Updated on 2023-04-11 GMT+08:00

Configuring User Login Restrictions

Overview

To effectively reduce security risks caused by user account leakage, CBH allows you to enable or disable multifactor verification, set the account validity period, and configure login limit by time range, IP address, and MAC address.

  • Multifactor verification: authenticates user login by SMS, OTP token, or USB key as well as password.
  • Period of validity: determines the validity period of a user account for logging in to the CBH system.
  • Login limit by time: allows or forbids a user account to log in to the CBH system during the specified time range.
  • Login limit by IP address: allows logins to the CBH system only from specified IP addresses, or forbids logins from them.
  • Login limit by MAC address: allows logins to the CBH system only from specified MAC addresses on a LAN, or forbids logins from them.

Constraints

  • To use the Mobile OTP authentication, ensure that the CBH system time and the mobile phone system time are synchronized, accurate to the second. Otherwise, the mobile OTP authentication will fail.
  • The built-in SMS gateway has restrictions on the frequency and number of SMS messages that can be sent. To avoid these restrictions, use a third-party SMS gateway. For more details, see Configuring SMS Message Outgoing.
  • MAC addresses belong to the data link layer and are used for LAN addressing. The parameter MAC Limit takes effect only on the LAN.
  • If multifactor verification is configured for the admin user, the first login will fail. Submit a service ticket for technical support to deselect all multifactor verification options.

Prerequisites

  • You have the operation permissions for the User module.
  • To enable Mobile OTP in multifactor verification, bind a mobile OTP to the user account in Profile. Otherwise, the user account cannot be used to log in to the system.

Procedure

  1. Log in to the CBH system.
  2. Choose User > User in the navigation pane.
  3. Click the login name of the user whose information you want to change, or click Manage in the row of the user in the Operation column.
  4. Click Edit in the User Setting area.

    Figure 1 Editing user setting
    Table 1 User login limit parameters

    Parameter

    Description

    Multifactor Verification

    Specifies the authentication methods for users to log in to the CBH system. The options are Mobile SMS, Mobile OTP, USBKey, and OTP token.

    • By default, all options are deselected. If no options are selected, only the local password is used for identity authentication.
    • Mobile SMS: Mobile SMS can be enabled in multifactor verification only after a mobile number is bound to the user account for receiving SMS messages.
    • Mobile OTP: To make the mobile OTP authentication take effect, bind a mobile OTP to the user account in Profile first.
    • USBKey: To make the USBKey multifactor verification take effect, relate the user account to an issued USB Key. For details, see Issuing a USB Key.
    • OTP token: To make the OTP token authentication take effect, relate the user account to an OTP token. For details, see Issuing an OTP Token.

    Period of validity

    Specifies the validity period of the user account.

    Logon Time Limit

    Specifies the allowed or forbidden login time range. The time limit is set by the day and the hour.

    Edit IP limit

    Specifies the IP address or IP address range to be blacklisted or whitelisted.

    • Blacklist: forbids all user logins from the specified IP address or IP address range.
    • Whitelist: allows only user logins from the specified IP address or IP address range.
    • Blacklist-Multifactor Verification for within the List: allows you to configure the IP address or IP address range for the blacklist. Users whose IP addresses or IP address ranges are in the blacklist are allowed to log in to the CBH system only when multifactor verification is configured for them.
    • Blacklist-Multifactor Verification for beyond the List: allows you to configure the IP address or IP address range for the whitelist. Users whose IP addresses or IP address ranges are not in the whitelist are allowed to log in to the CBH system only when multifactor verification is configured for them.
    • If no IP address is specified, there is no IP-based login limit.

    MAC Limit

    Specifies the MAC address or address range to be blacklisted or whitelisted.

    • Blacklist: forbids all logins to the CBH system from the configured MAC addresses.
    • Whitelist: allows logins to the CBH system only from the configured MAC addresses.
    • If no MAC address is specified, there is no login limit by MAC address.

  5. Click OK. You can view the user login configurations on the user details page.
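As an added illustration (not CBH's own code or configuration), the following Python models the decision that the four IP limit modes and the day/hour time limit from Table 1 produce for one login attempt; the mode names, return strings and the sample user record are assumptions made for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the login limits in Table 1 (IP limit modes and the
# day/hour time limit); names and return values are assumptions, not CBH's.
BLACKLIST = "blacklist"
WHITELIST = "whitelist"
MFA_WITHIN = "blacklist_mfa_within"   # listed sources need multifactor
MFA_BEYOND = "blacklist_mfa_beyond"   # unlisted sources need multifactor

def in_ranges(ip, ranges):
    """True if ip is inside any configured address or CIDR range."""
    addr = ip_address(ip)
    return any(addr in ip_network(r, strict=False) for r in ranges)

def ip_limit(mode, ranges, ip, mfa_configured):
    """Return 'allow', 'allow_with_mfa' or 'deny' for one source IP."""
    if not ranges:                      # no addresses: no IP-based limit
        return "allow"
    listed = in_ranges(ip, ranges)
    if mode == BLACKLIST:
        return "deny" if listed else "allow"
    if mode == WHITELIST:
        return "allow" if listed else "deny"
    # hybrid modes: one side of the list may log in only with multifactor
    needs_mfa = listed if mode == MFA_WITHIN else not listed
    if not needs_mfa:
        return "allow"
    return "allow_with_mfa" if mfa_configured else "deny"

def time_limit(policy, allowed, weekday, hour):
    """policy maps weekday (0=Monday) to the set of hours it covers.

    allowed=True: login only inside those hours; False: never inside them.
    """
    inside = hour in policy.get(weekday, set())
    return inside if allowed else not inside

def login_allowed(user, ip, weekday, hour):
    """Apply the time limit first, then the IP limit, for one attempt."""
    if not time_limit(user["time_policy"], user["time_allowed"], weekday, hour):
        return "deny"
    return ip_limit(user["ip_mode"], user["ip_ranges"], ip, user["mfa"])

# Constructed sample user: office hours only, multifactor required off-LAN
USER = {"ip_mode": MFA_BEYOND, "ip_ranges": ["192.168.1.0/24"], "mfa": True,
        "time_allowed": True,
        "time_policy": {d: set(range(9, 18)) for d in range(5)}}
```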

Batch Changing User Login Configurations

  1. Log in to the CBH system.
  2. In the navigation pane on the left, choose User > User to go to the user list page.
  3. Select the user accounts you want to edit and click More in the lower left corner.

    Figure 2 Batch editing login configurations

  4. Edit or disable multifactor verification configuration for several users at a time.

    1. Click Edit multifactor.
      Figure 3 Batch editing multifactor verification
    2. In the displayed Edit Multifactor Verification dialog box, select or deselect one or more multifactor verification methods.
    3. Click OK.

  5. Edit or disable period of validity for several users at a time.

    1. Click Edit validity period.
      Figure 4 Batch changing user account validity period
    2. In the displayed Edit period of validity dialog box, select Edit StartTime or Edit EndTime and specify the time. If you deselect the check box, the corresponding validity period configuration is disabled.
    3. Click OK.

  6. Edit login limit configurations for several users at a time.

    1. Click Edit time limit.
      Figure 5 Edit time limit
    2. In the displayed Edit time limit dialog box, select Allowed or Forbidden and specify time limit by the day and hour.
    3. Click OK.

  7. Edit or disable IP address login limit for several users at a time.

    1. Click Edit IP limit.
      Figure 6 Edit IP limit
    2. In the displayed Edit IP limit dialog box, select Blacklist or Whitelist and enter or delete the IP address or address range.
    3. Click OK.

  8. Edit or disable the MAC login limit for several users at a time.

    1. Click Edit MAC limit.
      Figure 7 Edit MAC limit
    2. In the displayed Edit MAC limit dialog box, select Blacklist or Whitelist and enter or delete the MAC address.
    3. Click OK.