07-Password control configuration
Overview
NOTE: To switch from one user role to another, a user must enter a password for authentication. This password is called a super password. For more information about super passwords, see Fundamentals Configuration Guide.
Password setting
Minimum password length
You can define the minimum length of user passwords. If a user enters a password that is shorter than the minimum length, the system rejects the password.
Password composition checking
A password can be a combination of characters from the following types:
· Uppercase letters A to Z
· Lowercase letters a to z
· Digits 0 to 9
· 32 special characters: blank space, tilde (~), back quote (`), exclamation point (!), at sign (@), pound sign (#), dollar sign ($), percent sign (%), caret (^), ampersand (&), asterisk (*), left parenthesis ("("), right parenthesis (")"), underscore (_), plus sign (+), minus sign (-), equal sign (=), left brace ({), right brace (}), vertical bar (|), left bracket ([), right bracket (]), back slash (\), colon (:), quotation mark ("), semicolon (;), apostrophe ('), left angle bracket (<), right angle bracket (>), comma (,), dot (.), and slash (/)
Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type.
There are four password combination levels: 1, 2, 3, and 4. A level 1 password must contain characters of at least one type, level 2 at least two types, level 3 at least three types, and level 4 at least four types.
When a user sets or changes a password, the system checks if the password satisfies the combination requirement. If not, the operation will fail.
Password complexity checking
A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password. If the password is not qualified, the configuration will fail.
You can apply the following password complexity requirements:
· A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is unqualified.
· A character or number cannot be repeated three or more times consecutively. For example, password a111 is not qualified.
Password updating and expiration
Password updating
This function allows you to set the minimum interval at which users can change their passwords. If a user logs in to change the password but the time passed since the last change is less than this interval, the system denies the request. For example, if you set this interval to 48 hours, a user cannot change the password twice within 48 hours.
The minimum interval does not apply to a user who is prompted to change the password at first login or after the password has expired.
Password expiration
Password expiration imposes a lifecycle on a user password. After the password expires, the user needs to change the password.
If a user enters an expired password when logging in, the system displays an error message and prompts the user to provide a new password and to confirm it by entering it again. The new password must be valid, and the user must enter exactly the same password when confirming it.
Telnet users, SSH users, and console (or AUX) users can change their own passwords. The administrator must change passwords for FTP users.
Early notice on pending password expiration
When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified period. If so, the system notifies the user of the expiration time and provides a choice for the user to change the password. If the user provides a new password that is qualified, the system records the new password and the time. If the user chooses to leave the password or the user fails to change it, the system allows the user to log in using the current password.
Telnet users, SSH users, and console (or AUX) users can change their own passwords. The administrator must change passwords for FTP users.
Login with an expired password
You can allow a user to log in a certain number of times within a specific period of time after the password expires. For example, if you set the maximum number of logins with an expired password to 3 and the time period to 15 days, a user can log in three times within 15 days after the password expires.
Password history
With this feature enabled, the system stores passwords that a user has used. When a user changes the password, the system checks the new password against the used ones. The new password must be different from the used ones by at least four characters and the four characters must be different from one another. Otherwise, the system will display an error message, and the password will not be changed.
You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the most recent record overwrites the earliest one.
Current login passwords of local users are not stored in the password history, because a local user password is saved as ciphertext and cannot be recovered as plaintext.
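The composition, complexity and history rules described above, modelled in Python as an added example (this is illustrative code, not Comware code). The Policy fields mirror the password-control parameters and their page defaults; the class names and the interpretation of "different by at least four characters" (at least four distinct characters of the new password that do not occur in the old one) are assumptions made here.

```python
"""Added example modelling the password-setting checks: composition
(type-number / type-length), complexity (user-name and same-character checks)
and the password-history rule. Not Comware code; names are assumptions."""
import re
import string
from collections import deque
from dataclasses import dataclass

# The 32 special characters listed on the page (blank space plus 31 punctuation characters).
SPECIALS = " ~`!@#$%^&*()_+-={}|[]\\:\";'<>,./"
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(SPECIALS),
}
VALID = set().union(*CLASSES.values())


@dataclass
class Policy:
    """Mirrors the password-control parameters; defaults are the page's global defaults."""
    min_length: int = 10           # password-control length
    type_number: int = 1           # password-control composition type-number
    type_length: int = 1           # password-control composition ... type-length
    user_name_check: bool = False  # password-control complexity user-name check
    same_char_check: bool = False  # password-control complexity same-character check
    history_max: int = 4           # password-control history


def composition_level(pw: str, type_length: int) -> int:
    """Number of character types of which the password contains at least type_length characters."""
    return sum(1 for chars in CLASSES.values() if sum(c in chars for c in pw) >= type_length)


def differs_enough(new: str, old: str) -> bool:
    """History rule as interpreted here (assumption): at least four distinct characters of the
    new password must not occur anywhere in the old one."""
    return len(set(new) - set(old)) >= 4


def check_password(pw: str, username: str, policy: Policy, history=()) -> list:
    """Return the list of rule violations; an empty list means the password is accepted."""
    errors = []
    if len(pw) < policy.min_length:
        errors.append(f"shorter than minimum length {policy.min_length}")
    invalid = set(pw) - VALID
    if invalid:
        errors.append(f"invalid characters: {''.join(sorted(invalid))!r}")
    if composition_level(pw, policy.type_length) < policy.type_number:
        errors.append(f"needs {policy.type_number} character types with "
                      f"at least {policy.type_length} characters each")
    if policy.user_name_check and (username in pw or username[::-1] in pw):
        errors.append("contains the username or its reverse")
    if policy.same_char_check and re.search(r"(.)\1\1", pw):
        errors.append("a character is repeated three or more times consecutively")
    for old in history:
        if not differs_enough(pw, old):
            errors.append("differs from a previous password by fewer than four characters")
            break
    return errors


class PasswordHistory:
    """Bounded history: once history_max records exist, the newest record overwrites the oldest."""

    def __init__(self, history_max: int):
        self.records = deque(maxlen=history_max)

    def change(self, pw: str, username: str, policy: Policy) -> list:
        """Apply the checks against the stored records and record the password if accepted."""
        errors = check_password(pw, username, policy, self.records)
        if not errors:
            self.records.append(pw)
        return errors


if __name__ == "__main__":
    strict = Policy(min_length=12, type_number=2, type_length=5,
                    user_name_check=True, same_char_check=True)
    for candidate in ("abc982", "a111", "Secure12345pass"):
        print(candidate, check_password(candidate, "abc", strict) or "accepted")
```

The history model keeps plaintext records only so that the difference rule can be shown; the page notes that a real device cannot do this for current local user passwords because they are stored as ciphertext.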
User login control
First login
With the global password control function enabled, users must change the password at first login before they can access the system. In this situation, password changes are not subject to the minimum change interval.
Login attempt limit
Limiting the number of consecutive failed login attempts can effectively prevent password guessing.
If an FTP or VTY user fails authentication, the system adds the user to a password control blacklist. The system does not add nonexistent users, or users logging in to the device through the console or AUX interface, to the password control blacklist.
If a user fails to provide the correct password after the specified number of consecutive attempts, the system takes one of the following actions:
· Blocks the user's login attempts until the user is manually removed from the password control blacklist.
· Allows the user to continue trying, and removes the user from the password control blacklist when the user logs in to the system successfully or the blacklist entry times out (the blacklist entry aging time is 1 minute).
· Blocks the user's login attempts within a configurable period of time, and allows the user to log in again after the period of time elapses or the user is removed from the password control blacklist.
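A simulation of the login attempt limit and blacklist behaviour just described, added here as an example (not Comware code): each failed FTP/VTY login creates a blacklist entry, after the configured number of consecutive failures the exceed action (lock, lock-time or unlock) applies, and an entry that is not locked ages out after 1 minute. The class and method names are assumptions, as is applying the 1-minute aging to every entry that is not locked.

```python
"""Added example (not Comware code) simulating password-control login-attempt
login-times [ exceed { lock | lock-time time | unlock } ] and the blacklist."""
import math
from dataclasses import dataclass
from typing import Optional

BLACKLIST_AGING = 60.0  # seconds; the page gives the blacklist entry aging time as 1 minute


@dataclass
class Entry:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: Optional[float] = None  # None: not locked; math.inf: locked until manual reset


class LoginControl:
    """Models the login attempt limit for users authenticating over FTP or VTY lines."""

    def __init__(self, login_times=3, exceed="lock-time", lock_time=60.0, users=()):
        self.login_times = login_times
        self.exceed = exceed          # "lock", "lock-time" or "unlock"
        self.lock_time = lock_time    # seconds, used only by lock-time
        self.users = set(users)       # local user accounts that exist on the device
        self.blacklist = {}           # user name -> Entry

    def _expire(self, now: float) -> None:
        """Drop entries whose lock time has elapsed or, for entries that are not locked,
        that have aged out (assumption: the 1-minute aging applies to every unlocked entry)."""
        for name, e in list(self.blacklist.items()):
            if e.locked_until is None:
                if now - e.last_failure >= BLACKLIST_AGING:
                    del self.blacklist[name]
            elif now >= e.locked_until:  # never true for math.inf
                del self.blacklist[name]

    def reset(self, name: str) -> None:
        """Manual removal, as with reset password-control blacklist user-name name."""
        self.blacklist.pop(name, None)

    def attempt(self, name: str, password_ok: bool, line: str, now: float) -> str:
        """Return "allowed", "denied" (wrong password) or "blocked" (rejected by the blacklist)."""
        if name not in self.users:            # nonexistent users are never blacklisted
            return "denied"
        if line in ("console", "aux"):        # console/AUX logins are never blacklisted
            return "allowed" if password_ok else "denied"
        self._expire(now)
        entry = self.blacklist.get(name)
        if entry is not None and entry.locked_until is not None and now < entry.locked_until:
            return "blocked"
        if password_ok:
            self.blacklist.pop(name, None)    # a successful login clears the entry
            return "allowed"
        entry = self.blacklist.setdefault(name, Entry())
        entry.failures += 1
        entry.last_failure = now
        if entry.failures >= self.login_times:
            if self.exceed == "lock":
                entry.locked_until = math.inf
            elif self.exceed == "lock-time":
                entry.locked_until = now + self.lock_time
            # "unlock": the user may keep trying; the entry ages out or is cleared on success
        return "denied"


if __name__ == "__main__":
    lc = LoginControl(login_times=2, exceed="lock-time", lock_time=30, users={"admin"})
    for t, ok in ((0, False), (1, False), (10, True), (31, True)):
        print(t, lc.attempt("admin", ok, "vty", t))
```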
Maximum account idle time
You can set the maximum account idle time so that an account that stays idle for this period becomes invalid and can no longer log in. For example, if you set the maximum account idle time to 60 days and the user with the account test does not log in successfully within 60 days after the last successful login, the account becomes invalid.
Password not displayed in any form
For security purposes, nothing is displayed when a user enters a password.
Logging
The system logs every successful password change and every event in which a user is added to the password control blacklist.
Password control configuration task list
The password control functions can be configured in several different views, and different views support different functions. The settings configured in different views or for different objects have the following application ranges:
· Global settings in system view apply to all local user passwords.
· Settings in user group view apply to the passwords of all local users in the user group.
· Settings in local user view apply to only the password of the local user.
· Settings for super passwords apply to only super passwords.
For local user passwords, the settings with a smaller application scope have a higher priority.
To configure password control, perform the following tasks:
Tasks at a glance:
· (Required.) Enabling password control
· (Optional.) Setting global password control parameters
· (Optional.) Setting user group password control parameters
· (Optional.) Setting local user password control parameters
· (Optional.) Setting super password control parameters
Enabling password control
After the global password control feature is enabled, you cannot display the password and super password configurations for local users by using the corresponding display commands.
To enable password control:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the global password control feature. | password-control enable | By default, the global password control feature is disabled. |
3. (Optional.) Enable a specific password control function. | password-control { aging \| composition \| history \| length } enable | By default, all four password control functions are enabled. |
Setting global password control parameters
The settings in system view have global significance and apply to all local users. The password expiration time, minimum password length, and password composition policy can be configured in system view, user group view, or local user view. The password settings with a smaller application scope have a higher priority.
The password-control login-attempt command takes effect immediately and can affect users already in the password control blacklist. Other password control settings do not take effect on users that are already logged in or on passwords that have already been configured.
To set global password control parameters:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the password expiration time. | password-control aging aging-time | The default setting is 90 days. |
3. Set the minimum password update interval. | password-control update-interval interval | The default setting is 24 hours. |
4. Set the minimum password length. | password-control length length | The default setting is 10 characters. |
5. Configure the password composition policy. | password-control composition type-number type-number [ type-length type-length ] | By default, a password is valid if it has one valid character and does not have any invalid characters. |
6. Configure the password complexity checking policy. | password-control complexity { same-character \| user-name } check | By default, the system does not perform password complexity checking. |
7. Set the maximum number of history password records for each user. | password-control history max-record-num | The default setting is 4. |
8. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts. | password-control login-attempt login-times [ exceed { lock \| lock-time time \| unlock } ] | By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again. |
9. Set the number of days during which a user is notified of the pending password expiration. | password-control alert-before-expire alert-time | The default setting is 7 days. |
10. Set the maximum number of days and maximum number of times that a user can log in after the password expires. | password-control expired-user-login delay delay times times | By default, a user can log in three times within 30 days after the password expires. |
11. Set the maximum account idle time. | password-control login idle-time idle-time | The default setting is 90 days. |
Setting user group password control parameters
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a user group and enter user group view. | user-group group-name | By default, no user group exists. For information about how to configure a user group, see "Configuring AAA." |
3. Configure the password expiration time for the user group. | password-control aging aging-time | By default, the password expiration time configured in system view is used. |
4. Configure the minimum password length for the user group. | password-control length length | By default, the minimum password length configured in system view is used. |
5. Configure the password composition policy for the user group. | password-control composition type-number type-number [ type-length type-length ] | By default, the password composition policy configured in system view is used. |
Setting local user password control parameters
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a local user and enter local user view. | local-user user-name class manage | By default, no local user exists. For information about how to configure a local user, see "Configuring AAA." |
3. Configure the password expiration time for the local user. | password-control aging aging-time | By default, the setting for the user group to which the local user belongs is used. |
4. Configure the minimum password length for the local user. | password-control length length | By default, the setting for the user group to which the local user belongs is used. |
5. Configure the password composition policy for the local user. | password-control composition type-number type-number [ type-length type-length ] | By default, the settings for the user group to which the local user belongs are used. |
Setting super password control parameters
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the password expiration time for super passwords. | password-control super aging aging-time | The default setting is 90 days. |
3. Configure the minimum length for super passwords. | password-control super length length | The default setting is 10 characters. |
4. Configure the password composition policy for super passwords. | password-control super composition type-number type-number [ type-length type-length ] | By default, a super password is valid if it has one valid character and does not have any invalid characters. |
Displaying and maintaining password control
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display password control configuration. | display password-control [ super ] |
Display information about users in the password control blacklist. | display password-control blacklist [ user-name name \| ip ipv4-address \| ipv6 ipv6-address ] |
Delete users from the password control blacklist. | reset password-control blacklist [ user-name name ] |
Clear history password records. | reset password-control history-record [ user-name name \| super [ role role-name ] ] |
NOTE: The reset password-control history-record command can delete the history password records of one or all users even when the password history function is disabled.
Password control configuration example
Network requirements
Implement the following global password control policy:
· An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.
· A user can log in five times within 60 days after the password expires.
· The password expiration time is 30 days.
· The minimum password update interval is 36 hours.
· The maximum account idle time is 30 days.
· A password cannot contain the username or the reverse of the username.
· No character appears consecutively three or more times in a password.
Implement the following super password control policy required for switching to user role network-operator: A super password must contain at least three types of valid characters, five or more characters of each type.
Implement the following password control policy for local Telnet user test:
· The password must contain at least 12 characters.
· The password must consist of at least two types of valid characters, five or more characters of each type.
· The password expiration time is 20 days.
Configuration procedure
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Prohibit the user from logging in forever after two successive login failures.
[Sysname] password-control login-attempt 2 exceed lock
# Set the password expiration time to 30 days for all passwords.
[Sysname] password-control aging 30
# Set the minimum password update interval to 36 hours.
[Sysname] password-control update-interval 36
# Specify that a user can log in five times within 60 days after the password expires.
[Sysname] password-control expired-user-login delay 60 times 5
# Set the maximum account idle time to 30 days.
[Sysname] password-control login idle-time 30
# Refuse any password that contains the username or the reverse of the username.
[Sysname] password-control complexity user-name check
# Specify that no character of the password can be repeated three or more times consecutively.
[Sysname] password-control complexity same-character check
# Specify that a super password must contain at least three types of characters and each type must contain at least five characters.
[Sysname] password-control super composition type-number 3 type-length 5
# Configure a super password used for switching to user role network-operator as 12345ABGFTweuix in plain text.
[Sysname] super password network-operator simple 12345ABGFTweuix
# Create a local user named test.
[Sysname] local-user test class manage
# Set the service type of the user to Telnet.
[Sysname-luser-manage-test] service-type telnet
# Set the minimum password length to 12 for the local user.
[Sysname-luser-manage-test] password-control length 12
# Specify that the password of the local user must contain at least two types of characters and each type must contain at least five characters.
[Sysname-luser-manage-test] password-control composition type-number 2 type-length 5
# Set the password expiration time to 20 days for the local user.
[Sysname-luser-manage-test] password-control aging 20
# Configure the password of the local user in interactive mode.
[Sysname-luser-manage-test] password
Password:
Confirm :
Updating user information. Please wait ... ...
[Sysname-luser-manage-test] quit
Verifying the configuration
# Display the global password control configuration.
<Sysname> display password-control
Global password control configurations:
Password control: Enabled
Password aging: Enabled (30 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Password history: Enabled (max history record:4)
Early notice on password expiration: 7 days
Maximum login attempts: 2
Action for exceeding login attempts: lock
Minimum interval between two updates: 36 hours
User account idle time: 30 days
Logins with aged password: 5 times in 60 days
Password complexity: Enabled (username checking)
Enabled (repeated characters checking)
# Display the password control configuration for super passwords.
<Sysname> display password-control super
Super password control configurations:
Password aging: Enabled (30 days)
Password length: Enabled (10 characters)
Password composition: Enabled (3 types, 5 characters per type)
# Display the password control configuration for local user test.
<Sysname> system-view
[Sysname] local-user test class manage
[Sysname-luser-manage-test] display this
#
local-user test class manage
service-type telnet
authorization-attribute user-role network-operator
password-control aging 20
password-control length 12
password-control composition type-number 2 type-length 5
#
return
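A way to turn the verification step above into a repeatable check, added here as an example (not Comware code): parse the output of display password-control into fields and compare them with the global policy listed under Network requirements. The sample text is a constructed copy of the page's verification output; the function names and the REQUIRED table are assumptions made for this illustration.

```python
"""Added example (not Comware code): parse display password-control output and
audit it against the global policy required in the configuration example."""
import re

# Constructed sample: a copy of the display password-control output shown in the
# verification section of the configuration example.
SAMPLE_OUTPUT = """\
Global password control configurations:
 Password control: Enabled
 Password aging: Enabled (30 days)
 Password length: Enabled (10 characters)
 Password composition: Enabled (1 types, 1 characters per type)
 Password history: Enabled (max history record:4)
 Early notice on password expiration: 7 days
 Maximum login attempts: 2
 Action for exceeding login attempts: lock
 Minimum interval between two updates: 36 hours
 User account idle time: 30 days
 Logins with aged password: 5 times in 60 days
 Password complexity: Enabled (username checking)
                      Enabled (repeated characters checking)
"""

# Expected values taken from the example's network requirements (assumed table). An int is
# compared with the first number in the field, a tuple of ints with all numbers in the field,
# a tuple of strings must all appear as substrings, and a plain string must match exactly.
REQUIRED = {
    "Password control": "Enabled",
    "Maximum login attempts": 2,
    "Action for exceeding login attempts": "lock",
    "Password aging": 30,
    "Minimum interval between two updates": 36,
    "User account idle time": 30,
    "Logins with aged password": (5, 60),
    "Password complexity": ("username checking", "repeated characters checking"),
}


def parse_password_control(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; a line without a colon continues the previous field."""
    fields, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):   # skip blank lines and the title line
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key is not None:
            fields[last_key] += "; " + line
    return fields


def audit(fields: dict, required: dict = REQUIRED) -> list:
    """Return one finding per requirement the output does not meet; an empty list means compliant."""
    findings = []
    for key, want in required.items():
        got = fields.get(key)
        if got is None:
            findings.append(f"{key}: not present in output")
            continue
        numbers = tuple(int(n) for n in re.findall(r"\d+", got))
        if isinstance(want, int):
            ok = numbers[:1] == (want,)
        elif isinstance(want, tuple) and all(isinstance(w, int) for w in want):
            ok = numbers == want
        elif isinstance(want, tuple):
            ok = all(w in got for w in want)
        else:
            ok = got == want
        if not ok:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_password_control(SAMPLE_OUTPUT)) or ["compliant"]:
        print(finding)
```

Feeding the same parser the output of several devices makes drift from the intended policy (for example a default of 3 attempts with unlock instead of 2 attempts with lock) visible without reading each configuration by hand.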