Security Enhancements
This feature includes the following changes and enhancements:
- Configurable timed lockout that is applied to accounts after a configurable number of failed logon attempts.
- Stronger hash algorithm for account passwords.
Note
Due to the stronger hash algorithm, if you create accounts in ExtremeXOS 16.2, and then downgrade to versions earlier than ExtremeXOS 16.2, you may encounter problems using the passwords for these accounts. For more information about this issue, visit: http://extr.co/1KfSszY
- Removal of unmasked passwords in the command line interface.
- Stronger obfuscation of RADIUS and TACACS+ shared secrets.
- Integrity checking of downloaded images.
- Syslog alert issued when a configurable percentage of the Syslog memory buffer is filled.
- Optionally restricting the use of show log and show diagnostics commands by non-administrator accounts.
- The “safe defaults” script (unconfigured switch startup wizard) enables these new options collectively, as well as forcing the user to change the default administrator and failsafe passwords.
Supported Platforms
- BlackDiamond X8 and BlackDiamond 8800 series switches
- Summit X770, X670, X670-G2, X480, X460, X460-G2, X450-G2, X440, and X430 series switches
- E4G-200 and E4G-400 cell site routers
New CLI Commands
configure account [all | <name>] password-policy lockout-time-period [num_mins | until-cleared]
configure log target memory-buffer alert percent-full [percent | none]
configure cli password prompting-only [on | off]
configure log messages privilege [admin | user]
configure diagnostics privilege [admin | user]
Changed CLI Commands
The output of this command now displays account lockout time period information:
show accounts password-policy
If a downloaded image does not have a signature, a warning message appears. You may choose to continue or terminate the installation:
download image [[hostname | ipaddress] filename {{vr} vrname} {block-size block_size} | memorycard filename] {partition} {slot slot number
The log buffer percentage full and configurable percentage threshold information appears in the output of the following command:
show log configuration {target {upm {upm_profile_name} | xml-notification {xml_target_name} | console | session | memory-buffer | primary-msm | primary-mm | primary-node | backup-msm | backup-mm | backup-node | nvram | syslog {ipaddress|ipPort} {vr vr_name} {local}} | filter {filter-name}}
The following command shows the current password prompting setting:
show management