Login
- Table of Contents
-
- 14-User Access and Authentication Configuration Guide
- 00-Preface
- 01-AAA configuration
- 02-802.1X configuration
- 03-MAC authentication configuration
- 04-Portal configuration
- 05-Web authentication configuration
- 06-Port security configuration
- 07-Password control configuration
- 08-User profile configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 07-Password control configuration | 173.56 KB |
Contents
Password updating and expiration
Password not displayed in any form
Restrictions and guidelines: Password control configuration
Password control tasks at a glance
Setting global password control parameters
Setting user group password control parameters
Setting local user password control parameters
Setting super password control parameters
Verifying and maintaining password control
Verifying password control configuration
Displaying and clearing information about users in the password control blacklist
Clearing history password records
Password control configuration examples
Example: Configuring password control
Configuring password control
About password control
Password control allows you to implement the following features:
· Manage login and super password setup, expirations, and updates for device management users.
· Control user login status based on predefined policies.
For more information about local users, see "Configuring AAA." For information about super passwords, see RBAC configuration in Fundamentals Configuration Guide.
Password setting
Minimum password length
You can define the minimum length of user passwords. The system rejects the setting of a password that is shorter than the configured minimum length.
Password composition policy
A password can be a combination of characters from the following types:
· Uppercase letters A to Z.
· Lowercase letters a to z.
· Digits 0 to 9.
· Special characters in Table 1.
|
Character name |
Symbol |
Character name |
Symbol |
|
Ampersand sign |
& |
Apostrophe |
' |
|
Asterisk |
* |
At sign |
@ |
|
Back quote |
` |
Back slash |
\ |
|
Blank space |
N/A |
Caret |
^ |
|
Colon |
: |
Comma |
, |
|
Dollar sign |
$ |
Dot |
. |
|
Equal sign |
= |
Exclamation point |
! |
|
Left angle bracket |
< |
Left brace |
{ |
|
Left bracket |
[ |
Left parenthesis |
( |
|
Minus sign |
- |
Percent sign |
% |
|
Plus sign |
+ |
Pound sign |
# |
|
Quotation marks |
" |
Right angle bracket |
> |
|
Right brace |
} |
Right bracket |
] |
|
Right parenthesis |
) |
Semi-colon |
; |
|
Slash |
/ |
Tilde |
~ |
|
Underscore |
_ |
Vertical bar |
| |
Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type, as shown in Table 2.
Table 2 Password composition policy
|
Password combination level |
Minimum number of character types |
Minimum number of characters for each type |
|
Level 1 |
One |
One |
|
Level 2 |
Two |
One |
|
Level 3 |
Three |
One |
|
Level 4 |
Four |
One |
In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the level 4 combination is available for a password.
When a user sets or changes a password, the system checks if the password meets the combination requirement. If it does not, the operation fails.
Password complexity checking policy
A less complicated password is more likely to be cracked, such as a password containing the username or repeated characters. For higher security, you can configure a password complexity checking policy to ensure that all user passwords are relatively complicated. When a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail.
You can apply the following password complexity requirements:
· A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
· A character or number cannot be included three or more times consecutively. For example, password a111 is not complex enough.
· A password cannot contain multiple horizontally-adjacent characters on the keyboard. For example, if a password can contain only two horizontally-adjacent characters on the keyboard, QWE12 and EWQ21 do not meet the complexity requirements.
Password updating and expiration
Password updating
This feature allows you to set the minimum interval at which users can change their passwords. A user can only change the password once within the specified interval.
The minimum interval does not apply to the following situations:
· A user is prompted to change the password at the first login.
· The password aging time expires.
Password expiration
Password expiration imposes a lifecycle on a user password. After the password expires, the user needs to change the password.
The system displays an error message for a login attempt with an expired password. The user is asked to provide a new password. The new password must be valid, and the user must enter exactly the same password when confirming it.
Web users, Telnet users, SSH users, and console or AUX users can change their own passwords. FTP users must have their passwords changed by the administrator.
Early notice on pending password expiration
When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified notification period. If so, the system notifies the user when the password will expire and provides a choice for the user to change the password.
· If the user sets a new valid password, the system records the new password and the setup time.
· If the user does not or fails to change the password, the system allows the user to log in by using the current password until the password expires.
Web users, Telnet users, SSH users, and console or AUX users can change their own passwords. FTP users must have their passwords changed by the administrator.
Login with an expired password
You can allow a user to log in a certain number of times within a period of time after the password expires. For example, if you set the maximum number of logins with an expired password to 3 and the time period to 15 days, a user can log in three times within 15 days after the password expires.
