HP A 5120 Manual

    User profile configuration 
    User profile overview 
A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios.
The user profile supports working with 802.1X, MAC, and portal authentications. It is capable of restricting the behaviors of authenticated users. After the authentication server verifies a user, it sends the device the name of the user profile that is associated with the user. The device then applies the configurations in the user profile if the profile is enabled, and allows user access based on all valid configurations. If the user profile is not enabled, the device denies the user access. After the user logs out, the device automatically disables the configurations in the user profile, and the restrictions on the user are removed.
Without user profiles, service applications are based on an interface, a VLAN, or the whole device, and a policy applies to any user that accesses that interface, VLAN, or device. If a user moves between ports to access a device, restricting the user's behavior requires removing the policy from the previous port and then configuring the same policy on the port that the user currently uses. This configuration task is tedious and error prone.
User profiles provide flexible user-based service applications because a user profile is associated with a target user. Every time the user accesses the device, the device automatically applies the configurations in the associated user profile.
    User profile configuration task list 
    Complete the following tasks to configure a user profile: 
Task | Remarks
Creating a user profile | Required
Configuring a user profile | Required
Enabling a user profile | Required

    Creating a user profile 
    Configuration prerequisites 
Before you create a user profile, complete the following tasks:
• Configure authentication parameters on the device.
• Perform configurations on the client, the access device, and the authentication server, for example, username, password, authentication scheme, domain, and binding a user profile with a user.
    Creating a user profile 
Follow these steps to create a user profile:
1. Enter system view
   Command: system-view
2. Create a user profile, and enter its view
   Command: user-profile profile-name
   Remarks: Required. You can also use this command to enter the view of an existing user profile.

    Configuring a user profile 
After a user profile is created, apply a QoS policy in user profile view to implement restrictions on online users. The QoS policy takes effect when the user profile is enabled and a user using the user profile goes online.
Follow these steps to configure a user profile:
1. Enter system view
   Command: system-view
2. Enter user profile view
   Command: user-profile profile-name
   Remarks: Required
3. Apply the QoS policy
   Command: qos apply policy policy-name { inbound | outbound }
   Remarks: Required. The inbound keyword applies the QoS policy to incoming traffic of the switch (traffic sent by online users). The outbound keyword applies the QoS policy to outgoing traffic of the switch (traffic sent to online users).

NOTE:
• If a user profile is enabled but not used by any online user, you can edit only the content of the ACL that is referenced by the QoS policy in the profile. If the user profile is being used by online users, you cannot edit any configuration in the QoS policy.
• The QoS policies that can be applied to user profiles support only the remark, car, and filter actions.
• Do not apply an empty policy in user profile view, because a user profile with an empty policy applied cannot be enabled.
    Enabling a user profile 
Enable a user profile so that the configurations in the profile can be applied by the device to restrict user behaviors. If the device detects that the user profile is disabled, the device denies the associated user even if the user has been verified by the authentication server.
    Follow these steps to enable a user profile: 
1. Enter system view
   Command: system-view
2. Enable a user profile
   Command: user-profile profile-name enable
   Remarks: Required. A user profile is disabled by default.

NOTE:
• You can only edit or remove the configurations in a disabled user profile.
• Disabling a user profile logs out the users that are using the user profile.
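
The enable, disable and editing rules in the notes above all feed into one access decision the device makes after the authentication server returns a profile name. The following Python model is an added example, not code from the HP guide, that encodes those rules so a reader can trace why a verified user is still denied: a missing or disabled profile denies access, a profile with an empty policy cannot be enabled, configuration edits are refused while the profile is enabled (except ACL content when no user is online), and disabling a profile logs out its users. The class and method names (UserProfileTable, authorize, edit_policy_acl) are assumptions for illustration; the switch's internal implementation is not documented.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Added example (not from the HP guide): a model of the documented user profile rules.
# UserProfile, UserProfileTable, authorize and edit_policy_acl are illustrative names.


@dataclass
class UserProfile:
    name: str
    enabled: bool = False                 # "user-profile <name> enable"; disabled by default
    qos_policy: Optional[str] = None      # policy name applied with "qos apply policy"
    online_users: Set[str] = field(default_factory=set)


class UserProfileTable:
    """Holds the profiles of one device and enforces the guide's lifecycle rules."""

    def __init__(self) -> None:
        self.profiles: Dict[str, UserProfile] = {}

    def create(self, name: str) -> UserProfile:
        # "user-profile <name>" creates the profile or enters an existing one
        return self.profiles.setdefault(name, UserProfile(name))

    def apply_policy(self, name: str, policy_name: str) -> Tuple[bool, str]:
        p = self.profiles[name]
        if p.enabled:
            return False, "configurations can only be edited or removed in a disabled profile"
        if not policy_name:   # an empty policy is modelled here as an empty policy name
            return False, "an empty policy cannot be applied in user profile view"
        p.qos_policy = policy_name
        return True, "ok"

    def edit_policy_acl(self, name: str) -> Tuple[bool, str]:
        """Editing only the ACL content referenced by the profile's QoS policy."""
        p = self.profiles[name]
        if p.enabled and p.online_users:
            return False, "profile in use by online users; the QoS policy cannot be edited"
        return True, "ok"   # disabled, or enabled but not used by any online user

    def enable(self, name: str) -> Tuple[bool, str]:
        p = self.profiles[name]
        if not p.qos_policy:
            return False, "a profile with an empty policy cannot be enabled"
        p.enabled = True
        return True, "ok"

    def disable(self, name: str) -> Set[str]:
        """Disabling logs out every user currently using the profile; returns them."""
        p = self.profiles[name]
        logged_out = set(p.online_users)
        p.online_users.clear()
        p.enabled = False
        return logged_out

    def authorize(self, user: str, profile_name: str) -> bool:
        """Access decision once the authentication server has returned a profile name."""
        p = self.profiles.get(profile_name)
        if p is None or not p.enabled:
            return False        # verified by the server, but still denied by the device
        p.online_users.add(user)
        return True

    def logout(self, user: str, profile_name: str) -> None:
        # after logout the profile's restrictions no longer apply to this user
        self.profiles[profile_name].online_users.discard(user)
```

A typical sequence is create, apply_policy, enable, then authorize for each authenticated user; calling enable before apply_policy, or apply_policy after enable, returns the refusal the notes describe.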
    Displaying and maintaining user profile
• Display information about all the created user profiles
   Command: display user-profile [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view

    Password control configuration 
    Password control overview 
Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
    1. Minimum password length 
By setting a minimum password length, you can require users to use passwords that are long enough for system security. If a user specifies a shorter password, the system rejects the setting and prompts the user to specify a password again.
    2. Minimum password update interval 
This function allows you to set the minimum interval at which users can change their passwords. If a non-manage level user logs in to change the password but the time that has elapsed since the last change is less than this interval, the system denies the request. For example, if you set this interval to 48 hours, a non-manage level user cannot change the password twice within 48 hours. This prevents users from changing their passwords too frequently.
NOTE:
• This function is not effective for users of the manage level. For information about user levels, see the Fundamentals Configuration Guide.
• This function is not effective for a user who is prompted to change the password at the first login or a user whose password has just been aged out.
    3. Password aging 
Password aging imposes a lifecycle on a user password. After the password aging time expires, the user needs to change the password.
If a user enters an expired password when logging in, the system displays an error message and prompts the user to provide a new password and to confirm it by entering it again. The new password must be a valid one, and the user must enter exactly the same password when confirming it.
    4. Early notice on pending password expiration 
When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified period. If so, the system notifies the user of the expiry time and provides a choice for the user to change the password. If the user provides a new, qualified password, the system records the new password and the time. If the user chooses to leave the password or fails to change it, the system allows the user to log in using the present password.
NOTE:
Telnet, SSH, and terminal users can change their passwords by themselves. FTP users, on the contrary, can only have their passwords changed by the administrator.
5. Login with an expired password
You can allow a user to log in a certain number of times within a specified period of time after the password expires, so that the user does not need to change the password immediately. For example, if you set the maximum number of logins with an expired password to three and the time period to 15 days, a user can log in three times within 15 days after the password expires.
    6. Password history 
With this feature enabled, the system maintains a certain number of entries of passwords that a user has used. When a user changes the password, the system checks the new password against the used ones to see whether it was used before and, if so, displays an error message.
You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the latest record overwrites the earliest one.
    7. Login attempt limit 
Limiting the number of consecutive failed login attempts can effectively prevent password guessing.
If an FTP or virtual terminal line (VTY) user fails authentication due to a password error, the system adds the user to a blacklist. If a user fails to provide the correct password after the specified number of consecutive attempts, the system takes action as configured:
• Prohibiting the user from logging in until the user is removed from the blacklist manually.
• Allowing the user to try continuously and removing the user from the blacklist when the user logs in to the system successfully or the blacklist entry times out (the blacklist entry aging time is one minute).
• Prohibiting the user from logging in within a configurable period of time, and allowing the user to log in again after the period of time elapses or the user is removed from the blacklist.
NOTE:
• A blacklist can contain up to 1024 entries.
• A login attempt using a wrong username will undoubtedly fail, but the username will not be added into the blacklist.
• Users failing web authentication are not blacklisted. Users accessing the system through the Console or AUX interface are not blacklisted either, because the system is unable to obtain the IP addresses of these users and these users are privileged and relatively secure to the system.
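
The three exceed actions and the notes above describe a small state machine: who gets a blacklist entry, when the entry blocks a login, and how it is cleared. The following Python model is an added example, not code from the HP guide, that implements that behaviour with the guide's defaults (3 attempts, a one-minute wait) and the documented exceptions (Console/AUX users and wrong usernames are never blacklisted; the list holds 1024 entries). LoginBlacklist, attempt and remove are illustrative names; time is passed in as a plain number of seconds so the model runs offline.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added example (not from the HP guide): a model of the login attempt limit and the
# blacklist actions described above. LoginBlacklist, attempt and remove are
# illustrative names; the device's internal data structures are not documented.

BLACKLIST_AGING_SECONDS = 60   # blacklist entry aging time: one minute
BLACKLIST_MAX_ENTRIES = 1024   # a blacklist holds up to 1024 entries
NOT_BLACKLISTED_SOURCES = {"console", "aux"}   # no IP address; privileged, never blacklisted


@dataclass
class Entry:
    failures: int = 0
    last_failure: float = 0.0
    blocked_until: Optional[float] = None   # None: may still try; inf: until manual removal


@dataclass
class LoginBlacklist:
    login_times: int = 3            # password-control login-attempt <login-times> (3 by default)
    action: str = "lock-time"       # exceed { lock | lock-time time | unlock }
    lock_time_seconds: float = 60   # default: wait one minute before trying again
    entries: Dict[str, Entry] = field(default_factory=dict)

    def _age_out(self, now: float) -> None:
        for user, e in list(self.entries.items()):
            if e.blocked_until == float("inf"):
                continue                                  # lock: stays until remove()
            if e.blocked_until is not None:
                if now >= e.blocked_until:
                    del self.entries[user]                # lock-time period elapsed
            elif now - e.last_failure >= BLACKLIST_AGING_SECONDS:
                del self.entries[user]                    # entry timed out

    def remove(self, user: str) -> None:
        """Manual removal from the blacklist by an administrator."""
        self.entries.pop(user, None)

    def attempt(self, user: str, source: str, now: float,
                password_ok: bool, user_exists: bool = True) -> str:
        """Evaluate one login attempt; returns 'ok', 'denied' or 'blocked'."""
        if source in NOT_BLACKLISTED_SOURCES:
            return "ok" if (user_exists and password_ok) else "denied"
        self._age_out(now)
        e = self.entries.get(user)
        if e is not None and e.blocked_until is not None and now < e.blocked_until:
            return "blocked"            # prohibited even with the right password
        if not user_exists:
            return "denied"             # wrong username fails but is never blacklisted
        if password_ok:
            self.entries.pop(user, None)   # successful login clears the entry
            return "ok"
        if e is None:
            if len(self.entries) >= BLACKLIST_MAX_ENTRIES:
                return "denied"         # list full: the attempt fails but is not recorded
            e = self.entries[user] = Entry()
        e.failures += 1
        e.last_failure = now
        if e.failures >= self.login_times:
            if self.action == "lock":
                e.blocked_until = float("inf")
            elif self.action == "lock-time":
                e.blocked_until = now + self.lock_time_seconds
            # "unlock": the user may keep trying; the entry clears on success or times out
        return "denied"
```

With the defaults, three wrong passwords from a VTY session block the fourth attempt even when it carries the right password, and the entry disappears on its own once the minute has passed; with the lock action only remove() clears it.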
    8. Password composition checking 
A password can be a combination of characters from the following four categories:
• Uppercase letters A to Z
• Lowercase letters a to z
• Digits 0 to 9
• 32 special characters including blank space and ~`!@#$%^&*()_+-={}|[]\:";',./
Depending on the system security requirements, you can set the minimum number of categories a password must contain and the minimum number of characters of each category.
Password combination has four levels: 1, 2, 3, and 4, each representing the number of categories that a password must at least contain. Level 1 means that a password must contain characters of one category, level 2 at least two categories, and so on.
When a user sets or changes the password, the system checks whether the password satisfies the composition requirement. If not, the system displays an error message.
    9. Password complexity checking 
A less complicated password, such as a password containing the username or repeated characters, is more likely to be cracked. For higher security, you can configure a password complexity checking policy to ensure that all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password. If the password is not qualified, the system refuses the password and displays a password configuration failure message.
You can impose the following password complexity requirements:
• A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is unqualified.
• No character of the password is repeated three or more times consecutively. For example, the password a111 is not qualified.
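
The minimum length (1), password history (6), composition checking (8) and complexity checking (9) rules are the checks a new password has to pass in order. The Python checker below is an added example, not code from the HP guide, that implements all four against the guide's defaults (10 characters, composition 1/1, four history records) so a password can be tested offline before it is configured, and so the order of refusals is visible. PasswordPolicy, UserRecord and change_password are illustrative names; a real device keeps hashed history records, whereas this model stores plaintext only to stay short.

```python
import string
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example (not from the HP guide): an offline checker for the minimum length,
# composition, complexity and history rules described above. PasswordPolicy,
# UserRecord and change_password are illustrative names. Real devices store
# hashed history records; plaintext is kept here only to keep the model short.

SPECIALS = set(" ~`!@#$%^&*()_+-={}|[]\\:\";',./")   # special-character category from the guide
CATEGORIES = (
    set(string.ascii_uppercase),   # A to Z
    set(string.ascii_lowercase),   # a to z
    set(string.digits),            # 0 to 9
    SPECIALS,
)


@dataclass
class PasswordPolicy:
    min_length: int = 10                 # password-control length (10 characters by default)
    type_number: int = 1                 # password-control composition type-number (1 by default)
    type_length: int = 1                 # ... type-length (1 by default)
    check_user_name: bool = False        # password-control complexity user-name check
    check_same_character: bool = False   # password-control complexity same-character check
    history_max: int = 4                 # password-control history max-record-num (4 by default)


@dataclass
class UserRecord:
    username: str
    history: List[str] = field(default_factory=list)   # oldest first


def composition_ok(password: str, policy: PasswordPolicy) -> bool:
    """At least type_number categories, each contributing at least type_length characters."""
    counts = [sum(1 for c in password if c in cat) for cat in CATEGORIES]
    qualifying = sum(1 for n in counts if n >= policy.type_length)
    return qualifying >= policy.type_number


def has_run_of_three(password: str) -> bool:
    """True if any character appears three or more times consecutively (e.g. a111)."""
    return any(password[i] == password[i + 1] == password[i + 2]
               for i in range(len(password) - 2))


def complexity_ok(password: str, username: str, policy: PasswordPolicy) -> bool:
    if policy.check_user_name and (username in password or username[::-1] in password):
        return False                 # e.g. abc982 or 2cba for username abc
    if policy.check_same_character and has_run_of_three(password):
        return False
    return True


def change_password(user: UserRecord, new_password: str,
                    policy: PasswordPolicy) -> Tuple[bool, str]:
    """Apply the checks in order and, on success, record the password in the history."""
    if len(new_password) < policy.min_length:
        return False, "shorter than the minimum password length"
    if not composition_ok(new_password, policy):
        return False, "composition requirement not met"
    if not complexity_ok(new_password, user.username, policy):
        return False, "complexity requirement not met"
    if new_password in user.history:
        return False, "password was used before"
    user.history.append(new_password)
    if len(user.history) > policy.history_max:
        user.history.pop(0)          # the latest record overwrites the earliest one
    return True, "ok"
```

The history check also shows the consequence of a small max-record-num: once more passwords than the record limit have been accepted, the earliest one has been overwritten and is accepted again.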
    10. Password display in the form of a string of * 
    For the sake of security, the password a user enters is displayed in the form of a string of *. 
    11. Authentication timeout management 
The authentication period is from when the server obtains the username to when the server finishes authenticating the user's password. If a Telnet user fails to log in within the configured period of time, the system tears down the connection.
    12. Maximum account idle time 
You can set the maximum account idle time so that an account that stays idle for this period of time becomes invalid and can no longer log in. For example, if you set the maximum account idle time to 60 days and the user of the account test has never logged in successfully within 60 days after the last successful login, the account becomes invalid.
    13. Logging 
    The system logs all successful password changing events and user blacklisting events due to login failures. 
    Password control configuration task list 
The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities:
• Global settings in system view apply to all local user passwords and super passwords.
• Settings in user group view apply to the passwords of all local users in the user group.
• Settings in local user view apply to only the password of the local user.
• Settings for super passwords apply to only super passwords.
The four types of settings have different priorities:
• For local user passwords, the settings with a smaller application range have a higher priority.
• For super passwords, the settings configured specifically for super passwords, if any, override those configured in system view.
    Complete the following tasks to configure password control: 
Task | Remarks
Enabling password control | Required
Setting global password control parameters | Optional
Setting user group password control parameters | Optional
Setting local user password control parameters | Optional
Setting super password control parameters | Optional
Setting a local user password in interactive mode | Optional

    Configuring password control 
    Enabling password control 
    To enable password control functions, you need to: 
    1. Enable the password control feature in system view. Only after the password control feature is 
    enabled globally, can password control configurations take effect. 
2. Enable password control functions. Some password control functions need to be enabled individually after the password control feature is enabled globally. These functions include:
   • Password aging
   • Minimum password length
   • Password history
   • Password composition checking
You must enable a function for its relevant configurations to take effect.
    Follow these steps to enable password control: 
1. Enter system view
   Command: system-view
2. Enable the password control feature
   Command: password-control enable
   Remarks: Required. Disabled by default.
3. Enable a password control function individually
   Command: password-control { aging | composition | history | length } enable
   Remarks: Optional. All of the four password control functions are enabled by default.

     NOTE: 
    After global password control is enabled, local user passwords configured on the device are not 
    displayed when you use the corresponding display command.  
    Setting global password control parameters 
    Follow these steps to set global password control parameters: 
1. Enter system view
   Command: system-view
2. Set the password aging time
   Command: password-control aging aging-time
   Remarks: Optional. 90 days by default.
3. Set the minimum password update interval
   Command: password-control password update interval interval
   Remarks: Optional. 24 hours by default.
4. Set the minimum password length
   Command: password-control length length
   Remarks: Optional. 10 characters by default.
5. Configure the password composition policy
   Command: password-control composition type-number policy-type [ type-length type-length ]
   Remarks: Optional. By default, the minimum number of password composition types is 1 and the minimum number of characters of a password composition type is 1 too.
6. Configure the password complexity checking policy
   Command: password-control complexity { same-character | user-name } check
   Remarks: Optional. By default, the system does not perform password complexity checking.
7. Set the maximum number of history password records for each user
   Command: password-control history max-record-num
   Remarks: Optional. 4 by default.
8. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts
   Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
   Remarks: Optional. By default, the maximum number of login attempts is 3, and a user failing to log in after the specified number of attempts must wait for one minute before trying again.
9. Set the number of days during which the user is warned of the pending password expiration
   Command: password-control alert-before-expire alert-time
   Remarks: Optional. 7 days by default.
10. Set the maximum number of days and maximum number of times that a user can log in after the password expires
   Command: password-control expired-user-login delay delay times times
   Remarks: Optional. By default, a user can log in three times within 30 days after the password expires.
11. Set the authentication timeout time
   Command: password-control authentication-timeout authentication-timeout
   Remarks: Optional. 60 seconds by default.
12. Set the maximum account idle time
   Command: password-control login idle-time idle-time
   Remarks: Optional. 90 days by default.

     CAUTION: 
    The specified action to be taken after a user fails to log in for the specified number of attempts takes 
    effect immediately, and can affect the users already in the blacklist. Other configurations take effect 
    only for users logging in later and passwords configured later.  
    Setting user group password control parameters 
Follow these steps to set password control parameters for a user group:
1. Enter system view
   Command: system-view
2. Create a user group and enter user group view
   Command: user-group group-name
3. Configure the password aging time for the user group
   Command: password-control aging aging-time
   Remarks: Optional. By default, the password aging time configured in system view is used.
4. Configure the minimum password length for the user group
   Command: password-control length length
   Remarks: Optional. By default, the minimum password length configured in system view is used.
5. Configure the password composition policy for the user group
   Command: password-control composition type-number type-number [ type-length type-length ]
   Remarks: Optional. By default, the password composition policy configured in system view is used.

    Setting local user password control parameters 
    Follow these steps to set password control parameters for a local user: 
1. Enter system view
   Command: system-view
2. Create a local user and enter local user view
   Command: local-user user-name
3. Configure the password aging time for the local user
   Command: password-control aging aging-time
   Remarks: Optional. By default, the setting for the user group to which the local user belongs is used; if no aging time is configured for the user group, the setting in system view is used.
4. Configure the minimum password length for the local user
   Command: password-control length length
   Remarks: Optional. By default, the setting for the user group to which the local user belongs is used; if no minimum password length is configured for the user group, the setting in system view is used.
5. Configure the password composition policy for the local user
   Command: password-control composition type-number type-number [ type-length type-length ]
   Remarks: Optional. By default, the settings for the user group to which the local user belongs are used; if no password composition policy is configured for the user group, the settings in system view are used.

Setting super password control parameters
NOTE:
• CLI commands fall into four levels: visit, monitor, system, and manage, in ascending order. Accordingly, login users fall into four levels, each corresponding to a command level. A user of a certain level can only use the commands at that level or lower levels.
• To switch from a lower user level to a higher one, a user needs to enter a password for authentication. This password is called a “super password”. For details on super passwords, see the Fundamentals Configuration Guide.
    Follow these steps to set super password control parameters: 
1. Enter system view
   Command: system-view
2. Set the password aging time for super passwords
   Command: password-control super aging aging-time
   Remarks: Optional. 90 days by default.
3. Configure the minimum length for super passwords
   Command: password-control super length length
   Remarks: Optional. 10 characters by default.
4. Configure the password composition policy for super passwords
   Command: password-control super composition type-number type-number [ type-length type-length ]
   Remarks: Optional. By default, the minimum number of password composition types is 1 and the minimum number of characters of a password composition type is 1 too.

    Setting a local user password in interactive mode 
You can set a password for a local user in interactive mode. When doing so, you need to confirm the password.
    Follow these steps to set a password for a local user in interactive mode: 
1. Enter system view
   Command: system-view
2. Create a local user and enter local user view
   Command: local-user user-name
3. Set the password for the local user in interactive mode
   Command: password
   Remarks: Required

    Displaying and maintaining password control 
• Display password control configuration information
   Command: display password-control [ super ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view