Creating accounts with different permissions on the USG2000&5000

4

Create accounts with different permissions on the USG2000&5000 as follows:

1. Perform as follows to create services of different permissions in the CLI:

system-view
Enter system view, return user view with Ctrl+Z.

[USG5100]aaa

[USG5100-aaa]local-user admin service-type ?
dot1x 802.1X user
ftp FTP user
ppp Indicate PPP user
ssh SSH user
telnet Telnet user
terminal Terminal user
web Web authentication user
//This indicates service permissions that can be allocated to the user.//
[USG5100-aaa]local-user admin service-type telnet web
//This indicates allocating web and Telnet access permissions to the admin account.//

Other related questions:
Creating accounts of different service types on the USG6000
Create accounts of different service types on the USG6000 as follows: 1. Perform as follows to create services of different permissions in the CLI: system-view Enter system view, return user view with Ctrl+Z. [sysname]aaa [sysname-aaa]manager-user admin [sysname-aaa-manager-user-admin]service-type ? ftp FTP user ssh SSH user telnet Telnet user terminal Terminal user web Web authentication user //Select corresponding permissions based on your requirements.// [sysname-aaa-manager-user-admin]service-type ssh telnet web //Configure the ssh telnet web permission for the admin account.

Login method if the account and password are forgotten for the USG2000&5000 series
Upon the factory delivery, default administrator account admin and password Admin@123 are provided for the access to the USG2000&5000 series in three modes: Telnet, web UI, and console port.

ACLs for the USG2000&5000
An access control list (ACL) is a general tool for traffic matching. It can filter and match traffic in terms of MAC addresses, IP addresses, protocols, and time ranges. ACL Rule and Matching Order In common cases, any security function can reference multiple ACLs. Therefore, overlaps and conflicts may occur among the traffic defined by these ACLs. Additionally, to effectively use the ACL, an ACL contains multiple ACL rules, each of which can specify certain traffic, and define the permit or deny action accordingly. As a result, the traffic defined by these rules may overlap and actions for overlapped traffic may conflict with each other. Therefore, it is necessary to specify the matching orders of ACLs and of multiple rules in an ACL. The matching orders on the USG are as follows: ? ACLs applied to the same function in the same direction are matched according to the configuration time. The earlier the ACL is created; the earlier it is matched. Once the matching succeeds, no subsequent matching is performed. ? ACL rules in the same ACL are matched according to the specified matching type. Two matching types are available: ? Automatic order: indicates automatic matching. It is also called minimal matching or in-depth matching. Actions are performed according to the rule with the minimal matching range. For example, rule 1 allows packets at 192.168.1.0/24 through; rule 2 denies packets at 192.168.1.100. In this case, the final action for packets at 192.168.1.100 is deny. This is because the IP address range specified by rule 2 is smaller and more accurate. ? Configuration order: indicates that ACL rules are matched based on the rule ID. It is the default matching mode. The smaller the rule ID is; the earlier the matching occurs. Once the matching succeeds, no subsequent matching is performed. Step and Dynamic Insertion of an ACL Rule After an ACL rule is created, its ID cannot be changed. Therefore, it is difficult for you to manually adjust matching orders of rules in ACLs in configuration order mode. You can only delete existing rules and create new ones. To address this issue, the step function is added. During the creation of an ACL rule, if no rule ID is specified, the system automatically assigns a rule ID. Rule IDs increase based on the step. For example, the step is 5. If you create a rule but do not assign a rule ID, the system automatically assigns the minimal ID (which is larger than that of the previous rule and its number takes 5 as the base and increases by 5) to the rule. Suppose that you do not specify the rule ID for rule 1, the system assigns 5 to the rule. When creating rule 2, you assign 12 to it. Then you do not specify the rule ID for rule 3. In this case, the system assigns 15 (larger than 12) to it. Therefore, the IDs of three rules in the ACL are 5, 12, and 15 respectively. After the step mechanism is used, rule IDs are reserved for rules in an ACL for the further use. In this example, to ensure that rule 4 takes effect between rule 2 and rule 3, you can specify 13 as the ID for the rule during the creation. Through the dynamic insertion of new rules between two rules, you can control the valid sequences of rules in the ACL.

Configuring ACLs for the USG2000&5000
The USG2000&5000 series supports configuring ACLs using the CLI. acl [ number ] acl-number [ vpn-instance vpn-instance-name ] [ match-order { config | auto } ] undo acl { all | [ number ] acl-number } The default matching order is config. An access control list contains a series of rules with permit or deny statements. You need to first create an access control list and then configure its rules. Example # Create an ACL numbered 2000. system-view [sysname] acl number 2000 [sysname-acl-basic-2000]

Method used to delete unnecessary accounts from the USG2000&5000 series
1. Check the device accounts and identify unnecessary ones. display local-user ---------------------------------------------------------------------------- Username State Type CAR Access-limit Online L2TP-IP Vpn-instance ---------------------------------------------------------------------------- admin Active PWTM Dft No 4 --- public ---------------------------------------------------------------------------- Total 1,1 printed 2. Delete unnecessary accounts. [sysname] aaa [sysname-aaa] undo local-user user-name

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top