Brocade Network OS Administrator’s Guide v4.1.1: Denial of service implications; Password interaction with remote AAA servers; Configuring password policies

Page 267: Configuring the account lockout threshold


The account remains locked until explicit administrative action is taken to unlock the account. A user
account cannot be locked manually. An account that is not locked cannot be unlocked.

Failed login attempts are tracked on the local switch only. In VCS mode, the user account is locked only
on the switch where the lockout occurred; the same user can still try to log in on another switch in the
VCS fabric.

The account lockout policy is enforced across all user accounts except for the root account and
accounts with the admin role.

Denial of service implications

The account lockout mechanism may be used to create a denial of service (DoS) condition when a user
repeatedly attempts to log in to an account by using an incorrect password. Selected privileged
accounts, such as root and admin, are exempted from the account lockout policy to prevent these
accounts from being locked out by a DoS attack. However, these privileged accounts may then become
the target of password-guessing attacks.

ATTENTION

Brocade advises that you periodically examine the Security Audit logs to determine if such attacks are
attempted. Refer to Logging and analyzing security events on page 276.
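The periodic audit review the guide recommends can be scripted. The following is an added example, not code from Brocade or the guide: it parses audit-log lines in an assumed, constructed format (the real Security Audit log layout is not shown on this page) and flags exempt accounts (root, admin) whose failed-login streak since the last successful login reaches the same max-retry threshold that would have locked an ordinary account. The sample log lines, the line format and the function names are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit-log lines in an ASSUMED format. The real Network OS
# Security Audit log layout is not shown on this page; adapt LINE_RE to it.
SAMPLE_AUDIT_LOG = """\
2014-05-01T10:00:01 sw0 AUDIT login user=admin src=10.0.0.5 result=success
2014-05-01T10:05:11 sw0 AUDIT login user=admin src=10.0.0.77 result=failed
2014-05-01T10:05:12 sw0 AUDIT login user=admin src=10.0.0.77 result=failed
2014-05-01T10:05:13 sw0 AUDIT login user=admin src=10.0.0.77 result=failed
2014-05-01T10:05:14 sw0 AUDIT login user=admin src=10.0.0.77 result=failed
2014-05-01T10:05:15 sw0 AUDIT login user=admin src=10.0.0.77 result=failed
2014-05-01T10:05:16 sw0 AUDIT login user=admin src=10.0.0.77 result=failed
2014-05-01T10:06:00 sw0 AUDIT login user=root src=10.0.0.77 result=failed
2014-05-01T10:06:01 sw0 AUDIT login user=root src=10.0.0.77 result=failed
2014-05-01T10:07:00 sw0 AUDIT login user=jdoe src=10.0.0.9 result=failed
2014-05-01T10:07:05 sw0 AUDIT login user=jdoe src=10.0.0.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) AUDIT login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Accounts the guide says are exempt from lockout and therefore worth watching.
EXEMPT_ACCOUNTS = {"root", "admin"}


def parse_audit_log(text):
    """Turn the constructed log text into a list of event dicts; skip lines
    that do not match the assumed login-audit format."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def find_guessing_against_exempt(events, max_retry=5, exempt=EXEMPT_ACCOUNTS):
    """Return {(user, src): failures} for exempt accounts whose run of failed
    logins since that user's last successful login reached max_retry.

    Counting "since the last successful login" mirrors how the lockout counter
    itself is tracked, so an alert here means the account would have been
    locked had it not been exempt.
    """
    streak = defaultdict(int)  # (user, src) -> failures since last success
    alerts = {}
    for event in events:
        user = event["user"]
        if user not in exempt:
            continue
        key = (user, event["src"])
        if event["result"] == "success":
            # A successful login resets the count for this user from any source.
            for k in list(streak):
                if k[0] == user:
                    streak[k] = 0
        else:
            streak[key] += 1
            if streak[key] >= max_retry:
                alerts[key] = streak[key]
    return alerts


if __name__ == "__main__":
    for (user, src), count in find_guessing_against_exempt(
        parse_audit_log(SAMPLE_AUDIT_LOG)
    ).items():
        print(f"possible password guessing: user={user} src={src} failures={count}")
```

On the constructed sample, only the admin account from 10.0.0.77 crosses the threshold of 5; the two root failures and the non-exempt jdoe account do not produce an alert. Lowering max_retry to 2 also surfaces the root attempts, which is a useful way to tune how early the review flags activity against exempt accounts.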

Password interaction with remote AAA servers

The password policies apply to local switch authentication only. External AAA servers such as RADIUS,
TACACS+, or LDAP provide server-specific password-enforcement mechanisms. The Network OS
password management commands operate on the switch-local password database only, even when the
switch is configured to use an external AAA service for authentication. When so configured,
authentication through remote servers is applied to login only.

When remote AAA server authentication is enabled, an administrator can still perform user and
password management functions on the local password database.

For more information on remote AAA server authentication, refer to Managing User Accounts on page 261.

Configuring password policies

Use the password-attributes command with specified parameters to define or modify existing
password policies.

Configuring the account lockout threshold

You can configure the lockout threshold with the password-attributes max-retry maxretry command.
The value of maxretry specifies the number of times a user can attempt to log in with an incorrect
password before the account is locked. The number of failed login attempts is counted from the last
successful login. maxretry can be set to a value from 0 through 16. A value of 0 (the default) disables the
lockout mechanism.

The following example sets the lockout threshold to 5.
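The guide's own CLI example does not survive on this page. As an added illustration (not Network OS code and not from the guide), the following Python model captures the lockout rules stated above: a threshold of 0 through 16 with 0 disabling the mechanism, failures counted from the last successful login, counters kept per switch so a lockout on one switch does not affect another in the VCS fabric, root and admin-role accounts never locked, no manual lock, and unlocking only an account that is actually locked. The class and method names, the role strings and the sample logins are assumptions made for the example.

```python
class LockoutPolicy:
    """Model of the password-attributes max-retry behaviour described in the
    guide. Added illustration only; not Network OS code."""

    # The guide exempts the root account and accounts with the admin role.
    EXEMPT_ROLES = {"root", "admin"}

    def __init__(self, max_retry=0):
        self.set_max_retry(max_retry)
        self.failures = {}   # (switch, user) -> failed attempts since last success
        self.locked = set()  # (switch, user) pairs currently locked

    def set_max_retry(self, value):
        """password-attributes max-retry accepts 0 through 16; 0 disables lockout."""
        if not 0 <= value <= 16:
            raise ValueError("max-retry must be in the range 0 through 16")
        self.max_retry = value

    def attempt_login(self, switch, user, role, password_ok):
        """Return 'ok', 'denied', 'denied-locked' (this attempt triggered the
        lock) or 'locked' (account was already locked, regardless of password).
        Tracking is per switch, as in VCS mode."""
        key = (switch, user)
        if key in self.locked:
            # Stays locked until explicit administrative action, even with the
            # correct password.
            return "locked"
        if password_ok:
            self.failures[key] = 0  # counting restarts at the last successful login
            return "ok"
        if self.max_retry == 0 or role in self.EXEMPT_ROLES:
            # Mechanism disabled, or account exempt: deny but never lock.
            return "denied"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= self.max_retry:
            self.locked.add(key)
            return "denied-locked"
        return "denied"

    # There is deliberately no lock() method: accounts cannot be locked manually.

    def unlock(self, switch, user):
        """Explicit administrative unlock; an account that is not locked
        cannot be unlocked."""
        key = (switch, user)
        if key not in self.locked:
            raise ValueError(f"{user} on {switch} is not locked")
        self.locked.discard(key)
        self.failures[key] = 0


if __name__ == "__main__":
    # Constructed scenario: threshold 5, matching the guide's example value.
    policy = LockoutPolicy(max_retry=5)
    for attempt in range(1, 6):
        print("sw0 jdoe bad password", attempt,
              policy.attempt_login("sw0", "jdoe", "user", False))
    print("sw0 jdoe correct password:", policy.attempt_login("sw0", "jdoe", "user", True))
    print("sw1 jdoe correct password:", policy.attempt_login("sw1", "jdoe", "user", True))
    for _ in range(10):
        policy.attempt_login("sw0", "admin", "admin", False)
    print("admin locked after 10 failures?", ("sw0", "admin") in policy.locked)
    policy.unlock("sw0", "jdoe")
    print("sw0 jdoe after unlock:", policy.attempt_login("sw0", "jdoe", "user", True))
```

The model makes the trade-off in the "Denial of service implications" section concrete: ten wrong passwords against admin are all simply denied, so the account stays available but also stays guessable, whereas the fifth wrong password for an ordinary account locks it on that switch only.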


Network OS Administrator’s Guide, page 267, 53-1003225-04