The local-user service-type command sets the access type for a local user.
The undo local-user service-type command restores the default access type for a local user.
By default, a local user cannot use any access type.
local-user user-name service-type { 8021x | api | ftp | http | ppp | ssh | telnet | terminal | web | x25-pad } *
undo local-user user-name service-type
| Parameter | Description | Value |
|---|---|---|
| user-name | Specifies a user name. If the user name contains a domain name delimiter such as @, the characters before @ are the user name and the characters after @ are the domain name. If the value does not contain @, the entire character string is the user name and the domain name is the default one. | The value is a string of 1 to 64 characters. It cannot contain spaces, asterisks, double quotation marks, or question marks. NOTE: During local authentication or authorization, run the authentication-mode { local \| local-case } or authorization-mode { local \| local-case } command to configure case sensitivity for user names. If the parameter is set to local, user names are case-insensitive. If the parameter is set to local-case, user names are case-sensitive. Note the following when configuring case sensitivity for user names: |
| 8021x | Indicates an 802.1X user. | - |
| api | Indicates an API user, which is typically used for NETCONF access. NOTE: If the access type of a user is API, the user name cannot be set to root. | - |
| ftp | Indicates an FTP user. | - |
| http | Indicates an HTTP user, which is usually used for web system login. | - |
| ppp | Indicates a PPP user. | - |
| ssh | Indicates an SSH user. | - |
| telnet | Indicates a Telnet user, which is usually a network administrator. | - |
| terminal | Indicates a terminal user, which is usually a user connected using a console port. | - |
| web | Indicates a Portal authentication user. | - |
| x25-pad | Indicates an X25-PAD user. NOTE: Currently, the device does not support X25-PAD. | - |
Usage Scenario
The device can manage access types of local users. After you specify the access type of a user, the user can successfully log in only when the configured access type is the same as the actual access type of the user.
Precautions
When MAC authentication users use AAA local authentication, the device does not match or check the access type of local users. However, the access type must be configured; otherwise, local authentication for MAC address authentication users fails.
Security risks exist if the user login mode is set to Telnet or FTP. You are advised to set the user login mode to STelnet or SFTP and set the user access type to SSH.
When a device starts without any configuration, HTTP uses a randomly generated self-signed certificate to support HTTPS. The self-signed certificate may bring risks. Therefore, you are advised to replace it with an officially authorized digital certificate.
Common access types cannot be configured together with administrative access types.
The API access type cannot be configured together with other access types.
If a user has been created and the password uses an irreversible encryption algorithm, the access type can only be set to an administrative one.
If a user has been created and the password uses a reversible encryption algorithm, the access type can be set to an administrative or common one. When the access type is set to an administrative one, the encryption algorithm of the password is automatically converted into an irreversible encryption algorithm.
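The name rules, the notes in the parameter table, and the Telnet/FTP and API precautions above can be checked mechanically against a saved configuration. The following Python sketch is an added example, not part of the original reference or any vendor tooling; the function name `audit`, the sample configuration, and the choice to compare only the text before `@` with `root` are assumptions. The common/administrative rule is not checked because this page does not list which types belong to each class.

```python
import re

# Keywords accepted after "service-type", as listed in the parameter table.
SERVICE_TYPES = {"8021x", "api", "ftp", "http", "ppp", "ssh",
                 "telnet", "terminal", "web", "x25-pad"}
CLEARTEXT = {"ftp", "telnet"}      # flagged as a security risk in Precautions
BAD_NAME_CHARS = set(' *"?')       # characters a user name cannot contain
LINE_RE = re.compile(r"^\s*local-user\s+(\S+)\s+service-type\s+(\S.*)$")

def audit(config_text):
    """Return sorted (user_name, finding) pairs for local-user service-type lines."""
    findings = set()
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a service-type line (includes "undo ..." lines)
        name, types = m.group(1), set(m.group(2).split())
        if not 1 <= len(name) <= 64 or BAD_NAME_CHARS & set(name):
            findings.add((name, "invalid user name"))
        for t in types - SERVICE_TYPES:
            findings.add((name, "unknown access type: " + t))
        for t in types & CLEARTEXT:
            findings.add((name, t + " is cleartext; use ssh (STelnet/SFTP)"))
        if "x25-pad" in types:
            findings.add((name, "x25-pad is not supported by the device"))
        if "api" in types:
            if len(types) > 1:
                findings.add((name, "api cannot be combined with other types"))
            # Assumption: only the part before "@" is compared with "root".
            if name.split("@", 1)[0] == "root":
                findings.add((name, "api user cannot be named root"))
    return sorted(findings)

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
aaa
 local-user admin1 service-type ssh
 local-user ops@example service-type telnet ssh
 local-user root service-type api
 local-user netconf1 service-type api http
 local-user guest service-type 8021x
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```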