R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101
165
• Validity time and expiration time
Indicates the validity time and expiration time of a local user account. A user must use a valid local
user account to pass local authentication. When some users need to access the network
temporarily, you can create a guest account and specify a validity time and an expiration time for
the account to control the validity of the account.
• User group
Each local user belongs to a local user group and bears all attributes of the group, such as the
password control attributes and authorization attributes. For more information about local user
group, see "Configuring user group attributes."
• Password control attributes
Password control attributes help you control the security of local users' passwords. Password
control attributes include password aging time, minimum password length, and password
composition policy.
You can configure a password control attribute in system view, user group view, or local user view,
making the attribute effective for all local users, all local users in a group, or only the local user. A
password control attribute with a smaller effective range has a higher priority. For more
information about password management and global password configuration, see " Configuring
password control."
When the firewall is operating in FIPS mode, you must use the password control feature to set
passwords for local users.
• Binding attributes
Binding attributes are used for controlling the scope of users. They are checked during local
authentication of a user. If the attributes of a user do not match the binding attributes configured for
the local user account, the user cannot pass authentication. Binding attributes include the ISDN
calling number, IP address, access port, MAC address, and native VLAN. For more information
about binding attributes, see "Configuring local user attributes." Be
cautious when deciding which
binding attributes to configure for a local user.
• Authorization attributes
Authorization attributes indicate the rights that a user has after passing local authentication.
Authorization attributes include the ACL, PPP callback number, idle cut function, user level, user
role, user profile, VLAN, and FTP/SFTP work directory. For more information about authorization
attributes, see "Configuring local user attributes."
Every c
onfigurable authorization attribute has its definite application environments and purposes.
When you configure authorization attributes for a local user, consider which attributes are needed
and which are not. For example, for PPP users, you do not need to configure the work directory
attribute.
You can configure an authorization attribute in user group view or local user view to make the
attribute effective for all local users in the group or for only the local user. The setting of an
authorization attribute in local user view takes precedence over that in user group view.
Local user configuration task list
Task Remarks
Configuring local user attributes Required
Configuring user group attributes Optional
Displaying and maintaining local users and local user groups Optional