18
Configuring AAA schemes
This section includes information on configuring local users, RADIUS schemes, HWTACACS schemes,
and LDAP schemes.
Configuring local users
To implement local authentication, authorization, and accounting, create local users and configure user
attributes on the device. The local users and attributes are stored in the local user database on the device.
A local user is uniquely identified by the combination of a username and a user type. Local users are
classified into the following types:
•
Device management user
—User who logs in to the device for device management.
•
Network access user
—User who accesses network resources through the device.
The following shows the configurable local user attributes:
•
Service type
—Services that the user can use. Local authentication checks the service types of a local
user. If none of the service types is available, the user cannot pass authentication.
Service types include FTP, HTTP, HTTPS, LAN access, portal, SSH, Telnet, and terminal.
•
User state
—There are two user states: active and blocked. A user in active state can request network
services. A user in blocked state cannot request authentication, authorization, and accounting
services, but it can request to stop the accounting service in use.
•
Upper limit of concurrent logins using the same user name
—Maximum number of users who can
concurrently access the device by using the same user name. When the number reaches the upper
limit, no more local users can access the device by using the user name.
•
User group
—Each local user belongs to a local user group and has all attributes of the group. The
attributes include the password control attributes and authorization attributes. For more information
about local user group, see "
Configuring user group attributes
."
•
Binding attributes
—Binding attributes control the scope of users, and are checked during local
authentication of a user. If the attributes of a user do not match the binding attributes configured for
the local user account, the user cannot pass authentication. Binding attributes include the IP address,
access port, MAC address, and native VLAN. For support and usage information about binding
attributes, see "
Configuring local user attributes
."
•
Authorization attributes
—Authorization attributes indicate the user's rights after it passes local
authentication. Authorization attributes include the ACL, idle cut function, user profile, user role,
VLAN, and FTP/SFTP/SCP working directory. For support information about authorization
attributes, see "
Configuring local user attributes
."
Configure the authorization attributes based on the service type of local users.
You can configure an authorization attribute in user group view or local user view. The setting of
an authorization attribute in local user view takes precedence over the attribute setting in user
group view.
{
The attribute configured in user group view takes effect on all local users in the user group.
{
The attribute configured in local user view takes effect only on the local user.
•
Password control attributes
—Password control attributes help control password security for device
management users. Password control attributes include password aging time, minimum password
length, password composition checking, password complexity checking, and login attempt limit.