password-attributes

Configures global password attributes.

Syntax

password-attributes { [ max-retry maxretry ] [ min-length minlen ] [ max-lockout-duration duration ] [ admin-lockout | character-restriction { [ lower numlower ] [ numeric numdigits ] [ special-char numsplchars ] [ upper numupper ] } }

no password-attributes { [ max-retry maxretry ] [ min-length minlen ] [ max-lockout-duration duration ] [ admin-lockout | character-restriction { [ lower numlower ] [ numeric numdigits ] [ special-char numsplchars ] [ upper numupper ] } ] }

Command Default

The default for min-length is 8. All other defaults are 0.

Parameters

admin-lockout

Enables lockout for admin role accounts.

character-restriction

Configures the restriction on various types of characters.

lower numlower: Specifies the minimum number of lowercase alphabetic characters that must occur in the password. Values range from 0 through 32 characters. The default value is 0.
numeric numdigits: Specifies the minimum number of numeric characters that must occur in the password. Values range from 0 through 32 characters. The default is 0.
special-char numsplchars: Specifies the number of punctuation characters that must occur in the password. All printable, nonalphanumeric punctuation characters, except colon (:) are allowed. Values range from 0 through 32 characters. The default value is 0.
upper numupper: Specifies the minimum number of uppercase alphabetic characters that must occur in the password. Values range from 0 through 32 characters. The default value is 0.

max-retry maxretry

Specifies the number of failed password logins permitted before a user is locked out. Values range from 0 through 16 attempted logins. The default value is 0.

min-length minlen

Specifies the minimum length of the password. Valid values range from 8 through 32 characters. The default is 8 characters.

max-lockout-duration duration

Specifies the maximum number of minutes after which the user account is unlocked. Range is from 0 through 99999. The default is 0, representing an infinite duration.

Modes

Global configuration mode

Usage Guidelines

To reset password attributes to their default values, enter the no form of this command.

Examples

The following example configures global password attributes and verifies the configuration.

device#configure terminal
device(config)# password-attributes max-retry 4 
device(config)# password-attributes character-restriction lower 2 
device(config)# password-attributes character-restriction upper 1 numeric 1 special-char 1 
device(config)# exit 
device# show running-config password-attributes
 
password-attributes max-retry 4
password-attributes character-restriction upper 1
password-attributes character-restriction lower 2
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1

The following example resets the character restriction attributes and verifies the configuration.

device#configure terminal
device(config)# no password-attributes character-restriction lower 
device(config)# no password-attributes character-restriction upper 
device(config)# exit
device# show running-config password-attributes
 
password-attributes max-retry 4
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1

The following example clears all global password attributes.

device#configure terminal
device(config)# no password-attributes 
device(config)# exit 
device# show running-config password-attributes
 
% No entries found.

The following example sets the maximum number of retries to 3 and enables lockout policy for admin role accounts.

device#configure terminal
device(config)# password-attributes max-retry 3 admin-lockout

The following example specifies that the user account be unlocked after 5 minutes and enables lockout policy for admin role accounts.

device#configure terminal
device(config)# password-attributes max-lockout-duration 5 admin-lockout