The local-user command creates a local user and sets parameters of the local user.
The undo local-user command deletes a local user.
By default, the privilege level of a new local user is 0, and no service type is configured for the user.
The system has a local user named admin. The password of the user is admin@huawei.com, which is encrypted using an irreversible algorithm. By default, no privilege level or service type is configured for the user. In the factory default settings of the device, the privilege level of the user is 15, and the service types are HTTP and terminal.
local-user user-name { password { cipher | irreversible-cipher } password | access-limit max-number | ftp-directory directory | idle-timeout minutes [ seconds ] | privilege level level | state { block | active } | user-group group-name } *
local-user user-name http-directory directory
undo local-user user-name [ access-limit | ftp-directory | http-directory | idle-timeout | privilege level | user-group ]
Parameter | Description | Value
---|---|---
user-name | Specifies the user name. If the user name contains a domain name delimiter such as @, the characters before @ are the user name and the characters after @ are the domain name. If the value does not contain @, the entire string is the user name and the domain name is the default one. | The value is a string of 1 to 64 characters. It cannot contain spaces, asterisks (*), double quotation marks ("), or question marks (?). NOTE: During local authentication or authorization, run the authentication-mode { local \| local-case } or authorization-mode { local \| local-case } command to configure case sensitivity for user names. If the parameter is set to local, user names are case-insensitive. If it is set to local-case, user names are case-sensitive. Note the following when configuring case sensitivity for user names:
password { cipher \| irreversible-cipher } password | Specifies the password of a local user. | The value is a case-sensitive string without question marks (?), single quotation marks ('), or spaces. NOTE: A simple local user password may bring security risks. The user password must consist of at least two of the following character types: uppercase letters, lowercase letters, digits, and special characters. In addition, the password cannot be the same as the user name or the user name in reverse order.
access-limit max-number | Specifies the number of connections that can be created with the specified user name. If this parameter is not specified, a user can establish a maximum of 4294967295 connections by default. | The value is an integer that ranges from 1 to 4294967295. The actual number of connections is the smaller of max-number and the maximum number of users of that type supported by the device model.
ftp-directory directory | Specifies the directory that FTP users can access. If this parameter is not specified, the FTP directory of the local user is empty, and the device checks whether a default FTP directory has been set using the set default ftp-directory command. If no FTP directory exists, FTP users cannot log in to the device. NOTE: Ensure that the configured FTP directory is an absolute path; otherwise, the configuration does not take effect. | The value is a string of 1 to 64 case-sensitive characters without spaces.
http-directory directory | Specifies the directory that HTTP users can access. If this parameter is not specified, the HTTP directory of the local user is empty. | The value is a string of 1 to 64 case-sensitive characters without spaces.
idle-timeout minutes [ seconds ] | Specifies the idle timeout period after which the user is disconnected. If this parameter is not specified, the device uses the idle timeout interval configured by the idle-timeout command in the user view. If minutes [ seconds ] is set to 0 0, idle disconnection is disabled. NOTICE: If the idle timeout interval is set to 0 or to a large value, the terminal remains logged in, which poses security risks. You are advised to run the lock command to lock the current connection. | minutes: an integer ranging from 0 to 35791 minutes. seconds: an integer ranging from 0 to 59 seconds.
privilege level level | Specifies the level of a local user. After logging in to the device, a user can run only commands of the same or a lower level. NOTE: If this parameter is not specified, the user level is 0. The permissions of API users are not controlled by this parameter, so it does not need to be configured for them. | The value is an integer that ranges from 0 to 15. The greater the value, the higher the level of the user.
state { active \| block } | Indicates the state of a local user. If a user has already established a connection with the device and is then set to the block state, the existing connection remains valid, but the device rejects subsequent authentication requests from that user. If this parameter is not specified, the local user is active. | -
user-group group-name | Specifies the name of a user group. NOTE: This parameter is supported only by switches in NAC common mode. | The value is a string of 1 to 64 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > \| @ ' %. The value cannot be - or --.
Usage Scenario
To facilitate device maintenance, run the local-user command on the device to create a local user and set parameters such as the password, user level, and FTP directory.
Prerequisites
Before adding a local user to a user group, ensure that the user group has been created using the user-group command.
Precautions
Security risks exist if the user login mode is set to Telnet or FTP. You are advised to set the user login mode to STelnet or SFTP and the user access type to SSH.
When a device starts without any configuration, HTTP uses a randomly generated self-signed certificate to support HTTPS. The self-signed certificate may bring risks. Therefore, you are advised to replace it with an officially issued digital certificate.
After a local administrator logs in to the device, the administrator can create, modify, or delete attributes of other local users of the same or a lower level. The attributes include password, user level, maximum number of access users, and account validity period.
After you change the rights (for example, the password, FTP directory, idle timeout interval, or status) of a local account, the rights of users already online do not change. The change takes effect when the user next goes online.
A local administrator who goes online using local authorization will go offline after the user level of the administrator is changed. If no authorization template is configured, a local administrator who goes online using local authentication will also go offline after the user level of the administrator is changed.
One user group can be used by multiple local users, but a local user belongs to only one user group. If a user group is configured both for the local user and in the service template, only the user group configured for the local user takes effect. A user group that is in use by a local user or an online user cannot be deleted.
The idle-cut command configured in the service scheme view takes effect for administrators. For common users, the function takes effect only for wireless users.
# Create a local user user1, and set the domain name to vipdomain, the password to admin@12345 in ciphertext, the maximum number of connections to 100, and the idle timeout interval to 10 minutes.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1@vipdomain password irreversible-cipher admin@12345 access-limit 100 idle-timeout 10
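The precautions above single out reversible cipher storage, a disabled idle timeout, the unlimited default access-limit, and Telnet/FTP logins as risks. The following added example (not part of this command reference) parses the local-user lines of an aaa view, as printed by display current-configuration, and reports those conditions; the sample excerpt, user names and password blobs are constructed, and the service-type keyword is assumed from the companion local-user service-type command, which this page does not cover.

```python
import re

# Constructed excerpt of a Huawei aaa view as `display current-configuration` prints it;
# all names and values are made up and the password blobs are placeholders.
SAMPLE_AAA_VIEW = """\
 local-user user1@vipdomain password irreversible-cipher $1c$PLACEHOLDER$ access-limit 100 idle-timeout 10
 local-user legacy password cipher %^%#PLACEHOLDER%^%# idle-timeout 0 0
 local-user legacy service-type telnet ftp
 local-user ops password irreversible-cipher $1c$PLACEHOLDER$ access-limit 5
 local-user ops privilege level 3
 local-user ops service-type ssh
"""

LOCAL_USER = re.compile(r"^\s*local-user\s+(\S+)\s+(.*\S)\s*$")

def parse_local_users(config_text):
    """Merge every `local-user <name> ...` line into one attribute dict per user."""
    users = {}
    for line in config_text.splitlines():
        m = LOCAL_USER.match(line)
        if not m:
            continue
        u = users.setdefault(m.group(1), {})
        rest = " " + m.group(2) + " "          # pad so every keyword is space-delimited
        if pm := re.search(r" password (cipher|irreversible-cipher) ", rest):
            u["password_mode"] = pm.group(1)
        if it := re.search(r" idle-timeout (\d+)(?: (\d+))?", rest):
            u["idle_timeout"] = (int(it.group(1)), int(it.group(2) or 0))
        if al := re.search(r" access-limit (\d+) ", rest):
            u["access_limit"] = int(al.group(1))
        if pl := re.search(r" privilege level (\d+) ", rest):
            u["privilege"] = int(pl.group(1))
        if st := re.search(r" service-type (.+?) $", rest):   # companion command, assumed here
            u["service_types"] = set(st.group(1).split())
    return users

def audit_local_users(users):
    """Return (user, finding) pairs for the risks the local-user reference calls out."""
    findings = []
    for name, a in sorted(users.items()):
        if a.get("password_mode") == "cipher":
            findings.append((name, "password stored with reversible cipher, not irreversible-cipher"))
        if a.get("idle_timeout") == (0, 0):
            findings.append((name, "idle-timeout 0 0 disables idle disconnection"))
        if "access_limit" not in a:
            findings.append((name, "no access-limit: default allows 4294967295 connections"))
        if plain := a.get("service_types", set()) & {"telnet", "ftp"}:
            findings.append((name, "plaintext login services enabled: " + " ".join(sorted(plain))))
    return findings
```

Calling audit_local_users(parse_local_users(SAMPLE_AAA_VIEW)) reports four findings for the constructed user legacy and none for user1@vipdomain or ops.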