Configuring local users
To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type. Local users are classified into the following types:
Device management user—User who logs in to the device for device management.
Network access user—User who accesses network resources through the device. Network access users also include guests who access the network temporarily. Guests can use only LAN and portal services.
The following shows the configurable local user attributes:
Description—Descriptive information of the user.
Service type—Services that the user can use. Local authentication checks the service types of a local user against the service being requested. A user who has no service type that matches the requested service cannot pass authentication. Because no service type is authorized by default, a newly created local user cannot log in until you assign one.
Service types include FTP, HTTP, HTTPS, LAN access, portal, SSH, Telnet, and terminal.
User state—Whether or not a local user can request network services. There are two user states: active and blocked. A user in active state can request network services, but a user in blocked state cannot.
Upper limit of concurrent logins using the same user name—Maximum number of users who can concurrently access the device by using the same user name. When the number reaches the upper limit, no more local users can access the device by using the user name.
User group—Each local user belongs to a local user group and has all attributes of the group. The attributes include the password control attributes and authorization attributes. For more information about local user group, see "Configuring user group attributes."
Binding attributes—Binding attributes control the scope of users, and are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP address, access port, MAC address, and native VLAN. For support and usage information about binding attributes, see "Configuring non-guest local user attributes."
Authorization attributes—Authorization attributes indicate the user's rights after it passes local authentication. For support information about authorization attributes, see "Configuring non-guest local user attributes."
Configure the authorization attributes based on the service type of local users.
You can configure an authorization attribute in user group view or local user view. The setting of an authorization attribute in local user view takes precedence over the attribute setting in user group view.
The attribute configured in user group view takes effect on all local users in the user group.
The attribute configured in local user view takes effect only on the local user.
Password control attributes—Password control attributes help control password security for device management users. Password control attributes include password aging time, minimum password length, password composition checking, password complexity checking, and login attempt limit.
You can configure a password control attribute in system view, user group view, or local user view. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control."
Validity period—Time period in which a network access user is considered valid for authentication.
Local user configuration task list
Tasks at a glance |
---|
(Required.) Configure local user attributes based on the user type: Configuring non-guest local user attributes, or Configuring local guest attributes |
(Optional.) Configuring user group attributes |
(Optional.) Managing local guests |
(Optional.) Configuring the auto-delete feature of local users |
Configuring non-guest local user attributes
Non-guest local user attributes apply to all local users except guests. When you configure non-guest local user attributes, follow these guidelines:
When you use the password-control enable command to globally enable the password control feature, local user passwords are not displayed.
You can configure authorization attributes and password control attributes in local user view or user group view. The setting in local user view takes precedence over the setting in user group view.
Configure the location binding attribute based on the service types of users.
For 802.1X users, specify the 802.1X-enabled Layer 2 Ethernet interfaces through which the users access the device.
For MAC authentication users, specify the MAC authentication-enabled Layer 2 Ethernet interfaces through which the users access the device.
For portal users, specify the portal-enabled interfaces through which the users access the device. Specify the Layer 2 Ethernet interfaces if portal is enabled on VLAN interfaces and the portal roaming enable command is not configured.
To configure non-guest local user attributes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add a local user and enter local user view. | local-user user-name [ class { manage | network } ] | By default, no local users exist. |
3. (Optional.) Configure a password for the local user. | | The default settings are as follows: |
4. (Optional.) Configure a description for the local user. | description text | By default, no description is configured for a local user. You can configure descriptions only for network access users. |
5. Assign services to the local user. | | By default, no services are authorized to a local user. |
6. (Optional.) Place the local user to the active or blocked state. | state { active | block } | By default, a local user is in active state and can request network services. |
7. (Optional.) Set the upper limit of concurrent logins using the local user name. | access-limit max-user-number | By default, the number of concurrent logins is not limited for the local user. This command takes effect only when local accounting is configured for the local user. It does not apply to FTP, SFTP, or SCP users, who do not support accounting. |
8. (Optional.) Configure binding attributes for the local user. | bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } * | By default, no binding attributes are configured for a local user. |
9. (Optional.) Configure authorization attributes for the local user. | authorization-attribute { acl acl-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | session-timeout minutes | url url-string | user-role role-name | vlan vlan-id | work-directory directory-name } * | The following default settings apply: |
10. (Optional.) Configure password control attributes for the local user. | | By default, the local user uses password control attributes of the user group to which the local user belongs. Only device management users support the password control feature. |
11. (Optional.) Assign the local user to a user group. | group group-name | By default, a local user belongs to the user group system. |
12. (Optional.) Configure the validity period for the local user. | validity-datetime { from start-date start-time to expiration-date expiration-time | from start-date start-time | to expiration-date expiration-time } | By default, a local user does not expire. You can configure validity periods only for network access users. |
Configuring local guest attributes
Create local guests and configure guest attributes to control temporary network access. Guests can access the network after passing local authentication. You can also configure email addresses and related contact attributes for local guests and their sponsors so that the device can send them account notifications by email.
To configure local guest attributes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a local guest and enter local guest view. | local-user user-name class network guest | By default, no local guests exist. |
3. Configure a password for the local guest. | password { cipher | simple } string | By default, no password is configured for a local guest. |
4. Configure a description for the local guest. | description text | By default, no description is configured for a local guest. |
5. Specify the name of the local guest. | full-name name-string | By default, no name is specified for a local guest. |
6. Specify the company of the local guest. | company company-name | By default, no company is specified for a local guest. |
7. Specify the phone number of the local guest. | phone phone-number | By default, no phone number is specified for a local guest. |
8. Specify the email address of the local guest. | email email-string | By default, no email address is specified for a local guest. The device sends email notifications to this address to inform the guest of the account information. |
9. Specify the sponsor name for the local guest. | sponsor-full-name name-string | By default, no sponsor name is specified for a local guest. |
10. Specify the sponsor department for the local guest. | sponsor-department department-string | By default, no sponsor department is specified for a local guest. |
11. Specify the sponsor email address for the local guest. | sponsor-email email-string | By default, no sponsor email address is specified for a local guest. The device sends email notifications to this address to inform the sponsor of the guest information. |
12. Configure the validity period for the local guest. | validity-datetime { from start-date start-time to expiration-date expiration-time | from start-date start-time | to expiration-date expiration-time } | By default, a local guest does not expire. Expired guests cannot pass local authentication. |
13. Assign the local guest to a user group. | group group-name | By default, a local guest belongs to the system-defined user group system. |
14. Configure the local guest status. | state { active | block } | By default, a local guest is in active state and is allowed to request network services. |
Configuring user group attributes
User groups simplify local user configuration and management. A user group contains a set of local users and carries a set of local user attributes. Configure the attributes once in the group to manage them centrally for every local user in the group. The attributes you can manage at group level are authorization attributes and password control attributes.
By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view.
To configure user group attributes:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a user group and enter user group view. | user-group group-name | By default, a system-defined user group exists. The group name is system. |
3. Configure authorization attributes for the user group. | authorization-attribute { acl acl-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | session-timeout minutes | url url-string | vlan vlan-id | work-directory directory-name } * | By default, no authorization attributes are configured for a user group. |
4. (Optional.) Configure password control attributes for the user group. | | By default, the user group uses the global password control settings. For more information, see "Configuring password control." |
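The two procedures above ("Configuring non-guest local user attributes" and "Configuring user group attributes") put together as one worked Comware-style CLI session. This is an added example and is not part of the original page. Prompts, the interface name, MAC address, ACL number, role name, password values and the date/time format are assumptions; the `service-type` and `password-control` keyword syntax is not shown on this page and is taken from the command reference, so confirm it against your software version. Lines starting with `#` are annotations, not CLI input.

```text
# Added example, not from the original page. All names and values are assumed.
<Sysname> system-view

# A user group for administrators: password control set once at group level
# applies to every device management user in the group (only manage users
# support password control).
[Sysname] user-group admins
[Sysname-ugroup-admins] password-control length 12
[Sysname-ugroup-admins] password-control aging 90
[Sysname-ugroup-admins] password-control login-attempt 3 exceed lock-time 30
[Sysname-ugroup-admins] quit

# A user group for network devices: shared authorization attributes.
[Sysname] user-group iot-devices
[Sysname-ugroup-iot-devices] authorization-attribute acl 3001 idle-cut 15 vlan 10
[Sysname-ugroup-iot-devices] quit

# Device management user: SSH only, least-privilege role, at most two
# concurrent sessions (access-limit needs local accounting to take effect).
[Sysname] local-user ops-ro class manage
[Sysname-luser-manage-ops-ro] password simple Ch4ng3-me-first!
[Sysname-luser-manage-ops-ro] service-type ssh
[Sysname-luser-manage-ops-ro] authorization-attribute user-role network-operator
[Sysname-luser-manage-ops-ro] group admins
[Sysname-luser-manage-ops-ro] access-limit 2
[Sysname-luser-manage-ops-ro] quit

# Network access user for a MAC-authenticated printer, pinned to one port and
# one MAC address (the interface must have MAC authentication enabled). The
# VLAN set in local user view (20) overrides the group's VLAN 10; the ACL and
# idle-cut still come from the group.
[Sysname] local-user printer-01 class network
[Sysname-luser-network-printer-01] password simple pr1nt3r-0nly-s3cret
[Sysname-luser-network-printer-01] service-type lan-access
[Sysname-luser-network-printer-01] bind-attribute mac 00e0-fc12-3456 location interface gigabitethernet 1/0/1
[Sysname-luser-network-printer-01] authorization-attribute vlan 20
[Sysname-luser-network-printer-01] group iot-devices
[Sysname-luser-network-printer-01] validity-datetime from 2025/01/01 00:00:00 to 2025/06/30 23:59:59
[Sysname-luser-network-printer-01] quit

# Suspend an account without deleting it: a blocked user fails authentication
# and keeps its attributes for later re-activation.
[Sysname] local-user ops-ro class manage
[Sysname-luser-manage-ops-ro] state block
[Sysname-luser-manage-ops-ro] quit

# Verify the effective settings.
[Sysname] display local-user user-name printer-01 class network
[Sysname] display user-group name iot-devices
```

Two points to check after applying something like this: the `access-limit` value is ignored unless local accounting is configured for the user, so do not rely on it alone to cap sessions; and once `password-control enable` is set globally, `display local-user` no longer shows local user passwords, so the `simple` form above is only what you type, not what is displayed afterwards.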
Managing local guests
The local guest management features are for maintenance and access control of local guests.
The device provides the following local guest management features:
Local guest creation—Allows you to manually create local guests and configure guest account attributes, including user name, password, and email address.
Email notification—The device notifies the local guests or guest sponsors by email of the guest account information.
Local guest creation in batch—Create a batch of local guests.
Local guest import—Import guest account information from a .csv file to create local guests on the device based on the imported information.
Local guest export—Export local guest account information to a .csv file. You can import the account information to other devices as needed.
To manage local guests:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the subject and body of email notifications. | local-guest email format to { guest | manager | sponsor } { body body-string | subject sub-string } | By default, no subject and body are configured. The manager keyword is not supported in the current software version. |
3. Configure the email sender address in the email notifications sent by the device for local guests. | local-guest email sender email-address | By default, no email sender address is configured for the email notifications sent by the device. |
4. Specify an SMTP server for sending email notifications of local guests. | local-guest email smtp-server url-string | By default, no SMTP server is specified. |
5. (Optional.) Import guest account information from a .csv file in the specified path to create local guests based on the imported information. | local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time [ auto-create-group | override | start-line line-number ] * | N/A |
6. (Optional.) Create local guests in batch. | local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time | Batch generated local guests share the same name prefix. You can also configure a password prefix to be shared by the guests. |
7. (Optional.) Export local guest account information to a .csv file in the specified path. | local-user-export class network guest url url-string | N/A |
8. Return to user view. | quit | N/A |
9. (Optional.) Send email notifications to the local guest or the guest sponsor. | local-guest send-email user-name user-name to { guest | sponsor } | The email contents include the user name, password, and validity period of the guest account. |
Configuring the auto-delete feature of local users
This feature enables the device to check the validity periods of local users every 10 minutes and automatically delete local users whose validity period has expired. Validity periods can be configured only for network access users, including guests, so only those users are subject to auto-deletion.
To configure the auto-delete feature of local users:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the local user auto-delete feature. | local-user auto-delete enable | By default, the feature is disabled. |
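The guest lifecycle described in "Configuring local guest attributes", "Managing local guests" and the auto-delete feature above, as one worked Comware-style CLI session. This is an added example and is not part of the original page. Prompts, the SMTP host, email addresses, names, the `flash:/` export path, the date/time format, and the reading of `suffix` as the starting number appended to the name prefix are assumptions; check them against the command reference. Lines starting with `#` are annotations, not CLI input.

```text
# Added example, not from the original page. All names and values are assumed.
<Sysname> system-view

# Outbound notification settings (system view). The email sent by the device
# contains the guest user name, password and validity period, so the SMTP
# path carries credentials in cleartext; keep it on a trusted mail relay.
[Sysname] local-guest email sender noc@example.com
[Sysname] local-guest email smtp-server smtp.example.com
[Sysname] local-guest email format to guest subject "Your visitor network account"
[Sysname] local-guest email format to guest body "Use the credentials below. They stop working at the expiration time."
[Sysname] local-guest email format to sponsor subject "Visitor account created under your name"

# A user group for guests; created first so accounts can be assigned to it.
[Sysname] user-group guests
[Sysname-ugroup-guests] authorization-attribute acl 3002
[Sysname-ugroup-guests] quit

# One sponsored guest with a hard expiry. Expired guests fail authentication.
[Sysname] local-user v-jane class network guest
[Sysname-luser-network(guest)-v-jane] password simple W3lc0me-guest-2025
[Sysname-luser-network(guest)-v-jane] full-name "Jane Doe"
[Sysname-luser-network(guest)-v-jane] company "Example Corp"
[Sysname-luser-network(guest)-v-jane] email jane.doe@example.com
[Sysname-luser-network(guest)-v-jane] sponsor-full-name "Sam Host"
[Sysname-luser-network(guest)-v-jane] sponsor-department Facilities
[Sysname-luser-network(guest)-v-jane] sponsor-email sam.host@example.com
[Sysname-luser-network(guest)-v-jane] validity-datetime from 2025/03/10 08:00:00 to 2025/03/10 18:00:00
[Sysname-luser-network(guest)-v-jane] group guests
[Sysname-luser-network(guest)-v-jane] quit

# Twenty one-day accounts for an event, generated as a batch. All of them share
# the name prefix and, because password-prefix is given, a password prefix, so
# treat that prefix as guessable and keep the validity window short.
[Sysname] local-guest generate username-prefix event password-prefix Ev3nt- suffix 1 group guests count 20 validity-datetime 2025/03/12 08:00:00 to 2025/03/12 18:00:00

# Let the device purge accounts once their validity period ends (checked every
# 10 minutes), so stale guest credentials do not linger in the local database.
[Sysname] local-user auto-delete enable

# Keep a copy of the guest accounts for import on a second device. The file
# holds account information; handle it as a credential file.
[Sysname] local-user-export class network guest url flash:/guests-2025-03-12.csv
[Sysname] quit

# Notifications are sent from user view.
<Sysname> local-guest send-email user-name v-jane to guest
<Sysname> local-guest send-email user-name v-jane to sponsor

# Verify: every guest, its state and its validity period.
<Sysname> display local-user class network guest
```

To bring the exported file onto another device, `local-user-import class network guest url ... validity-datetime ... to ...` recreates the accounts with a validity period you set at import time; use `auto-create-group` if the target device lacks the `guests` group, and `override` only when you intend to replace existing accounts of the same name.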
Displaying and maintaining local users and local user groups
Execute display commands in any view.
Task | Command |
---|---|
Display the local user configuration and online user statistics. | display local-user [ class { manage | network [ guest ] } | idle-cut { disable | enable } | service-type { ftp | http | https | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name class { manage | network [ guest ] } | vlan vlan-id ] |
Display the user group configuration information. | display user-group { all | name group-name } |