F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Configuration Guide-6PW100

Task: Display information about users in the password control blacklist.
Command: display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view. Support for the ipv6 ipv6-address option depends on the device model. For more information, see Access Control Command Reference.

Task: Delete users from the password control blacklist.
Command: reset password-control blacklist [ user-name name ]
Remarks: Available in user view.

Task: Clear history password records.
Command: reset password-control history-record [ user-name name | super [ level level ] ]
Remarks: Available in user view. This command can delete the history password records of one or all users even when the password history function is disabled.
Password control configuration example
Network requirements
Implement the following global password control policy:
An FTP or VTY user failing to provide the correct password in two successive login attempts is
permanently prohibited from logging in.
A user can log in five times within 60 days after the password expires.
The password aging time is 30 days.
The minimum password update interval is 36 hours.
The maximum account idle time is 30 days.
A password cannot contain the username or the reverse of the username.
No character occurs consecutively three or more times in a password.
Implement the following super password control policy:
A super password must contain at least three types of valid characters, with five or more characters of each type.
Implement the following password control policy for local Telnet user test:
The password must contain at least 12 characters.
The password must contain at least two types of valid characters, with five or more characters of each type.
The password aging time is 20 days.
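The composition and global rules listed above, as an added example that is not part of the guide or of the device's software: a small Python checker that applies the username, repeated-character, length and "N types, M of each" rules to candidate passwords before they are configured, using the super and local-user policies from the requirements. The class and function names are my own, the sample passwords are constructed, and the reading of the composition rule (a character type counts only when at least M characters of it appear, and at least N types must count) is an assumption about how the device evaluates it.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class CompositionPolicy:
    """Composition limits of one policy in the example (assumed names)."""
    min_length: int     # minimum password length; 0 disables the check
    min_types: int      # character types that must be present (type-number)
    min_per_type: int   # characters required of each such type (type-length)


# The four character types the guide counts: uppercase letters, lowercase
# letters, digits and special characters.
_CHAR_TYPES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Policies taken from the network requirements above.
SUPER_POLICY = CompositionPolicy(min_length=0, min_types=3, min_per_type=5)
USER_TEST_POLICY = CompositionPolicy(min_length=12, min_types=2, min_per_type=5)


def type_counts(password: str) -> dict:
    """Count characters per type; characters outside the four types count for nothing."""
    counts = {name: 0 for name in _CHAR_TYPES}
    for ch in password:
        for name, members in _CHAR_TYPES.items():
            if ch in members:
                counts[name] += 1
                break
    return counts


def contains_username(password: str, username: str) -> bool:
    """Global rule: the password must not contain the username or its reverse.

    The comparison is case-sensitive, matching the wording of the rule
    (assumption: the device is not documented here as folding case).
    """
    if not username:
        return False
    return username in password or username[::-1] in password


def has_run(password: str, length: int = 3) -> bool:
    """Global rule: no character may occur `length` or more times consecutively."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run >= length:
            return True
    return False


def check_password(password: str, username: str, policy: CompositionPolicy) -> list:
    """Return the rules the password violates; an empty list means it is accepted.

    The global rules (username, character runs) apply to every password; the
    length and composition limits come from the policy passed in.
    """
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    satisfied = sum(1 for n in type_counts(password).values() if n >= policy.min_per_type)
    if satisfied < policy.min_types:
        violations.append(
            f"only {satisfied} character type(s) with at least "
            f"{policy.min_per_type} characters; {policy.min_types} required")
    if contains_username(password, username):
        violations.append("contains the username or its reverse")
    if has_run(password):
        violations.append("a character occurs 3 or more times consecutively")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the guide.
    for pw, user, policy in [
        ("ABCDEabcde12345", "admin", SUPER_POLICY),    # accepted
        ("ABCDEabcde1234", "admin", SUPER_POLICY),     # only four digits
        ("tsetABCDEabcde", "test", USER_TEST_POLICY),  # reverse of username
        ("aaaBBBBB12345", "test", USER_TEST_POLICY),   # run of three 'a'
    ]:
        print(repr(pw), check_password(pw, user, policy) or "accepted")
```

The checker reports every violated rule rather than stopping at the first one, which is what you want when reviewing a batch of candidate passwords offline; the device itself only needs to reject. Note that the aging, update-interval and idle-time requirements are time-based and are enforced by the device, so they are not modelled here.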
Configuration procedure
# Enable the password control feature globally.
<Firewall> system-view
[Firewall] password-control enable
# Permanently prohibit a user from logging in after two successive login failures.
[Firewall] password-control login-attempt 2 exceed lock
# Set the password aging time to 30 days for all passwords.
[Firewall] password-control aging 30