Password history
This feature allows the system to store passwords that a user has used.
The history device management user passwords and history super passwords are stored in hashed form.
· If you set a new password in hashed form, the system does not compare the new password with the current one or those stored in the history password records.
· If you set a new password in plaintext form, make sure the new password is different from the current one and those stored in the password history. In addition, the new password must have a minimum of four characters different from the current password. Otherwise, the password change will fail.
You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds the setting, the most recent record overwrites the earliest one.
Current login passwords are not stored in the password history for device management users. Device management users have their passwords saved in cipher text, which cannot be recovered to plaintext passwords.
User login control
First login
By default, if the global password control feature is enabled, users must change the password at first login before they can access the system. In this situation, password changes are not subject to the minimum password update interval. If it is not necessary for users to change the password at first login, disable the password change at first login feature.
Password control blacklist
The password control blacklist prevents abnormal users from logging in by recording the login failures and maintaining the status of blacklisted user accounts.
The system adds the information of the following users that fail to log in to the password control blacklist:
· FTP users.
· VTY or Web users.
· Users logging in to the device through console, AUX, TTY, or USB lines.
The system does not add the user accounts of nonexistent users (users not configured on the device) to the password control blacklist if they fail to log in.
The device supports the following recording modes for adding the user information to the blacklist for users failing authentication:
· Username only—Adds only usernames to the blacklist. In this mode, a user account matches a blacklist entry as long as the username matches the entry.
· Username and IP address—Adds both usernames and IP addresses to the blacklist. In this mode, a user account matches a blacklist entry only when both the username and the login IP address match the entry.
The device will create a blacklist entry for each IP address for a user account when the following conditions are both met:
· Both usernames and IP addresses are added to the password control blacklist.
· A user uses the same user account to log in to the device from different IP addresses and fails the logins.
When the maximum number of blacklist entries for the user account is reached, a blacklist entry for a new IP address of the user account will overwrite the earliest blacklist entry for the user account.
Login attempt limit
Limiting the number of consecutive login failures can effectively prevent password guessing.
If a user fails to log in, the system adds the user account and the user's IP address to the password control blacklist. When a user fails the maximum number of consecutive attempts, login attempt limit limits the user and user account in any of the following ways:
· For an FTP, Web, or VTY user, the system prohibits the user from using the user account to log in through the user's IP address. For a console, AUX, TTY, or USB user, the system prohibits the user from logging in through the corresponding user line. The locked user can use their own account to log in to the device only after the account is manually removed from the password control blacklist.
· Allows the user to continue using the user account. The user's IP address and user account are removed from the password control blacklist when the user uses this account to successfully log in to the device.
· Locks the user account and the user's IP address for a period of time.
The user can use the account to log in from the IP address when either of the following conditions exists:
¡ The locking timer expires.
¡ The account is manually removed from the password control blacklist before the locking timer expires.
|
|
NOTE: The user account is locked only for the user at the locked IP address. A user from an unlocked IP address can still use this account, and the user at the locked IP address can use other unlocked user accounts. |
Maximum account idle time
You can set the maximum account idle time for user accounts. When an account is idle for this period of time since the last successful login, the account becomes invalid.
Login control with a weak password
The system checks for weak passwords for Telnet, SSH, HTTP, or HTTPS device management users. A password is weak if it does not meet the following requirements:
· Password composition restriction.
· Minimum password length restriction.
· Password complexity checking policy.
By default, the system displays a message about a weak password but does not force the user to change it. To improve the device security, you can enable the mandatory weak password change feature, which forces the users to change the identified weak passwords. The users can log in to the device only after their passwords meet the password requirements.
Password not displayed in any form
For security purposes, nothing is displayed when a user enters a password.
Logging
The system generates a log each time a user changes its password successfully or is added to the password control blacklist because of login failures.
Restrictions and guidelines: Password control configuration
|
|
IMPORTANT: To successfully enable the global password control feature and allow device management users to log in to the device, make sure the device have sufficient storage space. |
The password control features can be configured in several different views, and different views support different features. The settings configured in different views or for different objects have the following application ranges:
· Settings for super passwords apply only to super passwords.
· Settings in local user view apply only to the password of the local user.
· Settings in user group view apply to the passwords of the local users in the user group if you do not configure password policies for these users in local user view.
· Global settings in system view apply to the passwords of the local users in all user groups if you do not configure password policies for these users in both local user view and user group view.
For local user passwords, the settings with a smaller application scope have higher priority. The system prefers to use the non-default setting in local user view for a local user.
· If the default setting is configured for the local user, the system uses the non-default setting for the user group to which the local user belongs.
