- Table of Contents
- H3C S6116 Ultra-Low Latency Switch Series Configuration Guide-Release 671x-6W100
- 00-Preface
- 01-Interface forwarding configuration
- 02-CLI configuration
- 03-RBAC configuration
- 04-Login management configuration
- 05-FTP and TFTP configuration
- 06-File system management configuration
- 07-Configuration file management configuration
- 08-Software upgrade configuration
- 09-Device management configuration
- 10-Tcl configuration
- 11-Bulk interface configuration
- 12-IP addressing configuration
- 13-IPv6 basics configuration
- 14-Static routing configuration
- 15-IPv6 static routing configuration
- 16-AAA configuration
- 17-Public key management
- 18-SSH configuration
- 19-System maintenance and debugging configuration
- 20-NTP configuration
- 21-SNMP configuration
- 22-RMON configuration
- 23-Event MIB configuration
- 24-Information center configuration
- 25-PTP configuration
- 26-Network synchronization configuration
Configuring AAA
NOTE: Only the management Ethernet port supports this feature.
About AAA
AAA implementation
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. AAA provides the following security functions:
· Authentication—Identifies users and verifies their validity.
· Authorization—Grants different users different rights, and controls the users' access to resources and services. For example, you can permit office users to read and print files and prevent guests from accessing files on the device.
· Accounting—Records network usage details of users, including the service type, start time, and traffic. This function enables time-based and traffic-based charging and user behavior auditing.
AAA extended functions
The device provides the following login services to enhance device security:
· Command authorization—Enables the NAS to let the authorization server determine whether a command entered by a login user is permitted. Login users can execute only commands permitted by the authorization server. For more information about command authorization, see Fundamentals Configuration Guide.
· Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
· User role authentication—Authenticates each user that wants to obtain another user role without logging out or getting disconnected. For more information about user role authentication, see Fundamentals Configuration Guide.
Configuring local users
About local users
To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type.
The device supports only device management users (users that log in to manage the device). It does not support network access users.
You can configure the service type attributes to control the services that a user can use. Local authentication checks the service types of the local user: if the service the user is requesting is not among the service types authorized for that user, the user cannot pass authentication.
Configuring attributes for device management users
Restrictions and guidelines
If password control is globally enabled for device management users by using the password-control enable command, the device neither displays local user passwords nor retains them in the running configuration. When you globally disable password control for device management users, local user passwords are automatically restored to the running configuration. To display the running configuration, use the display current-configuration command.
Procedure
1. Enter system view.
system-view
2. Add a device management user and enter device management user view.
local-user user-name class manage
3. Configure a password for the device management user.
password [ { hash | simple } string ]
A device management user that has no password passes authentication as long as it supplies the correct username and passes the attribute checks (for example, the service type check). To enhance security, configure a password for each device management user.
4. Assign services to the device management user.
service-type { ftp | { http | https | ssh | telnet | terminal } * }
By default, no services are authorized to a device management user.
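The following session puts the four steps above together and shows how the settings interact. It is an added example, not text from the H3C guide: the usernames, the password, and the `Sysname` prompt are placeholders, and lines beginning with `#` are annotations rather than commands to type. The first user is deliberately configured the weak way the note above warns about (no password), the second the way a practitioner should configure an operator account.

```console
# Added example (not from the H3C configuration guide). Placeholders:
# "contractor", "ops-admin", the password string, and the "Sysname" prompt.
<Sysname> system-view

# WEAK: a device management user with Telnet enabled and no password.
# Per the guide, such a user passes authentication on the username alone,
# and Telnet carries the session in cleartext.
[Sysname] local-user contractor class manage
[Sysname-luser-manage-contractor] service-type telnet
[Sysname-luser-manage-contractor] quit

# HARDENED: the same steps, but with a password set and SSH as the only service.
[Sysname] local-user ops-admin class manage
# "simple" takes the plaintext string and the device stores it in hashed form;
# use "hash" only when pasting a hash that the device itself produced.
[Sysname-luser-manage-ops-admin] password simple Str0ng-Passw0rd-2024!
# Authorize SSH only. Without a service-type line the user is authorized for
# no service at all (the default) and cannot log in.
[Sysname-luser-manage-ops-admin] service-type ssh
[Sysname-luser-manage-ops-admin] quit

# Verify each user: confirm that exactly the intended service types are set,
# and that the weak account is either removed or given a password.
[Sysname] display local-user user-name contractor class manage
[Sysname] display local-user user-name ops-admin class manage

# Confirm what is persisted. If "password-control enable" is in effect, the
# password lines are not shown here and are not retained in the running
# configuration, so their absence is expected and not a sign of a missing password.
[Sysname] display current-configuration | include local-user
```

When reviewing an existing device, the `display local-user` output is the quickest way to find accounts that are authorized for `telnet`, `ftp`, or `http` (all cleartext) or that have no password; the filtered `display local-user service-type telnet` form listed under the display commands below returns only the users that carry that service type.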
Display and maintenance commands for local users and local user groups
Execute display commands in any view.
Task | Command
---|---
Display the local user configuration and online user statistics. | display local-user [ class manage | idle-cut { disable | enable } | service-type { ftp | http | https | ssh | telnet | terminal } | state { active | block } | user-name user-name class manage ]