password-entry

Configures user-account lockout and unlock parameters. Use this option to configure the maximum number of consecutive, failed login attempts allowed before an account is locked out, and the duration of lockout.

Supported in the following platforms:

Syntax

passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|
superuser|system-admin|vendor-admin|web-user-admin] max-fail <1-100> lockout-time <0-600>

Parameters

passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|
superuser|system-admin|vendor-admin|web-user-admin] max-fail <1-100> lockout-time <0-600>
passwd-entry role [device-provisioning-admin|helpdesk| monitor| network-admin| security-admin| superuser|system-admin|vendor-admin| web-user-admin] max-fail <1-100> lockout-time <0-600> Configures user-role based account lockout criteria
  • role – Select the user-role. The options are:
    • device-provisioning-admin
    • helpdesk
    • monitor
    • network-admin
    • security-admin
    • system-admin
    • vendor-admin
    • web-user-admin
      • max-fail <1-100> – Specify the maximum number of consecutive, failed attempts allowed before an account is locked. Specify a value from 1 - 100.
        • lockout-time <<0-600> – Specify the maximum time, in minutes, for which an account remains locked. The value ‘0‘ indicates that the account is permanently locked. Specify a value from 0 - 600 minutes.

When configured, the lockout is individually applied to each account within the specified role/roles. For example, consider the ‘monitor‘ role having two users: ‘user1‘ and ‘user2‘. The max-fail and lockout-time is set at ‘5‘ attempts and ‘10‘ minutes respectively. In this scenario, user2 makes 5 consecutive, failed login attempts, and the user2 account is locked out for 10 minutes. However, during this lockout time the user1 account remains active.

Note: In the event-system-policy context, enable ‘login-lockout‘ and ‘login-unlocked‘ event notification to trigger e-mail or syslog notification to users on occurrence of the login-lockout and login-unlock events. For more information, see event.

Example

nx9500-6C8809(config-management-policy-default)#passwd-retry role monitor max-fail 5 lockout-time 10
nx9500-6C8809(config-management-policy-default)#show con
management-policy default
no telnet
no http server
https server
ssh
user admin password 1 979cfb9288837ee26d74d07b5ea328fd0e9a2b55cf5104649c2b496cc94e7003 role superuser access all
passwd-retry role monitor max-fail 2 lockout-time 5
snmp-server community 0 private rw
snmp-server community 0 public ro
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
nx9500-6C8809(config-management-policy-default)#

Related Commands

no Removes the user-account lockout and unlock parameters configured here