password history record number explicitly with non-zero values.

  6. (Optional) Set parameters of access rights for the local user.

    Procedure

    Command

    Description

    Set the type of terminals allowed to access the network.

    local-user user-name device-type device-type &<1-8>

    By default, the type of terminals allowed to access the network is not configured.

    For example, if the terminal is an iPhone, you can set device-type to iphone.

    NOTE:

    This function is supported only by S5730-HI, S5731-H, S5731S-H, S6730-H, S6730S-H, S5732-H, S6720-HI, and S5720-HI.

    Configure the FTP directory that FTP users can access.

    local-user user-name ftp-directory directory

    By default, the FTP directory that FTP users can access is not configured.

    If the access type of local users is FTP, you must configure the FTP directory, and set the local user level to be not lower than the management level (level 3); otherwise, FTP users cannot log in to the device.

    Configure the HTTP directory that HTTP users can access.

    local-user user-name http-directory directory

    By default, the HTTP directory that HTTP users can access is not configured.

    Set the local user state.

    local-user user-name state { active | block }

    By default, a local user is in the active state.

    The device processes requests from users in different states as follows:

    • If a local user is in active state, the device accepts and processes the authentication request from the user.

    • If a local user is in block state, the device rejects the authentication request from the user.

    Set the expiration date for the local account.

    local-user user-name expire-date expire-date

    By default, a local account is permanently valid.

    Configure the local user as an NMS user.

    local-user user-name user-type netmanager

    When the number of login VTY users has reached the maximum, an NMS user can still log in using the reserved VTY numbers 16-20.

    The user must pass AAA local authentication.

  7. (Optional) Run the undo local-aaa-user change-password verify command to disable the function of verifying the original password when local administrators change their own passwords.

    By default, when local administrators change their passwords using the local-user user-name password command in the AAA view, the administrators need to enter the original password for verification. Disabling this check allows anyone holding an administrator's open session to set a new password without knowing the current one, so keep it enabled unless you have a specific reason not to.

  8. (Optional) Change the login password of a local user.

    Procedure

    Command

    Description

    Return to the user view.

    return

    -

    Change the login password of a local user.

    local-user change-password

    -
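The following console session ties the steps above together for one hardened local administrator. It is an added example, not part of the original page or of Huawei's own configuration examples. The user name netops, the IP address 192.0.2.10, the expiry date, the password-policy view prompt shown as [HUAWEI-aaa-lupp-admin], and the YYYY-MM-DD date format are assumptions; lines beginning with # are annotations, not input.

```text
# Added example, not from the original page. netops, 192.0.2.10, the expiry date
# and the [HUAWEI-aaa-lupp-admin] prompt are assumptions.
<HUAWEI> system-view
[HUAWEI] aaa
# Keep the complexity check on (it is the default) and require three of the four character classes.
[HUAWEI-aaa] user-password complexity-check three-of-kinds
# Interactive form: the device prompts for the password instead of taking it from the command line.
[HUAWEI-aaa] local-user netops password
# Administrative access over SSH only (STelnet/SFTP); no telnet, ftp or http.
[HUAWEI-aaa] local-user netops service-type ssh
[HUAWEI-aaa] local-user netops privilege level 15
# One terminal at a time, and disconnect after 5 minutes 0 seconds idle.
[HUAWEI-aaa] local-user netops access-limit 1
[HUAWEI-aaa] local-user netops idle-timeout 5 0
# Account stops working on the assumed end date instead of living forever.
[HUAWEI-aaa] local-user netops expire-date 2025-12-31
# Lockout: 3 consecutive failures within 5 minutes block the account for 15 minutes.
[HUAWEI-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 15
# The management workstation (assumed address) may still log in while the account is locked.
[HUAWEI-aaa] aaa-quiet administrator except-list 192.0.2.10
# Re-enable the expiry and history checks that V200R010C00 and later set to 0 at first boot.
[HUAWEI-aaa] local-aaa-user password policy administrator
[HUAWEI-aaa-lupp-admin] password expire 90
[HUAWEI-aaa-lupp-admin] password history record number 5
[HUAWEI-aaa-lupp-admin] password alert before-expire 14
[HUAWEI-aaa-lupp-admin] password alert original
[HUAWEI-aaa-lupp-admin] quit
# Original-password verification on self-service password change is left enabled (the default);
# do not run: undo local-aaa-user change-password verify
[HUAWEI-aaa] quit
[HUAWEI] quit
# Verify the result before saving.
<HUAWEI> display local-user
<HUAWEI> display aaa-quiet administrator except-list
<HUAWEI> save
```

Two checks worth making after applying this: confirm with display local-user that the access type is ssh only and the state is active, and remember from the Context section that changes to an account's rights do not affect sessions that are already online, so an administrator whose rights were just reduced must be disconnected (or wait for the idle timeout) before the new rights take effect.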

Copyright © Huawei Technologies Co., Ltd.