User Account Overview
Fixed Switch Configuration Guide 5-3
• The emergency access user is still subject to the system lockout interval even on the console
port.
Account Lockout
User accounts can be locked out based on the number of failed login attempts or a period of
inactivity. Lockout is configured at the system level, not at the user account level. Use the set
system lockout command to:
• Set the number of failed login attempts allowed before disabling a read-write or read-only
user account or locking out a super-user account.
– When a read-only or read-write user makes the configured number of failed attempts,
that user is disabled, and cannot log back in until re-enabled by a super-user with the set
system login command.
– When a super-user makes the configured number of failed attempts, that user is locked
out for the configured lockout period. The configurable lockout period for super-user
accounts is 0 to 65535 minutes.
Note that only super-user accounts are temporarily locked out for a configured period. Read-
only and read-write accounts are disabled and must be enabled by a super-user.
• Configure lockout based on a period of inactivity. Valid values for the period of inactivity are 0
to 65535 days. A value of 0 indicates no inactivity checking.
– When a read-only or read-write user session is inactive for the configured period of time,
that user is disabled, and cannot log back in until re-enabled by a super-user with the set
system login command.
– Super-user accounts are not affected by inactivity checking.
Port Lockout
The account lockout functionality also supports a “port lockout” mechanism (set system lockout
port {enable|disable}). When enabled, the system monitors the results of all login attempts,
including via RADIUS, SSH, or Telnet, and on the console port. Separate counts are maintained for
each interface — local and network/remote (SSH, Telnet, or WebView).
When the number of sequential failed attempts equals the maximum configured attempts for any
user, the lockout will be applied (as configured) to all login attempts made through the given
interface (SSH, Telnet, or the console port). Any successful login will restart the count. By default,
port lockout is disabled.
If the default admin super user account has been locked out, and if the password reset button
functionality is enabled, you can press the reset button on the switch to re-enable the admin
account with its default values. The emergency-access user is restored as the default, the admin
account.
If the password reset button functionality has been disabled, you can wait until the lock out time
has expired or you can reboot the switch in order to re-enable the admin account.
See “Password Reset Button Functionality” on page 5-9 for more information about password
reset button functionality.
User Account Configuration
Procedure 5-1 on page 5-4 shows how a super-user creates a new read-write or read-only user
account and sets the password for the account. All other optional parameters are not shown.
To Next Page
Loading...
