H3C S9500 Operation Manual-Release1648[v1.24]-07 Security Volume
04-Password Control Configuration
Table of Contents
Chapter 1 Password Control Configuration
1.1 Introduction to Password Control Configuration
1.2 Password Control Configuration
1.2.1 Configuration Task List
1.2.2 Configuring the Aging Time of System Password
1.2.3 Configuring Alert Time Before Password Expires
1.2.4 Configuring the Minimum Length of Password
1.2.5 Configuring the Maximum Number of Attempts of Entering a Password and the Processing Mode for Failed Login Attempts
1.2.6 Configuring the Maximum Number of History Password Records
1.2.7 Configuring the Timeout Time for Password Authentication
1.3 Password Control Configuration Example
Chapter 1 Password Control Configuration
When configuring password control, go to these sections for information you are interested in:
l Introduction to Password Control Configuration
l Password Control Configuration
l Password Control Configuration Example
1.1 Introduction to Password Control Configuration
S9500 series switches provide the password control function. Before a user can log in to the switch, a system login password must be configured. After a password is configured, the user must enter the password each time he or she wants to log in to the switch, and can log in and proceed with operations only after passing the authentication. If the password authentication fails, the user cannot log in to the switch.
The user can either use the default password configuration or perform his or her own password control configuration. When conducting password control, the user must follow the steps below:
1) Configuring system login password
If password authentication is required for a user to log in to the system, the system protects the password instead of displaying the input password on the command line. The password must not appear in plain text either in the system configuration file or on the terminal: it must be encrypted before being stored.
When a user inputs the password, “******”, rather than the plain text of the password, appears on the terminal. When configuring a password, the user needs to input it twice for confirmation. During password configuration, the password appears as “******” on the command line, and it is stored in encrypted form in the configuration file.
2) Enabling password control
After password configuration, the user can conduct password control, which includes the following aspects:
l Enabling password aging
l Enabling limitation of minimum password length
l Enabling history password recording
When a login password expires, the system requires the user to input a new password and saves the old password automatically. By recording the history passwords, the system prevents the user from keeping a single password or reusing previous passwords when modifying a password, thus enhancing security.
The system stores the history password records in a private file in the flash memory or a compact flash (CF) card. This file is not accessible to any user. In addition, the system automatically backs up the history password records and blacklist records, specifically as follows:
l When adding or deleting a history password record, the system requests the standby card to perform backup.
l When purging all history records or the history records of a certain user, the system requests the standby card to perform backup.
l When adding a user to or deleting a user from the blacklist, the system requests the standby card to perform backup.
l The CF card or the flash memory on the active card and that on the standby keep the same copies of history password records and blacklist records.
3) Configuring system password parameters
After the password is confirmed, the administrator can change the password at the next login. The password parameters include:
l Password aging time
l Alert time before the password expires
l Minimum password length
l Maximum number of attempts of entering a password and the processing mode for failed login attempts
l Maximum number of history password records
l Timeout time for user authentication
4) Configuring super password parameters
User levels are configured by the administrator during user configuration. The command super is used to change user levels. For example, a user of level 3 is allowed to log in to the system. After logging in, if the user wants to change his or her user level, the user needs to use the command super and pass the super password authentication. Password control, namely password aging and minimum password length limitation, must be enabled for this password.
5) Deleting history password records
After the history password record of a user is deleted, the configuration of a new password will not be restricted by the previously configured history password records. The system allows the deletion of the history password records of all users or a specific user.
The system has a logging function, which automatically logs information about the following events:
l When a user logs in successfully, the system will log the user name, IP address, and VTY number
l When a user is prohibited by the ACL rule, the system will log the user’s IP address
l When a user fails in authentication, the system will log the user name, IP address, VTY number, and failure cause
l When a user changes his or her password that has expired, the system will log the password change event
The administrator can query the login information of users based on these log records.
1.2 Password Control Configuration
1.2.1 Configuration Task List
The basic configuration tasks of password control are as follows:
l Configuring the Aging Time of System Password
l Configuring Alert Time Before Password Expires
l Configuring the Minimum Length of Password
l Configuring the Maximum Number of History Password Records
l Configuring the Timeout Time for Password Authentication
After the configuration, you can carry out display password-control in any view to view the password control information for all users, including:
l the enabled/disabled state of password aging and the aging time
l the enabled/disabled state of the minimum password length limitation and the configured minimum password length
l the enabled/disabled state of history password recording and the maximum number of history password records
l the alert time before password expiration
l the timeout time for password authentication
l the maximum number of password input attempts and the processing mode after failed password input attempts
l the time when the password history was last cleared
If a user fails to provide the correct password within the allowed number of attempts (login-times), the system adds the user to the blacklist. To view the names and the IP addresses of such users, carry out display password-control blacklist in any view.
Table 1-1 Basic configuration tasks of password control

To do... | Use the command... | Remarks
---|---|---
Enter system view | system-view | —
Enter local user view | local-user username | —
Configure system login password | password [ simple \| cipher ] password | If the command does not include simple or cipher, you need to enter the same password twice as prompted by the system. Otherwise, you only need to enter the password once without confirming it again.
Exit the current view and return to the system view | quit | —
Enable password control | password-control { aging \| length \| history } enable | By default, password control is disabled.
Configure system password parameters | password-control { aging aging-time \| length length \| login-attempt login-times \| history max-record-num \| alert-before-expire alert-time \| authentication-timeout authentication-timeout \| exceed { lock \| unlock \| locktime time } } | Refer to the detailed description in the following sections. The commands password-control aging aging-time and password-control length length can also be used in local user view.
Configure super password parameters | password-control super { aging aging-time \| length length } | By default, the aging time of the super password is 90 days, and the minimum length of the super password is 10 characters.
Delete history password records of one or all users | reset password-control history-record [ username username ] | —
Delete history records of super password | reset password-control history-record super [ level level-value ] | —
Display password control information for all users | display password-control | Available in any view
Display super password control information | display password-control super | Available in any view
To cancel an operation, use the undo form of the corresponding command.
Caution:
l Even if the history password recording function is not enabled, reset password-control history-record can still clear the history password records of a specific user or of all users.
l If the password control function is not enabled, the password aging parameters can be configured but do not take effect.
The following sections describe the configuration of the password parameters.
1.2.2 Configuring the Aging Time of System Password
After the password aging function is enabled, when a user goes through authentication to log in, the system reads the creation time of the user’s password and compares the password creation time with the password aging time of the user. There can be the following three cases:
1) If the password has not expired but is within the alert time range, the system will remind the user of the remaining days before the password will expire, and ask the user whether he or she wants to change the password. The prompt message is as follows:
Current user’s password will age out in 2 day(s) ,Would you like to enter a new one ? [Y/N]
l If the user chooses to change the password, after the password is successfully changed, the system will record the new password and record the time when the new password is set, and will allow the user to log in.
l If the user chooses not to change the password or fails to change the password, the user can still log in normally before the password expires.
2) If the user password has expired, the system will notify the user about the expiration of the password, as follows:
your password has expired ,please enter a new password :
password: **********
confirm :**********
That is, the user must enter a new password and confirm it by entering it a second time. If the new password is not acceptable (for example, shorter than the minimum length or already in the history records), or if the second entry differs from the first, the system asks for the password again; the user cannot log in until a valid new password has been set.
3) If the user's password has not expired and the remaining time before expiration is longer than the alert time, the user logs in normally.
After the user successfully changes his or her password, the current password is saved into the file in the flash memory or the CF card.
The password for super commands is processed in a similar way. However, no pre-expiration alert is given when the super password is to expire; the user is only notified whether the password has expired or not.
For an FTP user, no pre-expiration alert is given either when the password is to expire. The user is only notified about password errors but cannot change the password. Only the administrator can change the password.
Follow these steps to configure system password aging time:
To do... | Use the command... | Remarks
---|---|---
Enter system view | system-view | —
Configure password aging time | password-control aging aging-time | The value range of password aging time is 1 to 365 days. By default, the password aging time is 90 days. This command can also be carried out in local user view.

The configuration command for password aging time can be used either in system view or in local user view. In system view, the command configures the global parameter; in local user view, it configures the parameter for that user only. When the user parameter conflicts with the global parameter, the parameter configured in local user view prevails.
1.2.3 Configuring Alert Time Before Password Expires
Within the set period of time before the user password expires, the system will automatically give the following reminder information: Current user’s password will age out in 2 day (s) ,Would you like to enter a new one ? [Y/N], to remind the user of the remaining number of days in which the password will expire, and ask the user whether to change the password.
Follow these steps to configure alert time before password expiration:
To do... | Use the command... | Remarks
---|---|---
Enter system view | system-view | —
Configure alert time before password expires | password-control alert-before-expire alert-time | By default, the alert time is 7 days before the password expires.
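The three login-time cases of section 1.2.2 and the alert window of section 1.2.3 can be modelled together. The following Python is an added example, not H3C code or switch output: it reproduces the decision the switch makes at login from the password age, the aging time (global, or the per-user value set in local user view) and the alert time, including the super and FTP user behaviour described above. The names AgingPolicy, Outcome and check_password_age are assumptions for the illustration, as is treating the password as expired on exactly the aging-time day.

```python
# Added illustration of the login-time aging check described in sections 1.2.2
# and 1.2.3. Not H3C code: the S9500 performs this check internally; this model
# only reproduces the decision logic so the three cases can be exercised.
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    OK = "log in normally"
    ALERT = "log in, prompt to change the password"
    EXPIRED = "must set a new password before logging in"
    EXPIRED_ADMIN_ONLY = "password expired; only the administrator can change it"


@dataclass(frozen=True)
class AgingPolicy:
    aging_enabled: bool = True     # password-control aging enable
    aging_days: int = 90           # password-control aging aging-time (1..365, default 90)
    alert_days: int = 7            # password-control alert-before-expire alert-time (default 7)

    def __post_init__(self):
        if not 1 <= self.aging_days <= 365:
            raise ValueError("aging time must be 1 to 365 days")


def check_password_age(policy, age_days, user_kind="login", user_aging_days=None):
    """Return (outcome, days_left) for a user whose password was set age_days ago.

    user_kind: "login" (console/VTY user), "super" or "ftp". Per the manual,
    super and FTP users get no pre-expiration alert, and an FTP user cannot
    change an expired password (only the administrator can).
    user_aging_days: models 'password-control aging' set in local user view,
    which overrides the global value for that user.
    Assumption: the password counts as expired once days_left reaches 0.
    """
    if not policy.aging_enabled:
        return Outcome.OK, None
    aging = user_aging_days if user_aging_days is not None else policy.aging_days
    days_left = aging - age_days
    if days_left <= 0:
        expired = Outcome.EXPIRED_ADMIN_ONLY if user_kind == "ftp" else Outcome.EXPIRED
        return expired, 0
    if user_kind == "login" and days_left <= policy.alert_days:
        return Outcome.ALERT, days_left
    return Outcome.OK, days_left


def alert_prompt(days_left):
    """The reminder the switch prints inside the alert window (wording from the manual)."""
    return (f"Current user's password will age out in {days_left} day(s) ,"
            "Would you like to enter a new one ? [Y/N]")


if __name__ == "__main__":
    policy = AgingPolicy()
    for age in (10, 88, 90):
        outcome, left = check_password_age(policy, age)
        print(f"password age {age:>3} days -> {outcome.value} (days left: {left})")
    print(alert_prompt(2))
```

Passing a per-user aging value shows the precedence rule from the table above: a user whose local-user aging is 10 days is expired at age 10 even though the global aging time is 90 days.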
1.2.4 Configuring the Minimum Length of Password
There is a limitation on the minimum length of user-configured passwords. When a user configures a password, the system checks the password length. If the length of the password entered by the user is inappropriate, the system gives a prompt and asks the user to enter a new password.
If the password entered by the user is shorter than the set minimum length, the system will refuse this password, and will give the following prompt message: Password is too short. Please enter minimum length password.
The password for super commands is processed in the same way.
Follow these steps to configure the minimum password length:
To do... | Use the command... | Remarks
---|---|---
Enter system view | system-view | —
Configure the minimum password length | password-control length length | The value range of the minimum password length is 4 to 32 characters. The default value is 10 characters. This command can also be carried out in local user view.

The configuration of minimum password length involves two situations: the global configuration command can be used in system view to configure the minimum length of all user passwords, and the minimum password length can be configured for a particular user in local user view. As with the password aging time configuration, when the two parameters conflict, the parameter configured in local user view prevails.
1.2.5 Configuring the Maximum Number of Attempts of Entering a Password and the Processing Mode for Failed Login Attempts
The number of attempts at entering a password is limited. When the number of failed attempts exceeds the configured maximum, the system does one of the following, depending on the configured processing mode:
l The system adds the user to the blacklist and locks the user for a period of time, recording the user name + IP address and the lock time in the blacklist. At each login, the system searches the blacklist; if the user name and IP address appear there, the system refuses the login without starting password authentication. After the lock time elapses, the system removes the user from the blacklist and re-activates the user. The lock time is specified by the system administrator; the value range is 3 to 360 minutes, and the default value is 120 minutes.
l The system locks the user permanently. In this case, the user can log in again only after the administrator manually removes him or her from the blacklist. The blacklist can contain a maximum of 1024 entries.
l The system allows the user to log in again instead of locking him or her.
Once the system administrator manually removes locked users from the blacklist, these users are unlocked and can log in to the switch again.
Follow these steps to configure the maximum number of login attempts and the processing mode for failed login attempts:
To do... | Use the command... | Remarks
---|---|---
Enter system view | system-view | —
Configure the maximum number of attempts of entering a password | password-control login-attempt login-times | The value range of the maximum attempts of entering a password is 2 to 10; the default value is 3.
Configure the processing mode for failed login attempts | password-control login-attempt attempt-time exceed { lock \| unlock \| locktime time } | By default, the system still allows the user to try to log in again after a failed login attempt.
View information of users added to the blacklist | display password-control blacklist | Available in any view
Remove a user or users from the blacklist | reset password-control blacklist [ username username ] | Without username, all users are removed from the blacklist. With username, only the specified user is removed from the blacklist.
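The blacklist mechanism above is easy to get wrong when reasoning about it (the key is user name plus IP address, not the user name alone, and a timed lock clears itself while a permanent lock needs the reset command). The following Python is an added model of section 1.2.5, not H3C code: it keeps a per-(user, IP) failure counter, applies the lock, unlock and locktime modes, and exposes the equivalents of display password-control blacklist and reset password-control blacklist. Times are minutes on a clock supplied by the caller so the expiry can be exercised without waiting. The class and method names, the constructed credential table, and two behaviours the manual does not specify (locking on the login-times-th consecutive failure, and what happens when the 1024-entry table is full) are assumptions and are marked as such in the code.

```python
# Added model of the failed-login handling in section 1.2.5 (attempt limit,
# blacklist keyed by user name + IP address, lock / unlock / locktime modes).
# Not H3C code; times are minutes on a clock passed in by the caller.
from dataclasses import dataclass

MAX_BLACKLIST_ENTRIES = 1024          # from the manual
PERMANENT = None                      # blacklist value for 'exceed lock'


@dataclass(frozen=True)
class LockoutPolicy:
    login_attempts: int = 3           # password-control login-attempt (2..10, default 3)
    exceed_mode: str = "locktime"     # lock | unlock | locktime
    locktime_minutes: int = 120       # locktime time (3..360, default 120)

    def __post_init__(self):
        if not 2 <= self.login_attempts <= 10:
            raise ValueError("login-attempt must be 2 to 10")
        if self.exceed_mode not in ("lock", "unlock", "locktime"):
            raise ValueError("exceed mode must be lock, unlock or locktime")
        if not 3 <= self.locktime_minutes <= 360:
            raise ValueError("locktime must be 3 to 360 minutes")


class LoginGuard:
    def __init__(self, policy, credentials):
        self.policy = policy
        self.credentials = credentials   # constructed {user: password} for the demo
        self.failures = {}               # (user, ip) -> consecutive failures
        self.blacklist = {}              # (user, ip) -> unlock time in minutes, or PERMANENT

    def is_blacklisted(self, user, ip, now):
        key = (user, ip)
        if key not in self.blacklist:
            return False
        unlock_at = self.blacklist[key]
        if unlock_at is not PERMANENT and now >= unlock_at:
            del self.blacklist[key]      # lock time elapsed: user re-activated
            return False
        return True

    def attempt(self, user, ip, password, now):
        """One login attempt; returns 'success', 'failed', 'locked' or 'blacklisted'."""
        key = (user, ip)
        if self.is_blacklisted(user, ip, now):
            return "blacklisted"         # refused before password authentication starts
        if self.credentials.get(user) == password:
            self.failures.pop(key, None)
            return "success"
        count = self.failures.get(key, 0) + 1
        # Assumption: the limit is hit on the login_attempts-th consecutive failure.
        if count < self.policy.login_attempts:
            self.failures[key] = count
            return "failed"
        self.failures.pop(key, None)
        if self.policy.exceed_mode == "unlock":
            return "failed"              # may try again; no blacklist entry
        if len(self.blacklist) >= MAX_BLACKLIST_ENTRIES:
            # The manual states the 1024-entry cap but not the overflow behaviour;
            # assumption here: no entry is added and the attempt simply fails.
            return "failed"
        self.blacklist[key] = (PERMANENT if self.policy.exceed_mode == "lock"
                               else now + self.policy.locktime_minutes)
        return "locked"

    def reset_blacklist(self, user=None):
        """reset password-control blacklist [ username username ]; returns entries removed."""
        keys = [k for k in self.blacklist if user is None or k[0] == user]
        for k in keys:
            del self.blacklist[k]
        return len(keys)

    def display_blacklist(self):
        """display password-control blacklist: the (user name, IP address) pairs."""
        return sorted(self.blacklist)


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy(), {"test": "0123456789"})
    for minute in range(3):
        print(minute, guard.attempt("test", "10.0.0.5", "wrong", now=minute))
    print(guard.display_blacklist())
    print(122, guard.attempt("test", "10.0.0.5", "0123456789", now=122))
```

Note that the same user from a different IP address is not affected by the lock, which is why blacklist entries carry both fields.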
1.2.6 Configuring the Maximum Number of History Password Records
When a password used to log in to the system expires, the system will ask the user to enter a new password and will automatically save the password. You can configure the maximum number of history records allowable for each user. The purpose is to prevent users from using a single password or repeated passwords, thus enhancing the security.
Follow these steps to configure the maximum number of history password records:
To do... | Use the command... | Remarks
---|---|---
Enter system view | system-view | —
Configure the maximum number of history password records | password-control history max-record-num | The value range of the maximum number of history password records is 2 to 10, and the default value is 4.
Caution:
l When a new password is added but the number of the recorded history passwords has reached the configured maximum number, the system replaces the oldest record with the new one.
l When you configure the maximum number of history password records, if a user already has more history records than the configured value, the system gives a prompt and still allows the configuration for the user.
l When changing a password, do not use any recorded history password; otherwise, the system will give the following prompt: The system failed to assign password. It has been used previously. In this case, the change to the password will not take effect, and you need to configure another password.
l A password currently in use is not recorded as a history password.
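The length check of section 1.2.4 and the history check of section 1.2.6 are applied at the same moment, when a new password is set, so one model covers both. The following Python is an added example, not H3C code: it enforces the minimum length (global, or the per-user value from local user view), refuses a recorded history password with the prompt quoted above, replaces the oldest record when the maximum is reached, keeps the current password out of the history as the manual states, and provides the equivalent of reset password-control history-record. The class and method names are assumptions; so is refusing the password currently in use, which the manual implies ("prevent the user from using a single password") but does not state outright.

```python
# Added model of the password-change checks in sections 1.2.4 (minimum length)
# and 1.2.6 (history records). Not H3C code; the switch keeps the history in a
# private file on flash/CF, here it is an in-memory deque per user.
from collections import deque


class PasswordStore:
    TOO_SHORT = "Password is too short. Please enter minimum length password."
    REUSED = "The system failed to assign password. It has been used previously."
    UPDATED = "Updating the password file, please wait ..."
    CLEARED = "All historical passwords have been cleared."

    def __init__(self, min_length=10, max_history=4,
                 length_enabled=True, history_enabled=True):
        if not 4 <= min_length <= 32:
            raise ValueError("minimum length must be 4 to 32 characters")
        if not 2 <= max_history <= 10:
            raise ValueError("history records must be 2 to 10")
        self.min_length = min_length            # password-control length length
        self.max_history = max_history          # password-control history max-record-num
        self.length_enabled = length_enabled    # password-control length enable
        self.history_enabled = history_enabled  # password-control history enable
        self.current = {}                       # user -> password in use (never a history record)
        self.history = {}                       # user -> deque of previous passwords, oldest first

    def set_password(self, user, new_password, user_min_length=None):
        """Apply the length and history checks; returns (accepted, prompt).

        user_min_length models 'password-control length' set in local user
        view, which overrides the global minimum for that user.
        """
        min_len = user_min_length if user_min_length is not None else self.min_length
        if self.length_enabled and len(new_password) < min_len:
            return False, self.TOO_SHORT
        old = self.current.get(user)
        if self.history_enabled:
            # Assumption: the password in use is refused as well as the recorded
            # ones; it is checked separately because it is not a history record.
            if new_password == old or new_password in self.history.get(user, ()):
                return False, self.REUSED
            if old is not None:
                # deque(maxlen=...) drops the oldest record once the maximum is reached
                self.history.setdefault(user, deque(maxlen=self.max_history)).append(old)
        self.current[user] = new_password
        return True, self.UPDATED

    def reset_history(self, user=None):
        """reset password-control history-record [ username username ];
        works whether or not history recording is enabled."""
        users = [user] if user is not None else list(self.history)
        for u in users:
            self.history.pop(u, None)
        return self.CLEARED

    def history_of(self, user):
        return list(self.history.get(user, ()))


if __name__ == "__main__":
    store = PasswordStore(min_length=10, max_history=2)
    for pw in ("short", "0123456789", "abcdefghij", "0123456789", "klmnopqrst", "uvwxyz0123"):
        print(pw, store.set_password("test", pw))
    print("history:", store.history_of("test"))
```

With max_history set to 2 the walk-through shows the replacement rule: after three changes the first password has been evicted from the records and is accepted again, which is the reason the manual's default of 4 records, and the aging time, should be set together rather than in isolation.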
1.2.7 Configuring the Timeout Time for Password Authentication
An authentication process for a user starts when the system obtains the user name and ends when password authentication for the user is completed.
If the password authentication is not completed before the authentication times out, the authentication fails, and the system will terminate the user connection and record the log information; if the password authentication is completed before the authentication times out, the user will log in to the switch normally.
Follow these steps to configure the timeout time for password authentication:
To do... | Use the command... | Remarks
---|---|---
Enter system view | system-view | —
Configure password authentication timeout time | password-control authentication-timeout authentication-timeout | The value range of the password authentication timeout time is 30 to 120 seconds, and the default value is 60 seconds.
1.3 Password Control Configuration Example
I. Network requirements
A PC is connected with an S9500 switch. You can either use the default configuration or configure the password control parameters as required.
II. Network diagram
Figure 1-1 Network diagram for password control configuration
III. Configuration procedure
# Configure the system login password:
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user test
[H3C-luser-test] password
Password:**********
confirm:**********
Updating the password file, please wait ...
# Change the system login password to 0123456789:
[H3C-luser-test] password
Password:**********
Confirm :**********
Updating the password-file ,please wait...
# Return to system view and enable password aging:
[H3C-luser-test] quit
[H3C] password-control aging enable
Password aging enabled for all users. Default: 90 days.
# Enable limitation of the minimum password length:
[H3C] password-control length enable
Password minimum length enabled for all users. Default: 10 characters.
# Enable history password recording:
[H3C] password-control history enable
Password history enabled for all users. Default: 10 history records
# Set the aging time of super passwords to 10 days:
[H3C] password-control super aging 10
# Display the password control information of all users:
[H3C] display password-control
Global password settings for all users:
Password aging: Enabled(90 days)
Password length: Enabled(10 Characters)
Password history: Enabled(Max history records:4)
Password alert-before-expire : 7 days
Password authentication-timeout : 60 seconds
Password attempt times : 3 times
Password attempt-failed action : Lock for 120 minutes
# Delete the history password records of all users:
<H3C> reset password-control history-record
Are you sure to delete all the history record?[Y/N]
If you type "Y", the system deletes the history records of all users and gives the following prompt:
Updating the password file, please wait...
All historical passwords have been cleared.
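The display password-control output in the procedure above is the natural input for an audit: on a fleet of switches you want to confirm that aging, length and history are enabled and that failed attempts lock the account, rather than read each screen by hand. The following Python is an added example, not H3C code: it parses the text exactly as printed in the example and compares it with a hardening baseline. The sample output is constructed from the page; the baseline values, the function names and the assumption that a switched-off feature prints "Disabled" (the example only shows enabled ones) are all assumptions of this illustration.

```python
# Added audit helper for the 'display password-control' output shown in the
# configuration example. Not H3C code. The baseline is a choice made here, not
# a vendor recommendation; 'Disabled' as the off-state spelling is an assumption.
import re

# Constructed sample, copied from the manual's example output.
SAMPLE_OUTPUT = """\
Global password settings for all users:
Password aging: Enabled(90 days)
Password length: Enabled(10 Characters)
Password history: Enabled(Max history records:4)
Password alert-before-expire : 7 days
Password authentication-timeout : 60 seconds
Password attempt times : 3 times
Password attempt-failed action : Lock for 120 minutes
"""

_FIELD = re.compile(r"^Password\s+(.+?)\s*:\s*(.*?)\s*$")   # 'Password <key> : <value>'
_STATE = re.compile(r"^(Enabled|Disabled)(?:\((.*)\))?$")   # 'Enabled(90 days)'
_NUM = re.compile(r"\d+")


def parse_password_control(text):
    """Return the settings as a dict keyed by the first word after 'Password'.

    Enabled/disabled features map to (enabled, number); numeric lines map to
    the number; the attempt-failed action is kept as printed.
    """
    settings = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue                      # e.g. the 'Global password settings' header
        key, value = m.group(1).split()[0], m.group(2)
        st = _STATE.match(value)
        if st:                            # aging / length / history
            num = _NUM.search(st.group(2) or "")
            settings[key] = (st.group(1) == "Enabled", int(num.group()) if num else None)
        elif key == "attempt-failed":
            settings[key] = value         # free text such as 'Lock for 120 minutes'
        else:
            num = _NUM.search(value)
            settings[key] = int(num.group()) if num else value
    return settings


DEFAULT_BASELINE = {"aging_max_days": 90, "length_min": 10, "history_min": 4,
                    "attempts_max": 3, "require_lock": True}


def audit(settings, baseline=DEFAULT_BASELINE):
    """Compare parsed settings with the baseline; return a list of findings (empty = pass)."""
    findings = []
    enabled, days = settings.get("aging", (False, None))
    if not enabled or days is None or days > baseline["aging_max_days"]:
        findings.append("password aging disabled or longer than %d days" % baseline["aging_max_days"])
    enabled, n = settings.get("length", (False, None))
    if not enabled or n is None or n < baseline["length_min"]:
        findings.append("minimum password length disabled or below %d" % baseline["length_min"])
    enabled, n = settings.get("history", (False, None))
    if not enabled or n is None or n < baseline["history_min"]:
        findings.append("password history disabled or fewer than %d records" % baseline["history_min"])
    if settings.get("attempt", 99) > baseline["attempts_max"]:
        findings.append("more than %d password attempts allowed" % baseline["attempts_max"])
    action = settings.get("attempt-failed", "")
    if baseline["require_lock"] and not action.lower().startswith("lock"):
        findings.append("failed attempts do not lock the user")
    return findings


if __name__ == "__main__":
    parsed = parse_password_control(SAMPLE_OUTPUT)
    print(parsed)
    print("findings:", audit(parsed) or "none")
```

Feeding the helper a screen with aging disabled and a six-character minimum yields two findings, while the manual's own example passes the baseline as written.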