Security Enhancements
This feature includes the following changes and enhancements:
- Configurable timed lockout that is applied to accounts after a configurable number of failed logon attempts.
- Stronger hash algorithm for account passwords.
Note
Due to the stronger hash algorithm, if you create accounts in , and then downgrade to versions earlier than , you may encounter problems using the passwords for these accounts. For more information about this issue, visit:
http://extr.co/1KfSszY
- Removal of unmasked passwords in the command line interface.
- Stronger obfuscation of RADIUS and TACACS+ shared secrets.
- Integrity checking of downloaded images.
- Syslog alert issued when a configurable percentage of the Syslog memory buffer is filled.
- Optionally restricting the use of show log and show diagnostics commands by non-administrator accounts.
- The “safe defaults” script (unconfigured switch startup wizard) enables these new options collectively, as well as forcing the user to change the default administrator and failsafe passwords.
Supported Platforms
- BlackDiamond X8 and BlackDiamond 8800 series switches
- Summit X770, X670, X670-G2, X480, X460, X460-G2, X450-G2, X440, and X430 series switches
- E4G-200 and E4G-400 cell site routers
New CLI Commands
configure account [all | <name>] password-policy lockout-time-period [num_mins | until-cleared]
configure log target memory-buffer alert percent-full [percent | none]
configure cli password prompting-only [on | off]
configure log messages privilege [admin | user]
configure diagnostics privilege [admin | user]
Changed CLI Commands
The output of this command now displays account lockout time period information:
show accounts password-policy
If a downloaded image does not have a signature, a warning message appears. You may choose to continue or terminate the installation:
download image [[hostname | ipaddress] filename {{vr} vrname} {block-size block_size} | memorycard filename] {partition} {slot slot number}
The log buffer percentage full and configurable percentage threshold information appears in the output of the following command:
show log configuration {target {upm {upm_profile_name} | xml-notification {xml_target_name} | console | session | memory-buffer | primary-msm | primary-mm | primary-node | backup-msm | backup-mm | backup-node | nvram | syslog {ipaddress|ipPort} {vr vr_name} {local}} | filter {filter-name}}
The following command shows the current password prompting setting:
show management