User Account and Password Management
Enterasys C3 Configuration Guide 5-3
– 0 to 40 characters are supported.
– If the substring-match-len option is set to zero, no substring matching will be performed when validating new passwords.
If the substring-match-len option is configured with a nonzero length, any substring of the specified length appearing in the current password for this user may not appear in a new password.
If the configured history size is nonzero, then all historical passwords up to that size will also be compared with the input of the new password. Any substring of the configured length appearing in any of the historical passwords may not be used in the new password.
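The substring-match-len and history-size rules above are easy to misread, so here is a model of them as an added example (not Enterasys code). The policy field names, the case-sensitive comparison, and the assumption that the history list is ordered oldest to newest (so "up to that size" means the most recent entries) are mine; the guide does not state those details.

```python
# Added example, not Enterasys code: a model of the substring-match-len,
# history-size and 40-character checks described in the guide. The policy
# field names and the case-sensitive comparison are assumptions; the guide
# does not say how the switch compares characters.
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class PasswordPolicy:
    substring_match_len: int = 0   # 0 disables substring matching
    history_size: int = 0          # 0 disables comparison against old passwords
    max_length: int = 40           # the guide supports 0 to 40 characters


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def substrings_of(text: str, length: int) -> Set[str]:
    """Every contiguous substring of exactly `length` characters."""
    if length <= 0 or length > len(text):
        return set()
    return {text[i:i + length] for i in range(len(text) - length + 1)}


def check_new_password(policy: PasswordPolicy, new_password: str,
                       current_password: str, history: List[str]) -> Verdict:
    """Apply the policy; `history` is ordered oldest to newest (assumption).

    Only the most recent `history_size` entries are compared, which is how
    this example reads "historical passwords up to that size".
    """
    reasons = []
    if len(new_password) > policy.max_length:
        reasons.append(f"longer than {policy.max_length} characters")

    n = policy.substring_match_len
    if n > 0:
        compared = {"the current password": current_password}
        if policy.history_size > 0:
            recent = history[-policy.history_size:]
            for idx, old in enumerate(recent, start=1):
                compared[f"history entry {idx}"] = old
        new_subs = substrings_of(new_password, n)
        for label, old in compared.items():
            shared = sorted(new_subs & substrings_of(old, n))
            if shared:
                reasons.append(
                    f"reuses {n}-character substring(s) {shared} from {label}")

    return Verdict(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    policy = PasswordPolicy(substring_match_len=3, history_size=2)
    old = ["Summer2022!", "Spring2021!"]
    for candidate in ("Winter99", "Summer!x", "Zq7#pLm"):
        v = check_new_password(policy, candidate, "Winter2023!", old)
        print(candidate, "accepted" if v.accepted else v.reasons)
```

With a match length of 3, "Winter99" is refused because "Win", "int", "nte" and "ter" all occur in the current password, and "Summer!x" is refused because "Sum" occurs in a password still inside the history window; shrinking the history size to 1 drops the older entry from the comparison and "Summer!x" passes. Setting the match length to 0 turns the check off entirely, which is the weak configuration to watch for in an audit.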
• The switch allows you to specify if new users are required to change their password upon first login (see “set system password change-first-login” on page 5-13).
• When local authentication without RADIUS authentication is enabled, a login delay of at least 4 seconds is supported when a user fails to authenticate using SSH, Telnet, or CLI.
• Enterasys edge switches support the following account lockout features (see “set system lockout” on page 5-18):
– Lockout based on the number of failed login attempts. Valid values are 1 to 15 for Normal security mode and 2 to 5 for C2 security mode.
- When a read-only or read-write user makes the configured number of failed attempts, that user is disabled, and cannot log back in until re-enabled by a super-user.
- When a super-user makes the configured number of failed attempts, that user is locked out for the configured lockout period.
– Lockout based on a period of inactivity. Valid values for the period of inactivity are 0 to 65565 days. A value of 0 indicates no inactivity checking.
- When a read-only or read-write user session is inactive for the configured period of time, that user is disabled, and cannot log back in until re-enabled by a super-user.
- Super-user accounts are not affected by inactivity checking.
– A configurable lockout period for super-user accounts of 0 to 65565 minutes. Note that only super-user accounts are temporarily locked out for a configured period. Read-only and read-write accounts are disabled and must be enabled by a super-user.
– A trap is generated when the threshold for the number of failed login attempts is met.
• The switch supports a "port lockout" mechanism within the lockout feature. When enabled, the system monitors the results of all login attempts, including RADIUS, using SSH or Telnet, and on the console port. Separate counts are maintained for each interface — local and network/remote (SSH, Telnet, or WebView).
When the number of sequential failed attempts equals the maximum configured attempts for any user, the lockout will be applied (as configured) to all login attempts made through the given interface (SSH, Telnet, or the console port).
– Any successful login will restart the count.
– By default, port lockout is disabled.
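The account-lockout rules and the port-lockout rules interact (a disabled read-write account, a time-limited super-user lockout, and a per-interface lockout can all be in force at once), so here is a model of both as an added example that is not Enterasys code. The class and method names, the minute-based clock, the outcome strings, and the choice to hold a locked interface closed for the configured super-user lockout period are all assumptions; the guide only says the lockout is applied "as configured". Inactivity-based disabling is not modelled.

```python
# Added example, not Enterasys code: a model of the per-user lockout and the
# "port lockout" behaviour described in the guide. Names, the minute-based
# clock and the use of the configured lockout period for a locked interface
# are assumptions; inactivity-based disabling is not modelled.
from dataclasses import dataclass
from typing import Dict, List, Optional


def valid_attempt_range(security_mode: str):
    """Allowed failed-attempt thresholds: 1..15 (Normal) or 2..5 (C2)."""
    return (2, 5) if security_mode == "C2" else (1, 15)


@dataclass
class LockoutConfig:
    max_attempts: int = 3            # failed attempts before lockout
    lockout_period_min: int = 15     # super-user lockout, 0..65565 minutes
    port_lockout: bool = False       # disabled by default, as the guide states
    security_mode: str = "Normal"

    def __post_init__(self):
        lo, hi = valid_attempt_range(self.security_mode)
        if not lo <= self.max_attempts <= hi:
            raise ValueError(f"max_attempts must be {lo}..{hi} in {self.security_mode} mode")


@dataclass
class User:
    role: str                        # "read-only", "read-write" or "super-user"
    failures: int = 0
    disabled: bool = False           # non-super-users: cleared only by a super-user
    locked_until: Optional[int] = None   # super-users: minute at which lockout ends


class LoginGuard:
    def __init__(self, cfg: LockoutConfig):
        self.cfg = cfg
        self.users: Dict[str, User] = {}
        # Separate sequential-failure counts per interface, as the guide states.
        self.port_failures = {"local": 0, "remote": 0}
        self.port_locked_until: Dict[str, Optional[int]] = {"local": None, "remote": None}
        self.traps: List[str] = []   # one entry per "threshold met" trap

    def add_user(self, name: str, role: str) -> None:
        self.users[name] = User(role=role)

    @staticmethod
    def interface(method: str) -> str:
        return "local" if method == "console" else "remote"   # ssh/telnet/webview

    def enable(self, name: str, by: str) -> None:
        """Re-enable a disabled read-only/read-write account; super-user only."""
        if self.users[by].role != "super-user":
            raise PermissionError(f"{by} is not a super-user")
        self.users[name].disabled = False
        self.users[name].failures = 0

    def attempt(self, name: str, method: str, success: bool, now_min: int) -> str:
        """Record one login attempt and return its outcome."""
        iface = self.interface(method)
        port_until = self.port_locked_until[iface]
        if self.cfg.port_lockout and port_until is not None and now_min < port_until:
            return "port-locked"       # applies to every login on this interface
        user = self.users.get(name)
        if user is not None:
            if user.disabled:
                return "disabled"
            if user.locked_until is not None and now_min < user.locked_until:
                return "locked"
        if success and user is not None:
            user.failures = 0          # any successful login restarts the counts
            user.locked_until = None
            self.port_failures[iface] = 0
            return "ok"
        # Failed attempt (an unknown account can never succeed): count it for
        # the user and for the interface it arrived on.
        self.port_failures[iface] += 1
        if user is not None:
            user.failures += 1
            if user.failures >= self.cfg.max_attempts:
                self.traps.append(f"lockout threshold reached for {name} via {method}")
                user.failures = 0
                if user.role == "super-user":
                    user.locked_until = now_min + self.cfg.lockout_period_min
                else:
                    user.disabled = True
        if self.cfg.port_lockout and self.port_failures[iface] >= self.cfg.max_attempts:
            self.port_locked_until[iface] = now_min + self.cfg.lockout_period_min
            self.port_failures[iface] = 0
        return "denied"
```

Two consequences of the rules are worth seeing in the model: once a remote interface is locked, even a valid super-user login over SSH is refused until the period expires while the console stays usable, and a read-write account that trips the threshold stays disabled after the interface reopens until a super-user explicitly re-enables it. Note that a lockout period of 0 makes a super-user lockout expire immediately in this model; the guide lists 0 as a valid value but does not say how the switch treats it.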
• The switch supports the ability to identify the emergency access user (see "set system lockout emergency-access <username>" (page 5-18)):
– The emergency access user is still subject to the system lockout interval even on the console port.
– The user must be a configured super-user for a set command to be accepted.