HP VPN Firewall Appliances Access Control Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

281

282

283

284

285

286

287

288

289

290

274

• Password history

With this feature enabled, the system maintains certain entries of passwords that a user has used.

When a user changes the password, the system checks the new password against the used ones.

The new password must be different from the used ones by at least four characters and the four

characters must not be the same. Otherwise, the user will fail to change the password and the

system displays an error message.

You can set the maximum number of history password records for the system to maintain for each

user. When the number of history password records exceeds your setting, the latest record

overwrites the earliest one.

• Login attempt limit

Limiting the number of consecutive failed login attempts can effectively prevent password

guessing.

If an FTP or VTY user fails authentication due to a password error, the system adds the user to a

password control blacklist. If a user fails to provide the correct password after the specified

number of consecutive attempts, the system takes action as configured:

{ Prohibiting the user from logging in until the user is removed from the password control blacklist

manually.

{ Allowing the user to try continuously and removing the user from the password control blacklist

when the user logs in to the system successfully or the blacklist entry times out (the blacklist entry

aging time is 1 minute).

{ Prohibiting the user from logging in within a configurable period of time, and allowing the user

to log in again after the period of time elapses or the user is removed from the password control

blacklist.

A password control blacklist can contain up to 1024 entries.

A login attempt using a wrong username will undoubtedly fail but the username will not be added

into the password control blacklist.

Users accessing the system through the console or AUX interface are not blacklisted, because the

system is unable to obtain the IP addresses of these users and these users are privileged and

therefore relatively secure to the system. Support for the AUX login depends on the device model.

For more information about AUX login, see Getting Started Guide.

• Password composition checking

A password can be a combination of characters from the following four types:

{ Uppercase letters A to Z.

{ Lowercase letters a to z.

{ Digits 0 to 9.

{ 32 special characters. For information about special characters, see the password command in

Security Command Reference.

Depending on the system security requirements, you can set the minimum number of character

types a password must contain and the minimum number of characters of each type.

There are four password combination levels in non-FIPS mode: 1, 2, 3, and 4, each representing

the number of types that a password must at least contain. Level 1 means that a password must

contain characters of one type, level 2 at least two types, and so on.

In FIPS mode, a password must contain four types of characters and each type contains at least

one character.