user-block (Local AAA server view)

Function

The user-block reactive command sets the period for automatically activating blocked users.

The undo user-block reactive command restores the default period for automatically activating blocked users.

The user-block failed-times command enables the device to block users automatically when users consecutively type a specified number of incorrect passwords within a period.

The undo user-block failed-times command disables the device from blocking users automatically when users consecutively type a specified number of incorrect passwords within a period.

By default, the device does not block users who consecutively type incorrect passwords, and the period for automatically activating blocked users is 30 minutes.

Format

user-block failed-times failed-times-value period period-value

user-block reactive reactive-time

undo user-block failed-times

undo user-block reactive

Parameters

| Parameter | Description | Value |
|---|---|---|
| period period-value | Specifies the period within which users consecutively type incorrect passwords. | The value is an integer ranging from 1 to 120, in minutes. |
| reactive reactive-time | Specifies the period for automatically activating blocked users. | The value is an integer ranging from 0 to 1000, in minutes. If the parameter is set to 0, the device cannot unlock the local user account automatically. In this case, the administrative user can run the activate command to unlock the user account. |
| failed-times failed-times-value | Specifies the maximum number of times that users consecutively type incorrect passwords. | The value is an integer ranging from 0 to 10. The default value is 0, meaning that the device does not block users when users consecutively type incorrect passwords. |

Views

Local AAA server view

Default Level

3: Management level

Task Name and Operations

| Task Name | Operations |
|---|---|
| aaa | write |

Usage Guidelines

Usage Scenario

To prevent unauthorized users from using brute-force attacks to guess the passwords of authorized users, you can run the user-block failed-times command to enable the device to block users automatically when users consecutively type a specified number of incorrect passwords within a period.

Configuration Impact

If users are blocked, they will be activated automatically after a specified period. You can run the user-block reactive command to set this period; the default is 30 minutes.

When run in the local AAA server view or the AAA view, the user-block failed-times command takes effect for the users configured in that view.

Example

# Enable the device to block users automatically when users consecutively type two incorrect passwords within 100 minutes.
<HUAWEI> system-view
[~HUAWEI] local-aaa-server
[~HUAWEI-local-aaa-server] user-block failed-times 2 period 100
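
The following is an added example, not part of the Huawei documentation: a small audit check that applies a sequence of user-block commands and reports the resulting lockout policy, using the value ranges and defaults given on this page. The function names and the input form (a list of command strings without CLI prompts) are assumptions made for illustration.

```python
import re

# Ranges and defaults as stated on this page. The page gives no default
# for period, so it stays None until failed-times is configured.
DEFAULTS = {"failed_times": 0, "period": None, "reactive": 30}
RANGES = {"failed_times": (0, 10), "period": (1, 120), "reactive": (0, 1000)}

FAILED_RE = re.compile(r"^user-block failed-times (\d+) period (\d+)$")
REACTIVE_RE = re.compile(r"^user-block reactive (\d+)$")


def _check(name, value):
    """Reject values outside the documented range for this parameter."""
    lo, hi = RANGES[name]
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} outside {lo}..{hi}")
    return value


def effective_policy(lines):
    """Apply user-block commands in order; return (policy, findings)."""
    policy = dict(DEFAULTS)
    for raw in lines:
        line = " ".join(raw.split())  # normalise whitespace
        if m := FAILED_RE.match(line):
            policy["failed_times"] = _check("failed_times", int(m.group(1)))
            policy["period"] = _check("period", int(m.group(2)))
        elif m := REACTIVE_RE.match(line):
            policy["reactive"] = _check("reactive", int(m.group(1)))
        elif line == "undo user-block failed-times":
            policy["failed_times"], policy["period"] = 0, None
        elif line == "undo user-block reactive":
            policy["reactive"] = 30
    findings = []
    if policy["failed_times"] == 0:
        findings.append("blocking disabled: failed-times is 0")
    if policy["reactive"] == 0:
        findings.append("no automatic unlock: activate must be run manually")
    return policy, findings


# Constructed sample input: commands as typed in the local AAA server view.
SAMPLE = [
    "user-block failed-times 2 period 100",
    "user-block reactive 0",
]

if __name__ == "__main__":
    print(effective_policy(SAMPLE))
```
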
Copyright © Huawei Technologies Co., Ltd.