set system lockout

Use this command to set the number of failed login attempts before locking out (disabling) a read-write or read-only user account, the number of minutes to lock out the default admin super user account after maximum login attempts, and the number of inactive days before a non-superuser account is locked out.

Syntax

set system lockout {[attempts attempts] [time minutes [all]] [port {enable | disable}] [inactive days [all]] [emergency-access]}

Parameters

attempts attempts Specifies the number of failed login attempts allowed before a read-write or read-only user's account will be disabled. Valid values are:
  • If the security profile = C2, range is from 2 - 5
  • If the security profile = normal, range is from 1 - 15
time minutes Specifies the number of minutes the default admin user account will be locked out after the maximum login attempts. Valid values are 0–65565.
  • If the security profile = C2, the default value is 1 minute
  • If the security profile = normal, the default value is 15 minutes
port enable | disable Specifies port type lockout behavior:
  • When enabled, if the number of failed logins, configured in set system lockout attempts, is exceeded for port types telnet, SSH, webView, or console, access for the offending port type will be locked out for the time specified in the set system lockout time configuration.
  • When disabled, no lockout occurs for port type failed attempts.
inactive days Specifies the period of inactivity in days after which a non-superuser account will be locked out. Valid values are 0–65565.
  • If the security profile = C2, the default value is 90 days
  • If the security profile = normal, the default value is 0 (accounts will not be locked out due to inactivity)
all (Optional) Specifies that the setting is to be applied to all user accounts including super-user.
emergency-access user-name Specifies the user name of an account with super-user privileges that is always available through the console.

Defaults

  • attempts: 3
  • time: normal mode: 15 minutes; C2 mode: 60 minutes
  • inactive: normal mode: 0 days; C2 mode: 90 days

Mode

All command modes, Super User.

Usage

A disabled account can only be restored administratively using an account with super-user privileges. A locked-out account will be accessible after a period of time has passed.

An inactivity timer value of zero means that no account will be locked out due to inactivity.

Once a user account is disabled, it can only be re-enabled by a super user with the set system login command.

The admin user is set to emergency access by default. Emergency access can only be applied to a user with super-user privileges. Apart from port lockout, lockout behaviors are not applied to a super-user account set for emergency access when that user is accessing the device from the console. If a port is locked out, all users are denied access to the port until the lockout expires.

Example

This example shows how to set login attempts to 5 and lockout time to 30 minutes and the inactivity timer to 60 days:

System(su)->set system lockout attempts 5 time 30 inactive 60
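
The following is an added example, not part of the original command reference or the vendor's tooling: a small Python linter that checks a saved set system lockout line against the per-profile ranges listed under Parameters. The names lint_lockout and RANGES and the profile keys "normal" and "c2" are assumptions made for this example.

```python
# Added example: lints 'set system lockout' lines against the ranges on this page.
# Function and dictionary names are hypothetical; profile keys are "normal" and "c2".
RANGES = {
    "attempts": {"normal": (1, 15), "c2": (2, 5)},
    "time": {"normal": (0, 65565), "c2": (0, 65565)},      # upper bound as printed
    "inactive": {"normal": (0, 65565), "c2": (0, 65565)},  # upper bound as printed
}

def lint_lockout(line, profile="normal"):
    """Return (settings, findings) for one command line, prompt optional."""
    tokens = line.split("->", 1)[-1].split()  # drop a 'System(su)->' prompt
    if tokens[:3] != ["set", "system", "lockout"]:
        raise ValueError("not a 'set system lockout' command")
    settings, findings, i = {}, [], 3
    while i < len(tokens):
        key = tokens[i]
        val = tokens[i + 1] if i + 1 < len(tokens) else None
        if key in RANGES:
            if val is None or not val.isdigit():
                findings.append(f"{key}: missing numeric value")
                i += 1
                continue
            lo, hi = RANGES[key][profile]
            if lo <= int(val) <= hi:
                settings[key] = int(val)
            else:
                findings.append(f"{key}: {val} outside {lo}-{hi} for {profile} profile")
            i += 2
            # 'all' may follow time or inactive to include super-user accounts
            if key in ("time", "inactive") and tokens[i:i + 1] == ["all"]:
                settings[key + "_all"] = True
                i += 1
        elif key == "port" and val in ("enable", "disable"):
            settings["port"] = val
            i += 2
        elif key == "emergency-access" and val is not None:
            settings["emergency-access"] = val
            i += 2
        else:
            findings.append(f"unexpected or incomplete token: {key}")
            i += 1
    if settings.get("inactive") == 0:
        findings.append("inactive: 0 means no account is locked out for inactivity")
    if settings.get("port") == "disable":
        findings.append("port: disabled, so no lockout occurs for port type failed attempts")
    return settings, findings
```

Calling lint_lockout on the command from the Example section returns the three parsed values and no findings under either profile.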