Fabric OS Administrator’s Guide 93
53-1001763-02
Password policies 5

Password expiration policy

The password expiration policy forces expiration of a password after a configurable period of time,
and is enforced across all user accounts. A warning that password expiration is approaching is
displayed when the user logs in. When a user’s password expires, he or she must change the
password to complete the authentication process and open a user session. You can specify the
number of days prior to password expiration during which warnings will commence. Password
expiration does not disable or lock out the account.
Use the following attributes to set the password expiration policy:
MinPasswordAge
Specifies the minimum number of days that must elapse before a user can change a
password. MinPasswordAge values range from 0 to 999. The default value is zero. Setting this
parameter to a non-zero value discourages users from rapidly changing a password in order to
circumvent the password history setting to select a recently-used password. The
MinPasswordAge policy is not enforced when an administrator changes the password for
another user.
MaxPasswordAge
Specifies the maximum number of days that can elapse before a password must be changed,
and is also known as the password expiration period. MaxPasswordAge values range from 0 to
999. The default value is zero. Setting this parameter to zero disables password expiration.
Warning
Specifies the number of days prior to password expiration that a warning about password
expiration is displayed. Warning values range from 0 to 999. The default value is 0 days.
NOTE
When MaxPasswordAge is set to a non-zero value, MinPasswordAge and Warning must be set
to a value that is less than or equal to MaxPasswordAge.

Account lockout policy

The account lockout policy disables a user account when that user exceeds a specified number of
failed login attempts, and is enforced across all user accounts. You can configure this policy to
keep the account locked until explicit administrative action is taken to unlock it, or the locked
account can be automatically unlocked after a specified period. Administrators can unlock a locked
account at any time.
A failed login attempt counter is maintained for each user on each switch instance. The counters
for all user accounts are reset to zero when the account lockout policy is enabled. The counter for
an individual account is reset to zero when the account is unlocked after a lockout duration period
expires.
The admin account can also have the lockout policy enabled on it. The admin account lockout
policy is disabled by default and uses the same lockout threshold as the other roles. It can be
automatically unlocked after the lockout duration passes or when it is manually unlocked by either
a user account that has a securityAdmin or other Admin role.
Virtual Fabric considerations: The home logical fabric context is used to validate user enforcement
for the account lockout policy.