Configuring local users

To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type. Local users are classified into the following types:

  • Device management user (class manage): a user who logs in to the device to manage it, for example through FTP, HTTP, HTTPS, SSH, Telnet, or a terminal line.

  • Network access user (class network): a user who accesses network services through the device, for example LAN access or portal.

  • Local guest (class network guest): a network access user created for temporary access and managed as a guest.

The configurable local user attributes are the ones set by the commands in the tables that follow: password, description, service types, state, access limit, binding attributes, authorization attributes, password control attributes, user group, and validity period.

Local user configuration task list

  • Configuring non-guest local user attributes

  • Configuring local guest attributes

  • Configuring user group attributes

  • Managing local guests

  • Configuring the auto-delete feature of local users

  • Displaying and maintaining local users and local user groups

Configuring non-guest local user attributes

Non-guest local user attributes apply to all local users except guests. When you configure non-guest local user attributes, follow these guidelines:

To configure non-guest local user attributes:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Add a local user and enter local user view.

local-user user-name [ class { manage | network } ]

By default, no local users exist. If you do not specify a class, the command creates a device management user.

3. (Optional.) Configure a password for the local user.

  • For a network access user: password { cipher | simple } string

  • For a device management user:

    • In non-FIPS mode: password [ { hash | simple } string ]

    • In FIPS mode: password

The default settings are as follows:

  • In non-FIPS mode, no password is configured for a local user. A local user without a password passes authentication by entering the correct username alone, provided the user also passes the attribute checks. Configure a password for every local user that is allowed to log in; a user created without one is, in effect, a username-only account.

  • In FIPS mode, no password is configured for a local user, and a local user without a password cannot pass authentication.

4. (Optional.) Configure a description for the local user.

description text

By default, no description is configured for a local user.

You can configure descriptions only for network access users.

5. Assign services to the local user.

  • For a network access user: service-type { lan-access | portal }

  • For a device management user:

    • In non-FIPS mode: service-type { ftp | { http | https | ssh | telnet | terminal } * }

    • In FIPS mode: service-type { https | ssh | terminal } *

By default, no services are authorized to a local user.

6. (Optional.) Place the local user to the active or blocked state.

state { active | block }

By default, a local user is in active state and can request network services.

7. (Optional.) Set the upper limit of concurrent logins using the local user name.

access-limit max-user-number

By default, the number of concurrent logins is not limited for the local user.

This command takes effect only when local accounting is configured for the local user. It does not apply to FTP, SFTP, or SCP users, because those services do not support accounting.

8. (Optional.) Configure binding attributes for the local user.

bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *

By default, no binding attributes are configured for a local user.

9. (Optional.) Configure authorization attributes for the local user.

authorization-attribute { acl acl-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | session-timeout minutes | url url-string | user-role role-name | vlan vlan-id | work-directory directory-name } *

The following default settings apply:

  • The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.

  • The network-operator user role is assigned to local users that are created by a network-admin or level-15 user on the default MDC.

  • The mdc-operator user role is assigned to local users that are created by an mdc-admin or level-15 user on a non-default MDC.

10. (Optional.) Configure password control attributes for the local user.

  • Set the password aging time: password-control aging aging-time

  • Set the minimum password length: password-control length length

  • Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]

  • Configure the password complexity checking policy: password-control complexity { same-character | user-name } check

  • Configure the maximum login attempts and the action to take if there is a login failure: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]

By default, the local user uses password control attributes of the user group to which the local user belongs.

Only device management users support the password control feature.

11. (Optional.) Assign the local user to a user group.

group group-name

By default, a local user belongs to the user group system.

12. (Optional.) Configure the validity period for the local user.

validity-datetime { from start-date start-time to expiration-date expiration-time | from start-date start-time | to expiration-date expiration-time }

By default, a local user does not expire.

You can configure validity periods only for network access users.
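The following worked configuration is an added example that walks the procedure above for one device management user and one network access user; it is not taken from the original page. The user names, passwords, MAC address, VLAN ID, and dates are made up, the date/time format used with validity-datetime is assumed, and lines beginning with # are comments for the reader, not commands.

```text
# --- Device management user: SSH only, admin role, per-user password policy ---
system-view
local-user netops-admin class manage
 password simple Str0ng!Passphrase#17
 service-type ssh
 authorization-attribute user-role network-admin
 password-control aging 90
 password-control length 14
 password-control composition type-number 3 type-length 2
 password-control complexity user-name check
 password-control complexity same-character check
 password-control login-attempt 5 exceed lock-time 30
 access-limit 2
 quit
# access-limit takes effect only if local accounting is configured for this user.

# --- Network access user: LAN access, bound to one MAC, VLAN 30, expires at year end ---
local-user lab-printer class network
 password simple Pr1nter-0nly-8f2c
 service-type lan-access
 bind-attribute mac 0011-2233-4455
 authorization-attribute vlan 30 idle-cut 15
 validity-datetime from 2024/01/01 00:00:00 to 2024/12/31 23:59:59
 description Lab-printer-MAC-bound-LAN-access
 quit

# --- Weak setting to avoid (non-FIPS mode): an admin account with no password ---
# This user passes authentication on the username alone.
local-user temp-admin class manage
 service-type telnet
 authorization-attribute user-role network-admin
 quit
# Corrected: remove it and recreate it with a password and SSH instead of Telnet.
undo local-user temp-admin class manage
local-user temp-admin class manage
 password simple T3mp-Adm1n-pass!
 service-type ssh
 authorization-attribute user-role network-admin
 quit

# Verify what was stored for each account
display local-user user-name netops-admin class manage
display local-user user-name lab-printer class network
```

Two points worth checking after applying this: the MAC binding and VLAN authorization only matter for the network access user (they are ignored for device management users), and the password control attributes only apply to the device management user, which is why none are set on lab-printer.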

Configuring local guest attributes

Create local guests and configure guest attributes to control temporary network access. Guests can access the network after passing local authentication. You can configure email addresses and other contact attributes for local guests and their sponsors so that the device can notify them of the account information.

To configure local guest attributes:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create a local guest and enter local guest view.

local-user user-name class network guest

By default, no local guests exist.

3. Configure a password for the local guest.

password { cipher | simple } string

By default, no password is configured for a local guest.

4. Configure a description for the local guest.

description text

By default, no description is configured for a local guest.

5. Specify the name of the local guest.

full-name name-string

By default, no name is specified for a local guest.

6. Specify the company of the local guest.

company company-name

By default, no company is specified for a local guest.

7. Specify the phone number of the local guest.

phone phone-number

By default, no phone number is specified for a local guest.

8. Specify the email address of the local guest.

email email-string

By default, no email address is specified for a local guest.

The device sends email notifications to this address to inform the guest of the account information.

9. Specify the sponsor name for the local guest.

sponsor-full-name name-string

By default, no sponsor name is specified for a local guest.

10. Specify the sponsor department for the local guest.

sponsor-department department-string

By default, no sponsor department is specified for a local guest.

11. Specify the sponsor email address for the local guest.

sponsor-email email-string

By default, no sponsor email address is specified for a local guest.

The device sends email notifications to this address to inform the sponsor of the guest information.

12. Configure the validity period for the local guest.

validity-datetime { from start-date start-time to expiration-date expiration-time | from start-date start-time | to expiration-date expiration-time }

By default, a local guest does not expire.

Expired guests cannot pass local authentication.

13. Assign the local guest to a user group.

group group-name

By default, a local guest belongs to the system-defined user group system.

14. Configure the local guest status.

state { active | block }

By default, a local guest is in active state and is allowed to request network services.
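The following is an added worked example of the guest procedure above, not code from the original page. The guest, sponsor, company, addresses and times are made up, the date/time format used with validity-datetime and the use of double quotes for values containing spaces are assumed, and the user group guests is created here only so that the group command has a target.

```text
system-view
# User group for guests; its authorization attributes are configured separately
user-group guests
 quit

# Guest account for a one-day vendor visit
local-user visitor-jdoe class network guest
 password simple Gu3st-7q2m-visit
 description "Vendor visit, building B"
 full-name "Jane Doe"
 company "Example Corp"
 phone +1-555-0100
 email jane.doe@example.com
 sponsor-full-name "Sam Host"
 sponsor-department Facilities
 sponsor-email sam.host@example.net
 validity-datetime from 2024/06/03 08:00:00 to 2024/06/03 18:00:00
 group guests
 state active
 quit

# Suspend the guest early without deleting the account (re-enable with "state active")
local-user visitor-jdoe class network guest
 state block
 quit

# Verify the guest record and its state
display local-user user-name visitor-jdoe class network guest
```

The validity period is the control that actually ends access: once it expires, the guest can no longer pass local authentication even if the account remains in the active state, so set it to the planned visit window rather than leaving the default (no expiry).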

Configuring user group attributes

User groups simplify local user configuration and management. A user group contains a set of local users and carries a set of local user attributes. Attributes that you configure for a user group apply to every local user in the group, which centralizes attribute management. The attributes that can be managed at group level are authorization attributes and password control attributes.

By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view.

To configure user group attributes:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create a user group and enter user group view.

user-group group-name

By default, a system-defined user group exists. The group name is system.

3. Configure authorization attributes for the user group.

authorization-attribute { acl acl-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | session-timeout minutes | url url-string | vlan vlan-id | work-directory directory-name } *

By default, no authorization attributes are configured for a user group.

4. (Optional.) Configure password control attributes for the user group.

  • Set the password aging time: password-control aging aging-time

  • Set the minimum password length: password-control length length

  • Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]

  • Configure the password complexity checking policy: password-control complexity { same-character | user-name } check

  • Configure the maximum login attempts and the action to take for login failures: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]

By default, the user group uses the global password control settings. For more information, see "Configuring password control."
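The following added example, not taken from the original page, configures one user group with both authorization and password control attributes and then places a device management user and a network access user in it. The group name, user names, passwords, VLAN ID and ACL number are made up; ACL 3001 is only referenced and must be defined separately.

```text
system-view
# Group-level authorization and password policy for contractor accounts
user-group contractors
 authorization-attribute vlan 40 idle-cut 20 session-timeout 480 acl 3001
 password-control aging 30
 password-control length 14
 password-control composition type-number 3 type-length 2
 password-control login-attempt 3 exceed lock-time 60
 quit

# Device management user: inherits the group's password control settings
# and overrides only the aging time in local user view.
local-user contractor-alice class manage
 password simple C0ntract0r-Al1ce!
 service-type ssh
 authorization-attribute user-role network-operator
 group contractors
 password-control aging 14
 quit

# Network access user: no per-user authorization attributes, so the group's
# VLAN, idle-cut, session-timeout and ACL apply.
local-user contractor-laptop class network
 password simple L4pt0p-Contr4ct
 service-type lan-access
 group contractors
 quit

# Verify the group and the users assigned to it
display user-group name contractors
display local-user user-name contractor-alice class manage
```

Per the remark on step 10 of the non-guest procedure, a password control attribute set in local user view is used instead of the group's value for that attribute, so contractor-alice gets a 14-day aging time but still takes the group's length, composition and lockout settings. Whether a per-user authorization attribute overrides the group's value for the same attribute is not stated on this page; confirm it with display local-user before relying on it.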

Managing local guests

The local guest management features are for maintenance and access control of local guests.

The device provides the following local guest management features:

  • Email notifications: the device sends account information to the guest, and guest information to the sponsor, through a configured SMTP server.

  • Batch creation: local guests that share a name prefix (and optionally a password prefix) are generated with one command.

  • Import and export: guest account information is imported from, or exported to, a .csv file.

To manage local guests:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure the subject and body of email notifications.

local-guest email format to { guest | manager | sponsor } { body body-string | subject sub-string }

By default, no subject and body are configured.

The manager keyword is not supported in the current software version.

3. Configure the email sender address in the email notifications sent by the device for local guests.

local-guest email sender email-address

By default, no email sender address is configured for the email notifications sent by the device.

4. Specify an SMTP server for sending email notifications of local guests.

local-guest email smtp-server url-string

By default, no SMTP server is specified.

5. (Optional.) Import guest account information from a .csv file in the specified path to create local guests based on the imported information.

local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time [ auto-create-group | override | start-line line-number ] *

N/A

6. (Optional.) Create local guests in batch.

local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time

Batch generated local guests share the same name prefix. You can also configure a password prefix to be shared by the guests.

7. (Optional.) Export local guest account information to a .csv file in the specified path.

local-user-export class network guest url url-string

N/A

8. Return to user view.

quit

N/A

9. (Optional.) Send email notifications to the local guest or the guest sponsor.

local-guest send-email user-name user-name to { guest | sponsor }

The email contents include the user name, password, and validity period of the guest account. Because the password is sent in the email body, the SMTP path and the recipient mailboxes become part of the account's trust boundary; protect them accordingly.

Configuring the auto-delete feature of local users

This feature enables the device to check the validity of local users every 10 minutes and to automatically delete local users whose validity period has expired.

To configure the auto-delete feature of local users:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enable the local user auto-delete feature.

local-user auto-delete enable

By default, the feature is disabled.
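The following added example, not code from the original page, combines the guest management procedure and the auto-delete feature above into one sequence: email delivery settings, batch creation of conference guests, an import from a .csv file, an export for record keeping, automatic cleanup, and a credential email to one guest. The addresses, SMTP URL form, file paths, prefixes, dates and the resulting guest names (conf-001 and so on) are assumed; the .csv layout expected by local-user-import is not described on this page.

```text
system-view
# Email delivery for guest notifications
local-guest email sender guest-portal@example.net
local-guest email smtp-server smtp://mail.example.net
local-guest email format to guest subject "Your guest network account"
local-guest email format to guest body "Use the account below for the duration of your visit."
local-guest email format to sponsor subject "Guest account created under your sponsorship"
local-guest email format to sponsor body "The guest account details are below. Contact IT if this is unexpected."

# Group that the generated guests will join
user-group guests
 quit

# 25 conference guests, names conf-<3-digit suffix>, passwords sharing the prefix Cf!,
# valid only for the three conference days
local-guest generate username-prefix conf- password-prefix Cf! suffix 3 group guests count 25 validity-datetime 2024/09/10 08:00:00 to 2024/09/12 18:00:00

# Pre-registered visitors from a .csv file, same validity window; create missing groups
local-user-import class network guest url flash:/visitors.csv validity-datetime 2024/09/10 08:00:00 to 2024/09/12 18:00:00 auto-create-group

# Keep a record of every guest account that now exists
local-user-export class network guest url flash:/guests-2024-09.csv

# Remove expired guest accounts automatically (checked every 10 minutes)
local-user auto-delete enable
quit

# Credential delivery runs from user view, one guest at a time
local-guest send-email user-name conf-001 to guest

# Review what was created
display local-user class network guest
```

Two caveats follow from the page itself. First, every generated guest shares the password prefix, so the prefix contributes nothing to the secrecy of those passwords; keep it short and treat the rest of the password as the secret. Second, the credential email carries the password in clear text, so enabling auto-delete and keeping the validity window tight limits how long a leaked message stays useful.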

Displaying and maintaining local users and local user groups

Execute display commands in any view.

Task

Command

Display the local user configuration and online user statistics.

display local-user [ class { manage | network [ guest ] } | idle-cut { disable | enable } | service-type { ftp | http | https | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name class { manage | network [ guest ] } | vlan vlan-id ]

Display the user group configuration information.

display user-group { all | name group-name }