Starting from release 20.3.3, administrators can configure an account inactivity expiry period for users other than root and the default admin. If such a user has not logged in for the number of days configured as the expiry period, the account is automatically locked.
An administrator must explicitly unlock the account before it can be used again. Unlocking the account resets its inactivity timer, which then runs again until the configured period elapses. The timer is also reset whenever the user logs in successfully before the inactivity period expires.
The setting is applied per user account when the account is created or modified in SLX. In the example below, the user Mike is locked out if Mike has not logged in for 40 days, and a warning RASLOG is raised if Mike has not logged in for 20 days.
SLX(config)# username Mike acct-inactivity-expiry-period 40 acct-inactivity-warning-period 20 password xyz@12345 role admin
The inactivity expiry period can be set to any value from 1 to 180 days, and the inactivity warning period to any value from 1 to 120 days.
Note
These settings cannot be applied to the root and default admin users, but can be applied to the default user account or any other account. The warning RASLOG is generated only once, when the user has not logged in for the specified inactivity warning period. Once the account expires after the specified inactivity expiry period, an error RASLOG indicating the expiry is sent every 24 hours. If the SNMP trap severity level is configured to warning, these RASLOGs also generate an SNMP trap.
RASLOG Example
2021/03/04-09:50:00, [SEC-3138], 3445,, WARNING, SLX, Event: user inactivity warning USER test will expire in 25 days.
2021/03/15-09:51:49, [SEC-3139], 3448,, ERROR, SLX, Event: user expired USER test expired 12 days ago.
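Because SEC-3139 repeats every 24 hours while SEC-3138 fires only once, a syslog collector that simply counts alerts over-reports. The following Python is an added example (not part of this guide or of SLX-OS) that parses lines in the RASLOG format shown above, keeps only the latest inactivity state per user, and lists which accounts are currently locked and need an administrator unlock. The sample lines and usernames are constructed for the example; the regular expressions assume the exact field layout shown on this page.

```python
import re
from typing import Dict, List, Optional

# Message IDs shown on this page for the two inactivity events.
SEC_WARNING = "SEC-3138"   # warning RASLOG, generated once
SEC_EXPIRED = "SEC-3139"   # error RASLOG, repeated every 24 hours

# Field layout assumed from the RASLOG example on this page:
# <timestamp>, [<msgid>], <seq>,, <severity>, <switch>, Event: <text>
RASLOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}), "
    r"\[(?P<msgid>[A-Z]+-\d+)\], (?P<seq>\d+),, "
    r"(?P<sev>[A-Z]+), (?P<sw>[^,]+), Event: (?P<event>.*)$"
)
# Event text as it appears in both the RASLOG and the SNMP trap examples
# (the trap variant has an extra comma before "USER", so we search rather than match).
WARN_RE = re.compile(r"USER (?P<user>\S+) will expire in (?P<days>\d+) days?")
EXPIRED_RE = re.compile(r"USER (?P<user>\S+) expired (?P<days>\d+) days? ago")

# Constructed sample input: one warning and two daily expiry repeats for
# "test", a warning for "mike", and one unrelated RASLOG that must be ignored.
SAMPLE_LOG = """\
2021/03/04-09:50:00, [SEC-3138], 3445,, WARNING, SLX, Event: user inactivity warning USER test will expire in 25 days.
2021/03/15-09:51:49, [SEC-3139], 3448,, ERROR, SLX, Event: user expired USER test expired 12 days ago.
2021/03/16-09:51:49, [SEC-3139], 3449,, ERROR, SLX, Event: user expired USER test expired 13 days ago.
2021/03/16-11:00:00, [SEC-3138], 3450,, WARNING, SLX, Event: user inactivity warning USER mike will expire in 20 days.
2021/03/16-11:05:00, [SEC-1234], 3451,, INFO, SLX, Event: unrelated message
"""


def parse_raslog_line(line: str) -> Optional[dict]:
    """Return a structured record for a SEC-3138/SEC-3139 line, else None."""
    m = RASLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    if rec["msgid"] == SEC_WARNING:
        detail, kind = WARN_RE.search(rec["event"]), "warning"
    elif rec["msgid"] == SEC_EXPIRED:
        detail, kind = EXPIRED_RE.search(rec["event"]), "expired"
    else:
        return None
    if detail is None:
        return None  # known message ID but unexpected event text
    rec.update(kind=kind, user=detail["user"], days=int(detail["days"]))
    return rec


def account_status(log_text: str) -> Dict[str, dict]:
    """Latest inactivity state per username.

    Later lines override earlier ones, so the daily SEC-3139 repeats
    collapse into a single entry; expired_alerts counts how many repeats
    were seen, which tells you how long the lock has gone unattended.
    """
    status: Dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_raslog_line(line)
        if rec is None:
            continue
        entry = status.setdefault(
            rec["user"],
            {"state": None, "days": None, "last_seen": None, "expired_alerts": 0},
        )
        entry["state"] = rec["kind"]
        entry["days"] = rec["days"]
        entry["last_seen"] = rec["ts"]
        if rec["kind"] == "expired":
            entry["expired_alerts"] += 1
    return status


def locked_accounts(log_text: str) -> List[str]:
    """Usernames whose most recent event is an expiry, i.e. locked accounts."""
    return sorted(u for u, s in account_status(log_text).items() if s["state"] == "expired")


if __name__ == "__main__":
    for user, state in account_status(SAMPLE_LOG).items():
        print(f"{user}: {state}")
    print("locked:", locked_accounts(SAMPLE_LOG))
```

Feeding the collector's output into a ticket per locked account (rather than per alert) is the practical use: an account that keeps producing SEC-3139 for weeks is one nobody has decided to either unlock or delete.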
SNMP Trap Example
03:27:30.135220 IP 10.24.15.197.50000 > ldap.testsqa.com.SNMPtrap: C="cm1" Trap(276) E:1588.2.1.1.1 10.24.15.197 enterpriseSpecific s=4 365800 S:18.1.3.0=10.24.15.197 E:1588.2.1.1.1.8.5.1.1.1918=1918 E:1588.2.1.1.1.8.5.1.2.1918="2020/12/26-02:53:09" E:1588.2.1.1.1.8.5.1.3.1918=3 E:1588.2.1.1.1.8.5.1.4.1918=1 E:1588.2.1.1.1.8.5.1.5.1918="SEC-3138 Event: user inactivity warning, USER user will expire in 2 days."
03:27:30.313334 IP 10.24.15.197.50000 > ldap.testsqa.com.SNMPtrap: C="cm1" Trap(246) E:1588.2.1.1.1 10.24.15.197 enterpriseSpecific s=4 365800 S:18.1.3.0=10.24.15.197 E:1588.2.1.1.1.8.5.1.1.1919=1919 E:1588.2.1.1.1.8.5.1.2.1919="2020/12/26-02:53:09" E:1588.2.1.1.1.8.5.1.3.1919=2 E:1588.2.1.1.1.8.5.1.4.1919=1 E:1588.2.1.1.1.8.5.1.5.1919="SEC-3139 Event: user expired USER Extuser expired 3 days ago."
Locking out inactive accounts improves security by giving a brute-force attacker fewer ways into the system through a dormant SLX account, which could also be an administrator account.