Configuring authentication and authorization on the FTP server

To allow an FTP user to access certain directories on the FTP server, you need to create an account for the user, authorizing access to the directories and associating the username and password with the account.

The following configuration is used when the FTP server authenticates and authorizes a local FTP user. If the FTP server needs to authenticate a remote FTP user, you need to configure an authentication, authorization, and accounting (AAA) policy instead of a local user. For detailed configuration, see the Security Command Reference.

In local authentication, the switch checks the input username and password against those configured on the switch. In remote authentication, the switch sends the input username and password to the remote authentication server, which then checks whether they are consistent with those configured on the switch.

Follow these steps to configure authentication and authorization for the FTP server:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a local user and enter its view | local-user user-name | Required. No local user exists by default, and the system does not support anonymous FTP user access. |
| Assign a password to the user | password { simple \| cipher } password | Required. |
| Assign the FTP service to the user | service-type ftp | Required. By default, the system does not support anonymous FTP access and does not assign any service. If the FTP service is assigned, the root directory of the switch is used by default. |
| Configure user properties | authorization-attribute { acl acl-number \| callback-number callback-number \| idle-cut minute \| level level \| user-profile profile-name \| user-role security-audit \| vlan vlan-id \| work-directory directory-name } * | Optional. By default, FTP/SFTP users can access the root directory of the switch, and the user level is 0. You can change the default configuration by using this command. |


NOTE:

  • For more information about the local-user, password, service-type ftp, and authorization-attribute commands, see the Security Command Reference.

  • When the switch serves as the FTP server, if the client is to perform write operations (for example, upload, delete, or create) on the device's file system, the FTP login users must be level 3 users; if the client is to perform other operations, for example, read operations, the switch places no restriction on the user level of the FTP login users.
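The configuration produced by the steps above can be audited offline for the points the table and the NOTE make (a cleartext password, the default root work directory, and a level below 3 for users expected to write). The following Python script is an added example, not part of the original documentation; the configuration text it parses is constructed and the ciphertext is a placeholder, and it assumes the indented local-user view layout shown.

```python
import re

# Constructed Comware-style configuration (not from the original page):
# ftpadmin follows the procedure above; ftpro keeps the default level 0,
# has no work-directory, and stores its password with 'simple'.
SAMPLE_CONFIG = """\
local-user ftpadmin
 password cipher <ciphertext-placeholder>
 service-type ftp
 authorization-attribute level 3 work-directory flash:/ftproot
#
local-user ftpro
 password simple plaintext123
 service-type ftp
#
"""

def parse_local_users(config):
    # Collect each local-user view (its indented lines) into a dict.
    users, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^local-user (\S+)", line)
        if m:
            current = {"password": None, "services": set(), "level": 0, "work_directory": None}
            users[m.group(1)] = current
        elif not line.startswith(" ") or current is None:
            current = None            # '#' or a new top-level view ends the user view
        else:
            body = line.strip()
            if body.startswith("password "):
                current["password"] = body.split()[1]       # simple | cipher
            elif body.startswith("service-type "):
                current["services"].update(body.split()[1:])
            elif body.startswith("authorization-attribute "):
                lvl = re.search(r"\blevel (\d+)", body)
                wd = re.search(r"\bwork-directory (\S+)", body)
                current["level"] = int(lvl.group(1)) if lvl else 0
                current["work_directory"] = wd.group(1) if wd else None
    return users

def audit_ftp_users(config):
    # Return {user: [findings]} for every local user assigned the FTP service.
    report = {}
    for name, u in parse_local_users(config).items():
        if "ftp" not in u["services"]: continue
        checks = [
            (u["password"] == "simple", "password kept with 'simple' (cleartext in config)"),
            (u["work_directory"] is None, "no work-directory: user lands in the switch root"),
            (u["level"] < 3, "level below 3: FTP write operations are refused"),
        ]
        report[name] = [msg for bad, msg in checks if bad]
    return report
```

Running `audit_ftp_users(SAMPLE_CONFIG)` reports no findings for ftpadmin and all three for ftpro.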