Configuring AAA schemes
Configuring local users
For local authentication, you must create local users and configure user attributes on the device in
advance. The local users and attributes are stored in the local user database on the device. A local user
is uniquely identified by a username. Configurable local user attributes are as follows:
Service type
Types of services that the user can use. Local authentication checks the service types of a local user. If
none of the service types is available, the user cannot pass authentication.
Service types include FTP, LAN access, Portal, SSH, Telnet, and Terminal.
User state
Indicates whether or not a local user can request network services. There are two user states: active and
blocked. A user in the active state can request network services, but a user in the blocked state cannot.
Maximum number of users using the same local user account
Indicates how many users can use the same local user account for local authentication.
Expiration time
Indicates the expiration time of a local user account. A user must use a local user account that has not
expired to pass local authentication.
User group
Each local user belongs to a local user group and bears all attributes of the group, such as the password
control attributes and authorization attributes. For more information about local user groups, see
"Configuring user group attributes."
Password control attributes
Password control attributes help you improve the security of local users’ passwords. Password control
attributes include password aging time, minimum password length, and password composition policy.
You can configure a password control attribute in system view, user group view, or local user view,
making the attribute effective for all local users, all local users in a group, or only the local user. A
password control attribute with a smaller effective range has a higher priority. For more information about
password management and global password configuration, see the chapter "Password control
configuration."
Binding attributes
Binding attributes are used to control the scope of users. Binding attributes are checked during
authentication. If the attributes of a user do not match the binding attributes configured for the user on the
access device, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP
address, access port, MAC address, and native VLAN. For more information about binding attributes, see
"Configuring local user attributes."
Authorization attributes
Authorization attributes indicate the rights that a user has after passing local authentication. Authorization
attributes include the ACL, PPP callback number, idle cut function, user level, user role, user profile, VLAN,
and FTP/SFTP work directory. For more information about authorization attributes, see ―
.―
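
An illustrative Python model of the checks described above (service type, user state, expiration time, user limit, binding attributes) and of the password control priority rule. This is an added example, not code from the device or its vendor. The field names, the order of the checks, and treating the user limit as a count of concurrent sessions are assumptions, and all sample values are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass
class LocalUser:  # hypothetical structure, not the device's data model
    name: str
    service_types: set
    active: bool = True                      # user state: active or blocked
    access_limit: Optional[int] = None       # None = no limit configured
    expires: Optional[datetime] = None       # None = no expiration time
    bindings: dict = field(default_factory=dict)          # binding attributes
    password_control: dict = field(default_factory=dict)  # local user view

def effective_password_control(system, group, user):
    """Smaller effective range wins: local user > user group > system view."""
    merged = dict(system)
    merged.update(group)
    merged.update(user.password_control)
    return merged

def local_auth_check(user, service, attrs, sessions_in_use, now):
    """Return (passed, reason) for one access request (assumed check order)."""
    if service not in user.service_types:
        return False, "service type not available"
    if not user.active:
        return False, "user state is blocked"
    if user.expires is not None and now >= user.expires:
        return False, "account expired"
    if user.access_limit is not None and sessions_in_use >= user.access_limit:
        return False, "maximum number of users reached"
    for key, expected in user.bindings.items():
        if attrs.get(key) != expected:  # request must match every binding
            return False, f"binding attribute mismatch: {key}"
    return True, "passed"

# Constructed sample data
SYSTEM_PC = {"aging_days": 90, "min_length": 10, "composition_types": 1}
GROUP_PC = {"min_length": 12, "composition_types": 3}
ALICE = LocalUser("alice", {"ssh"}, access_limit=2,
                  expires=datetime(2030, 1, 1),
                  bindings={"mac": "00-11-22-33-44-55", "vlan": 10},
                  password_control={"aging_days": 30})
GOOD_ATTRS = {"mac": "00-11-22-33-44-55", "vlan": 10, "ip": "192.0.2.10"}
NOW = datetime(2025, 1, 1)

if __name__ == "__main__":
    print(effective_password_control(SYSTEM_PC, GROUP_PC, ALICE))
    print(local_auth_check(ALICE, "ssh", GOOD_ATTRS, 0, NOW))
    print(local_auth_check(ALICE, "telnet", GOOD_ATTRS, 0, NOW))
```
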