R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

NOTE:
If you configure the local-user password-display-mode cipher-force command, all existing local user
passwords will be displayed in cipher text, regardless of the configuration of the password command.
If you also save the configuration and restart the device, all existing local user passwords will always be
displayed in cipher text, no matter how you configure the local-user password-display-mode
command or the password command. The passwords configured after you restore the display mode to
auto by using the local-user password-display-mode auto command, however, are displayed as
defined by the password command.
If the user interface authentication mode (set by the authentication-mode command in user interface
view) is AAA (scheme), which commands a login user can use after login depends on the privilege level
authorized to the user. If the user interface authentication mode is password (password) or no
authentication (none), which commands a login user can use after login depends on the level
configured for the user interface (set by the user privilege level command in user interface view). For an
SSH user using public key authentication, which commands are available depends on the level
configured for the user interface. For more information about user interface authentication mode and
user interface command level, see Getting Started Guide.
You can configure the user profile authorization attribute in local user view, user group view, and ISP
domain view. The setting in local user view has the highest priority, and that in ISP domain view has the
lowest priority.
You cannot delete a local user that is the only security log manager in the system, nor can you change
or delete the security log manager role of the user. To do so, you must specify a new security log
manager first.
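The following is an added example, not part of the HP guide: a small Python audit helper that applies the rules in the NOTE above to work out which command level a login actually receives, and which view supplies the user profile. Function names, field names and the sample logins are hypothetical and constructed for illustration.

```python
# Added example, not from the HP guide. Names and sample data are hypothetical.
SCHEME, PASSWORD, NONE = "scheme", "password", "none"

def effective_command_level(auth_mode, ui_level, authorized_level=None, ssh_publickey=False):
    """Return (level, source) for one login, following the NOTE above."""
    if auth_mode not in (SCHEME, PASSWORD, NONE):
        raise ValueError(f"unknown authentication mode: {auth_mode!r}")
    # password / none, and SSH public key logins: the user interface level applies.
    if ssh_publickey or auth_mode in (PASSWORD, NONE):
        return ui_level, "user-interface"
    # scheme (AAA): the level authorized to the user applies.
    if authorized_level is None:
        raise ValueError("scheme login needs the level authorized to the user")
    return authorized_level, "user"

def effective_user_profile(local_user=None, user_group=None, isp_domain=None):
    """Pick the user profile: local user view first, ISP domain view last."""
    for value, source in ((local_user, "local-user"), (user_group, "user-group"),
                          (isp_domain, "isp-domain")):
        if value is not None:
            return value, source
    return None, None

def audit(logins):
    """Names of logins whose user interface level exceeds the per-user level."""
    findings = []
    for entry in logins:
        wanted = entry.get("authorized_level")
        level, source = effective_command_level(
            entry["auth_mode"], entry["ui_level"],
            wanted, entry.get("ssh_publickey", False))
        if source == "user-interface" and wanted is not None and level > wanted:
            findings.append(entry["name"])
    return findings

# Constructed sample logins (not taken from any real device).
SAMPLE_LOGINS = [
    {"name": "ops-telnet", "auth_mode": SCHEME, "ui_level": 3, "authorized_level": 1},
    {"name": "console", "auth_mode": PASSWORD, "ui_level": 3, "authorized_level": 1},
    {"name": "ssh-key", "auth_mode": SCHEME, "ui_level": 2, "authorized_level": 0,
     "ssh_publickey": True},
    {"name": "aux", "auth_mode": NONE, "ui_level": 0, "authorized_level": 1},
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOGINS))
```

The audit flags logins where the per-user level is bypassed because the user interface level is the one in effect, which is the case to review when applying least privilege.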
Configuring user group attributes
User groups simplify local user configuration and management. A user group comprises a group of local
users and has a set of local user attributes. You can configure local user attributes for a user group to
implement centralized user attributes management for the local users in the group. Configurable user
attributes include authorization attributes.
By default, every newly added local user belongs to the system default user group system and bears all
attributes of the group. To change the user group to which a local user belongs, use the user-group
command in local user view.
Follow these steps to configure attributes for a user group:
To do…                          Use the command…                          Remarks
------------------------------  ----------------------------------------  ------------------------------
Enter system view               system-view
Create a user group and enter   user-group group-name                     Required
user group view
Configure the authorization     authorization-attribute { acl acl-number  Optional
attributes for the user group   | callback-number callback-number |       By default, no authorization
                                idle-cut minute | level level |           attribute is configured for a
                                user-profile profile-name | vlan vlan-id  user group.
                                | work-directory directory-name } *