H3C Firewall Products Comware 7 Web Configuration Guide-6W600
07-System, 38-Administrators
Administrators

Introduction

An administrator configures and manages the device from the following aspects:

·     User account management—Manages user account information and attributes (for example, username and password).

·     Role-based access control—Manages user access permissions by user role.

·     Password control—Manages user passwords and controls user login status based on predefined policies.

The service type of an administrator can be HTTP, HTTPS, SSH, Telnet, FTP, PAD, or terminal. A terminal user can access the device through the console port.

User account management

A user account on the device manages attributes for users that log in to the device with the same username. The attributes include the username, password, role, services, and password control parameters.

Role-based access control

The device controls access permissions by assigning roles to users. A role defines the set of features that users assigned the role can access and the set that they cannot.

Access permission control

On the Web interface, you can configure a role to allow or deny access to specific Web pages. These Web pages are called Web menus.

The Web menus are controlled based on the following options:

·     Read-only—If you select this option, the role that you configure has access permissions to the Web menus that display configuration and maintenance information of the specified item.

·     Read and write—If you select this option, the role that you configure has access permissions to the following Web menus of the specified item:

¡     Web menus that display configuration and maintenance information.

¡     Web menus that configure the item.

·     No permissions—If you select this option, the role that you configure does not have any access permission to the specified item.

Predefined roles

The system provides predefined roles. The access permissions of these roles differ, as shown in Table 1. If the predefined roles cannot meet users' requirements, administrators can configure roles for the users as required.

Table 1 Predefined roles and permissions matrix

Role name         Permissions
network-admin     Access to all features in the system.
security-admin    Configure security service features and monitor the processing status of security services.
audit-admin       Audit device operations only.
system-admin      Configure system features and monitor device running status.
context-admin     Access to all features in a context.
vsys-admin        Access to all features in a vSystem. Support for this role depends on the device model.

Role assignment

Assign access permissions to a user by assigning a role to the user. The user can use the collection of items accessible to the role assigned to the user.

Depending on the authentication method, role assignment has the following methods:

·     Local AAA authorization—If a user passes local authorization, the device assigns the role specified in the local user account to the user.

·     Remote AAA authorization—If a user passes remote authorization, the remote AAA server assigns the role specified on the server to the user.

A user that is not assigned any role cannot log in to the device.

You can assign only one role to a user.

Password control

Password control provides the following features:

·     Manage login and super password setup, expirations, and updates for local users.

·     Control user login status based on predefined policies.

Password control settings include global settings and user-specific settings.

·     The settings on the Administrator Password Control page are global password control settings, which apply to all administrator users.

·     The password control settings configured on the Create Administrator or Edit Administrator page are user-specific settings, which apply only to the user.

Unless otherwise stated, user-specific password control settings have higher priority than global password control settings.

Minimum password length

You can define the minimum length of user passwords. The system rejects a password if it is shorter than the configured minimum length.

Password complexity check

The strength of a password increases with its complexity; a simple password is easier to crack. For example, a password that contains the username or repeated characters is more likely to be cracked than one that does not. To increase system security, configure a password complexity policy so that user-configured passwords are complex enough to resist most password-guessing attacks.

You can apply the following password complexity requirements:

·     A password cannot contain the username or the username spelled backwards. For example, if the username is abc, the password cannot be abc982 or 2cba. To have this requirement take effect on a user, you must enable it both on the global and user-specific password control configuration pages.

·     A password cannot contain more than two consecutive identical characters. For example, password a111 is not allowed. To have this requirement take effect on a user, you must enable it either on the user-specific password control configuration page or on the global password control configuration page.

Password composition check

To have the user-specific settings for this feature take effect, you must also enable this feature on the global password control configuration page.

A password can be a combination of characters from the following types:

·     Uppercase letters A to Z.

·     Lowercase letters a to z.

·     Digits 0 to 9.

·     Special characters. See Table 2.

Table 2 Special characters

Character name          Symbol
Ampersand sign          &
Apostrophe              '
Asterisk                *
At sign                 @
Back quote              `
Back slash              \
Blank space             N/A (the space character)
Caret                   ^
Colon                   :
Comma                   ,
Dollar sign             $
Dot                     .
Equal sign              =
Exclamation point       !
Left angle bracket      <
Left brace              {
Left bracket            [
Left parenthesis        (
Minus sign              -
Percent sign            %
Plus sign               +
Pound sign              #
Quotation marks         "
Right angle bracket     >
Right brace             }
Right bracket           ]
Right parenthesis       )
Semi-colon              ;
Slash                   /
Tilde                   ~
Underscore              _
Vertical bar            |

Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type, as shown in Table 3.

Table 3 Password composition policy

Password combination level   Minimum number of character types   Minimum number of characters for each type
Level 1                      One                                 One
Level 2                      Two                                 One
Level 3                      Three                               One
Level 4                      Four                                One

When a user sets or changes a password, the system checks whether the password meets the composition requirement. If it does not, the operation fails.

Password updating

This feature allows you to set the minimum interval at which users can change their passwords. A user can only change the password once within the specified interval.

The minimum interval does not apply to the following situations:

·     A user is prompted to change the password at the first login.

·     The password expiration time expires.

Password expiration

To have the user-specific settings for this feature take effect, you must also enable this feature on the global password control configuration page.

Password expiration imposes a lifecycle on a user password. After the password expires, the user needs to change the password.

A login attempt with an expired password produces an error message and a prompt to provide a new password. The new password must pass the password checks, and the confirmation entry must match it exactly.

Telnet users, SSH users, and console users can change their own passwords. FTP users must have their passwords changed by the administrator.

Password expiration notification

When a user logs in, the system determines whether the password will expire in a time equal to or less than the specified notification period. If so, the system notifies the user when the password will expire and provides a choice for the user to change the password.

·     If the user sets a new valid password, the system records the new password and the setup time.

·     If the user does not or fails to change the password, the system allows the user to log in by using the current password until the password expires.


Login with an expired password

You can allow a user to log in a certain number of times within a period of time after the password expires. For example, if you set the maximum number of logins with an expired password to 3 and the time period to 15 days, a user can log in three times within 15 days after the password expires.
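The model below is an added example, not H3C code, and replays the lifecycle rules of the "Password updating", "Password expiration", "Password expiration notification" and "Login with an expired password" sections: the minimum update interval with its two exemptions (first-login change and expired password), the notification window before expiry, and a limited number of logins within a period after expiry, using the 3 logins in 15 days figure from the text. The class and field names, the default values, the decision strings and the first-login flag are assumptions; time is passed in explicitly so the behaviour is deterministic.

```python
"""Added example (not H3C code): a deterministic model of the password
lifecycle rules described on this page. Names, defaults and decision strings
are assumptions; all times are passed in explicitly."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LifecyclePolicy:
    expire_days: int = 90            # password lifetime (assumed value)
    notify_days: int = 7             # warn when expiry is this close or closer
    min_update_hours: int = 24       # a user may change the password once per interval
    expired_logins: int = 3          # logins still allowed after expiry ...
    expired_window_days: int = 15    # ... within this many days after expiry


@dataclass
class AccountPassword:
    policy: LifecyclePolicy
    set_time: datetime                        # when the current password was set
    must_change_at_first_login: bool = False  # assumption: models the first-login prompt
    expired_login_count: int = 0

    def expires_at(self) -> datetime:
        return self.set_time + timedelta(days=self.policy.expire_days)

    def login(self, now: datetime) -> tuple[str, str]:
        """Decide a login attempt. Returns (decision, detail) where decision is
        "change" (first login), "allow", "warn" (expires within the notification
        period), "expired" (permitted within the post-expiry allowance) or
        "deny" (a new password is required before login)."""
        if self.must_change_at_first_login:
            return "change", "first login: the password must be changed before use"
        expires = self.expires_at()
        if now < expires:
            remaining = expires - now
            if remaining <= timedelta(days=self.policy.notify_days):
                return "warn", f"password expires in {remaining.days} day(s); change it now or continue"
            return "allow", ""
        window_end = expires + timedelta(days=self.policy.expired_window_days)
        if now <= window_end and self.expired_login_count < self.policy.expired_logins:
            self.expired_login_count += 1
            left = self.policy.expired_logins - self.expired_login_count
            return "expired", f"expired password accepted, {left} such login(s) left"
        return "deny", "password expired; a new password is required before login"

    def change_password(self, now: datetime) -> bool:
        """Apply the minimum update interval. The interval is skipped when the
        user is prompted to change the password at first login or the password
        has expired, as the text states. Returns True if the change is allowed."""
        expired = now >= self.expires_at()
        since_last = now - self.set_time
        if (not expired and not self.must_change_at_first_login
                and since_last < timedelta(hours=self.policy.min_update_hours)):
            return False
        self.set_time = now
        self.must_change_at_first_login = False
        self.expired_login_count = 0
        return True


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)
    acct = AccountPassword(LifecyclePolicy(), set_time=t0)
    for day in (10, 85, 91, 92, 93, 94, 120):
        print(day, acct.login(t0 + timedelta(days=day)))
```

The post-expiry allowance is the part worth replaying: once the three permitted logins are used, or the 15-day window closes, the account is refused until a new password is set, which for FTP users means an administrator has to make the change.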

Password history

This feature allows the system to store passwords that a user has used. When a user changes the password, the system compares the new password with the current password and those stored in the password history records. The new password must be different from the current one and those stored in the history records by a minimum of four different characters. If the new password does not meet this requirement, the system displays an error message and rejects the password change operation.

You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds the setting, the most recent record overwrites the earliest one.

An administrator's current login password is not itself stored in the password history records. Administrator passwords are saved in cipher text, which cannot be recovered to plaintext.
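The following is an added example, not H3C code, of the history rule described above: the last N passwords are kept, and a new password is rejected unless it differs from the current password and from every stored one by at least four characters. Assumptions: "four different characters" is counted as the number of positions at which the two strings differ, with a length difference counted one per extra character; the class name, defaults and reason strings are made up for this example. One caveat a practitioner should notice: a distance comparison against old passwords needs them in a comparable form, so this demonstration keeps them as entered in memory; a real credential store cannot do that with one-way hashed history, and would either keep the history in a separately protected recoverable form or reduce the history check to an exact-reuse test.

```python
"""Added example (not H3C code): password history with a minimum character
difference. The position-wise distance and the names are assumptions."""
from collections import deque


def char_distance(a: str, b: str) -> int:
    """Positions at which a and b differ, plus the length difference (assumed counting rule)."""
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


class PasswordHistory:
    def __init__(self, max_records: int = 4, min_diff: int = 4):
        # deque(maxlen=...) drops the earliest record when a new one would exceed
        # the limit, which is the "most recent overwrites the earliest" rule.
        self.records: deque[str] = deque(maxlen=max_records)
        self.min_diff = min_diff
        self.current: str | None = None

    def change(self, new_password: str) -> tuple[bool, str]:
        """Attempt a password change; returns (accepted, reason)."""
        if self.current is not None:
            if char_distance(new_password, self.current) < self.min_diff:
                return False, "too similar to the current password"
            for old in self.records:
                if char_distance(new_password, old) < self.min_diff:
                    return False, "too similar to a password in the history"
            self.records.append(self.current)   # the replaced password becomes history
        self.current = new_password
        return True, "accepted"


if __name__ == "__main__":
    h = PasswordHistory(max_records=2)
    for pw in ("Initial-Pass1", "Initial-Pass2", "Summer-2024!!",
               "Initial-Pass1", "Winter-2024!!", "Spring-2025!!", "Initial-Pass1"):
        print(pw, "->", h.change(pw), "history:", list(h.records))
```

With `max_records=2` the sequence in the `__main__` block shows the window effect: the original password is refused while it is still in the history and accepted again once two later changes have pushed it out, which is why the record count should be set with the expiration time in mind.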

Login attempt limit

Limiting the number of consecutive login failures can effectively prevent password guessing. To have the user-specific settings for this feature take effect, you must also enable this feature on the global password control configuration page.

Login attempt limit takes effect on FTP and VTY users. It does not take effect on the following types of users:

·     Nonexistent users (users not configured on the device).

·     Users logging in to the device through console ports.

Each time a user fails to log in, the system adds the user account and the user's IP address to the password control blacklist. When the number of consecutive failures reaches the maximum, the system handles the user and account in one of the following ways, depending on the configured lock mode:

·     Lock permanently—Disables the user account until the account is manually removed from the password control blacklist.

·     Not lock—Allows the user to continue using the user account. The user's IP address and user account are removed from the password control blacklist when the user uses this account to successfully log in to the device.

·     Lock temporarily—Disables the user account for a period of time.

The user can use the account to log in when either of the following conditions exist:

¡     The locking timer expires.

¡     The account is manually removed from the password control blacklist before the locking timer expires.

The lock applies only to this account from the blacklisted IP address. Users at other IP addresses can still log in with this account, and the blacklisted user can still log in with other accounts.
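The limiter below is an added example, not H3C code, of the login attempt limit and password control blacklist described above, with the three lock modes. The blacklist is keyed by (account, source IP) as the text describes, console logins and accounts that do not exist are exempt, a successful login removes the record, and manual removal is modelled by an `unlock` method. The class names, the `verify` callback, the result strings and the use of a plain numeric clock are assumptions made for this example.

```python
"""Added example (not H3C code): login attempt limit with a blacklist keyed by
(account, source IP) and the three lock modes described on this page. Class
names, the verify callback and the numeric clock are assumptions."""
import math
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class LockMode(Enum):
    PERMANENT = "lock-permanently"   # until removed from the blacklist manually
    NONE = "not-lock"                # stay blacklisted but keep accepting attempts
    TEMPORARY = "lock-temporarily"   # until the lock timer expires or manual removal


@dataclass
class BlacklistEntry:
    failures: int = 0
    locked_until: Optional[float] = None   # None = not locked, math.inf = permanent


class LoginLimiter:
    def __init__(self, verify: Callable[[str, str], bool], known_users: set[str],
                 max_attempts: int = 3, mode: LockMode = LockMode.TEMPORARY,
                 lock_seconds: float = 60.0):
        self.verify = verify                # credential check supplied by the caller
        self.known_users = known_users      # accounts configured on the device
        self.max_attempts = max_attempts
        self.mode = mode
        self.lock_seconds = lock_seconds
        self.blacklist: dict[tuple[str, str], BlacklistEntry] = {}

    def attempt(self, user: str, ip: str, password: str, now: float,
                via_console: bool = False) -> str:
        """Process one login attempt; returns "ok", "fail" or "locked"."""
        ok = self.verify(user, password)
        # The limit does not apply to console users or to nonexistent accounts.
        if via_console or user not in self.known_users:
            return "ok" if ok else "fail"
        key = (user, ip)
        entry = self.blacklist.get(key)
        if entry is not None and entry.locked_until is not None:
            if now < entry.locked_until:
                return "locked"                  # even a correct password is refused
            entry.failures, entry.locked_until = 0, None   # temporary lock has expired
        if ok:
            self.blacklist.pop(key, None)        # success removes the blacklist record
            return "ok"
        entry = self.blacklist.setdefault(key, BlacklistEntry())
        entry.failures += 1
        if entry.failures >= self.max_attempts and self.mode is not LockMode.NONE:
            entry.locked_until = (math.inf if self.mode is LockMode.PERMANENT
                                  else now + self.lock_seconds)
            return "locked"
        return "fail"

    def unlock(self, user: str, ip: str) -> None:
        """Manual removal from the password control blacklist."""
        self.blacklist.pop((user, ip), None)


if __name__ == "__main__":
    users = {"admin": "Correct-Horse-9!"}    # constructed sample credentials
    lim = LoginLimiter(lambda u, p: users.get(u) == p, set(users), lock_seconds=60)
    for t, pw, ip in ((0, "bad", "10.0.0.5"), (1, "bad", "10.0.0.5"), (2, "bad", "10.0.0.5"),
                      (10, "Correct-Horse-9!", "10.0.0.5"), (10, "Correct-Horse-9!", "10.0.0.9"),
                      (70, "Correct-Horse-9!", "10.0.0.5")):
        print(t, ip, "->", lim.attempt("admin", ip, pw, now=t))
```

The per-(account, IP) key is what makes "other users can still use this account" true while a brute-force source is locked out, and it is also why the limit is an anti-guessing control rather than an account lockout: an attacker rotating source addresses gets a fresh counter each time, so pair it with the Max concurrent logins setting and with source restrictions on the management interfaces.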

 

Maximum account idle time

You can set the maximum account idle time for user accounts. When an account is idle for this period of time since the last successful login, the account becomes invalid.

Password strength management

When an administrator user logs in with a weak password, the device prompts the user to change the password regardless of whether password control is enabled.

·     If mandatory weak password change is enabled, the user must change the weak password to one that passes the strength checks before being allowed to log in to the device.

·     If mandatory weak password change is disabled, the user can ignore the prompt and continue to log in to the device.

The device considers a password weak if it has any of the following characteristics:

·     It is shorter than the minimum password length. For more information, see "Minimum password length."

·     It does not comply with the password composition policy. For more information, see "Password composition check."

·     It contains the username or the username spelled backwards. For more information, see "Password complexity check."

·     It contains three or more consecutive identical characters (this check applies only when password control is enabled). For more information, see "Password complexity check."

Restrictions and guidelines

Restrictions and guidelines: Role-based access control

Any access permission modification for a role takes effect only on users that are logged in with the role after the modification.

Restrictions and guidelines: Password control

·     When a user fails the maximum number of consecutive attempts, the system prevents the user from using the user account to log in through the user's IP address.

·     For password control settings to take effect, you must enable password control. To enable password control, click Password control on the Administrators page to enter the Administrator Password Control page and select Enable password control.

·     The Administrator Password Control page and the User Password Control page share the password control settings. If you change a password control setting on one page, the system automatically synchronizes the new setting to the other page.

·     When the password control feature is enabled, a new password must contain a minimum of four different characters.

·     The following settings can be configured on both the Administrator Password Control page and in the Advanced settings area on the Create Administrator or Edit Administrator page:

¡     Password expiration time.

¡     Minimum password length.

¡     Password complexity policy.

¡     Password composition policy.

¡     Maximum login attempts.

The password control settings on the Administrator Password Control page take effect on all administrators. However, the settings on the Create Administrator or Edit Administrator page have a higher priority than those on the Administrator Password Control page.

Restrictions and guidelines: Password strength management

To enable mandatory weak password change, you must enable a minimum of one password strength check criterion.

The mandatory weak password change feature takes effect only on users that log in to the device after the feature is enabled. The feature does not affect users that have logged in to the device.

Restrictions and guidelines: FTP users

FTP users do not support accounting. These users are not restricted by the value in the Max concurrent logins field.

An FTP user cannot log in to the device with an expired password. FTP users must have their passwords changed by the administrator.
