(Optional) Configuring Local Users

When the authentication and authorization are implemented in local mode, the authentication and authorization information (such as the user name, password, level, maximum number of user accesses, and maximum number of continuous authentication failures).

Procedure

  • Configuring local users in AAA view.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run local-user user-name service-type { { terminal | telnet | ftp | ssh | qx | snmp | mml | http } * | ppp | none }

      A local user is created, and the password of the user is configured.
      • If the user name contains the at sign (@), the characters before the at sign (@) are the user name, and the characters after the at sign (@) are the domain name.
      • If the user name does not contain the at sign (@), the entire character string is the user name, and the domain name is default_admin.
      • The user name cannot contain two or more at signs (@).
      • Input in simple text: When the user security policy is configured, the password cannot be the same as the user name or its reverse. The password must contain the following characters: upper-case character, lower-case character, digit, and special character.
        • The question mark (?) is not counted as a special character.
        • A space can appear only in the middle of the password, not at the beginning or end. Use double quotation marks (") around the password.
        • If the local-user service-type command has been run to configure a user as an administrator by specifying the user type as the Telnet, FTP, SSH, SNMP, or terminal user, the system automatically changes the user password to an irreversible ciphertext key.

    4. (Optional) Run local-user user-name service-type { { terminal | telnet | ftp | ssh | snmp | qx | mml | http } * | ppp | none }

      The access type of the local user is configured.

    5. (Optional) Run local-user user-name ftp-directory directory

      The FTP directory right of the local user is configured.

      If the access type of the local user is set to FTP, the FTP directory of the local user must be configured and the level of the local user cannot be lower than the management level. Otherwise, FTP user login will fail.

    6. Configure the level of the local user or the group to which the local user belongs according to the command-line authorization mode.

      • Run the local-user user-name level level command to configure the level of the local user.

        The configured level of the local user cannot be higher than that of the logged-in user.

      • Run the local-user user-name user-group user-group-name command to add the local user to the specified user group.

    7. (Optional) Run local-user user-name state { active | block }

      The status of the local user is configured.

      The system processes authentication requests from users as follows:

      • If a local user is in the active state, the system accepts the authentication request from the user and performs further processing.

      • If a local user is in the block state, the system rejects the authentication request from the user.

    8. (Optional) Run local-user user-name access-limit max-number

      The maximum number of user accesses is set.

    9. (Optional) Run user-block failed-times failed-times-value period period-value

      The maximum number of continuous authentication failures for the local user is configured.

      If a local user is in the locked state, you need to unlock it in either of the following ways:

      • In the AAA view, run the user-block reactive reactive-time command to configure the interval at which a user will be automatically unlocked. If the locking time for a user exceeds the time set in the configuration, the user will be automatically unlocked.
      • In the user view, run the activate aaa local-user user-name command to manually unlock the specified local user.

    10. Run quit

      Return to the system view.

    11. (Optional) Run aaa abnormal-offline-record

      The abnormal logout events are recorded.

      After this function is enabled, information about abnormal logout events can be provided for administrators to manage and maintain user information.

    12. Run quit

      Return to the user view.

    13. (Optional) Run local-user change-password

      The password of the local user is changed.

    14. Run commit

      The configuration is committed.

  • Configuring a local user in the local AAA server view.
    1. Run system-view

      The system view is displayed.

    2. Run local-aaa-server

      The local AAA server view is displayed.

    3. Run user username { password { cipher cipher-password | irreversible-cipher irreversible-password } | authentication-type type-mask | { active | block [ fail-times fail-times-value interval interval-value ] } | ftp-directory ftp-directory | level level | callback-nocheck | callback-number callback-number | idle-cut | qos-profile qos-profile-name | ip-address ip-address [ vpn-instance instance-name ] | user-group user-group-name } *

      A local user account is added.

      If the user usr-name authentication-type authentication-type command has been run to configure a user as an administrator by specifying the user type as the Telnet, FTP, SSH, SNMP, or terminal user, the system automatically changes the user password to an irreversible ciphertext key.

    4. (Optional) Run user user-name expire expiretime

      The expiration time of the local user is modified.

    5. (Optional) Run user user-name block [ fail-times fail-times-value interval interval-value ]

      The local user is blocked.

      The parameters terminal, qx and mml are supported only on the Admin-VS.

    6. Run commit

      The configuration is committed.
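
The user-name and password rules listed under step 3 of the AAA-view procedure above, written as a pre-check that configuration tooling can run before pushing a local-user command. This is an added example, not Huawei code: the function names and sample values are constructed, and treating ASCII punctuation other than the question mark as the "special character" set is an assumption.

```python
import string

DEFAULT_DOMAIN = "default_admin"

# Character classes the password must draw from. Assumption: "special
# character" means ASCII punctuation; the page only says "?" is not counted.
REQUIRED_CLASSES = {
    "upper-case character": set(string.ascii_uppercase),
    "lower-case character": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special character": set(string.punctuation) - {"?"},
}


def split_user(name):
    """Split a local-user name into (user, domain) following the '@' rules."""
    if name.count("@") >= 2:
        raise ValueError("user name cannot contain two or more at signs (@)")
    user, sep, domain = name.partition("@")
    return (user, domain) if sep else (name, DEFAULT_DOMAIN)


def password_problems(user, password):
    """Return the list of violated rules; an empty list means acceptable.

    Assumption: the comparison uses the user part returned by split_user().
    """
    problems = []
    if password in (user, user[::-1]):
        problems.append("same as user name or its reverse")
    for label, chars in REQUIRED_CLASSES.items():
        if not chars & set(password):
            problems.append("missing " + label)
    if password != password.strip(" "):
        problems.append("space at beginning or end")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts and passwords, for illustration only.
    samples = [("ops1@isp1", "Str0ng pass#"), ("Admin1", "1nimdA"),
               ("ops1", "Example?123"), ("ops1", " Str0ng#pass")]
    for name, pw in samples:
        user, domain = split_user(name)
        print(user, domain, password_problems(user, pw) or "ok")
```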

Copyright © Huawei Technologies Co., Ltd.