· If the default setting is configured for the user group, the system uses the global setting.
Password control tasks at a glance
To configure password control, perform the following tasks:
2. (Optional.) Setting global password control parameters
3. (Optional.) Setting user group password control parameters
4. (Optional.) Setting local user password control parameters
5. (Optional.) Setting super password control parameters
Enabling password control
About this task
For device management users, enabling global password control is a prerequisite for password control functions to take effect except the following functions:
· Password composition policy.
· Minimum password length.
· Username checking.
For a specific password restriction setting (such as password expiration or password history management) to take effect, make sure you enable both the global password control feature and the specific password restriction.
For network access users, you must enable global password control for all password control configurations to take effect.
Restrictions and guidelines
After global password control is enabled, follow these restrictions and guidelines:
· You cannot display the password and super password configurations for local users by using the corresponding display commands.
· The password configured for local users must contain a minimum of four different characters.
· To ensure correct function of password control, configure the device to use NTP to obtain the UTC time. After global password control is enabled, password control will record the UTC time when the password is set. The recorded UTC time might not be consistent with the actual UTC time due to power failure or device reboot. The inconsistency will cause the password expiration feature to malfunction. For information about NTP, see Network Management and Monitoring Configuration Guide.
· When global password control is enabled, the device automatically generates a .dat file and saves it in the storage medium. This file records authentication and login information for local users. Do not manually delete or edit this file.
Procedure
1. Enter system view.
system-view
2. Enable the global password control feature.
password-control enable [ network-class ]
By default, the global password control feature is disabled for device management and network access users.
3. (Optional.) Enable a specific password control feature.
password-control { aging | composition | history | length } enable
By default, all four password control features are enabled.
Setting global password control parameters
Restrictions and guidelines
The global password control parameters in system view apply to all device management and network access local users.
You can configure all password control features for device management users. The password aging time, minimum password length, password complexity policy, password composition policy, and user login attempt limit can be configured in system view, user group view, and local user view.
You can configure only the following password control features for network access users:
· Minimum password length.
· Password complexity policy.
· Password composition policy.
· Minimum password update interval.
· Maximum number of history password records for each user.
Where, the minimum password length, password complexity policy, and password composition policy can be configured in system view, user group view, and local user view.
The password settings with a smaller application scope have higher priority. For local users, password settings configured in local user view have the highest priority, and global settings in system view have the lowest priority.
The global password control feature enables the system to record history passwords. When the number of history password records of a user reaches the maximum number, the newest history record overwrites the earliest one. To delete the existing history password records, use one of the following methods:
· Use the undo password-control enable command to disable the password control feature globally.
· Use the reset password-control history-record command to clear the passwords manually.
The password-control login-attempt command takes effect immediately and can affect the users already in the password control blacklist. Other password control configurations do not take effect on users that have been logged in or passwords that have been configured.
Procedure
1. Enter system view.
system-view
2. Configure password settings.
¡ Set the minimum password length.
password-control length length
The default setting is 10 characters.
¡ Configure the password composition policy.
password-control composition type-number type-number [ type-length type-length ]
By default, a password must contain a minimum of two character types and a minimum of one character for each type.
¡ Configure the password complexity checking policy.
password-control complexity { adjacent-character | same-character | user-name } check
By default, username checking is enabled but repeated character checking and horizontally-adjacent character checking are disabled.
¡ Specify the maximum number of horizontally-adjacent characters on the keyboard that can be included in a password.
password-control adjacent-character max-number number
By default, a maximum of three horizontally-adjacent characters on the keyboard can be included in a password.
¡ Set the maximum number of history password records for each user.
password-control history max-record-number
The default setting is 4.
3. Configure password updating and expiration.
¡ Set the minimum password update interval.
password-control update interval interval
The default setting is 24 hours.
¡ Set the password aging time.
password-control aging aging-time
The default setting is 90 days.
¡ Set the number of days during which a user is notified of the pending password expiration.
password-control alert-before-expire alert-time
The default setting is 7 days.
¡ Set the maximum number of days and maximum number of times that a user can log in after the password expires.
password-control expired-user-login delay delay times times
By default, a user can log in three times within 30 days after the password expires.
4. Configure user login control.
¡ Enable the password control blacklist feature for all user line types.
password-control blacklist all-line
By default, the password control blacklist feature is disabled for all user line types. The password control blacklist feature is enabled only for FTP and VTY or Web users when you enable the global password control feature.
¡ Set the maximum number of blacklist entries for a user account.
password-control per-user blacklist-limit max-number
By default, the maximum number of blacklist entries for a user account is 32.
