User Login Control - HPE FlexNetwork 7500 Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 7500 Series:
- Security configuration manual (506 pages) ,
- Command reference manual (474 pages) ,
- Network management and monitoring command reference (430 pages)
Table of Contents
Advertisement
Telnet users, SSH users, and console users can change their own passwords. The administrator
must change passwords for FTP users.
Early notice on pending password expiration
When a user logs in, the system checks whether the password will expire in a time equal to or less
than the specified notification period. If so, the system notifies the user when the password will expire
and provides a choice for the user to change the password. If the user sets a new password that is
complexity-compliant, the system records the new password and the setup time. If the user chooses
not to change the password or the user fails to change it, the system allows the user to log in using
the current password.
Telnet users, SSH users, and console users can change their own passwords. The administrator
must change passwords for FTP users.
Login with an expired password
You can allow a user to log in a certain number of times within a period of time after the password
expires. For example, if you set the maximum number of logins with an expired password to 3 and
the time period to 15 days, a user can log in three times within 15 days after the password expires.
Password history
With this feature enabled, the system stores passwords that a user has used. When a user changes
the password, the system compares the new password with the current password and those stored
in the password history records. The new password must be different from the current one and those
stored in the history records by a minimum of four characters. The four characters must be different
from one another. Otherwise, the system will display an error message, and the password will not be
changed.
You can set the maximum number of history password records for the system to maintain for each
user. When the number of history password records exceeds your setting, the most recent record
overwrites the earliest one.
Current login passwords of device management users are not stored in the password history,
because a device management user password is saved in cipher text and cannot be recovered to a
plaintext password.
User login control
First login
If the global password control feature is enabled, users must change the password at first login
before they can access the system. In this situation, password changes are not subject to the
minimum password update interval.
Login attempt limit
Limiting the number of consecutive login failures can effectively prevent password guessing.
Login attempt limit takes effect on FTP and VTY users. It does not take effect on the following types
of users:
•
Nonexistent users (users not configured on the device).
•
Users logging in to the device through console ports.
If a user fails to log in, the system adds the user account and the user's IP address to the password
control blacklist. After making the maximum number of consecutive attempts, login attempt limit
limits the user and user account in any of the following ways:
•
Disables the user account until the account is manually removed from the password control
blacklist.
•
Allows the user to continue using the user account. The user's IP address and user account are
removed from the password control blacklist when the user uses this account to successfully
log in to the device.
247
Advertisement
Table of Contents
Troubleshooting
