Configuring AAA schemes
Configuring local users
To implement local user authentication, authorization, and accounting, you must create local users and
configure user attributes on the router. The local users and attributes are stored in the local user
database on the router. A local user is uniquely identified by a username. Configurable local user
attributes are as follows:
Service type
The types of the services that the user can use. Local authentication checks the service types of a local
user. If none of the service types are available, the user cannot pass authentication.
Service types include FTP, LAN access, Portal, PPP, SSH, Telnet, and Terminal.
User state
Indicates whether or not a local user can request network services. There are two user states: active
and blocked. A user in the active state can request network services, but a user in the blocked state
cannot.
Maximum number of users using the same local user account
Indicates how many users can use the same local user account for local authentication.
Expiration time
Indicates the expiration time of a local user account. A user must use a valid local user account to pass
local authentication. When some users have to access the network temporarily, create a guest account
and specify an expiration time for the account to control the validity of the account.
User group
Each local user belongs to a local user group and bears all attributes of the group, such as the password
control attributes and authorization attributes. For more information, see "
Password control attributes
Password control attributes help you control the security of local users' passwords. Password control
attributes include password aging time, minimum password length, and password composition policy.
Configure a password control attribute in system view, user group view, or local user view, making the
attribute effective for all local users, all local users in a group, or only the local user. A password control
attribute with a smaller effective range has a higher priority. For more information about password
management and global password configuration, see "
Binding attributes
Binding attributes are used for controlling the scope of users. They are checked during local
authentication of a user. If the attributes of a user do not match the binding attributes configured for the
local user account, the user cannot pass authentication. Binding attributes include the ISDN calling
number, IP address, access port, MAC address, and native VLAN. For more information, see
"Configuring local user attributes." Be cautious when deciding which binding attributes to configure for
a local user.
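
The following added example (not part of the original guide and not the router's own code) models in Python how the attributes above interact: the scope precedence of password control attributes and the attribute checks made during local authentication. The field names, the policy keys, the order of the checks, and the sample account are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed system-view defaults; the key names are hypothetical.
SYSTEM_POLICY = {"aging_days": 90, "min_length": 10, "composition_types": 2}
NOW = datetime(2029, 6, 1)  # constructed evaluation time

@dataclass
class LocalUser:
    name: str
    service_types: set
    active: bool = True                       # user state: active or blocked
    access_limit: Optional[int] = None        # max users sharing this account
    expires: Optional[datetime] = None        # expiration time
    group_policy: dict = field(default_factory=dict)  # set in user group view
    user_policy: dict = field(default_factory=dict)   # set in local user view
    bindings: dict = field(default_factory=dict)      # e.g. {"ip": ..., "mac": ...}

def effective_policy(user):
    """Smaller effective range wins: local user > user group > system."""
    return {**SYSTEM_POLICY, **user.group_policy, **user.user_policy}

def local_auth_check(user, service, now, session, in_use=0):
    """Return (allowed, reason); check order is an assumption of this model."""
    if service not in user.service_types:
        return False, "service type not available"
    if not user.active:
        return False, "user state is blocked"
    if user.expires is not None and now >= user.expires:
        return False, "account expired"
    if user.access_limit is not None and in_use >= user.access_limit:
        return False, "maximum number of users reached"
    for attr, expected in user.bindings.items():
        if session.get(attr) != expected:
            return False, f"binding attribute mismatch: {attr}"
    return True, "attribute checks passed"

# Constructed sample: a temporary guest account bound to one IP address.
guest = LocalUser("guest1", {"ssh"}, access_limit=1,
                  expires=datetime(2030, 1, 1),
                  group_policy={"min_length": 12},
                  user_policy={"aging_days": 30},
                  bindings={"ip": "192.0.2.10"})

if __name__ == "__main__":
    print(effective_policy(guest))
    print(local_auth_check(guest, "ssh", NOW, {"ip": "192.0.2.10"}))
    print(local_auth_check(guest, "ssh", NOW, {"ip": "192.0.2.99"}))
    print(local_auth_check(guest, "telnet", NOW, {"ip": "192.0.2.10"}))
```

The binding mismatch case shows why binding attributes need care: a legitimate user connecting from an address or port other than the bound one fails authentication even with correct credentials.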