
Creating an Administrator Account (Local Authentication)

This section describes how to create an administrator account for local authentication.

Procedure

  1. Set the authentication mode to AAA for the administrator UI.
    1. Run the system-view command to access the system view.
    2. Run the user-interface [ ui-type ] first-ui-number [ last-ui-number ] command to access the administrator user interface view.
    3. Run the authentication-mode aaa command to set the authentication mode to AAA.
    4. Run the quit command to return to the system view.
  2. Create an administrator.
    1. Run the aaa command to access the AAA view.
    2. Run the manager-user user-name command to configure an administrator account and access the administrator view.
    3. Run the service-type { api | ftp | ssh | telnet | terminal | web } * command to set the service type for the administrator account.

      By default, no service type is specified for an administrator created using the CLI.

      Telnet and FTP carry security risks as service types, so configuring the service type as SSH is recommended.

      Interface access control, the administrator service type, and the services enabled on the device together determine which login methods work. For example, for an administrator to log in using HTTPS through the management interface, the management interface must permit HTTPS access, the administrator account must allow the Web service type, and HTTPS must be enabled on the device. For the detailed configuration procedure, see Configuration Examples for Administrator.

      If the service type of an administrator account is changed from API to FTP/SSH/Telnet/Terminal/Web, or vice versa, any administrator currently logged in with this account is forcibly logged out.

      If the service type of an administrator account is changed among FTP/SSH/Telnet/Terminal/Web, administrators already logged in with this account keep their current service type; the change applies only to administrators who log in afterwards.

      The service types of virtual system administrators can be Web, Telnet, and SSH only.

      The API service type is mutually exclusive with the other service types: if you specify API, you cannot specify any other service type. An API service administrator must be at level 15.

    4. Run the password [ cipher cipher-password ] command to set a password for the administrator account.

      When setting a password, note the following points:

      • The value is a string that contains 8 to 64 characters.
      • To enhance security, a password must meet the minimum strength requirements, that is, it must contain at least three of the following character types: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@), number signs (#), dollar signs ($), and percent signs (%).
      • The password cannot contain more than two identical characters in a row.
      • The password cannot be the same as the administrator name or reverse of the administrator name.
      • Interactive mode is recommended for setting administrator passwords, because passwords configured with the cipher cipher-password parameter are less secure.

    5. Run the quit command to return to the AAA view.
  3. Set the administrator authentication mode to local authentication.

    By default, the authentication scheme is named default and its authentication mode is local (local authentication).

    1. Run the authentication-scheme scheme-name command to create an authentication scheme and access the authentication scheme view.
    2. Run the authentication-mode local command to configure the local authentication.
    3. Run the quit command to return to the AAA view.
  4. Optional: Create an authentication domain.
    1. Run the domain domain-name command to create a domain and access the domain view.
    2. Run the authentication-scheme scheme-name command to bind the authentication scheme to the domain.
    3. Run the service-type administrator-access command to allow administrators to access the authentication domain.
  5. Configure the permission and other attributes for the administrator account.
    1. Control the administrator permission based on the administrator role or level.

      In the AAA view, run the bind manager-user manager-name role role-name command to bind the administrator account to a role.

      If the administrator account is not bound to any role, you can run the level level command in the administrator view to set the administrator level. The FW determines the administrator role from the administrator level according to the following mappings:

      • Level 1 (monitoring level) corresponds to the configuration administrator (monitoring) role.
      • Level 2 (configuration level) corresponds to the configuration administrator role.
      • Levels 3 (management level) to 15 correspond to the system administrator role.
      • The administrator role takes precedence over the administrator level: if an administrator is bound to a role, the administrator level does not take effect.
      • If administrator permission levels are changed, online administrators are forcibly logged out.

    2. Optional: In the administrator view, configure attributes for the administrator account.

      Operation: Configure an FTP directory.
      Command: ftp-directory directory
      NOTE: If administrator FTP directories are changed, the FTP directories of online administrators remain unchanged; the new directories take effect for administrators who log in afterwards.

      Operation: Set the maximum number of users that can be logged in concurrently with the same administrator account.
      Command: access-limit max-number

      Operation: Specify the status of an administrator account. You can specify either of the following parameters:
      • active: The administrator account is available.
      • block: The administrator account is unavailable.
      Command: state { active | block }

      Operation: Bind the administrator account to an ACL. Before binding, run the rule command to configure the ACL rule.
      NOTE: This function does not take effect on server authentication administrators or console login administrators.
      Command: acl-number acl-number

    3. Optional: In the AAA view, enable lockout of administrator accounts that fail authentication.

      This function does not apply to console administrators. After an administrator account is locked, login with that account fails even if the IP address is changed or a different login mode (other than the console port) is used. The account is unlocked only after the lockout duration expires.

      1. Run the lock-authentication enable command to enable the administrator account lockout function.
      2. Run the lock-authentication failed-count count command to set the limit of login authentication attempts.
      3. Run the lock-authentication timeout timeout command to set the lockout duration for administrator accounts.

    4. Optional: In the AAA view, enable the administrator password change function.

      After the password change function is enabled, when an administrator logs in to the FW, the FW prompts the administrator to take the following actions depending on the status of the account and its password:

      • If the administrator logs in to the FW for the first time after the password change function is enabled, the FW prompts for a password change. The administrator can log in only after changing the password.
      • If the administrator's password will expire within 10 days, the FW prompts for a password change. The administrator can change the password immediately or ignore the prompt.
      • If the administrator's password has expired, the FW prompts for a password change. The administrator can log in only after changing the password.

      A new password cannot be the same as any of the 10 most recently used passwords.

      1. Run the manager-user password-modify enable command to enable the administrator password change function.
      2. Run the manager-user password valid-days days command to configure the validity period for administrator passwords.

        The default validity period for administrator passwords is 90 days.
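The password rules listed under the password command in step 2.4, written up as a checker that a practitioner could run before pasting a password into the interactive prompt. This is an added example, not code from the Huawei documentation; it assumes ASCII punctuation is the full special-character set and that the comparison with the administrator name is case-sensitive, neither of which the page specifies.

```python
import re
import string

# Assumption: the full special-character set is ASCII punctuation; the page
# only gives examples (!, @, #, $, %).
SPECIAL = set(string.punctuation)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = 0
    if any("A" <= c <= "Z" for c in password):
        classes += 1
    if any("a" <= c <= "z" for c in password):
        classes += 1
    if any("0" <= c <= "9" for c in password):
        classes += 1
    if any(c in SPECIAL for c in password):
        classes += 1
    return classes


def check_manager_password(username: str, password: str) -> list:
    """Return the rules the password violates (empty list means acceptable).

    Rules as stated for the password command: 8 to 64 characters, at least
    three character classes, no more than two identical characters in a row,
    and not equal to the administrator name or its reverse."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("length must be 8 to 64 characters")
    if character_classes(password) < 3:
        problems.append("must contain at least three character types")
    # (.)\1\1 matches any character repeated three times in a row
    if re.search(r"(.)\1\1", password):
        problems.append("must not contain more than two identical characters in a row")
    # Assumption: the comparison with the administrator name is case-sensitive.
    if password in (username, username[::-1]):
        problems.append("must not equal the administrator name or its reverse")
    return problems


if __name__ == "__main__":
    # Constructed sample credentials for demonstration only.
    for name, pwd in [("admin", "Huawei@123"), ("admin", "huawei123"),
                      ("admin", "Paaassword1!"), ("admin", "nimda")]:
        result = check_manager_password(name, pwd) or ["OK"]
        print(f"{name}/{pwd!r}: {'; '.join(result)}")
```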

Copyright © Huawei Technologies Co., Ltd.