OS6860(E)_AOS_8.1.1.R01_Switch_Management_Guide
Managing Switch User Accounts
Configuring Global User Lockout Settings
The following user lockout settings configured for the switch apply to all user accounts:
• Lockout window—the length of time a failed login attempt is aged before it is no longer counted as a failed attempt.
• Lockout threshold—the number of failed login attempts allowed within a given lockout window period of time.
• Lockout duration—the length of time a user account remains locked until it is automatically unlocked.
In addition to the above lockout settings, the network administrator also has the ability to manually lock and unlock user accounts. The following subsections describe how to configure user lockout settings and how to manually lock and unlock user accounts.
Note. Only the admin user is allowed to configure user lockout settings. The admin account is protected from lockout; therefore, it is always available.
Lockout settings are saved automatically; that is, these settings do not require the issu slot command to save user settings over a reboot. To view the current lockout settings configured for the switch, use the show user lockout-setting command.
For more information about this command and those used in the configuration examples throughout this section, see the OmniSwitch CLI Reference Guide.
Configuring the User Lockout Window
The lockout window is a moving observation window of time in which failed login attempts are counted. If the number of failed login attempts exceeds the lockout threshold setting (see “Configuring the User Lockout Threshold Number” on page 6-13) during any given observation window, the user account is locked out of the switch.
Note that if a failed login attempt ages beyond the observation window, that attempt is no longer counted towards the threshold number. For example, if the lockout window is set for 10 minutes and a failed login attempt occurred 11 minutes ago, then that attempt has aged beyond the lockout window time and is not counted. In addition, the failed login count is decremented when the failed attempt ages out.
If the lockout window is set to 0, there is no observation window: failed login attempts are never aged out and the failed login count is never decremented. To configure the lockout window time, in minutes, use the user lockout-window command. For example:
-> user lockout-window 30
Do not configure an observation window time period that is greater than the lockout duration time period (see “Configuring the User Lockout Duration Time” on page 6-14).
Configuring the User Lockout Threshold Number
The lockout threshold number specifies the number of failed login attempts allowed during any given lockout window period of time (see “Configuring the User Lockout Window” on page 6-13). For example, if the lockout window is set for 30 minutes and the threshold number is set for 3 failed login attempts, then the user is locked out when 3 failed login attempts occur within a 30 minute time frame.
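The interaction of the lockout window, threshold and duration described above, as a small Python model. This is an added example, not AOS code: the class and function names are hypothetical, the failure times and the 60-minute duration are constructed, and it assumes the account locks when the count reaches the threshold (as in the 30-minute, 3-attempt example), that an attempt ages out once it is older than the window, and that the count restarts on automatic unlock.

```python
from collections import deque

class LockoutModel:
    """Toy model of the window / threshold / duration settings, in minutes."""

    def __init__(self, window, threshold, duration):
        if window > duration:
            # The guide says not to set the window longer than the duration.
            raise ValueError("lockout window exceeds lockout duration")
        self.window, self.threshold, self.duration = window, threshold, duration
        self.failures = deque()   # times of failed logins still being counted
        self.locked_at = None     # minute the account was locked, or None

    def is_locked(self, now):
        if self.locked_at is not None and now - self.locked_at >= self.duration:
            self.locked_at = None     # automatic unlock after the duration
            self.failures.clear()     # assumption: the count restarts on unlock
        return self.locked_at is not None

    def failed_login(self, now):
        """Record a failed login at minute `now`; return the current count."""
        if self.is_locked(now):
            return len(self.failures)   # assumption: not counted while locked
        # Age out old failures; a window of 0 means nothing ever ages out.
        while self.window and self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()     # each aged-out attempt decrements the count
        self.failures.append(now)
        if len(self.failures) >= self.threshold:   # assumption: lock on reaching it
            self.locked_at = now
        return len(self.failures)

def replay(window, threshold, duration, minutes):
    """Feed constructed failure times (minutes) in; return (count, locked) per event."""
    model = LockoutModel(window, threshold, duration)
    return [(model.failed_login(t), model.is_locked(t)) for t in minutes]

if __name__ == "__main__":
    print(replay(30, 3, 60, [0, 10, 20]))    # three failures inside 30 minutes
    print(replay(30, 3, 60, [0, 20, 40]))    # first failure ages out before the third
    print(replay(0, 3, 60, [0, 500, 5000]))  # window 0: failures never age out
```

The second replay shows why widely spaced failures never trip the lock with a non-zero window, while the third shows that a window of 0 lets failures accumulate indefinitely.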
OmniSwitch AOS Release 8 Switch Management Guide May 2014 page 6-13