Configuring local users
To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type. Local users are classified into the following types:
Device management user—User who logs in to the device for device management.
Network access user—User who accesses network resources through the device. Network access users also include guests who access the network temporarily. Guests can use LAN and portal services only.
The following shows the configurable local user attributes:
Service type—Services that the user can use. Local authentication checks the service types of a local user. If none of the service types is available, the user cannot pass authentication.
Service types include ADVPN, FTP, HTTP, HTTPS, IKE, IPoE, LAN access, PAD, portal, PPP, SSH, Telnet, and terminal.
User state—Whether or not a local user can request network services. There are two user states: active and blocked. A user in active state can request network services, but a user in blocked state cannot.
Upper limit of concurrent logins using the same user name—Maximum number of users who can concurrently access the device by using the same user name. When the number reaches the upper limit, no more local users can access the device by using the user name.
User group—Each local user belongs to a local user group and has all attributes of the group. The attributes include the password control attributes and authorization attributes. For more information about local user groups, see "Configuring user group attributes."
Binding attributes—Binding attributes control the scope of users, and are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP address, access port, MAC address, and native VLAN. For support and usage information about binding attributes, see "Configuring local user attributes."
Authorization attributes—Authorization attributes define the rights a user has after passing local authentication. For support information about authorization attributes, see "Configuring local user attributes."
Configure the authorization attributes based on the service type of local users. For example, you do not need to configure the FTP/SFTP/SCP working directory attribute for a PPP user.
You can configure an authorization attribute in user group view or local user view. The setting of an authorization attribute in local user view takes precedence over the attribute setting in user group view.
The attribute configured in user group view takes effect on all local users in the user group.
The attribute configured in local user view takes effect only on the local user.
Password control attributes—Password control attributes help control password security for device management users. Password control attributes include password aging time, minimum password length, password composition checking, password complexity checking, and login attempt limit.
You can configure a password control attribute in system view, user group view, or local user view. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control."
Local user configuration task list
Tasks at a glance |
---|
(Required.) Configuring local user attributes |
(Optional.) Configuring user group attributes |
(Optional.) Configuring local guest attributes |
(Optional.) Managing local guests |
(Optional.) Displaying and maintaining local users and local user groups |
Configuring local user attributes
When you configure local user attributes, follow these guidelines:
When you use the password-control enable command to globally enable the password control feature, local user passwords are not displayed.
You can configure authorization attributes and password control attributes in local user view or user group view. The setting in local user view takes precedence over the setting in user group view.
Configure the location binding attribute based on the service types of users.
For 802.1X users, specify the 802.1X-enabled Layer 2 Ethernet interfaces through which the users access the device.
For MAC authentication users, specify the MAC authentication-enabled Layer 2 Ethernet interfaces through which the users access the device.
For portal users, specify the portal-enabled interfaces through which the users access the device. Specify the Layer 2 Ethernet interfaces if portal is enabled on VLAN interfaces and the portal roaming enable command is not configured.
To configure local user attributes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add a local user and enter local user view. | local-user user-name [ class { manage | network } ] | By default, no local users exist. |
3. (Optional.) Configure a password for the local user. | | The default settings are as follows: |
4. Assign services to the local user. | | By default, no services are authorized to a local user. |
5. (Optional.) Place the local user in the active or blocked state. | state { active | block } | By default, a local user is in active state and can request network services. |
6. (Optional.) Set the upper limit of concurrent logins using the local user name. | access-limit max-user-number | By default, the number of concurrent logins is not limited for the local user. This command takes effect only when local accounting is configured for the local user. It does not apply to FTP, SFTP, or SCP users, who do not support accounting. |
7. (Optional.) Configure binding attributes for the local user. | bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } * | By default, no binding attributes are configured for a local user. |
8. (Optional.) Configure authorization attributes for the local user. | authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ip ipv4-address | ip-pool ipv4-pool-name | ipv6 ipv6-address | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-timeout minutes | url url-string | user-profile profile-name | user-role role-name | vlan vlan-id | vpn-instance vpn-instance-name | work-directory directory-name } * | The following default settings apply: |
9. (Optional.) Configure password control attributes for the local user. | | By default, the local user uses password control attributes of the user group to which the local user belongs. Only device management users support the password control feature. |
10. (Optional.) Assign the local user to a user group. | group group-name | By default, a local user belongs to the user group system. |
11. (Optional.) Configure a description for the local user. | description text | By default, a local user does not have a description. This command is applicable to network access users. |
Configuring user group attributes
User groups simplify local user configuration and management. A user group contains a set of local users and carries a set of local user attributes. By configuring local user attributes on the group, you manage those attributes centrally for every local user in the group. The attributes that can be managed this way include authorization attributes.
By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view.
To configure user group attributes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a user group and enter user group view. | user-group group-name | By default, a system-defined user group exists. The group name is system. |
3. Configure authorization attributes for the user group. | authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-timeout minutes | url url-string | user-profile profile-name | vlan vlan-id | vpn-instance vpn-instance-name | work-directory directory-name } * | By default, no authorization attributes are configured for a user group. |
4. (Optional.) Configure password control attributes for the user group. | | By default, the user group uses the global password control settings. For more information, see "Configuring password control." |
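An added configuration example covering the two procedures above (it is not from this document): a user group whose authorization and password control attributes reach all of its members, a device management user limited to SSH that overrides the group's work directory in local user view, and a network access user bound to one MAC address on one access port. The system name, group and user names, directories, interface, MAC address and passwords are placeholders.

```text
<Sysname> system-view
# Group- and user-level password control attributes take effect only after
# the feature is enabled globally (this also hides local user passwords).
[Sysname] password-control enable
# User group: every member inherits these attributes.
[Sysname] user-group ops-admins
[Sysname-ugroup-ops-admins] authorization-attribute work-directory flash:/shared
[Sysname-ugroup-ops-admins] password-control aging 30
[Sysname-ugroup-ops-admins] password-control length 12
[Sysname-ugroup-ops-admins] quit
# Device management user: SSH only; the work directory applies to SFTP/SCP sessions.
[Sysname] local-user alice class manage
[Sysname-luser-manage-alice] password simple PLACEHOLDER-Strong-Pass-1
[Sysname-luser-manage-alice] service-type ssh
[Sysname-luser-manage-alice] authorization-attribute user-role network-operator
# Local user view takes precedence over user group view: alice lands in
# flash:/alice, every other group member in flash:/shared.
[Sysname-luser-manage-alice] authorization-attribute work-directory flash:/alice
# Takes effect only when local accounting is configured for this user.
[Sysname-luser-manage-alice] access-limit 2
[Sysname-luser-manage-alice] group ops-admins
[Sysname-luser-manage-alice] quit
# Network access user: LAN access only, accepted only from one MAC address
# on the Layer 2 Ethernet interface it authenticates through.
[Sysname] local-user printer01 class network
[Sysname-luser-network-printer01] password simple PLACEHOLDER-Printer-Pass
[Sysname-luser-network-printer01] service-type lan-access
[Sysname-luser-network-printer01] bind-attribute mac 0011-2233-4455 location interface gigabitethernet 1/0/3
[Sysname-luser-network-printer01] authorization-attribute vlan 20
[Sysname-luser-network-printer01] quit
# Verify the stored attributes and which users can currently request services.
[Sysname] display local-user user-name alice class manage
[Sysname] display local-user state active
```

Authentication for printer01 fails if the request arrives from a different MAC address or a different interface, which is the check the binding attributes exist to enforce.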
Configuring local guest attributes
Create local guests and configure guest attributes to control temporary network access behavior. Guests can access the network after passing local authentication. You can configure the recipient addresses and send attribute information to the local guests and guest sponsors by email.
To configure local guest attributes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a local guest and enter local guest view. | local-user user-name class network guest | By default, no local guests exist. |
3. Configure a password for the local guest. | password { cipher | simple } string | By default, no password is configured for a local guest. |
4. Configure a description for the local guest. | description text | By default, no description is configured for a local guest. |
5. Specify the name of the local guest. | full-name name-string | By default, no name is specified for a local guest. |
6. Specify the company of the local guest. | company company-name | By default, no company is specified for a local guest. |
7. Specify the phone number of the local guest. | phone phone-number | By default, no phone number is specified for a local guest. |
8. Specify the email address of the local guest. | email email-string | By default, no email address is specified for a local guest. The device sends email notifications to this address to inform the guest of the account information. |
9. Specify the sponsor name for the local guest. | sponsor-full-name name-string | By default, no sponsor name is specified for a local guest. |
10. Specify the sponsor department for the local guest. | sponsor-department department-string | By default, no sponsor department is specified for a local guest. |
11. Specify the sponsor email address for the local guest. | sponsor-email email-string | By default, no sponsor email address is specified for a local guest. The device sends email notifications to this address to inform the sponsor of the guest information. |
12. Configure the validity period for the local guest. | validity-datetime start-date start-time to expiration-date expiration-time | By default, a local guest does not expire. Expired guests cannot pass local authentication. |
13. Assign the local guest to a user group. | group group-name | By default, a local guest belongs to the system-defined user group system. |
Managing local guests
The local guest management features cover the registration, approval, maintenance, and access control of local guests.
The device provides the following local guest management features:
Guest auto-delete—The device checks the validity status of each local guest and automatically deletes expired local guests.
Registration and approval—The device creates local guests after the guest registration information is approved by a guest manager.
Email notification—The device notifies the local guests, guest sponsors, or guest managers by email of the guest account information or guest registration requests.
Local guest creation in batch—Create a batch of local guests.
Local guest import—Import guest account information from a .csv file to create local guests on the device based on the imported information.
Local guest export—Export local guest account information to a .csv file. You can import the account information to other devices as needed.
The registration and approval processes are as follows:
The device pushes the portal user registration page to a user who wants to access the network as a local guest.
The user submits account information for registration, including the user name, password, and email address.
The device forwards the registration request to the guest manager in an email notification.
The guest manager adds supplementary information as needed and approves the registration information.
The guest manager must process the registration request before the waiting-approval timeout timer expires. The device automatically deletes expired registration request information.
The device creates a local guest account and sends an email notification to the user and the guest sponsor. The email contains the local guest account, password, validity period, and other account information.
The user can access the network as a local guest.
To manage local guests:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the subject and body of email notifications. | local-guest email format to { guest | manager | sponsor } { body body-string | subject sub-string } | By default, no subject and body are configured. |
3. Configure the email sender address in the email notifications sent by the device for local guests. | local-guest email sender email-address | By default, no email sender address is configured for the email notifications sent by the device. |
4. Specify an SMTP server for sending email notifications of local guests. | local-guest email smtp-server url-string | By default, no SMTP server is specified. |
5. Configure the guest manager's email address. | local-guest manager-email email-address | By default, the guest manager's email address is not configured. |
6. (Optional.) Set the waiting-approval timeout timer for guest registration requests. | local-guest timer waiting-approval time-value | The default is 24 hours. |
7. (Optional.) Import guest account information from a .csv file in the specified path to create local guests based on the imported information. | local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time [ auto-create-group | override | start-line line-number ] * | N/A |
8. (Optional.) Create local guests in batch. | local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time | Batch-generated local guests share the same name prefix. You can also configure a password prefix to be shared by the guests. |
9. (Optional.) Export local guest account information to a .csv file in the specified path. | local-user-export class network guest url url-string | N/A |
10. (Optional.) Enable the guest auto-delete feature. | local-guest auto-delete enable | By default, the guest auto-delete feature is disabled. |
11. Return to user view. | quit | N/A |
12. Send email notifications to the local guest or the guest sponsor. | local-guest send-email user-name user-name to { guest | sponsor } | The email contents include the user name, password, and validity period of the guest account. |
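An added example for the two guest procedures above (not from this document): the email settings the registration and approval workflow depends on, a shortened approval timeout, auto-delete of expired guests, one sponsored guest with a one-day validity period, a batch of conference accounts, an export, and the notification emails sent from user view. The system name, addresses, SMTP URL, names, file path and password are placeholders; the MM/DD/YYYY date layout and the suffix value follow the command syntax above and are assumptions.

```text
<Sysname> system-view
# Mail settings used by the registration and approval workflow.
[Sysname] local-guest email sender guest-noreply@example.com
[Sysname] local-guest email smtp-server smtp://smtp.example.com
[Sysname] local-guest manager-email guest-manager@example.com
[Sysname] local-guest email format to manager subject Guest registration awaiting approval
[Sysname] local-guest email format to guest subject Your temporary network account
[Sysname] local-guest email format to guest body Account details for your visit are below.
[Sysname] local-guest email format to sponsor subject A guest account was issued for your visitor
# Unapproved registration requests are dropped after 8 hours instead of the default 24.
[Sysname] local-guest timer waiting-approval 8
# Remove guests automatically once their validity period ends.
[Sysname] local-guest auto-delete enable
# Group shared by all guests (guests get LAN and portal services only).
[Sysname] user-group visitors
[Sysname-ugroup-visitors] authorization-attribute vlan 30
[Sysname-ugroup-visitors] quit
# One sponsored guest, valid for a single working day.
[Sysname] local-user vis-jdoe class network guest
[Sysname-luser-network(guest)-vis-jdoe] password simple PLACEHOLDER-Guest-Pass
[Sysname-luser-network(guest)-vis-jdoe] full-name Jane Doe
[Sysname-luser-network(guest)-vis-jdoe] company Example Ltd
[Sysname-luser-network(guest)-vis-jdoe] phone 555-0100
[Sysname-luser-network(guest)-vis-jdoe] email jdoe@example.com
[Sysname-luser-network(guest)-vis-jdoe] sponsor-full-name Bob Sponsor
[Sysname-luser-network(guest)-vis-jdoe] sponsor-department Engineering
[Sysname-luser-network(guest)-vis-jdoe] sponsor-email bob@example.com
[Sysname-luser-network(guest)-vis-jdoe] validity-datetime 06/03/2024 09:00:00 to 06/03/2024 18:00:00
[Sysname-luser-network(guest)-vis-jdoe] group visitors
[Sysname-luser-network(guest)-vis-jdoe] quit
# Twenty conference accounts sharing the name prefix conf-, valid for three days.
[Sysname] local-guest generate username-prefix conf- suffix 1 group visitors count 20 validity-datetime 06/10/2024 08:00:00 to 06/12/2024 18:00:00
# Keep a copy of the guest accounts for import on other devices.
[Sysname] local-user-export class network guest url flash:/guests.csv
[Sysname] quit
# Notification emails and the approval queue are handled from user view.
<Sysname> local-guest send-email user-name vis-jdoe to guest
<Sysname> local-guest send-email user-name vis-jdoe to sponsor
<Sysname> display local-guest waiting-approval
```

Once 18:00:00 on 06/03/2024 passes, vis-jdoe can no longer authenticate, and with auto-delete enabled the account is removed rather than left behind as a dormant credential.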
Displaying and maintaining local users and local user groups
Execute display commands in any view.
Task | Command |
---|---|
Display the local user configuration and online user statistics. | display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { advpn | ftp | http | https | ike | ipoe | lan-access | pad | portal | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name class { manage | network } | vlan vlan-id ] |
Display user group configuration. | display user-group { all | name group-name } |
Display pending registration requests for local guests. | display local-guest waiting-approval [ user-name user-name ] |
Clear pending registration requests for local guests. | reset local-guest waiting-approval [ user-name user-name ] |