Alcatel-Lucent 6850-48 Supplementary Manual

Managing Switch User Accounts
OmniSwitch AOS Release 6 Switch Management Guide
September 2009
Configuring Global User Lockout Settings
The following user lockout settings configured for the switch apply to all user accounts:
• Lockout window—the length of time a failed login attempt is aged before it is no longer counted as a 
failed attempt.
• Lockout threshold—the number of failed login attempts allowed within a given lockout window period 
of time.
• Lockout duration—the length of time a user account remains locked until it is automatically unlocked. 
In addition to the above lockout settings, the network administrator also has the ability to manually lock 
and unlock user accounts. The following subsections describe how to configure user lockout settings and 
how to manually lock and unlock user accounts.
Note. Only the admin user is allowed to configure user lockout settings. The admin account is protected 
from lockout; therefore, it is always available.
Lockout settings are saved automatically; that is, these settings do not require the 
, or 
 command to save user settings over a reboot. To 
view the current lockout settings configured for the switch, use the 
 command. 
For more information about this command and those used in the configuration examples throughout this 
section, see the OmniSwitch CLI Reference Guide.
Configuring the User Lockout Window
The lockout window is a moving observation window of time in which failed login attempts are 
counted. If the number of failed login attempts exceeds the lockout threshold setting (see 
“Configuring the User Lockout Threshold Number”) during any given observation window period of time, the 
user account is locked out of the switch. 
Note that if a failed login attempt ages beyond the observation window of time, that attempt is no longer 
counted towards the threshold number. For example, if the lockout window is set for 10 minutes and a 
failed login attempt occurred 11 minutes ago, then that attempt has aged beyond the lockout window time 
and is not counted. In addition, the failed login count is decremented when the failed attempt ages out.
By default, the lockout window is set to 0; this means that there is no observation window and failed login 
attempts are never aged out and will never be decremented. To configure the lockout window time, in 
minutes, use the user lockout-window command. For example:
-> user lockout-window 30
Do not configure an observation window time period that is greater than the lockout duration time period 
(see 
). 
Configuring the User Lockout Threshold Number
The lockout threshold number specifies the number of failed login attempts allowed during any given 
lockout window period of time (see “Configuring the User Lockout Window”). For example, if the lockout 
window is set for 30 minutes and the threshold number is set for 3 failed login attempts, 
then the user is locked out when 3 failed login attempts occur within a 30-minute time frame.
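The following Python model is an added example, not code from the manual or from the switch software; it shows how the lockout window, threshold and duration described above interact. The class and method names are hypothetical, and it assumes a positive lockout duration, a lock that triggers when the count reaches the threshold (as in the 3-attempt example above), and a failure count that restarts after an automatic unlock.

```python
from collections import deque

ADMIN = "admin"  # the manual states the admin account is protected from lockout


class LockoutModel:
    """Toy model of the lockout window / threshold / duration (all in minutes)."""

    def __init__(self, window, threshold, duration):
        # Caveat from the manual: the window should not exceed the lockout duration.
        if window > duration:
            raise ValueError("lockout window must not exceed lockout duration")
        self.window, self.threshold, self.duration = window, threshold, duration
        self.failures = {}   # user -> deque of failure times still being counted
        self.locked_at = {}  # user -> minute at which the account was locked

    def _age_out(self, user, now):
        # window == 0 means no observation window: failures are never aged out.
        q = self.failures.setdefault(user, deque())
        while self.window and q and now - q[0] > self.window:
            q.popleft()      # the failed-attempt count is decremented
        return q

    def count(self, user, now):
        """Number of failed attempts still counted at minute `now`."""
        return len(self._age_out(user, now))

    def is_locked(self, user, now):
        t = self.locked_at.get(user)
        if t is not None and now - t >= self.duration:
            del self.locked_at[user]      # automatic unlock after the duration
            self.failures[user].clear()   # assumption: count restarts after unlock
            return False
        return t is not None

    def failed_login(self, user, now):
        """Record a failed attempt at minute `now`; return True if now locked."""
        if user == ADMIN:
            return False
        if self.is_locked(user, now):
            return True
        q = self._age_out(user, now)
        q.append(now)
        if len(q) >= self.threshold:      # assumption: lock on reaching threshold
            self.locked_at[user] = now
        return user in self.locked_at
```

With a window of 0, attempts spread over any length of time still accumulate toward the threshold, which is why the default window setting makes the threshold a lifetime count rather than a rate.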