Administrator’s Guide for the Polycom RealPresence Group Series Security
Polycom, Inc. 114
Port lockout is supported only on the web interface, and only Admin users are allowed to log in to the web
interface. If external authentication is not in use, users can successfully log in to the web interface only by
using the local Admin account credentials. However, when external authentication is in use, any number of
external accounts can be considered to be Admin users on the system. Failed logins to any of these
accounts, or to an unknown account, are all counted against the configured number allowed failed login
attempts to the web interface.
The following is an example of how the port lockout feature works.
A RealPresence Group system web interface is configured with these settings:
● Admin Settings > Security > Global Security > Authentication> Enable Active Directory
External Authentication is enabled, a valid Active Directory Server Address is configured, as are
both the Active Directory Admin Group and Active Directory User Group settings.
● Admin Settings > Security > Global Security > Access > Lock Port after Failed Logins is set to
4.
● Admin Settings > Security > Global Security > Access > Port Lock Duration is set to 1 Minute.
● Admin Settings > Security > Global Security > Access > Reset Port Lock Counter After is set
to 1 Hour.
Scenario 1 - Web interface locked due to excessive failed logins
A user fails to log in to the local Admin account two times on the web interface, and another user fails to
log in to the external Active Directory ‘SuperUser’ account in a separate web interface session. The
‘SuperUser’ account is defined as part of the Active Directory Admin Group on the Active Directory Server.
This means that three failed attempts have been made on the web interface port—two by one user and one
by a second user. If the next attempt to log in to the web interface by either user or some other user is
successful, the failed login counter for the web interface port is reset to zero, allowing 4 more failed attempts
to occur on the web interface.
On the other hand, if after the third failed login attempt, any user makes a fourth unsuccessful attempt to
any account on the web interface, further attempts to access the web interface using any account
credentials from any user are locked out for 1 Minute, the value of the Port Lock Duration period. After the
1 Minute port lock period has past, logins will once again be allowed. As this example illustrates, the failed
Setting Description
Lock Port after Failed Logins Specifies the number of failed login attempts allowed before the system locks
the web interface from accepting logins. If set to Off, the system does not
lock the web interface due to failed login attempts.
Port Lock Duration Specifies the amount of time that a web interface remains locked due to failed
login attempts. After this time period expires, the failed login attempts counter
is reset to zero and logins to the web interface are once again allowed.
Reset Port Lock Counter After Specifies a “failed login window” period of time, starting with the first failed
login attempt, during which subsequent failed login attempts will be counted
against the maximum number allowed (Lock Port after Failed Logins). If the
number of failed login attempts made during this window does not reach the
maximum number allowed, the failed login attempts counter is reset to zero at
the end of this window.
Note: The failed login attempts counter is always reset to zero anytime a user
successfully logs in.
To Next Page
Loading...
