Configuring Local Users - HP MSR Series Configuration Manual

Configuring local users

To implement local authentication, authorization, and accounting, create local users and configure
user attributes on the device. The local users and attributes are stored in the local user database on
the device. A local user is uniquely identified by the combination of a username and a user type.
Local users are classified into the following types:
•
Device management user—User who logs in to the device for device management.
•
Network access user—User who accesses network resources through the device.
The following shows the configurable local user attributes:
•
Service type—Services that the user can use. Local authentication checks the service types of
a local user. If none of the service types is available, the user cannot pass authentication.
Service types include ADVPN, FTP, HTTP, HTTPS, IPoE, LAN access, PAD, portal, PPP, SSH,
SSL VPN, Telnet, and terminal.
•
User state—Whether or not a local user can request network services. There are two user
states: active and blocked. A user in active state can request network services, but a user in
blocked state cannot.
•
Upper limit of concurrent logins using the same user name—Maximum number of users
who can concurrently access the device by using the same user name. When the number
reaches the upper limit, no more local users can access the device by using the user name.
•
User group—Each local user belongs to a local user group and has all attributes of the group.
The attributes include the password control attributes and authorization attributes. For more
information about local user group, see
•
Binding attributes—Binding attributes control the scope of users, and are checked during
local authentication of a user. If the attributes of a user do not match the binding attributes
configured for the local user account, the user cannot pass authentication. Binding attributes
include the ISDN calling number, IP address, access port, MAC address, and native VLAN. For
support and usage information about binding attributes, see
•
Authorization attributes—Authorization attributes indicate the user's rights after it passes
local authentication. Authorization attributes include the ACL, idle cut function, PPP callback
number, user profile, user role, VLAN, FTP/SFTP/SCP working directory, VPN instance, and IP
service attributes. The IP service attributes include IPv4 address, IPv6 address, IPv6 address
prefix, IPv6 address pool, primary or secondary DNS server address, and redirect URL. For
support information about authorization attributes, see
Configure the authorization attributes based on the service type of local users. For example,
you do not need to configure the FTP/SFTP/SCP working directory attribute for a PPP user.
You can configure an authorization attribute in user group view or local user view. The setting of
an authorization attribute in local user view takes precedence over the attribute setting in user
group view.
The attribute configured in user group view takes effect on all local users in the user group.
The attribute configured in local user view takes effect only on the local user.
•
Password control attributes—Password control attributes help control password security for
device management users. Password control attributes include password aging time, minimum
password length, password composition checking, password complexity checking, and login
attempt limit.
You can configure a password control attribute in system view, user group view, or local user
view. A password control attribute with a smaller effective range has a higher priority. For more
information about password management and global password configuration, see
password control."
"Configuring user group
"Configuring local user
"Configuring local user
20
attributes."
attributes."
attributes."
"Configuring