Dell Brocade G620 Brocade 8.0.1 Fabric OS Administration Guide - Page 155
Account lockout policy, Enabling the admin lockout policy, Unlocking an account
Managing User Accounts

Account lockout policy

The account lockout policy disables a user account when that user exceeds a specified number of failed login attempts, and is enforced across all user accounts. You can configure this policy to keep the account locked until explicit administrative action is taken to unlock it, or the locked account can be automatically unlocked after a specified period. Administrators can unlock a locked account at any time.

A failed login attempt counter is maintained for each user on each switch instance. The counters for all user accounts are reset to zero when the account lockout policy is enabled. The counter for an individual account is reset to zero when the account is unlocked after a lockout duration period expires, or when the account user logs in successfully.

The admin account can also have the lockout policy enabled on it. The admin account lockout policy is disabled by default and uses the same lockout threshold as the other permissions. The admin account is unlocked automatically after the lockout duration passes, or manually by a user account that has securityAdmin or other admin permissions.

Virtual Fabrics considerations: The home logical fabric context is used to validate user enforcement for the account lockout policy.

Note that the account-locked state is distinct from the account-disabled state.

Use the following attributes to set the account lockout policy:

∙ LockoutThreshold
  Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked. The number of failed login attempts is counted from the last successful login. LockoutThreshold values range from 0 through 999, and the default value is 0. Setting the value to 0 disables the lockout mechanism.

∙ LockoutDuration
  Specifies the time, in minutes, after which a previously locked account is automatically unlocked. LockoutDuration values range from 0 through 99999, and the default value is 30. Setting the value to 0 disables lockout duration, and requires a user to seek administrative action to unlock the account. The lockout duration begins with the first login attempt after the LockoutThreshold has been reached. Subsequent failed login attempts do not extend the lockout period.

Enabling the admin lockout policy

1. Log in to the switch using an account that has admin or securityAdmin permissions.
2. Enter the passwdCfg --enableadminlockout command.

Unlocking an account

1. Log in to the switch using an account that has admin or securityAdmin permissions.
2. Enter the userConfig --change account_name -u command, specifying the -u option to unlock the account.

Disabling the admin lockout policy

1. Log in to the switch using an account that has admin or securityAdmin permissions.
2. Enter the passwdCfg --disableadminlockout command.

Denial of service implications

The account lockout mechanism may be used to create a denial of service condition when a user repeatedly attempts to log in to an account by using an incorrect password. Selected privileged accounts are exempted from the account lockout policy to prevent users from being locked out by a denial of service attack. However, these privileged accounts may then become the target of password-guessing attacks. Audit logs should be examined to determine whether such attacks are being attempted.

Brocade Fabric OS Administration Guide, 8.0.1 53-1004111-02 155
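The counter and timer rules for LockoutThreshold and LockoutDuration described on this page, modelled as a small state machine. This is an added example, not Brocade code or the Fabric OS implementation. `Policy`, `Account`, `login` and `unlock` are hypothetical names, and two points are assumptions: the timer is read literally as starting at the first attempt made while the account is locked, and an administrative unlock is taken to reset the failure counter.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    threshold: int = 0           # LockoutThreshold (0-999); 0 disables lockout
    duration: int = 30           # LockoutDuration in minutes (0-99999); 0 = admin unlock only
    admin_lockout: bool = False  # state set by passwdCfg --enableadminlockout

@dataclass
class Account:
    name: str
    is_admin: bool = False
    failures: int = 0                  # failed logins since the last successful login
    locked: bool = False
    timer_start: Optional[int] = None  # minute of the first attempt made while locked

def unlock(acct: Account) -> None:
    """Effect of userConfig --change <name> -u; the counter reset here is an assumption."""
    acct.locked, acct.timer_start, acct.failures = False, None, 0

def login(pol: Policy, acct: Account, now: int, password_ok: bool) -> str:
    """Process one attempt at minute `now`; return 'ok', 'fail' or 'locked'."""
    if acct.locked:
        if acct.timer_start is None:
            acct.timer_start = now     # duration begins with the first attempt after lock
        expired = pol.duration > 0 and now - acct.timer_start >= pol.duration
        if not expired:
            return "locked"            # repeated attempts never move timer_start
        unlock(acct)                   # automatic unlock resets the counter
    if password_ok:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    exempt = pol.threshold == 0 or (acct.is_admin and not pol.admin_lockout)
    if not exempt and acct.failures >= pol.threshold:
        acct.locked = True
    return "fail"

if __name__ == "__main__":
    # Constructed sample: three bad passwords, then correct ones at minutes 5, 20 and 35.
    pol, user = Policy(threshold=3, duration=30), Account("operator1")
    for minute, ok in [(0, False), (1, False), (2, False), (5, True), (20, True), (35, True)]:
        print(minute, login(pol, user, minute, ok))
```

With admin lockout disabled, `failures` on the admin account keeps growing without ever locking it, which is the password-guessing exposure the page says to watch for in the audit logs.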