local-aaa-user wrong-password

Function

The local-aaa-user wrong-password command enables the local account locking function and sets the retry interval, the maximum number of consecutive incorrect password attempts, and the locking duration.

The undo local-aaa-user wrong-password command disables the local account locking function.

By default, the local account locking function is enabled, the retry interval is 5 minutes, the maximum number of consecutive incorrect password attempts is 3, and the account locking period is 5 minutes.

Format

local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time

undo local-aaa-user wrong-password

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| retry-interval retry-interval | Specifies the retry interval of a local account. | The value is an integer that ranges from 5 to 65535, in minutes. |
| retry-time retry-time | Specifies the maximum number of consecutive incorrect password attempts. | The value is an integer that ranges from 3 to 65535. |
| block-time block-time | Specifies the local account locking duration. In actual application, there is a one minute difference in locking time. | The value is an integer that ranges from 5 to 65535, in minutes. |

Views

AAA view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command applies to the following scenarios:
  • The command locks a local account to improve the password security of the local user. If the password is entered incorrectly more than a certain number of times within the given retry period, the account is locked. The device does not authenticate the user while the account is locked.
  • The command locks a local account to ensure that the password cannot be cracked by a brute-force attack from a malicious user. When a user attempts to change the password, if the original password is entered incorrectly more than a certain number of times within the given retry period, the account is locked. The user cannot modify the password while the account is locked.

Follow-up Procedure

After a local account is locked, you can run the local-user user-name state active command to unlock the local account.

Precautions

Only entering an incorrect password can lock the account. Other local authentication failures do not lock the account.

When the number of login failures or initial password change failures of the local user does not reach the limit specified using the local-aaa-user wrong-password command, the user is not locked. In this case, if the limit is changed using the local-aaa-user wrong-password command and the new limit is smaller than the number of login failures or initial password change failures of the user, the user still has a chance to log in to the device or change the password.

Example

# Enable local account locking, and set the authentication retry interval to 5 minutes, maximum number of consecutive incorrect password attempts to 3, and account locking period to 5 minutes.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
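
An added example, not part of the vendor documentation: a Python check that reads configuration text, works out the effective lockout settings from this command, and reports values outside the documented ranges or weaker than a local baseline. It assumes that the undo form appears verbatim in the text when locking is disabled and that an absent command means the documented defaults apply; max_attempts, min_block and the sample configurations are hypothetical.

```python
import re

# Value ranges and defaults as documented for this command.
RANGES = {"retry-interval": (5, 65535), "retry-time": (3, 65535), "block-time": (5, 65535)}
DEFAULTS = {"retry-interval": 5, "retry-time": 3, "block-time": 5}

CMD = re.compile(
    r"^\s*local-aaa-user wrong-password"
    r"\s+retry-interval\s+(\d+)\s+retry-time\s+(\d+)\s+block-time\s+(\d+)\s*$"
)
UNDO = re.compile(r"^\s*undo local-aaa-user wrong-password\s*$")


def audit_lockout(config_text, max_attempts=5, min_block=5):
    """Return (settings, findings); settings is None when locking is disabled.

    max_attempts and min_block are a hypothetical local baseline, not vendor values.
    """
    settings, findings = dict(DEFAULTS), []
    for line in config_text.splitlines():
        if UNDO.match(line):
            settings = None  # the later line wins, as with sequential CLI input
        elif (m := CMD.match(line)):
            settings = dict(zip(RANGES, map(int, m.groups())))
    if settings is None:
        return None, ["local account locking is disabled"]
    for key, (lo, hi) in RANGES.items():
        if not lo <= settings[key] <= hi:
            findings.append(f"{key} {settings[key]} outside documented range {lo}-{hi}")
    if settings["retry-time"] > max_attempts:
        findings.append(f"retry-time {settings['retry-time']} exceeds baseline {max_attempts}")
    if settings["block-time"] < min_block:
        findings.append(f"block-time {settings['block-time']} below baseline {min_block}")
    return settings, findings


# Constructed sample configurations (not taken from a real device).
SAMPLES = {
    "explicit": "aaa\n local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5\n",
    "weak": "aaa\n local-aaa-user wrong-password retry-interval 5 retry-time 100 block-time 5\n",
    "disabled": "aaa\n undo local-aaa-user wrong-password\n",
    "absent": "aaa\n local-user admin state active\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_lockout(text))
```
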
Copyright © Huawei Technologies Co., Ltd.