HP A7533A HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, Dece - Page 69
Authentication model
UPC - 829160830858
Page 69 highlights
To enable the admin lockout policy:
1. Log in to the switch using an admin or securityAdmin account.
2. Issue the following command:
   passwdCfg --enableadminlockout
The policy is now enabled.

To unlock an account:
1. Log in to the switch using an admin or securityAdmin account.
2. Issue the following command:
   userConfig --change -u
   where is the name of the user account that is locked out.

To disable the admin lockout policy:
1. Log in to the switch using an admin or securityAdmin account.
2. Issue the following command:
   passwdCfg --disableadminlockout
The policy is now disabled.

Denial of service implications

The account lockout mechanism may be used to create a denial of service condition by repeatedly attempting to log in to an account using an incorrect password. Selected privileged accounts are exempted from the account lockout policy to prevent them from being locked out from a denial of service attack. However, these privileged accounts may then become the target of password guessing attacks. Audit logs may be examined to monitor whether such attacks are attempted.

Authentication model

Fabric OS 6.0.0 and later supports the use of both the local user database and the RADIUS service at the same time; and the local user database and LDAP using Microsoft's Active Directory in Windows at the same time. Table 12 on page 70.

When configured to use RADIUS or LDAP, the switch acts as a network access server (NAS) and RADIUS or LDAP client. The switch sends all authentication, authorization, and accounting (AAA) service requests to the RADIUS or LDAP server. The RADIUS or LDAP server receives the request, validates the request, and sends its response back to the switch.

The supported management access channels that integrate with RADIUS and LDAP include serial port, Telnet, SSH, Web Tools, and API. All these require the switch IP address or name to connect. The RADIUS server accepts only an IPv4 address.
A switch can be configured to try both RADIUS or LDAP and local switch authentication.

For systems such as the HP 4/256 SAN Director and DC SAN Backbone Director (DC Director), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in such systems, make sure the CP IP addresses are used. For accessing both the active and standby CP, and for the purpose of HA failover, both CP IP addresses of a Director should be included in the RADIUS or LDAP server configuration.

When configured for RADIUS or LDAP, a switch becomes a RADIUS or LDAP client. In either of these configurations, authentication records are stored in the RADIUS or LDAP host server database. Login and logout account name, assigned role, and time-accounting records are also stored on the RADIUS or LDAP server for each user.

By default, the RADIUS and LDAP services are disabled, so AAA services default to the switch local database.

When enabling the RADIUS or LDAP service, it is strongly recommended that you access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can change the configuration simultaneously; the last session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after a reboot or an HA failover.
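
The "Denial of service implications" section above says audit logs may be examined for repeated failed logins. The following is an added example, not code from the HP guide: it flags bursts of failed logins per account and labels them by whether the account is exempt from lockout. The log line format, the exempt account set, and the threshold and window values are all assumptions made for illustration, not Fabric OS formats or defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format (NOT the Fabric OS audit log format).
SAMPLE_LOG = """\
2008-12-01T10:00:01 login_failed user=admin src=192.0.2.10
2008-12-01T10:00:03 login_failed user=admin src=192.0.2.10
2008-12-01T10:00:05 login_failed user=admin src=192.0.2.10
2008-12-01T10:00:06 login_ok user=operator1 src=192.0.2.20
2008-12-01T10:00:07 login_failed user=admin src=192.0.2.10
2008-12-01T10:01:00 login_failed user=backup src=192.0.2.11
2008-12-01T10:01:02 login_failed user=backup src=192.0.2.11
2008-12-01T10:01:04 login_failed user=backup src=192.0.2.11
2008-12-01T11:30:00 login_failed user=operator1 src=192.0.2.20
"""

# Assumed line layout: <ISO timestamp> login_failed user=<name> src=<address>
LINE_RE = re.compile(r"^(\S+) login_failed user=(\S+) src=(\S+)$")

def find_bursts(log_text, exempt, threshold=3, window=timedelta(minutes=5)):
    """Return (kind, user, sources) alerts for bursts of failed logins.

    exempt: accounts assumed to be exempt from lockout. A burst against one
    is 'password-guessing' (the account never locks, so guessing can go on);
    a burst against any other account is 'lockout-dos'.
    threshold and window are hypothetical values, not Fabric OS defaults.
    """
    recent = defaultdict(deque)   # user -> (timestamp, src) pairs inside window
    alerted = set()               # report each account only once
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # successful logins and unparsable lines
        ts, user, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        q = recent[user]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            kind = "password-guessing" if user in exempt else "lockout-dos"
            alerts.append((kind, user, sorted({s for _, s in q})))
    return alerts

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG, exempt={"admin"}):
        print(alert)
```

Pass the set of accounts that are actually exempt on your switch as `exempt`; once the admin lockout policy is enabled, the admin account no longer belongs in that set.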