Managing Local Users

Policy Manager lists all local users in the Local Users page. You can also add, import, export, set password policies, and configure the conditions for disabling accounts for the local users using the links provided at the top-right corner of the Local Users page.

To add a local user in the Local Users table:

1. Navigate to Configuration > Identity > Local Users.The Local Users page opens.

Figure 1  Local Users Page

2. Click the Add link at the top-right corner the page. The Add Local User page opens (see Figure 2).

Figure 2  Adding a Local User

3. Specify the Add Local User parameters as described in the following table, then click Add:

Adding a Local User Parameters
Parameter Action/Description

User ID

Specify the local user's user ID.

Name

Enter the local user's name.

Password/ Verify Password

Specify a password for the local user, then verify the password.

Enable User

You must enable this check box to enable the local user account. Otherwise, the local user account is disabled.

Change Password

Enable this check box to allow the user to change the password at the next TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  login (after authenticating with the old password).

Once the password is changed successfully, this option is automatically disabled.

NOTE: The option to change the password on the next login is applicable for network device administration logins using TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  only.

Role

Select a static role to be assigned to the user from the Role drop-down list.

Attributes

 

To add attributes for the local users, click Click to add...

A new row is created with a drop-down list in the Attribute column. This field is optional. The list of local user attributes are:

Department

Designation

Email

Phone

Sponsor

Title

1. To add a custom attribute in the Attribute column, select an attribute from the drop-down list or enter any string.

NOTE: If you add a new custom attribute, it is available for selection in the Attribute drop-down list for all local users.

2. In the Value column, enter a value for the attribute specified in the corresponding row.

NOTE: All attributes entered for a local user are available in the role-mapping rules editor under the LocalUser namespace.
When you click Add, you return to the Local User page where the following message is displayed:
User <username> added successfully

To modify a local user account:

1. Navigate to the Configuration > Identity > Local Users page.

2. Click the User ID row that you want to edit. The Edit Local User window opens.

Figure 3  Modifying a Local User

3. Modify any values as necessary in the Edit Local User dialog.

4. Click Save.

You can import or export the admin user accounts by using the Import and Export All links at the top-right corner of the Local Users page. ( For more information, see Importing and Exporting Information.) After selecting one or more user accounts from the list, you can also export specific user accounts by clicking the Export button .

 

The passwords of the local user accounts are not stored in clear text when exported to an XML Extensible Markup Language. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. file.

To set password policies for the local users:

1. Navigate to the Configuration > Identity > Local Users page.

2. Click the Account Settings link. The Account Settings page opens.

Figure 4  Account Settings > Password Policy Settings Dialog

3. Specify the Password Policy parameters as described in Table 1, then click Save.

Table 1: Password Policy Parameters

Parameter

Action/Description

Minimum Length

Specify the minimum length required for the password.

Complexity

Select the complexity setting from the Complexity drop-down list. The complexity settings can be one of the following:

No password complexity requirement

At least one uppercase and one lowercase letter

At least one digit

At lease one letter and one digit

At least one of each: uppercase letter, lowercase letter, digit

At least one symbol

At least one of each: uppercase letter, lowercase letter, digit, and symbol

Disallowed Characters

Specify the characters not to be allowed in the password.

NOTE: Password characters validation takes effect for users created or modified after changes are saved.

Disallowed Words (CSV Comma-Separated Values. A file format that stores tabular data in the plain text format separated by commas.)

Specify the words not to be allowed in the password. Separate the disallowed words with commas.

Additional Checks

Select any additional checks, if required. The options are:

May not contain User ID or its characters in reversed order.

May not contain a repeated character four or more times consecutively.

Expiry Days

Set the password expiration time for local users. The allowed range is 0 to 500 days. The default value is 0.

NOTE: If the value is set to 0, the password never expires. For any other value, local users will have to reset the expired password through the Policy Manager user interface. Policy Manager alerts users five days before the password expires.

History

Specify the number of previous passwords for this user to be compared against. This option prevents users from setting a password that was used recently. Valid options are from 1 to 99.

