Welcome to Dell Technologies Connectrix Brocade B-Series: How to Series.
How to configure Account Lockout Policy on a Brocade switch. Reference Dell Knowledge Article Number 184981. This video was created to demonstrate: How to configure Account Lockout Policy on a Brocade switch.
The Account Lockout Policy disables a user account when that user exceeds a specified number of failed login attempts, and is enforced across all user accounts.
You can configure this policy to keep the account locked until explicit administrative action is taken to unlock it. Or the locked account can be automatically unlocked after a specified period.
Administrators can unlock a locked account at any time. The admin account can also have the Lockout Policy enabled on it. The admin Account Lockout Policy is disabled by default and uses the same lockout threshold as accounts with other permissions.
A locked admin account can be automatically unlocked after the lockout duration passes, or manually unlocked by a user account that has securityAdmin or admin permissions.
This video presents the following: Use the following attributes to set the Account Lockout Policy. LockoutThreshold: Specifies the number of times that a user can attempt to log in using an incorrect password before the account is blocked.
The number of failed login attempts is counted from the last successful login. LockoutThreshold values range from 0 through 999, and the default value is 0.
Setting the value to 0 disables the Lockout mechanism. LockoutDuration: Specifies the time in minutes after which a previously locked account is automatically unlocked.
LockoutDuration values range from 0 through 99999, and the default value is 30. Setting the value to 0 disables lockout duration, and requires a user to seek administrative action to unlock the account.
The lockout duration begins with the first login attempt, after the "LockoutThreshold" has been reached. Subsequent failed login attempts do not extend the lockout period.
When to do this: The account lockout mechanism can be used to create a denial of service condition when a user repeatedly attempts to log in to an account using an incorrect password.
Selected privileged accounts are exempted from the Account Lockout Policy to prevent users from being locked out from a denial of service attack.
However, these privileged accounts may then become the target of password-guessing attacks. Audit logs should be examined to monitor if such attacks are attempted.
Before you begin, please review the following commands. Pause the video as needed: enable the Admin Lockout Policy; set the LockoutThreshold; set the LockoutDuration; unlock an account; disable the Admin Lockout Policy.
Log in to the switch using an account that has admin or security admin permissions. Enable the Admin Lockout Policy.
Set the LockoutThreshold. Here, we set it to three. This means a user can enter an incorrect password a maximum of three times during login before the account is locked.
Set the LockoutDuration. Here, we set it to 40 minutes. This means a previously locked account is automatically unlocked after 40 minutes. Verify the changes.
To test the changes you applied, log in to the switch with the same account and enter an incorrect password three times. You see the error: Account locked - maximum login failure threshold reached.
To unlock an account, log in to the switch using an alternate user account that has admin or security admin permissions, or log in to the switch with the root account.
Run the command userconfig --change admin -u. You can now log in to the switch again with the account that was locked previously, using the correct password.
Disable the Admin Lockout Policy using the following command, and verify the changes. Please refer to the following important notes: A failed login attempt counter is maintained for each user on each switch instance.
The counters for all user accounts are reset to zero when the Account Lockout Policy is enabled. The counter for an individual account is reset to zero when the account is unlocked after a lockout duration period expires, or when the account user logs in successfully.
Virtual Fabrics considerations: The home logical fabric context is used to validate user enforcement for the Account Lockout Policy. The account-locked state is distinct from the account-disabled state.
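To make the attribute descriptions and the counter notes above concrete, here is an added example, not Dell or Brocade code, that simulates the lockout rules the video states: failures counted since the last successful login, a threshold of 0 disabling the mechanism, a duration of 0 meaning the account stays locked until an administrator unlocks it, all counters zeroed when the admin policy is enabled, and the admin account exempt until that policy is on. Account names, passwords and the minute-based clock are constructed for the demonstration; the model assumes the lockout timer starts at the failed attempt that reaches the threshold. The comments name the passwdcfg options that set each attribute on a real switch as far as I know them; the transcript does not spell out that syntax, so confirm it against the Fabric OS Command Reference Guide cited below before using it.

```python
"""Simulation of the Brocade Account Lockout Policy rules (added example,
not Dell or Brocade code). Nothing here talks to a switch; it only models
the behaviour described in the video so the edge cases can be checked."""
from dataclasses import dataclass, field
from typing import Dict, Optional

ADMIN_ACCOUNT = "admin"  # exempt from lockout unless the admin policy is enabled
LOCKED_MSG = "Account locked - maximum login failure threshold reached"


@dataclass
class Account:
    password: str                    # constructed sample credential
    failures: int = 0                # failed attempts since the last successful login
    locked_at: Optional[int] = None  # minute the lock began, None when not locked


@dataclass
class LockoutPolicy:
    # CLI equivalent (assumed syntax): passwdcfg --set -lockoutthreshold N (0..999, default 0)
    lockout_threshold: int = 0
    # CLI equivalent (assumed syntax): passwdcfg --set -lockoutduration N (0..99999 min, default 30)
    lockout_duration: int = 30
    # CLI equivalent (assumed syntax): passwdcfg --enableadminlockout / --disableadminlockout
    admin_lockout: bool = False
    accounts: Dict[str, Account] = field(default_factory=dict)

    def add_user(self, name: str, password: str) -> None:
        self.accounts[name] = Account(password)

    def enable_admin_lockout(self) -> None:
        self.admin_lockout = True
        for acct in self.accounts.values():  # enabling the policy zeroes all counters
            acct.failures = 0

    def disable_admin_lockout(self) -> None:
        self.admin_lockout = False

    def _covered(self, name: str) -> bool:
        if self.lockout_threshold == 0:      # threshold 0 disables the mechanism
            return False
        return name != ADMIN_ACCOUNT or self.admin_lockout

    def _expired(self, acct: Account, now: int) -> bool:
        # duration 0 never expires: an administrator has to unlock the account
        return self.lockout_duration > 0 and now - acct.locked_at >= self.lockout_duration

    def login(self, name: str, password: str, now: int) -> str:
        """One login attempt at minute `now`; returns 'ok', 'failed' or LOCKED_MSG."""
        acct = self.accounts[name]
        if acct.locked_at is not None:
            if not self._expired(acct, now):
                return LOCKED_MSG            # further failures do not extend the lock
            self.unlock(name)                # duration passed: auto-unlock, counter reset
        if password == acct.password:
            acct.failures = 0                # counter restarts at each successful login
            return "ok"
        acct.failures += 1
        if self._covered(name) and acct.failures >= self.lockout_threshold:
            acct.locked_at = now             # assumption: timer starts at the locking attempt
            return LOCKED_MSG
        return "failed"

    def unlock(self, name: str) -> None:
        """Administrative unlock, what `userconfig --change <user> -u` does on the switch."""
        acct = self.accounts[name]
        acct.locked_at = None
        acct.failures = 0


def walkthrough():
    """Replay the video's scenario: threshold 3, duration 40 minutes."""
    policy = LockoutPolicy(lockout_threshold=3, lockout_duration=40)
    policy.add_user("operator", "correct-horse")    # constructed sample account
    policy.add_user(ADMIN_ACCOUNT, "admin-secret")  # constructed sample password
    three_wrong = [policy.login("operator", "wrong", now=t) for t in (0, 1, 2)]
    right_but_locked = policy.login("operator", "correct-horse", now=3)
    right_after_wait = policy.login("operator", "correct-horse", now=43)
    # admin stays exempt (and keeps absorbing guesses) until the admin policy is on
    admin_exempt = [policy.login(ADMIN_ACCOUNT, "wrong", now=t) for t in range(5)]
    policy.enable_admin_lockout()
    admin_covered = [policy.login(ADMIN_ACCOUNT, "wrong", now=t) for t in (10, 11, 12)]
    return three_wrong, right_but_locked, right_after_wait, admin_exempt, admin_covered


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The admin_exempt list is the situation the "When to do this" section warns about: with the admin policy off, five wrong passwords against admin never lock it, so those failures only show up in the audit log, which is why the log should be reviewed; the moment the admin policy is enabled, the same three failures lock the account like any other.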
Refer to the following for more information: KB Number 184981; docu83435, Brocade Fabric OS Administrator's Guide, Account Lockout Policy; docu83446, Brocade Fabric OS Command Reference Guide.
Thank you for watching.