576 CHAPTER 30: PASSWORD CONTROL CONFIGURATION OPERATIONS
Password Control Configuration
This section contains configuration information on Password Control.
Configuration Prerequisites
A user PC is connected to the switch to be configured; both devices are operating normally.
Configuration Tasks
The following sections describe the configuration tasks for password control:
■ Configuring Password Aging
■ Configuring the Limitation of Minimum Password Length
■ Configuring History Password Recording
■ Configuring a User Login Password in Encryption Mode
■ Configuring Login Attempts Limitation and Failure Processing Mode
■ Configuring the Timeout Time for Users to be authenticated
After the above configuration, you can execute the display password-control command in any view to check the information about the password control for all users, including the enable/disable state of password aging, the aging time, the alert time before password expiration; the enable/disable state of the minimum password
Table 634 Functions provided by password control (continued)

Function: Login attempt limitation and failure processing
Description: You can use this function to enable the switch to limit the number of login attempts allowed for each user.
If the number of login attempts exceeds the configured maximum number, the user fails to log in. In this case, the switch operates in one of the following processing modes:
1 Inhibit the user from re-logging in within a certain time period. After the period, the user is allowed to log into the switch again.
2 Inhibit the user from re-logging in forever. The user is allowed to log into the switch again only after the administrator manually removes the user from the user blacklist.
3 Allow the user to log in again without any inhibition.
By default, the switch adopts the first mode, but you can specify the processing mode as needed.
Application: Telnet, SSH, and FTP passwords: the limitation and all three modes of processing are applicable.
Super passwords: the limitation and the first mode of processing are applicable.

Function: User blacklist
Description: If the maximum number of attempts is exceeded, the user cannot log into the switch and is added to the blacklist by the switch. All users in the blacklist are not allowed to log into the switch.
For a user inhibited from logging in for a certain time period, the switch removes the user from the blacklist when the time period expires.
For a user inhibited from logging in forever, the switch provides a command which allows the administrator to manually remove the user from the blacklist.
The blacklist is saved in the RAM of the switch, so it is lost when the switch reboots.
The blacklist can be hot-backed up so that it stays synchronized between the primary and secondary SRP cards of the switch.
Application: —

Function: System logging
Description: The switch automatically logs the following events:
1 Successful user login: The switch logs the user name, user IP address, and VTY ID.
2 Inhibition of a user due to an ACL rule: The switch logs the user IP address.
3 User authentication failure: The switch logs the user name, user IP address, VTY ID, and failure reason.
Application: No configuration is needed for this function.
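The three failure processing modes and the RAM-only blacklist described in the table, modelled as an added Python example (not 3Com code and not switch configuration). The class and constant names, the threshold semantics (a user is listed on reaching the maximum) and all sample values are assumptions of this example.

```python
import time

# Processing modes in the table's order; names are this example's own.
# NO_INHIBIT is modelled as "no blocking entry is created" (assumption).
LOCK_TIMED, LOCK_FOREVER, NO_INHIBIT = 1, 2, 3

class LoginLimiter:
    """Model of login-attempt limitation with a RAM-only user blacklist."""

    def __init__(self, max_attempts=3, mode=LOCK_TIMED, lock_seconds=120, clock=time.monotonic):
        # max_attempts and lock_seconds are constructed values, not switch defaults.
        self.max_attempts, self.mode = max_attempts, mode
        self.lock_seconds, self.clock = lock_seconds, clock
        self.failures = {}    # user -> failed attempts counted so far
        self.blacklist = {}   # user -> expiry time, or None for "forever"

    def is_blocked(self, user):
        if user not in self.blacklist:
            return False
        expiry = self.blacklist[user]
        if expiry is not None and self.clock() >= expiry:
            del self.blacklist[user]   # timed entry is removed when it expires
            return False
        return True

    def attempt(self, user, password_ok, super_password=False):
        """Return 'ok', 'failed' or 'blocked' for one login attempt."""
        if self.is_blocked(user):
            return "blocked"
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:   # threshold semantics assumed
            self.failures.pop(user)
            # Super passwords: only the first processing mode is applicable.
            mode = LOCK_TIMED if super_password else self.mode
            if mode == LOCK_TIMED:
                self.blacklist[user] = self.clock() + self.lock_seconds
            elif mode == LOCK_FOREVER:
                self.blacklist[user] = None
        return "failed"

    def admin_remove(self, user):
        """Manual removal by the administrator; the only exit from LOCK_FOREVER."""
        return self.blacklist.pop(user, False) is not False

    def reboot(self):
        """The blacklist is held in RAM, so a reboot clears every entry."""
        self.blacklist.clear()
```

Running the model shows that a "forever" entry lasts only until the next reboot or manual removal, which matters when the permanent mode is relied on to stop password guessing.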