¡ Add only usernames to the password control blacklist for users failing authentication.
password-control blacklist user-info username-only
By default, both usernames and IP addresses are added to the password control blacklist when the users fail authentication.
¡ Configure the login attempt limit.
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again.
¡ Set the maximum account idle time.
password-control login idle-time idle-time
The default setting is 90 days.
¡ Set the user authentication timeout time.
password-control authentication-timeout timeout
The default setting is 600 seconds.
This command takes effect only on Telnet and terminal users.
¡ Disable password change at first login.
undo password-control change-password first-login enable
By default, the password change at first login feature is enabled.
Setting user group password control parameters
1. Enter system view.
system-view
2. Create a user group and enter its view.
user-group group-name
For information about how to configure a user group, see "Configuring AAA."
3. Enable the password expiration feature for the user group.
password-control aging enable
By default, the password expiration feature is enabled for a user group, and the setting equals the global setting.
4. Configure the password aging time for the user group.
password-control aging aging-time
By default, the password aging time of the user group equals the global password aging time.
5. Configure the minimum password length for the user group.
password-control length length
By default, the minimum password length of the user group equals the global minimum password length.
6. Configure the password composition policy for the user group.
password-control composition type-number type-number [ type-length type-length ]
By default, the password composition policy of the user group equals the global password composition policy.
7. Configure the password complexity checking policy for the user group.
password-control complexity { same-character | user-name } check
By default, the password complexity checking policy of the user group equals the global password complexity checking policy.
8. Configure the login attempt limit.
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
By default, the login-attempt policy of the user group equals the global login-attempt policy.
Setting local user password control parameters
1. Enter system view.
system-view
2. Create a device management or network access user and enter its view.
¡ Create a device management user and enter its view.
local-user user-name class manage
¡ Create a network access user and enter its view.
local-user user-name class network
By default, no local user exists.
For information about how to configure a local user, see "Configuring AAA."
3. Enable the password expiration feature for the local user.
password-control aging enable
By default, the password expiration feature is enabled for a local user, and the setting equals that for the user group to which the local user belongs.
4. Configure the password aging time for the local user.
password-control aging aging-time
By default, the setting equals that for the user group to which the local user belongs. If no aging time is configured for the user group, the global setting applies to the local user.
5. Configure the minimum password length for the local user.
password-control length length
By default, the setting equals that for the user group to which the local user belongs. If no minimum password length is configured for the user group, the global setting applies to the local user.
6. Configure the password composition policy for the local user.
password-control composition type-number type-number [ type-length type-length ]
By default, the settings equal those for the user group to which the local user belongs. If no password composition policy is configured for the user group, the global settings apply to the local user.
7. Configure the password complexity checking policy for the local user.
password-control complexity { same-character | user-name } check
By default, the settings equal those for the user group to which the local user belongs. If no password complexity checking policy is configured for the user group, the global settings apply to the local user.
8. Configure the login attempt limit.
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
By default, the settings equal those for the user group to which the local user belongs. If no login-attempt policy is configured for the user group, the global settings apply to the local user.
Setting super password control parameters
1. Enter system view.
system-view
2. Set the password aging time for super passwords.
password-control super aging aging-time
The default setting is 90 days.
3. Configure the minimum length for super passwords.
password-control super length length
The default setting is 10 characters.
4. Configure the password composition policy for super passwords.
password-control super composition type-number type-number [ type-length type-length ]
By default, a super password must contain a minimum of two character types and a minimum of one character for each type.
5. Configure the super password complexity checking policy.
password-control super complexity { adjacent-character | same-character } check
By default, the system does not perform password complexity checking on super passwords. That is, a super password can contain consecutive identical characters and horizontally-adjacent characters on the keyboard.
6. Specify the maximum number of horizontally-adjacent characters on the keyboard that can be included in a super password.
password-control super adjacent-character max-number number
By default, a maximum of three horizontally-adjacent characters on the keyboard can be included in a super password.
Verifying and maintaining password control
Verifying password control configuration
To display password control configuration, execute the following command in any view:
display password-control [ super ]
Displaying and clearing information about users in the password control blacklist
To display information about users in the password control blacklist, execute the following command in any view:
display password-control blacklist [ user-name user-name | ip ipv4-address | ipv6 ipv6-address ]
To delete users from the password control blacklist, execute the following command in user view:
reset password-control blacklist [ user-name user-name ]
Clearing history password records
To clear history password records, execute the following command in any view:
reset password-control history-record [ super [ role role-name ] | network-class [ user-name user-name ] | user-name user-name ]
Password control configuration examples
Example: Configuring password control
Network configuration
Configure a global password control policy to meet the following requirements:
· A password must contain a minimum of 16 characters.