Reminder

Configure the reminder message. Setting this option displays a reminder after n days to change the password. The valid options are from 1 to 365. When set, this option only displays a reminder; it does not prompt for a new password. The message to be displayed can be set accordingly.

NOTE: The Reminder parameter is applicable for TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  authentication only. The other settings are applied to all users.

Table 2: Password Policy Parameters

Parameter

Action/Description

Minimum Length

Specify the minimum length required for the password.

Complexity

Select the complexity setting from the Complexity drop-down list. The complexity settings can be one of the following:

No password complexity requirement

At least one uppercase and one lowercase letter

At least one digit

At lease one letter and one digit

At least one of each: uppercase letter, lowercase letter, digit

At least one symbol

At least one of each: uppercase letter, lowercase letter, digit, and symbol

Disallowed Characters

Specify the characters not to be allowed in the password.

NOTE: Password characters validation takes effect for users created or modified after changes are saved.

Disallowed Words (CSV Comma-Separated Values. A file format that stores tabular data in the plain text format separated by commas.)

Specify the words not to be allowed in the password. Separate the disallowed words with commas.

Additional Checks

Select any additional checks, if required. The options are:

May not contain User ID or its characters in reversed order.

May not contain a repeated character four or more times consecutively.

Expiry Days

Set the password expiration time for local users.

The allowed range is 0 to 500 days. The default value is 0.

NOTE: If the value is set to 0, the password never expires. For any other value, local users must reset the expired password when they log in and local users will have to reset the expired password through the Policy Manager user interface. Policy Manager alerts users five days before the password expires.

History

Specify the number of previous passwords for this user to be compared against. This option prevents users from setting a password that was used recently. Valid options are from 1 to 99.

Reminder

Configure the reminder message. Setting this option displays a reminder after n days to change the password. The valid options are from 1 to 365. When set, this option only displays a reminder; it does not prompt for a new password. The message to be displayed can be set accordingly.

NOTE: The Reminder parameter is applicable for TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  authentication only. The other settings are applied to all users.

Disabling a local user account can happen in two ways:

When a local user tries to log in with an invalid password for a configured number of times defined by the Failed attempts count parameter, the local user account is locked.

 

If the mechanism for logging in to Policy ManagerPolicy Manager is Certificate + Password, the local user is allowed to enter the password even if the certificate is invalid.

When the local user tries to log in with an invalid user certificate for a configured number of times defined by the Failed attempts count parameter, the local user account is disabled.

 

A local user’s failed login attempts are counted only when the Password_Mismatch, Password_Not_Available, and User_Authentication_Failed error messages occur.

To reset the Failed attempts count and enable a disabled local user account, click the Reset button (see Table 3). For Local users whose accounts are locked due to account settings validations, and whose accounts are enabled again after being locked out, entries are logged in both the Audit Viewer (see Audit Viewer) and the Event Viewer (see Event Viewer).

The Disable Account check occurs every day at midnight, except for the Failed attempts count. Other local user configuration settings are applied to all local users.

To specify the conditions for disabling local user accounts:

1. Navigate to Configuration > Identity > Local Users.

2. Click the Account Settings link. The Account Settings page opens.

3. Select the Disable Accounts tab. The Disable Accounts dialog opens.

Figure 5  Disable Accounts Dialog

4. Specify the Disable Accounts parameters as described in Table 3, then click Save.

Table 3: Disable Accounts Parameters

Parameter

Action/Description

Days Exceed

Specify the number of days before the account is disabled.

The range is from 1 to 100 days.

Date Exceeds

Specify the date when local users are disabled when the current date exceeds the configured date. The configured date can either be the current system date or a future date. Entering a date prior to the current date is not supported.

Password not changed for

Specify the number of days allowed before the password must be changed

The range is from 1 to 365 days.

Failed attempts count

Specify the number of failed log-in attempts are allowed before the account is disabled. The range is from 1 to 100 attempts.

Reset failed attempts count

To reset the failed attempts count to zero and reenable those local users who were disabled after exceeding the failed attempts count, click Reset.