password-attributes
Configures global password attributes.
Syntax
password-attributes { [ max-logins maxlogins ] [ max-retry maxretry ] [ min-length minlen ] [ max-logins maxlogin ] [ history number ] [ repeat minnum ] [ sequence number ] [ login-notify-duration hours ] [ admin-lockout | character-restriction { [ lower numlower ] [ numeric numdigits ] [ special-char numsplchars ] [ upper numupper ] } ] }
no password-attributes { [ max-logins maxlogins ] [ max-retry maxretry ] [ min-length minlen ] [ max-logins maxlogin ] [ history number ] [ repeat minnum ] [ sequence number ] [ login-notify-duration hours ] [ admin-lockout | character-restriction { [ lower numlower ] [ numeric numdigits ] [ special-char numsplchars ] [ upper numupper ] } ] }
Command Default
The default for min-length is 8. All other defaults are 0.
Parameters
- admin-lockout
  Enables lockout for admin role accounts.
- character-restriction
  Configures the restriction on various types of characters.
  - lower numlower
    Specifies the minimum number of lowercase alphabetic characters that must occur in the password. Values range from 0 through 32 characters. The default value is 0.
  - numeric numdigits
    Specifies the minimum number of numeric characters that must occur in the password. Values range from 0 through 32 characters. The default is 0.
  - special-char numsplchars
    Specifies the number of punctuation characters that must occur in the password. All printable, non-alphanumeric punctuation characters, except the colon (:), are allowed. Values range from 0 through 32 characters. The default value is 0.
  - upper numupper
    Specifies the minimum number of uppercase alphabetic characters that must occur in the password. Values range from 0 through 32 characters. The default value is 0.
- max-logins maxlogins
  Specifies the maximum number of log-in sessions for a user. Values range from 0 through 10. The default value is 0.
- max-retry maxretry
  Specifies the number of failed password log-ins permitted before a user is locked out. Values range from 0 through 16. The default value is 0.
- min-length minlen
  Specifies the minimum length of the password. Valid values range from 8 through 32 characters. The default is 8 characters.
- max-logins maxlogin
  Specifies the maximum number of log-in sessions allowed per local user. Valid values range from 0 through 10. The default is 0, representing an infinite number of log-ins.
- history number
  Specifies the number of old passwords against which a newly configured password is checked. The new password is discarded if it matches an old password. Valid values range from 0 through 10. The default is 0.
- repeat minimum
  Specifies the minimum number of consecutive repetitive characters in a newly configured password. The new password is discarded if it has consecutive repetitive characters (for example, aaa, xxx, 1111). Configure 1 to disable the check. The default is 1.
- sequence number
  Specifies the minimum number of consecutive sequential characters, in both forward and reverse direction (for example, abc, cba), in a newly configured password. The new password is discarded if it has consecutive sequential characters (for example, abc, xyz, fedc). Configure 1 to disable the check. The default is 1.
- login-notify-duration hours
  Specifies the duration in hours for which the admin is notified of the number of last successful attempts. Use the value 0 to disable the notification. Valid values range from 0 through 120. The default is 0.
Modes
Global configuration mode
Usage Guidelines
To reset password attributes to their default values, run the no form of this command.
If you use PuTTY to open a telnet session and then close the session by closing the
PuTTY window, the max-logins feature does not count the session
as closed because the client does not send an application layer closure message to
be processed by the PAM module. Therefore, if max-logins is
enabled when you use PuTTY to open a telnet session, use the exit
command to close the session.
The max-logins feature does not apply to REST log-ins and RESTCONF
log-ins.
Examples
The following example configures global password attributes and verifies the configuration.
device# configure terminal
device(config)# password-attributes max-retry 4
device(config)# password-attributes character-restriction lower 2
device(config)# password-attributes character-restriction upper 1 numeric 1 special-char 1
device(config)# exit
device# show running-config password-attributes
password-attributes max-retry 4
password-attributes character-restriction upper 1
password-attributes character-restriction lower 2
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1
The following example resets the character restriction attributes and verifies the configuration.
device# configure terminal
device(config)# no password-attributes character-restriction lower
device(config)# no password-attributes character-restriction upper
device(config)# exit
device# show running-config password-attributes
password-attributes max-retry 4
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1
The following example clears all global password attributes.
device# configure terminal
device(config)# no password-attributes
device(config)# exit
device# show running-config password-attributes
% No entries found.
The following example sets the maximum number of retries to 3 and enables lockout policy for admin role accounts.
device# configure terminal
device(config)# password-attributes max-retry 3 admin-lockout
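The following added example (not part of the vendor documentation) parses the show running-config password-attributes output from the first example, overlays it on the documented defaults to obtain the effective policy, and reports settings that fall outside the documented ranges or a site baseline. The BASELINE values and the function names parse and audit are assumptions chosen for illustration.

```python
# Default and valid range per attribute, from the parameter list above:
# name -> (default, low, high). No range is documented for repeat/sequence.
ATTRS = {"max-logins": (0, 0, 10), "max-retry": (0, 0, 16), "history": (0, 0, 10),
         "min-length": (8, 8, 32), "login-notify-duration": (0, 0, 120),
         "repeat": (1, None, None), "sequence": (1, None, None)}
ATTRS.update({f"character-restriction {c}": (0, 0, 32)
              for c in ("lower", "numeric", "special-char", "upper")})
# Hypothetical site baseline (an assumption, not vendor guidance): (low, high).
BASELINE = {"max-retry": (1, 5), "min-length": (12, 32),
            "history": (5, 10), "admin-lockout": (True, True)}
# "show running-config password-attributes" output from the first example.
SAMPLE = """\
password-attributes max-retry 4
password-attributes character-restriction upper 1
password-attributes character-restriction lower 2
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1
"""

def parse(text):
    """Overlay configured values on the documented defaults."""
    policy = {"admin-lockout": False, **{n: spec[0] for n, spec in ATTRS.items()}}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "password-attributes":
            continue  # prompts, blank lines, "% No entries found."
        prefix, i = "", 1
        while i < len(tokens):
            if tokens[i] == "admin-lockout":
                policy["admin-lockout"], i = True, i + 1
            elif tokens[i] == "character-restriction":
                prefix, i = "character-restriction ", i + 1
            else:
                key = prefix + tokens[i] if prefix + tokens[i] in ATTRS else tokens[i]
                if key not in ATTRS or i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
                    raise ValueError(f"unrecognised attribute in: {line!r}")
                policy[key], i = int(tokens[i + 1]), i + 2
    return policy

def audit(policy, baseline=BASELINE):
    """Return (attribute, value, reason) for every out-of-range setting."""
    checks = [(n, lo, hi, "documented range") for n, (_, lo, hi) in ATTRS.items()
              if lo is not None]
    checks += [(n, lo, hi, "site baseline") for n, (lo, hi) in baseline.items()]
    return [(n, policy[n], f"outside {why} {lo}-{hi}")
            for n, lo, hi, why in checks if not lo <= policy[n] <= hi]

if __name__ == "__main__":
    print(*audit(parse(SAMPLE)), sep="\n")
```

Because unset attributes fall back to their documented defaults, the audit also flags settings that never appear in the running configuration, such as min-length left at 8.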