Local User Management - Huawei Quidway S2700 Series Configuration Manual

Quidway S2700 Series Ethernet Switches
Configuration Guide - Security
The S2700 provides authorization schemes in the following modes:
l
l
l
l
The S2700 provides the following accounting modes:
l
l
l
In the RADIUS and HWTACACS accounting modes, the S2700 generates accounting packets
when a user goes online or goes offline, and then sends them to the RADIUS or HWTACACS
server. The server then performs accounting based on the information in the packets, such as
login time and logout time.
The S2700 supports realtime accounting. It means that the S2700 generates accounting packets
periodically and sends the accounting packets to the accounting server when a user is online. In
this way, the duration of abnormal accounting can be minimized when the communication
between the S2700 and the accounting server is interrupted.

Local User Management

To perform local user management, you need to set up the local user database, maintain user
information, and manage users on the S2700.
In local authentication or local authorization mode, you need to perform the task of
Configuring Local User
Domain-based User Management
The S2700 manages users based on the domain. You can configure authentication, authorization,
or accounting schemes in a domain. Then, the specified schemes are adopted to perform
authentication and authorization for users that belong to the domain.
All the users of the S2700 belong to a certain domain. The domain that a user belongs to depends
on the character string that follows the domain name delimiter. The domain name delimiter can
be @,|, or %.. For example, the user of "user@huawei" belongs to the domain "huawei". If there
is no "@" in the user name, the user belongs to the domain default.
By default, there are two domains named default and default_admin in the S2700, which cannot
be deleted but can be modified. If the domain of an access user cannot be obtained, the default
domain is used.
l
l
Issue 01 (2011-07-15)
Non-authorization: completely trusts users and directly authorizes them.
Local authorization: authorizes users according to the configured attributes of local user
accounts on the S2700.
Remote authorization: the S2700 functions as the client to communicate with the
authorization server through HWTACACS.
If-authenticated authorization: authorizes users after the users pass authentication in local
or remote authentication mode.
None: Users are not charged.
RADIUS accounting: The S2700 sends the accounting packets to the RADIUS server. Then
the RADIUS server performs accounting.
HWTACACS accounting: The S2700 sends the accounting packets to the HWTACACS
server. Then the HWTACACS server performs accounting.
Management.
Domain default is used for common access user. By default, local authentication is
performed for the users in domain default.
Domain default_admin is used for administrators. By default, local authentication is
performed for the users in domain default_admin.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
1 AAA and User Management Configuration
1.8
3