Local Authentication and Authorization

Local AAA Server

A device functioning as an AAA server is called a local AAA server, which performs user authentication and authorization, but not user accounting.

Similar to the remote AAA server, the local AAA server requires a local user database, holding information about local users, such as usernames, passwords, and permissions. A local AAA server performs authentication and authorization faster than a remote AAA server, which reduces operation costs. However, the storage capacity of a local AAA server is limited by the available space on the device hardware.

Password Policy for Local Users

The password policy of local users is vital to user security. The security policy function for local user accounts is enabled by default. The device also supports password complexity check, password change policies for local administrators, and password validity period restrictions to improve local user security.

Restrictions on the username and password

After the security policy function is enabled for local user accounts, the username and password must meet the following requirements:
  • The username must contain at least six characters.

  • The password must meet the following requirements:

    • The password must be at least eight characters long.

    • The password must contain digits, uppercase letters, lowercase letters, and special characters excluding spaces and question marks. Spaces are allowed in the password if the password is enclosed in quotation marks.

    • The password cannot repeat or reverse the username.

    • A new password cannot be the same as the last 10 passwords including the current password.

After the password complexity check function is enabled, the password must contain the following four types of characters: lowercase letters, uppercase letters, digits, and special characters. In addition, the password cannot be the same as the last 10 passwords including the current password.

In addition, the username length, the password length, and the number of previous passwords that cannot be reused as a new password can be configured as needed. The device checks the username and password of a local user against the strictest of the configured rules.

Password change policy

The local administrator can change the password of an equal- or lower-level local user. After an administrator adds a local user or resets the password of a local user, the local user must change the password upon the first login.

Password validity period

The local administrator can set a password validity period. If the password expires and the local user still uses this password to log in to the device, the device prompts the user to change the password. The device then performs the following operations depending on the user selection:
  • If the user changes the password, the user needs to enter the old password, a new password, and then a new password confirmation. The password can only be successfully changed when the old password is correct, the new password and password confirmation are the same, and the new password meets the password length and complexity requirements.
  • If the user does not change the password or fails to change the password, the user cannot log in to the device.
The device also offers the password expiration prompt function. When a user logs in to the device, the remaining validity period of the user's password is checked. If the number of days remaining is within the configured number of prompt days, the user is told in how many days the password will expire and asked whether to change it:
  • If the user changes the password, the device records the new password and updates the time of password change.
  • If the user does not change the password or fails to change the password, the user can still log in as long as the current password is still valid.
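The username and password restrictions listed above and the validity-period handling, as an added example (not Huawei's code or the device's own implementation): a checker that applies the listed rules, assuming the default lengths and history depth and treating spaces and question marks as not counting toward the special-character class.

```python
import re

# Defaults from the page's local-user security policy; the device lets these be tuned.
MIN_USERNAME_LEN = 6
MIN_PASSWORD_LEN = 8
HISTORY_DEPTH = 10  # a new password may not match the last 10, current one included

# Assumption: space and '?' do not count toward the "special character" class.
CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9 ?]"),
}


def check_local_user(username, password, history=(), quoted=False):
    """Return policy violations for a username/password pair (empty = accepted).
    history: previous passwords, most recent first, current one included.
    quoted: password entered in quotation marks, the one case allowing spaces."""
    problems = []
    if len(username) < MIN_USERNAME_LEN:
        problems.append("username shorter than %d characters" % MIN_USERNAME_LEN)
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("password shorter than %d characters" % MIN_PASSWORD_LEN)
    missing = [name for name, rx in CLASSES.items() if not rx.search(password)]
    if missing:
        problems.append("password lacks: " + ", ".join(missing))
    if "?" in password:
        problems.append("password contains a question mark")
    if " " in password and not quoted:
        problems.append("password contains a space but is not quoted")
    if password == username or password == username[::-1]:
        problems.append("password repeats or reverses the username")
    if password in tuple(history)[:HISTORY_DEPTH]:
        problems.append("password matches one of the last %d passwords" % HISTORY_DEPTH)
    return problems


def password_login_action(days_since_change, validity_days, prompt_days):
    """Classify a login under the validity-period rules: 'expired' means the user
    must change the password to get in, 'prompt' means a warning with an optional
    change, 'ok' means no prompt. Returns (action, days_remaining)."""
    remaining = validity_days - days_since_change
    if remaining <= 0:
        return "expired", 0
    if remaining <= prompt_days:
        return "prompt", remaining
    return "ok", remaining
```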
Copyright © Huawei Technologies Co., Ltd.