576 CHAPTER 30: PASSWORD CONTROL CONFIGURATION OPERATIONS
Password Control Configuration
This section contains configuration information on Password Control.
Configuration Prerequisites
A user PC is connected to the switch to be configured; both devices are operating normally.
Configuration Tasks
The following sections describe the configuration tasks for password control:
■ Configuring Password Aging
■ Configuring the Limitation of Minimum Password Length
■ Configuring History Password Recording
■ Configuring a User Login Password in Encryption Mode
■ Configuring Login Attempts Limitation and Failure Processing Mode
■ Configuring the Timeout Time for Users to Be Authenticated
After the above configuration, you can execute the display password-control command in any view to check the information about the password control for all users, including the enable/disable state of password aging, the aging time, the alert time before password expiration; the enable/disable state of the minimum password
Table 634 Functions provided by password control (continued)

Function: Login attempt limitation and failure processing
Description: You can use this function to enable the switch to limit the number of login attempts allowed for each user.
If the number of login attempts exceeds the configured maximum number, the user fails to log in. In this case, the switch operates in one of the following processing modes:
1. Inhibit the user from re-logging in within a certain time period. After the period, the user is allowed to log into the switch again.
2. Inhibit the user from re-logging in forever. The user is allowed to log into the switch again only after the administrator manually removes the user from the user blacklist.
3. Allow the user to log in again without any inhibition.
By default, the switch adopts the first mode, but you can specify the processing mode as needed.
Application: Telnet, SSH, and FTP passwords: the limitation and all three processing modes are applicable. Super passwords: the limitation and the first processing mode are applicable.

Function: User blacklist
Description: If the maximum number of attempts is exceeded, the user cannot log into the switch and is added to the blacklist by the switch. No user in the blacklist is allowed to log into the switch.
For a user inhibited from logging in for a certain time period, the switch removes the user from the blacklist when the time period expires.
For a user inhibited from logging in forever, the switch provides a command that allows the administrator to manually remove the user from the blacklist.
The blacklist is saved in the RAM of the switch, so it is lost when the switch reboots.
The blacklist can be hot-backed up so that it stays synchronized between the primary and secondary SRP cards of the switch.
Application: —

Function: System logging
Description: The switch automatically logs the following events:
1. Successful user login: the switch logs the user name, user IP address, and VTY ID.
2. Inhibition of a user due to an ACL rule: the switch logs the user IP address.
3. User authentication failure: the switch logs the user name, user IP address, VTY ID, and failure reason.
Application: No configuration is needed for this function.
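The following Python model is an added illustration of the login-attempt limitation, the three failure-processing modes, the RAM-resident user blacklist and the login/failure logging described in the table above; it is not the switch's code and does not use the switch's CLI. The attempt limit, lockout period, user names and addresses are constructed values, and the decision to restart the failure counter once the limit has been handled, and to log a blacklist rejection as an authentication failure with reason "user in blacklist", are assumptions made here for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class FailureMode(Enum):
    """The three processing modes listed in the table."""
    INHIBIT_FOR_PERIOD = 1  # default: blacklist, released automatically after the period
    INHIBIT_FOREVER = 2     # blacklist until an administrator removes the user
    NO_INHIBITION = 3       # the attempt fails, but the user is never blacklisted


@dataclass
class PasswordControl:
    max_attempts: int = 3                 # constructed default, not the switch's
    mode: FailureMode = FailureMode.INHIBIT_FOR_PERIOD
    lockout_seconds: int = 60             # constructed default, not the switch's
    # Volatile state. On the switch the blacklist lives in RAM, so reboot() clears it.
    failures: Dict[str, int] = field(default_factory=dict)
    blacklist: Dict[str, Optional[float]] = field(default_factory=dict)  # user -> release time; None = forever
    log: List[dict] = field(default_factory=list)

    def _release_expired(self, now: float) -> None:
        """Timed entries leave the blacklist once their period has passed."""
        for user, release in list(self.blacklist.items()):
            if release is not None and now >= release:
                del self.blacklist[user]

    def login(self, user: str, ip: str, vty: int, password_ok: bool, now: float) -> bool:
        """Process one login attempt and return whether it succeeded."""
        self._release_expired(now)
        if user in self.blacklist:
            # Assumption: a blacklist rejection is logged as an authentication failure.
            self.log.append({"event": "auth-failure", "user": user, "ip": ip,
                             "vty": vty, "reason": "user in blacklist"})
            return False
        if password_ok:
            self.failures.pop(user, None)
            # Successful login: user name, IP address and VTY ID are logged.
            self.log.append({"event": "login-success", "user": user, "ip": ip, "vty": vty})
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        # Authentication failure: user name, IP address, VTY ID and reason are logged.
        self.log.append({"event": "auth-failure", "user": user, "ip": ip,
                         "vty": vty, "reason": "bad password"})
        if count >= self.max_attempts:
            self.failures.pop(user, None)  # assumption: the counter restarts here
            if self.mode is FailureMode.INHIBIT_FOR_PERIOD:
                self.blacklist[user] = now + self.lockout_seconds
            elif self.mode is FailureMode.INHIBIT_FOREVER:
                self.blacklist[user] = None
            # NO_INHIBITION: nothing more happens; the next attempt is judged afresh
        return False

    def admin_remove(self, user: str) -> bool:
        """Administrator manually removes a user from the blacklist."""
        if user in self.blacklist:
            del self.blacklist[user]
            return True
        return False

    def reboot(self) -> None:
        """The blacklist is kept in RAM, so a reboot discards it."""
        self.failures.clear()
        self.blacklist.clear()


if __name__ == "__main__":
    pc = PasswordControl(max_attempts=3, lockout_seconds=60)
    for t in (0.0, 1.0, 2.0):
        pc.login("alice", "10.0.0.5", 0, False, t)   # three bad passwords
    print("blacklisted:", "alice" in pc.blacklist)  # True
    print("login at t=30:", pc.login("alice", "10.0.0.5", 0, True, 30.0))  # False
    print("login at t=62:", pc.login("alice", "10.0.0.5", 0, True, 62.0))  # True
    for entry in pc.log:
        print(entry)
```

Running the block walks one user through the default mode: three failures place the user on the blacklist, a correct password is still rejected while the period runs, and the same password is accepted once the period has elapsed. Changing `mode` to `INHIBIT_FOREVER` makes the entry persist until `admin_remove()` is called, and `reboot()` shows why a blacklist kept only in RAM does not survive a restart.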