The user command adds or modifies a local user account.
The undo user command cancels the configuration.
The default attributes of a user account are as follows: access type: - (no access type allowed); status: blocked (local administrative users are blocked for 5 minutes after three login failures); idle-cut: disabled; intercommunication group number: 0; maximum number of connections: 24; MAC restrict: disabled; UCL group number: 0; traffic control: disabled; user priority: 0.
For NetEngine 8000 F1A:
user user-name { password { cipher cipher-password | irreversible-cipher irreversible-password } | authentication-type type-mask | { active | block [ fail-times fail-times-value interval interval-value ] } | ftp-directory ftp-directory | level level | callback-nocheck | callback-number callback-number | idle-cut | qos-profile qos-profile-name | ip-address ip-address [ vpn-instance vpn-instance ] | user-group user-group-name } *
For NetEngine 8000 F1A:
undo user user-name [ authentication-type | ftp-directory | level | callback-nocheck | callback-number | idle-cut | qos-profile | ip-address | user-group ]
For NetEngine 8000 F2A:
user user-name { password { cipher cipher-password | irreversible-cipher irreversible-password } | authentication-type type-mask | { active | block [ fail-times fail-times-value interval interval-value ] } | ftp-directory ftp-directory | level level | user-group user-group-name } *
undo user user-name [ authentication-type | ftp-directory | level | user-group ]
For NetEngine 8000 F1A, NetEngine 8000 F2A:
user user-name password
user user-name expire expiretime
undo user user-name expire [ expiretime ]
Parameter | Description | Value |
---|---|---|
user-name | Specifies the user name. | The value is a string of 1 to 253 case-sensitive characters, spaces not supported. |
password | Specifies the password for the user. | - |
cipher cipher-password | Specifies the password in cipher text. The password is entered in simple text or cipher text but is stored in cipher text in the configuration file. The new password must be at least eight characters long and contain at least two of the following types: upper-case letters, lower-case letters, digits, and special characters. | When cipher is entered, the password can be entered in either simple text or cipher text. In simple text, the password is a string of 8 to 128 case-sensitive characters when the user security policy is configured, or 1 to 128 case-sensitive characters when the user security policy is not configured. A password entered in simple text is displayed in simple text, which brings risks. In cipher text, the password must be a string of 32 to 268 consecutive characters. When the user security policy is configured, the password cannot be the same as the user name or the user name in reverse order, and it must contain upper-case letters, lower-case letters, digits, and special characters, excluding the question mark (?) and space; when the password is enclosed in quotation marks, spaces are allowed. |
cipher-password | Specifies the password in cipher text. | The value is a string of 1 to 128 unencrypted characters or 32 to 268 encrypted characters. It is case sensitive and excludes command-line special characters such as space and question mark. |
irreversible-cipher irreversible-password | Specifies the password in irreversible-cipher text. The password is entered in simple text or irreversible-cipher text but is stored in cipher text in the configuration file. | When irreversible-cipher is entered, the password can be entered in either simple text or cipher text. In simple text, the password is a string of 8 to 128 case-sensitive characters when the user security policy is configured, or 1 to 128 case-sensitive characters when the user security policy is not configured. In cipher text, the password must be a string of 48 to 128 consecutive characters. When the user security policy is configured, the password cannot be the same as the user name or the user name in reverse order, and it must contain upper-case letters, lower-case letters, digits, and special characters, excluding the question mark (?) and space; when the password is enclosed in quotation marks, spaces are allowed. |
authentication-type type-mask | Specifies the mask of the access type for the authentication user. | The value is a string of 1 to 14 case-sensitive characters, spaces not supported. |
active | Sets the user status to active. | - |
block | Sets the user status to blocked. This parameter takes effect for both management users and non-management users. | - |
fail-times fail-times-value | Specifies the number of allowable user authentication failures. This parameter takes effect only for management users. | The value is an integer ranging from 1 to 10. |
interval interval-value | Specifies the interval at which user authentication is performed. This parameter takes effect only for management users. | The value is an integer ranging from 1 to 65535, in minutes. |
ftp-directory ftp-directory | Specifies the FTP directory. | The value is a string of 1 to 255 characters. |
level level | Specifies the user priority. | The value ranges from 0 to 15. |
callback-nocheck | Indicates that the callback signal of the modem is not authenticated. | - |
callback-number callback-number | Specifies the string for the callback user to dial. | The value is a string of 1 to 64 characters. |
idle-cut | Sets the idle-cut function of the user. | - |
qos-profile qos-profile-name | Indicates the QoS profile referenced by the user. | The value is a string of 1 to 63 characters. |
ip-address ip-address | Indicates the IP address of the local user. This keyword is valid only for local authentication of PPP users. The specified IP address must be in the local address pool, and you must exclude this address by using the excluded-ip-address command. | The value is in dotted decimal notation. |
vpn-instance vpn-instance | Indicates the VPN instance that the local user belongs to. | The value is a string of 1 to 31 characters. |
user-group user-group-name | Specifies the name of the user group. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. |
expire expiretime | Specifies the expiration time. | The value is in the format YYYY-MM-DD. YYYY specifies the year, an integer ranging from 2000 to 2099. MM specifies the month, an integer ranging from 1 to 12. DD specifies the day, an integer ranging from 1 to 31. The date cannot be earlier than the current date. |
Usage Scenario
After you run the user-password min-len command, you cannot configure a password shorter than the minimum length configured using that command.

After you run the user-password complexity-check command, the password of a local user being created or modified must contain an upper-case letter, a digit, and a special character. If the password does not contain all of them, the configuration fails.

If the user name does not exist, a user account is created. If you do not specify any attribute, the default settings are adopted. If the user name exists, you can modify the attributes of the user account. When you do this, you can type in the wildcard () to set multiple user accounts at the same time.

Before configuring the QoS profile to be referenced by a user, ensure that the user account exists. If the user account does not exist, run the user command to create it first and then configure the QoS profile to be referenced by the user.

When you remove a user account, there must not be any online user under the account. You cannot use the wildcard () in this case. The system supports a maximum of 1024 local user accounts.

The access type of a local user can be a combination of several access types. For example, TF indicates Telnet and FTP access. Users whose accounts for local authentication do not correspond to an access type, such as leased line users, use B (VLAN access).

Passwords for administrative FTP, Telnet, SSH, or terminal users can only be in irreversible-cipher form. Even if you specify the password with cipher, the device automatically changes it to irreversible-cipher, and the keyword cipher is changed to irreversible-cipher in the command. PPP users cannot specify passwords in irreversible ciphertext when they use local CHAP authentication; if they do, the authentication fails.

An active user account receives authentication requests and performs subsequent processing. A blocked user account does not process authentication requests, but existing online connections are not affected. If the number of failures reaches the fail-times value, no authentication requests from the administrative user are accepted within the specified interval.

After the load security weak-password-dictionary command is run to load the weak password dictionary file, the password created or modified for a local user cannot be one contained in the weak password dictionary file; otherwise, the operation fails. You can run the display security weak-password-dictionary command to view the passwords saved in the weak password dictionary file.

Precautions
In VS mode, this command is supported only by the admin VS.
The command cannot be configured while the qos-profile is in time-range mode. The command cannot be configured while the qos-profile is in 8cos-enhance mode.

Example

<HUAWEI> system-view
[~HUAWEI] local-aaa-server
[~HUAWEI-local-aaa-server] user hello1@domain expire 2050-12-12

<HUAWEI> system-view
[~HUAWEI] local-aaa-server
[~HUAWEI-local-aaa-server] user hello@domain password
Please configure the password (1-128)
Enter Password:
Confirm Password:
Info: A new user is added.

<HUAWEI> system-view
[~HUAWEI] local-aaa-server
[~HUAWEI-local-aaa-server] user hello2@domain password cipher 1qaz@WSX
Please enter old password:

<HUAWEI> system-view
[~HUAWEI] local-aaa-server
[~HUAWEI-local-aaa-server] user hello1@domain password cipher 1qaz@WSX

<HUAWEI> system-view
[~HUAWEI] local-aaa-server
[~HUAWEI-local-aaa-server] user hello@domain password cipher 1qaz@WSX

<HUAWEI> system-view
[~HUAWEI] local-aaa-server
[~HUAWEI-local-aaa-server] user hello2@domain password cipher 1qaz@WSX12345678
Please enter old password:

<HUAWEI> system-view
[~HUAWEI] local-aaa-server
[~HUAWEI-local-aaa-server] user hello1@domain password cipher 1qaz@WSX12345678

<HUAWEI> system-view
[~HUAWEI] local-aaa-server
[~HUAWEI-local-aaa-server] user hello@domain password cipher Please-pass12345
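A configuration-audit script based on the rules above, added here as an example and not part of the product documentation: it parses user lines in the syntax shown, then flags reversible cipher storage, accounts whose expire date has passed, level-15 accounts with no expiry, and fail-times values outside 1 to 10. The sample configuration and the choice of audit findings are constructed assumptions, not device output.

```python
import re
from datetime import date

# Constructed sample in the style of the local-aaa-server view (not taken from a real device).
SAMPLE_CONFIG = """\
local-aaa-server
 user admin@domain password irreversible-cipher $1a$ExampleHash$ level 15
 user ops@domain password cipher %^%#ExampleCipher%^%# level 3 expire 2023-01-31
 user ppp1@domain password cipher %^%#AnotherCipher%^%# ip-address 10.0.0.5
 user svc@domain password irreversible-cipher $1a$OtherHash$ level 15 block fail-times 5 interval 10
"""

# Number of arguments each keyword of the command syntax takes; keywords absent here
# (active, block, idle-cut, callback-nocheck) are flags, except block's optional fail-times clause.
ARGC = {"password": 2, "level": 1, "expire": 1, "authentication-type": 1, "ip-address": 1,
        "vpn-instance": 1, "ftp-directory": 1, "user-group": 1, "qos-profile": 1, "callback-number": 1}

def parse_user_line(line):
    """Parse one 'user <name> ...' line into (name, {keyword: args}); None for other lines."""
    m = re.match(r"^\s*user\s+(\S+)\s*(.*)$", line)
    if not m:
        return None
    name, tokens = m.group(1), m.group(2).split()
    opts, i = {}, 0
    while i < len(tokens):
        key = tokens[i]
        n = ARGC.get(key, 0)
        if key == "block" and tokens[i + 1:i + 2] == ["fail-times"]:  # block fail-times N interval M
            n = 4
        opts[key] = tokens[i + 1:i + 1 + n] if n else True
        i += 1 + n
    return name, opts

def audit(config, today):
    """Return [(user, finding)] for review points drawn from the command reference; today is YYYY-MM-DD."""
    findings = []
    for name, o in filter(None, map(parse_user_line, config.splitlines())):
        if o.get("password", [None])[0] == "cipher":  # reversible storage; only local CHAP PPP users need it
            findings.append((name, "reversible-cipher"))
        if o.get("level") == ["15"] and "expire" not in o:  # privileged account that never expires (audit choice)
            findings.append((name, "privileged-no-expiry"))
        if "expire" in o and date.fromisoformat(o["expire"][0]) < date.fromisoformat(today):
            findings.append((name, "expired"))
        if isinstance(o.get("block"), list) and not 1 <= int(o["block"][1]) <= 10:  # fail-times range 1-10
            findings.append((name, "fail-times-out-of-range"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_CONFIG, date.today().isoformat()):
        print(f"{user}: {finding}")
```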