
Local Authentication and Authorization

Local AAA Server

A device functioning as an AAA server is called a local AAA server. A local AAA server performs user authentication and authorization but cannot perform user accounting.

Like a remote AAA server, a local AAA server requires the user names, passwords, and authorization information of local users. A local AAA server authenticates and authorizes users faster than a remote AAA server, which reduces operation costs. However, the information storage capacity of a local AAA server is limited by the device hardware.

Security Policy for Local User Password

Password Length and Complexity

When an administrator creates local users on a device, the length and complexity of the local users' passwords are controlled by commands on the device. The complexity check requires that a password be a combination of at least two of the following: digits, lowercase letters, uppercase letters, and special characters. In addition, a password must consist of at least eight characters.

Password Validity Period

After the local administrator password policy is enabled, the local administrator can set the password validity period. The default validity period is 90 days and can be changed.

If the password of a local user expires and the local user still uses this password to log in to the device, the device informs the user that the password has expired and asks whether to change it. The device then performs the following operations depending on the user's selection:
  • If the user enters Y, the user needs to enter the old password, new password, and confirm password. The password can be successfully changed only when the old password is correct and the new password and confirm password are the same and meet password length and complexity requirements.
  • If the user enters N or fails to change the password, the user cannot log in to the device.
The device also supports the password expiration prompt function. When a user logs in to the device, the device checks how many days the password remains valid. If the number of days is less than the prompt days set in the command, the device notifies the user how long it will be until the password expires and asks whether to change the password.
  • If the user changes the password, the device records the new password and modification time.
  • If the user does not change the password or fails to change the password, the user can still log in to the device as long as the password has not expired.

Password Modification Policy

When changing a password, reusing old passwords is not recommended. By default, the new password cannot be the same as any of the last five passwords used.

The local administrator can change the password of an equal- or lower-level local user.
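
The policy described on this page (length and complexity, validity period, expiration prompt, and password history) can be modelled as follows. This is an added Python example, not Huawei code or device configuration. PROMPT_DAYS, treating any non-alphanumeric character as special, counting the current password among the last five, and the salted PBKDF2 history storage are assumptions.

```python
import hashlib, hmac, os
from datetime import date

MIN_LENGTH, MIN_CLASSES = 8, 2         # from the page
VALIDITY_DAYS, HISTORY_DEPTH = 90, 5   # page defaults
PROMPT_DAYS = 7                        # assumption: the page gives no value

def meets_complexity(pw: str) -> bool:
    """At least eight characters drawn from at least two character classes."""
    classes = [
        any(c.isdigit() for c in pw),
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(not c.isalnum() for c in pw),   # assumption: "special" = non-alphanumeric
    ]
    return len(pw) >= MIN_LENGTH and sum(classes) >= MIN_CLASSES

def _digest(pw: str, salt: bytes) -> bytes:
    # History is kept as salted hashes, never plaintext (assumption, not from the page).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class LocalUser:
    def __init__(self, password: str, changed_on: date):
        self.history = []                   # (salt, digest) pairs, newest last
        self._store(password, changed_on)

    def _store(self, pw: str, today: date) -> None:
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(pw, salt))])[-HISTORY_DEPTH:]
        self.changed_on = today             # the modification time is recorded

    def _matches(self, pw: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_digest(pw, salt), digest)

    def login_state(self, today: date) -> str:
        days_left = VALIDITY_DAYS - (today - self.changed_on).days
        if days_left <= 0:
            return "expired"                # login only after a successful change
        return "prompt" if days_left < PROMPT_DAYS else "ok"

    def change_password(self, old: str, new: str, confirm: str, today: date) -> bool:
        ok = (self._matches(old, self.history[-1])   # old password is correct
              and new == confirm                     # new and confirm are the same
              and meets_complexity(new)
              and not any(self._matches(new, e) for e in self.history))
        if ok:
            self._store(new, today)
        return ok
```
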

Copyright © Huawei Technologies Co., Ltd.