· A password must contain a minimum of four character types and a minimum of four characters for each type.
· An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in with the current IP address.
· A user can log in five times within 60 days after the password expires.
· A password expires after 30 days.
· The minimum password update interval is 36 hours.
· The maximum account idle time is 30 days.
· A password cannot contain the username or the reverse of the username.
· No character appears consecutively three or more times in a password.
Configure a super password control policy for user role network-operator to meet the following requirements:
· A super password must contain a minimum of 24 characters.
· A super password must contain a minimum of four character types and a minimum of five characters for each type.
Configure a password control policy for local Telnet user test to meet the following requirements:
· The password cannot contain more than four horizontally-adjacent characters on the keyboard.
· The password must contain a minimum of 24 characters.
· The password must contain a minimum of four character types and a minimum of five characters for each type.
· The password for the local user expires after 20 days.
Procedure
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Allow a maximum of two consecutive login failures on a user account, and lock the user account and the user's IP address permanently if the limit is reached.
[Sysname] password-control login-attempt 2 exceed lock
# Set all passwords to expire after 30 days.
[Sysname] password-control aging 30
# Globally set the minimum password length to 16 characters.
[Sysname] password-control length 16
# Set the minimum password update interval to 36 hours.
[Sysname] password-control update-interval 36
# Specify that a user can log in five times within 60 days after the password expires.
[Sysname] password-control expired-user-login delay 60 times 5
# Set the maximum account idle time to 30 days.
[Sysname] password-control login idle-time 30
# Refuse any password that contains the username or the reverse of the username.
[Sysname] password-control complexity user-name check
# Specify that no character can be included three or more times consecutively in a password.
[Sysname] password-control complexity same-character check
# Globally specify that all passwords must each contain a minimum of four character types and a minimum of four characters for each type.
[Sysname] password-control composition type-number 4 type-length 4
# Set the minimum super password length to 24 characters.
[Sysname] password-control super length 24
# Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type.
[Sysname] password-control super composition type-number 4 type-length 5
# Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text.
[Sysname] super password role network-operator simple 123456789ABGFTweuix@#$%!
# Create a device management user named test.
[Sysname] local-user test class manage
# Set the service type of the user to Telnet.
[Sysname-luser-manage-test] service-type telnet
# Refuse a password that contains more than four horizontally-adjacent characters on the keyboard.
[Sysname-luser-manage-test] password-control complexity adjacent-character check
[Sysname-luser-manage-test] password-control adjacent-character max-number 4
# Set the minimum password length to 24 for the local user.
[Sysname-luser-manage-test] password-control length 24
# Specify that the password of the local user must contain a minimum of four character types and a minimum of five characters for each type.
[Sysname-luser-manage-test] password-control composition type-number 4 type-length 5
# Set the password for the local user to expire after 20 days.
[Sysname-luser-manage-test] password-control aging 20
# Configure the password of the local user in interactive mode.
[Sysname-luser-manage-test] password
Password:
Confirm :
Updating user information. Please wait ... ...
[Sysname-luser-manage-test] quit
Verifying the configuration
# Display the global password control configuration.
<Sysname> display password-control
Global password control configurations:
Password control: Enabled (device management users)
Disabled (network access users)
Password aging: Enabled (30 days)
Password length: Enabled (16 characters)
Password composition: Enabled (4 types, 4 characters per type)
Password history: Enabled (max history record:4)
Early notice on password expiration: 7 days
Maximum login attempts: 2
User authentication timeout: 600 seconds
Action for exceeding login attempts: Lock
Minimum interval between two updates: 36 hours
User account idle time: 30 days
Logins with aged password: 5 times in 60 days
Password complexity: Enabled (username checking)
Enabled (repeated characters checking)
Disabled (adjacent characters checking)
Password change: Enabled (first login)
Disabled (mandatory weak password change)
All line: Disabled (all line blacklist)
User information in blacklist: Username and IP
# Display the password control configuration for super passwords.
<Sysname> display password-control super
Super password control configurations:
Password aging: Enabled (90 days)
Password length: Enabled (24 characters)
Password composition: Enabled (4 types, 5 characters per type)
# Display the password control configuration for local user test.
<Sysname> display local-user user-name test class manage
Total 1 local users matched.
Device management user test:
State: Active
Service type: Telnet
User group: system
Bind attributes:
Authorization attributes:
Work directory: flash:
User role list: network-operator
Password control configurations:
Password aging: 20 days
Password length: 24 characters
Password composition: 4 types, 5 characters per type
Password complexity: username checking
adjacent characters checking
