10-Security Command Reference


AAA commands

General AAA commands

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.

Syntax

aaa session-limit { ftp | ssh | telnet } max-sessions

undo aaa session-limit { ftp | ssh | telnet }

Default

The maximum number of concurrent users is 32 for each user type.

Views

System view

Predefined user roles

network-admin

Parameters

ftp: FTP users.

ssh: SSH users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users. The value range for FTP, SSH, and Telnet services is 1 to 32.

Usage guidelines

When the number of concurrent login users of a user type reaches the configured upper limit, the system denies subsequent login users of that type.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

access-limit

Use access-limit to set the maximum number of users allowed to access an ISP domain.

Use undo access-limit to restore the default.

Syntax

access-limit limit-number

undo access-limit

Default

No limit is placed on the number of users allowed to access an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

limit-number: Specifies the maximum number of users allowed to access the ISP domain. The value range is 1 to 2147483647.

Usage guidelines

This command does not distinguish the service types of users. When the number of concurrent users in an ISP domain reaches the maximum number, the system denies access of subsequent users to the domain.

The maximum number of concurrent login users is also restricted by the aaa session-limit command in system view.

This limit does not affect reauthenticated users.

Examples

# Allow a maximum of 100 users to access ISP domain my-domain.

<Sysname> system-view

[Sysname] domain name my-domain

[Sysname-isp-my-domain] access-limit 100

Related commands

display domain

accounting default

Use accounting default to specify default accounting methods for an ISP domain.

Use undo accounting default to restore the default.

Syntax

accounting default { local [ none ] | none }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local accounting.

none: Does not perform accounting.

Usage guidelines

The default accounting method is used for all users that support this method and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

When the primary accounting method is local, the following rules apply to the accounting of a user:

·     The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

¡     An exception occurs in the local accounting process.

¡     The user account is not configured on the device or the user is not allowed to use the access service.

·     The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.

Examples

# In ISP domain system, use local accounting as the default accounting method.

<Sysname> system-view

[Sysname] domain name system

[Sysname-isp-system] accounting default local

Related commands

local-user

 

accounting login

Use accounting login to specify accounting methods for login users.

Use undo accounting login to restore the default.

Syntax

accounting login { local [ none ] | none }

undo accounting login

Default

The default accounting methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local accounting.

none: Does not perform accounting.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

When the primary accounting method is local, the following rules apply to the accounting of a user:

·     The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

¡     An exception occurs in the local accounting process.

¡     The user account is not configured on the device.

·     The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.

Examples

# In ISP domain system, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain name system

[Sysname-isp-system] accounting login local

Related commands

accounting default

local-user

authentication default

Use authentication default to specify default authentication methods for an ISP domain.

Use undo authentication default to restore the default.

Syntax

authentication default { local [ none ] | none }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authentication.

none: Does not perform authentication.

Usage guidelines

The default authentication method is used for all users that support this method and do not have an authentication method configured.

When the primary authentication method is local, the following rules apply to the authentication of a user:

·     The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

¡     An exception occurs in the local authentication process.

¡     The user account is not configured on the device or the user is not allowed to use the access service.

·     The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.

Examples

# In ISP domain system, use local authentication as the default authentication method.

<Sysname> system-view

[Sysname] domain name system

[Sysname-isp-system] authentication default local

Related commands

local-user

authentication login

Use authentication login to specify authentication methods for login users.

Use undo authentication login to restore the default.

Syntax

authentication login { local [ none ] | none }

undo authentication login

Default

The default authentication methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authentication.

none: Does not perform authentication.

Usage guidelines

When the primary authentication method is local, the following rules apply to the authentication of a user:

·     The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

¡     An exception occurs in the local authentication process.

¡     The user account is not configured on the device or the user is not allowed to use the service for accessing the device.

·     The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
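The fallback rule above (and its twin under authentication default) decides whether a backup method such as none is ever reached. The following Python model is added here and is not part of the H3C reference: it walks a method list such as ["local", "none"] exactly as the guidelines describe, and the user database, service lists, BrokenDB class and outcome names are constructed for illustration. It makes the practical consequence visible: with local none, a wrong password for a known account is rejected outright, but an unknown username (or a database fault) falls through to none and is admitted.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class LocalResult(Enum):
    PASS = "pass"         # credentials verified by the local scheme
    FAIL = "fail"         # account exists, verification failed: no fallback
    INVALID = "invalid"   # account missing, service not allowed, or exception: try backup


@dataclass(frozen=True)
class LocalUser:
    password: str                   # plaintext only for this model
    service_types: FrozenSet[str]   # services the account may use, e.g. {"ssh", "telnet"}


# Constructed sample database; the page shows no user database.
LOCAL_USERS: Dict[str, LocalUser] = {
    "admin": LocalUser("S3cure!pass", frozenset({"ssh", "telnet"})),
    "ftpop": LocalUser("ftp-only-pw", frozenset({"ftp"})),
}


class BrokenDB(dict):
    """Constructed stand-in for 'an exception occurs in the local authentication process'."""
    def get(self, key, default=None):
        raise RuntimeError("local user database unavailable")


def local_authenticate(db, username: str, password: str, service: str) -> LocalResult:
    """Outcome of the local scheme alone, classified by the three cases in the guidelines."""
    user = db.get(username)
    if user is None:
        return LocalResult.INVALID        # account not configured on the device
    if service not in user.service_types:
        return LocalResult.INVALID        # user not allowed to use this access service
    if hmac.compare_digest(user.password.encode(), password.encode()):
        return LocalResult.PASS
    return LocalResult.FAIL               # wrong password: "any other reason", no fallback


def authenticate(methods: List[str], db, username: str, password: str,
                 service: str) -> Tuple[bool, Optional[str], List[str]]:
    """Evaluate a method list in order. Returns (allowed, deciding_method, trace)."""
    trace: List[str] = []
    for method in methods:
        if method == "none":
            trace.append("none: accepted without verification")
            return True, "none", trace
        if method != "local":
            raise ValueError(f"method not modelled here: {method!r}")
        try:
            result = local_authenticate(db, username, password, service)
            reason = "unknown account or service not allowed"
        except Exception as exc:
            result, reason = LocalResult.INVALID, f"exception: {exc}"
        if result is LocalResult.PASS:
            trace.append("local: verified")
            return True, "local", trace
        if result is LocalResult.FAIL:
            trace.append("local: rejected; backup methods are not consulted")
            return False, "local", trace
        trace.append(f"local: invalid ({reason}); trying next method")
    trace.append("method list exhausted")
    return False, None, trace


def backup_none_risk(methods: List[str]) -> bool:
    """True when none follows local: any username absent from the local database
    is then admitted without a password, which is the caveat of 'local none'."""
    return "local" in methods and "none" in methods[methods.index("local") + 1:]


if __name__ == "__main__":
    for user, pw in (("admin", "S3cure!pass"), ("admin", "wrong"), ("nobody", "x")):
        allowed, by, steps = authenticate(["local", "none"], LOCAL_USERS, user, pw, "ssh")
        print(f"{user}/{pw}: allowed={allowed} by={by} :: {' | '.join(steps)}")
```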

Examples

# In ISP domain system, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain name system

[Sysname-isp-system] authentication login local

Related commands

authentication default

local-user

authorization default

Use authorization default to specify default authorization methods for an ISP domain.

Use undo authorization default to restore the default.

Syntax

authorization default { local [ none ] | none }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Non-login users can access the network.

·     Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

·     The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

Usage guidelines

The default authorization method is used for all users that support this method and do not have an authorization method configured.

When the primary authorization method is local, the following rules apply to the authorization of a user:

·     The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡     An exception occurs in the local authorization process.

¡     The user account is not configured on the device or the user is not allowed to use the access service.

·     The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.

Examples

# In ISP domain system, use local authorization as the default authorization method.

<Sysname> system-view

[Sysname] domain name system

[Sysname-isp-system] authorization default local

# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

local-user

authorization login

Use authorization login to specify authorization methods for login users.

Use undo authorization login to restore the default.

Syntax

authorization login { local [ none ] | none }

undo authorization login

Default

The default authorization methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

·     The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

Usage guidelines

When the primary authorization method is local, the following rules apply to the authorization of a user:

·     The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡     An exception occurs in the local authorization process.

¡     The user account is not configured on the device or the user is not allowed to use the service for accessing the device.

·     The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.

Examples

# In ISP domain system, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain name system

[Sysname-isp-system] authorization login local

Related commands

authorization default

local-user

display domain

Use display domain to display ISP domain configuration.

Syntax

display domain [ name isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Usage guidelines

To display load-sharing user groups in an ISP domain and the number of users in each group, you must specify the ISP domain when executing this command.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 1 domains

 

Domain: system

  Current state: Active

  State configuration: Active

  Default authentication scheme:  Local

  Default authorization  scheme:  Local

  Default accounting     scheme:  Local

  Accounting start failure action: Online

  Accounting update failure action: Online

  Accounting quota out policy: Offline

    Send accounting update:Yes

  Service type: HSI

  Session time: Exclude idle time

  DHCPv6-follow-IPv6CP timeout: 60 seconds

  Dual-stack accounting method: Merge

  NAS-ID: N/A

  Web server URL              : Not configured

  Web server URL parameters   : Not configured

  Web server IPv4 address     : Not configured

  Web server IPv6 address     : Not configured

  Redirect active time        : Not configured

  Redirect server IPv4 address: Not configured

  Redirect server IPv6 address: Not configured

  DHCP access user auto-save  : Disabled

  Authorization attributes:

    Idle cut: Disabled

    IGMP access limit: 4

    MLD access limit: 4

  Access limit: Not configured

 

Default domain name: system
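An audit helper for the output format above, added here as an example and not H3C code: it parses each Domain: block of display domain output into key/value settings and flags domains whose default authentication, authorization or accounting scheme is None, or that have no access limit. The guest domain in the embedded sample is constructed for illustration and does not appear on the page; the system domain lines are abridged from the output above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the system block is abridged from the page, guest is invented.
SAMPLE = """\
<Sysname> display domain
Total 2 domains

Domain: system
  Current state: Active
  State configuration: Active
  Default authentication scheme:  Local
  Default authorization  scheme:  Local
  Default accounting     scheme:  Local
  Accounting start failure action: Online
    Send accounting update:Yes
  Web server URL              : Not configured
  Authorization attributes:
    Idle cut: Disabled
  Access limit: Not configured

Domain: guest
  Current state: Active
  State configuration: Active
  Default authentication scheme:  None
  Default authorization  scheme:  None
  Default accounting     scheme:  None
  Access limit: 100

Default domain name: system
"""


def parse_display_domain(text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain_name: {field: value}} from display domain output.

    Fields are the indented 'Key: Value' lines; runs of spaces inside a key
    (e.g. 'Default authorization  scheme') are collapsed so lookups are stable.
    """
    domains: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^Domain:\s*(\S+)$", line)
        if m:
            current = domains.setdefault(m.group(1), {})
            continue
        # Only indented lines belong to the current domain block.
        if current is None or not line.startswith("  ") or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        key = re.sub(r"\s+", " ", key).strip()
        current[key] = value.strip()
    return domains


def audit_domains(domains: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag settings a reviewer would question, as (domain, finding) pairs."""
    findings: List[Tuple[str, str]] = []
    for name, attrs in domains.items():
        for kind in ("authentication", "authorization", "accounting"):
            if attrs.get(f"Default {kind} scheme", "").lower() == "none":
                findings.append((name, f"default {kind} scheme is None"))
        # Without access-limit the domain's user count is bounded only by
        # the system-wide aaa session-limit.
        if attrs.get("Access limit", "").lower() == "not configured":
            findings.append((name, "access-limit not configured"))
    return findings


if __name__ == "__main__":
    for domain, finding in audit_domains(parse_display_domain(SAMPLE)):
        print(f"{domain}: {finding}")
```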

Table 1 Command output

Field

Description

Domain

ISP domain name.

Current state

Current state of the ISP domain:

·     Blocked.

·     Active.

State configuration

State settings of the ISP domain:

·     Active—The ISP domain is set to the active state.

·     Blocked during specific time ranges—The ISP domain is set to the blocked state during the listed time ranges.

·     Blocked—The ISP domain is set to the blocked state.

Time ranges

Time ranges during which the ISP domain is in blocked state.

Online-user logoff

Status for the feature of logging off online users when the state of the ISP domain changes to blocked:

·     Enabled.

·     Disabled.

Default authentication scheme

Default authentication methods.

Default authorization scheme

Default authorization methods.

Default accounting scheme

Default accounting methods.

Login authentication scheme

Authentication methods for login users.

Login authorization scheme

Authorization methods for login users.

Login accounting scheme

Accounting methods for login users.

Super authentication scheme

Authentication methods for obtaining another user role without reconnecting to the device.

Command authorization scheme

Command line authorization methods.

Command accounting scheme

Command line accounting method.

RADIUS

RADIUS scheme.

HWTACACS

HWTACACS scheme.

LDAP

LDAP scheme.

Local

Local scheme.

None

No authentication, no authorization, or no accounting.

Accounting start failure action

Access control for users that encounter accounting-start failures:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

Accounting update failure max-times

Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain.

Accounting update failure action

Access control for users that have failed all their accounting-update attempts:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

Accounting quota out policy

Access control for users that have used up their accounting quotas:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

·     Redirect—Redirects the users to the specified URL.

Redirect URL

URL to which users are redirected when the users have used up their data quotas.

Stop accounting

Whether to send stop-accounting packets for users that have used up their data quotas.

User profile

Name of the user profile assigned to users that have used up their data quotas.

Send accounting update

Whether to send accounting-update packets to refresh users' data quotas:

·     Yes.

·     No.

Service type

Service type of the ISP domain, including HSI, STB, and VoIP.

Session time

Online duration sent to the server for users that went offline due to connection failure or malfunction:

·     Include idle time—The online duration includes the idle timeout period.

·     Exclude idle time—The online duration does not include the idle timeout period.

User address type

Type of IP addresses for users in the ISP domain.

This field is not displayed if no user address type is specified for the ISP domain.

User basic service IP type

Types of IP addresses that PPPoE and L2TP users rely on to use the basic services:

·     IPv4.

·     IPv6.

·     IPv6-PD.

DHCPv6-follow-IPv6CP timeout

This field is not supported in the current software version.

IPv6 address wait timer (in seconds) that starts after IPv6CP negotiation for PPPoE and L2TP users.

IPv6CP interface ID assignment

Whether the device is configured to forcibly assign interface IDs to PPP users during IPv6CP negotiation:

·     Enable—The device is configured to forcibly assign interface IDs to PPP users during IPv6CP negotiation. It ignores the non-zero and non-conflicted interface IDs carried in Configure-Request packets from PPP users.

·     Disable—The device is configured not to forcibly assign interface IDs to PPP users during IPv6CP negotiation. It accepts the non-zero and non-conflicted interface IDs carried in Configure-Request packets from PPP users.

Dual-stack accounting method

Accounting method for dual-stack users:

·     Merge—Merges IPv4 data with IPv6 data for accounting.

·     Separate—Separates IPv4 data from IPv6 data for accounting.

NAS-ID

NAS-ID of the device.

This field displays N/A if no NAS-ID is set in the ISP domain.

Service rate-limit mode

Rate limit mode for EDSG services:

·     Merge—In-band mode. In this mode, the device limits the overall rates of both EDSG traffic and non-EDSG traffic for a user within the available basic bandwidth of the user.

·     Separate—Out-band mode. In this mode, the device limits the rate of EDSG traffic for a user within the independent EDSG bandwidth of the user. The bandwidth for the non-EDSG traffic is not affected.

Web server URL

URL of the Web server.

Web server URL parameters

Parameters added to the URL of the Web server.

format

Format of the MAC address added to the URL of the Web server:

·     XXXXXXXXXXXX (or xxxxxxxxxxxx)—The MAC address is in the one-section format.

·     XXXX-XXXX-XXXX (or xxxx-xxxx-xxxx)—The MAC address is in the three-section format.

·     XX-XX-XX-XX-XX-XX (or xx-xx-xx-xx-xx-xx)—The MAC address is in the six-section format.

The delimiter in the three-section format and the six-section format is configurable.

Web server IPv4 address

IPv4 address of the Web server.

Web server IPv6 address

IPv6 address of the Web server.

Redirect active time

Active period (in seconds) during which all Web visit requests of a user are redirected to the redirect URL.

Redirect server IPv4 address

IPv4 address of the redirect server.

Redirect server IPv6 address

IPv6 address of the redirect server.

DHCP access user auto-save

Status of the automatic DHCP user backup feature.

Authorization attributes

Authorization attributes for users in the ISP domain.

Idle cut

Idle cut feature status:

·     Enabled—The feature is enabled. The device logs off users that do not meet the minimum traffic requirements in an idle timeout period.

·     Disabled—The feature is disabled. It is the default idle cut state.

Idle timeout

Idle timeout period, in minutes.

Flow

Minimum traffic that a login user must generate in an idle timeout period, in bytes.

Traffic direction

Traffic direction for the idle cut feature:

·     Both.

·     Inbound.

·     Outbound.

IP pool

Name of the authorization IPv4 address pool.

IP pool group

Name of the authorization IPv4 address pool group.

User profile

Name of the authorization user profile.

Session group profile

Name of the authorization session group profile.

Inbound CAR

Authorization inbound CAR:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

If no inbound CAR is authorized, this field displays N/A.

Outbound CAR

Authorization outbound CAR:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

If no outbound CAR is authorized, this field displays N/A.

ACL number

Authorization ACL for users.

User group

Authorization user group for users.

IPv6 prefix

Authorization IPv6 address prefix for users.

IPv6 pool

Name of the authorization IPv6 address pool for users.

IPv6 pool group

Name of the authorization IPv6 address pool group for users.

IPv6 ND prefix pool

Name of the authorization prefix pool for users.

Primary DNS server

IPv4 address of the authorization primary DNS server for users.

Secondary DNS server

IPv4 address of the authorization secondary DNS server for users.

Primary DNSV6 server

IPv6 address of the authorization primary DNS server for users.

Secondary DNSV6 server

IPv6 address of the authorization secondary DNS server for users.

URL

Authorization redirect URL for users.

Redirect limit

Maximum number of times the device redirects a user to the redirect URL.

If no limit is set, this field displays Unlimited.

VPN instance

Name of the authorization VPN instance for users.

IGMP access limit

Maximum number of IGMP groups that an IPv4 user is authorized to join concurrently.

MLD access limit

Maximum number of MLD groups that an IPv6 user is authorized to join concurrently.

Inbound user priority

Authorization user priority for users' upstream packets.

Outbound user priority

Authorization user priority for users' downstream packets.

User session timeout

Authorization session timeout time for users, in seconds.

Access limit

Maximum number of users allowed to access the domain.

Load-sharing user groups

Load-sharing user groups and the number of users in each group.

User group and NAT instance bindings

Load-sharing user groups, the number of users in each group, and the NAT instance to which each load-sharing user group is bound.

Table 2 Command output

Field

Description

Domain

ISP domain name.

Current state

This field is not supported in the current software version.

Current state of the ISP domain:

·     Blocked.

·     Active.

State configuration

This field is not supported in the current software version.

State settings of the ISP domain:

·     Active—The ISP domain is set to the active state.

·     Blocked during specific time ranges—The ISP domain is set to the blocked state during the listed time ranges.

·     Blocked—The ISP domain is set to the blocked state.

Default authentication scheme

Default authentication methods.

Default authorization scheme

Default authorization methods.

Default accounting scheme

Default accounting methods.

Login authentication scheme

Authentication methods for login users.

Login authorization scheme

Authorization methods for login users.

Login accounting scheme

Accounting methods for login users.

Local

Local scheme.

None

No authentication, no authorization, or no accounting.

Accounting start failure action

This field is not supported in the current software version.

Access control for users that encounter accounting-start failures:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

Accounting update failure action

This field is not supported in the current software version.

Access control for users that have failed all their accounting-update attempts:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

Accounting quota out policy

This field is not supported in the current software version.

Access control for users that have used up their accounting quotas:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

·     Redirect—Redirects the users to the specified URL.

Send accounting update

This field is not supported in the current software version.

Whether to send accounting-update packets to refresh users' data quotas:

·     Yes.

·     No.

Service type

This field is not supported in the current software version.

Service type of the ISP domain, including HSI, STB, and VoIP.

Session time

This field is not supported in the current software version.

Online duration sent to the server for users that went offline due to connection failure or malfunction:

·     Include idle time—The online duration includes the idle timeout period.

·     Exclude idle time—The online duration does not include the idle timeout period.

DHCPv6-follow-IPv6CP timeout

This field is not supported in the current software version.

IPv6 address wait timer (in seconds) that starts after IPv6CP negotiation for PPPoE and L2TP users.

Dual-stack accounting method

Accounting method for dual-stack users:

·     Merge—Merges IPv4 data with IPv6 data for accounting.

·     Separate—Separates IPv4 data from IPv6 data for accounting.

NAS-ID

This field is not supported in the current software version.

NAS-ID of the device.

This field displays N/A if no NAS-ID is set in the ISP domain.

Web server URL

This field is not supported in the current software version.

URL of the Web server.

Web server URL parameters

This field is not supported in the current software version.

Parameters added to the URL of the Web server.

Web server IPv4 address

This field is not supported in the current software version.

IPv4 address of the Web server.

Web server IPv6 address

This field is not supported in the current software version.

IPv6 address of the Web server.

Redirect active time

This field is not supported in the current software version.

Active period (in seconds) during which all Web visit requests of a user are redirected to the redirect URL.

Redirect server IPv4 address

This field is not supported in the current software version.

IPv4 address of the redirect server.

Redirect server IPv6 address

This field is not supported in the current software version.

IPv6 address of the redirect server.

DHCP access user auto-save

This field is not supported in the current software version.

Status of the automatic DHCP user backup feature.

Authorization attributes

Authorization attributes for users in the ISP domain.

Idle cut

Idle cut feature status:

·     Enabled—The feature is enabled. The device logs off users that do not meet the minimum traffic requirements in an idle timeout period.

·     Disabled—The feature is disabled. It is the default idle cut state.

IGMP access limit

This field is not supported in the current software version.

Maximum number of IGMP groups that an IPv4 user is authorized to join concurrently.

MLD access limit

This field is not supported in the current software version.

Maximum number of MLD groups that an IPv6 user is authorized to join concurrently.

Access limit

Maximum number of users allowed to access the domain.

domain

Use domain to create an ISP domain and enter its view, or enter the view of an existing ISP domain.

Use undo domain to delete an ISP domain.

Syntax

domain name isp-name

undo domain name isp-name

Default

A system-defined ISP domain exists. The domain name is system.

Views

System view

Predefined user roles

network-admin

Parameters

name isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

All ISP domains are in active state when they are created.

You can modify settings for the system-defined ISP domain system, but you cannot delete this domain.

Examples

# Enter the view of ISP domain system.

<Sysname> system-view

[Sysname] domain name system

[Sysname-isp-system]

Related commands

display domain

local-server log change-password-prompt

Use local-server log change-password-prompt to enable password change prompt logging.

Use undo local-server log change-password-prompt to disable password change prompt logging.

Syntax

local-server log change-password-prompt

undo local-server log change-password-prompt

Default

Password change prompt logging is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this feature to enhance the protection of passwords for Telnet, SSH, HTTP, HTTPS, NETCONF over SSH, and NETCONF over SOAP users and improve the system security.

This feature enables the device to generate logs to prompt users to change their weak passwords at an interval of 24 hours and at the users' login.

A password is a weak password if it does not meet the following requirements:

·     Password composition restriction configured by using the password-control composition command.

·     Minimum password length restriction set by using the password-control length command.

·     Password complexity checking policy configured by using the password-control complexity command.

For a NETCONF over SSH or NETCONF over SOAP user, the device also generates a password change prompt log if any of the following conditions exists:

·     The current password of the user is the default password or has expired.

·     The user logs in to the device for the first time or uses a new password to log in after global password control is enabled.

The device will no longer generate password change prompt logs for a user when one of the following conditions exists:

·     The password change prompt logging feature is disabled.

·     The user has changed the password and the new password meets the password control requirements.

·     The enabling status of a related password control feature has changed so the current password of the user meets the password control requirements.

·     The password composition policy or the minimum password length has changed.

You can use the display password-control command to display password control configuration. For more information about password control commands, see "Password control commands."

Examples

# Enable password change prompt logging.

<Sysname> system-view

[Sysname] local-server log change-password-prompt

Related commands

display password-control

password-control complexity

password-control composition

password-control length

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

This command takes effect only when local accounting is configured for the local user. It does not apply to FTP, SFTP, or SCP users, because these users do not support accounting.

Examples

# Set the maximum number of concurrent logins to 5 for the local user account named abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

display local-user

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class manage | idle-cut { disable | enable } | service-type { ftp | ssh | telnet | terminal } | state { active | block } | user-name user-name class manage ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

class: Specifies the local user type.

manage: Device management user.

idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username, a string of 1 to 80 characters. The specified username can be a pure username or contain a domain name (in the format of pure-username@domain-name).

·     The pure username is a case-sensitive string and must meet the following requirements:

¡     Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

¡     Cannot be a, al, or all.

·     The domain name is a case-insensitive string and cannot contain an at sign (@).

Usage guidelines

If you do not specify any parameters, this command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Total 1 local users matched.

 

Device management user root:

  State:                     Active

  Service type:              SSH/Telnet/Terminal

  Access limit:              Enabled           Max access number: 3

  Current access number:     1

  User group:                system

  Bind attributes:

  Authorization attributes:

    Work directory:          flash:

    User role list:          network-admin

  Password control configurations:

    Password aging:          3 days

  Password remaining lifetime: 2 days 12 hours 30 minutes 30 seconds

  Password history was last reset: 0 days ago

Table 3 Command output

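The display local-user listing above is the natural input for a periodic account review. The following Python script is an added example, not part of this reference or of H3C's software: it parses a constructed listing in the format shown above into records and flags active accounts that have cleartext services (Telnet, FTP) enabled, no access-limit configured, or no password aging. The "Access limit: Disabled" line in the constructed sample is an assumption about how an unconfigured limit is shown; adjust the parser if your device prints it differently.

```python
"""Parse a captured 'display local-user' listing and flag weak account settings."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the output format shown in the reference; not a real capture.
# The "Access limit: Disabled" form for an unconfigured limit is an assumption.
SAMPLE_OUTPUT = """\
Total 2 local users matched.

Device management user root:
  State:                     Active
  Service type:              SSH/Telnet/Terminal
  Access limit:              Enabled           Max access number: 3
  Current access number:     1
  User group:                system
  Authorization attributes:
    Work directory:          flash:
    User role list:          network-admin
  Password control configurations:
    Password aging:          3 days

Device management user backup:
  State:                     Active
  Service type:              FTP/Telnet
  Access limit:              Disabled
  Current access number:     0
  User group:                system
  Authorization attributes:
    Work directory:          flash:
    User role list:          network-operator
"""


@dataclass
class LocalUser:
    name: str
    state: str = ""
    services: List[str] = field(default_factory=list)
    access_limit: Optional[int] = None      # None when no access-limit is configured
    password_aging: Optional[str] = None    # None when no aging is shown for the user


_USER_HEADER = re.compile(r"^Device management user (\S+):$")
_MAX_ACCESS = re.compile(r"Max access number:\s*(\d+)")


def parse_local_users(text: str) -> List[LocalUser]:
    """Turn the listing into one LocalUser per 'Device management user' block."""
    users: List[LocalUser] = []
    current: Optional[LocalUser] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = _USER_HEADER.match(line)
        if header:
            current = LocalUser(name=header.group(1))
            users.append(current)
            continue
        if current is None or ":" not in line:
            continue
        # Split on the first colon only; the value may itself contain "Max access number: N".
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "State":
            current.state = value
        elif key == "Service type":
            current.services = value.split("/") if value else []
        elif key == "Access limit":
            m = _MAX_ACCESS.search(value)
            current.access_limit = int(m.group(1)) if m else None
        elif key == "Password aging":
            current.password_aging = value
    return users


# Telnet and FTP carry credentials in cleartext; flag active accounts allowed to use them.
CLEARTEXT_SERVICES = {"Telnet", "FTP"}


def audit_local_users(users: List[LocalUser]) -> dict:
    """Map each username to a list of findings (an empty list means nothing was flagged)."""
    findings = {}
    for user in users:
        issues = []
        if user.state == "Active":
            cleartext = sorted(CLEARTEXT_SERVICES & set(user.services))
            if cleartext:
                issues.append("cleartext services enabled: " + ", ".join(cleartext))
            if user.access_limit is None:
                issues.append("no concurrent-login limit (access-limit not set)")
            if user.password_aging is None:
                issues.append("no password aging configured")
        findings[user.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_local_users(parse_local_users(SAMPLE_OUTPUT)).items():
        print(name, "->", issues or ["ok"])
```

Blocked users are skipped deliberately: a blocked account cannot request services, so its service list is not an immediate exposure, though it still deserves review when the account is re-enabled.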

display user-group

Use display user-group to display user group configuration.

Syntax

display user-group { all | name group-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all user groups.

name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group all

Total 2 user groups matched.

 

User group: system

  Authorization attributes:

    Work directory:          flash:

User group: jj

  Authorization attributes:

    Idle timeout:            2 minutes

    Work directory:          flash:/

    ACL number:              2000

  Password control configurations:

    Password aging:          2 days

# Display information about identity members for all user groups.

<Sysname> display user-group identity-member

Total 2 user groups matched.

 

User group: system

  Identity groups: 0

User group: jj

  Identity groups: 2

  Group ID        Group name

  0xffffffff      group1

  0x567           group2

  Identity users: 2

  User ID         Username

  0x234           user1

  0xffffffff      user2

Table 5 Command output

| Field | Description |
| --- | --- |
| Authorization attributes | Authorization attributes of the user group. |
| Idle timeout | Idle timeout period, in minutes. |
| Session-timeout | Session timeout timer, in minutes. |
| Work directory | Directory that FTP, SFTP, or SCP users in the group can access. |
| ACL number | Authorization ACL. |
| IP pool | IPv4 address pool authorized to the user group. |
| IPv6 prefix | IPv6 address prefix authorized to the user group. |
| IPv6 pool | IPv6 address pool authorized to the user group. |
| Primary DNS server | IPv4 address of the primary DNS server authorized to the user group. |
| Secondary DNS server | IPv4 address of the secondary DNS server authorized to the user group. |
| Primary DNSV6 server | IPv6 address of the primary DNS server authorized to the user group. |
| Secondary DNSV6 server | IPv6 address of the secondary DNS server authorized to the user group. |
| URL | PADM URL for the user group. |
| Subscriber ID | Subscriber ID for the user group. |
| Password control configurations | Password control attributes that are configured for the user group. |
| Password aging | Password expiration time. |
| Password length | Minimum number of characters that a password must contain. |
| Password composition | Password composition policy: the minimum number of character types that a password must contain, and the minimum number of characters from each type in a password. |
| Password complexity | Password complexity checking policy: reject a password that contains the username or the reverse of the username; reject a password that contains any character repeated consecutively three or more times. |
| Maximum login attempts | Maximum number of consecutive failed login attempts. |
| Action for exceeding login attempts | Action to take on the user that failed to log in after using up all login attempts. |
| Identity users | Number of identity users. |
| Identity groups | Number of identity groups. |
| User ID | Identity user ID. |
| Group ID | Identity group ID. |
| Username | Identity user name. |
| Group name | Identity group name. |
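To make the password length, composition, and complexity fields concrete, here is an added Python example (not code from this reference or from the device) that evaluates a candidate password against a policy built from those three fields. The four character classes (uppercase, lowercase, digit, special), the default thresholds, and the case-insensitive username comparison are assumptions of the example; the reference only names the rules, not these details.

```python
"""Check a candidate password against length, composition, and complexity rules."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 10           # "Password length"
    min_char_types: int = 2        # "Password composition": minimum number of character types
    min_per_type: int = 1          # "Password composition": minimum characters from each type
    reject_username: bool = True   # "Password complexity": username or its reverse
    reject_repeats: bool = True    # "Password complexity": one character three or more times in a row


# Character classes for the composition check (an assumed split; the reference does not list them).
_CHAR_TYPES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, username: str,
                   policy: Optional[PasswordPolicy] = None) -> List[str]:
    """Return the list of rules the password violates; an empty list means it passes."""
    policy = policy or PasswordPolicy()
    failures: List[str] = []

    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")

    counts = {name: len(rx.findall(password)) for name, rx in _CHAR_TYPES.items()}
    present = [name for name, count in counts.items() if count > 0]
    if len(present) < policy.min_char_types:
        failures.append(f"fewer than {policy.min_char_types} character types")
    short_types = [name for name in present if counts[name] < policy.min_per_type]
    if short_types:
        failures.append(f"fewer than {policy.min_per_type} characters of type: "
                        + ", ".join(short_types))

    if policy.reject_username and username:
        # Case-insensitive match is an assumption; the reference only says "contains the username".
        lowered, user = password.lower(), username.lower()
        if user in lowered or user[::-1] in lowered:
            failures.append("contains the username or the reverse of the username")

    # Any character followed by two more copies of itself.
    if policy.reject_repeats and re.search(r"(.)\1\1", password):
        failures.append("contains a character repeated three or more times consecutively")

    return failures


if __name__ == "__main__":
    for candidate in ("123456TESTplat&!", "aaa1user1"):
        print(candidate, "->", check_password(candidate, "user1") or ["ok"])
```

The check is intentionally structured so that every violated rule is reported at once, which is what an operator needs when tuning the thresholds for a user group rather than a single pass/fail verdict.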

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to user group system.

Views

Local user view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-user

Use local-user to add a local user and enter its view, or enter the view of an existing local user.

Use undo local-user to delete local users.

Syntax

local-user user-name [ class manage ]

undo local-user { user-name class manage | all [ service-type { ftp | ssh | telnet | terminal } | class manage ] }

Default

No local users exist.

Views

System view

Predefined user roles

network-admin

Parameters

user-name: Specifies the username of a local user, a string of 1 to 80 characters. The specified username can be a pure username or contain a domain name (in the format of pure-username@domain-name).

·     The pure username is a case-sensitive string and must meet the following requirements:

¡     Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

¡     Cannot be a, al, or all.

·     The domain name is a case-insensitive string and cannot contain an at sign (@).

class: Specifies the local user type. If you do not specify this keyword, the command adds a device management user.

manage: Device management user that can configure and monitor the device after login. Device management users can use FTP, Telnet, SSH, and terminal services.

all: Specifies all users.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.
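The username rules stated for the user-name argument here, and identically for display local-user above, are easy to get subtly wrong in provisioning tooling (the pure username is case-sensitive, the domain part is not, and only the first at sign separates the two). The following Python functions are an added example, not code from this reference or from the device: they validate a username against those rules and compare two usernames the way the rules imply. The check that the whole string is 1 to 80 characters and the treatment of an empty domain after the at sign as an error are the example's own reading of the text.

```python
"""Validate and compare local usernames of the form pure-username[@domain-name]."""
from typing import List, Optional, Tuple

# Characters the pure username may not contain, and the names it may not be.
FORBIDDEN_CHARS = set("/\\|*?<>@")
RESERVED_NAMES = {"a", "al", "all"}


def split_username(name: str) -> Tuple[str, Optional[str]]:
    """Split at the first '@'; the domain is None when there is no '@' at all."""
    pure, sep, domain = name.partition("@")
    return pure, (domain if sep else None)


def validate_local_username(name: str) -> List[str]:
    """Return the rule violations for a username; an empty list means it is acceptable."""
    problems: List[str] = []
    if not 1 <= len(name) <= 80:
        problems.append(f"length {len(name)} is outside 1 to 80 characters")
    pure, domain = split_username(name)
    if not pure:
        problems.append("pure username is empty")
    forbidden = sorted(FORBIDDEN_CHARS & set(pure))
    if forbidden:
        problems.append("pure username contains forbidden characters: " + " ".join(forbidden))
    if pure in RESERVED_NAMES:
        problems.append(f"pure username '{pure}' is reserved")
    if domain is not None:
        if not domain:
            # Assumption: an at sign with nothing after it is treated as an error.
            problems.append("domain name is empty")
        elif "@" in domain:
            problems.append("domain name contains an at sign (@)")
    return problems


def same_user(first: str, second: str) -> bool:
    """Pure usernames compare case-sensitively; domain names compare case-insensitively."""
    def normalise(domain: Optional[str]) -> Optional[str]:
        return None if domain is None else domain.lower()

    pure_a, dom_a = split_username(first)
    pure_b, dom_b = split_username(second)
    return pure_a == pure_b and normalise(dom_a) == normalise(dom_b)


if __name__ == "__main__":
    for candidate in ("user1", "user1@corp.example", "all", "bad/name@corp", "u@d@e"):
        print(candidate, "->", validate_local_username(candidate) or ["ok"])
    print(same_user("Bob@Corp", "Bob@corp"), same_user("bob@corp", "Bob@corp"))
```

Because the split happens at the first at sign, a second one necessarily lands in the domain part and is reported there, which matches the rule that neither part may contain an at sign of its own.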

Examples

# Add a device management user named user1 and enter local user view.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

Related commands

display local-user

service-type

password (device management user view)

Use password to configure a password for a device management user.

Use undo password to restore the default.

Syntax

password [ { hash | simple } string ]

undo password

Default

A device management user does not have a password and can pass authentication after entering the correct username and passing attribute checks.

Views

Device management user view

Predefined user roles

network-admin

Parameters

hash: Specifies a password encrypted by the hash algorithm.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password string. This argument is case sensitive. The hashed form of the password is a string of 1 to 110 characters. The plaintext form of the password is a string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, you enter the interactive mode to set a plaintext password.

A device management user for which no password is specified can pass authentication after entering the correct username and passing attribute checks. To enhance security, configure a password for each device management user.

Examples

# Set the password to 123456TESTplat&! in plaintext form for device management user user1.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Configure the password in interactive mode for device management user test.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

Confirm :

Related commands

display local-user

service-type (local user view)

Use service-type to specify the service types that a local user can use.

Use undo service-type to remove service types configured for a local user.

Syntax

service-type { ftp | { ssh | telnet | terminal } * }

undo service-type { ftp | { ssh | telnet | terminal } * }

Default

A local user is authorized to use the SSH and Telnet services.

Views

Local user view

Predefined user roles

network-admin

Parameters

ftp: Authorizes the user to use the FTP service. The authorized directory can be modified by using the authorization-attribute work-directory command.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console port.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local user view

Predefined user roles

network-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Examples

# Place device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter its view, or enter the view of an existing user group.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

A system-defined user group exists. The group name is system.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.

A user group that has local users cannot be deleted.

You can modify settings for the system-defined user group system, but you cannot delete the user group.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group
