In this section:
- Choose Users from the Configuration Menu. The Session/User Management - Advanced page appears.
- Select the Enable Session Management checkbox and click Submit.
Note: The process of enabling user management requires you to enter a new password; you are automatically directed to the Change Password page once you click Submit.
- Enter your username and password and click Submit. Session management fields become active.
- Configure settings using the information in the following table as a guide. When you finish configuring settings, click Submit to make your changes take effect.
Session/User Management - Advanced Parameters
Item | Description |
---|---|
Enable Session Management | Enables session management for the web user interface. You must enable Session Management before you can use the User Management configuration page. |
Enable User Management | Enables user management configuration parameters. |
Terminal Inactivity Timeout (seconds) | Enter a timeout value between 0 (disabled) and 86400 seconds. This timer applies to Console, Telnet, and SSH logins. Changes to this value do not affect sessions that are already open. The timer starts counting when the session is available to receive a command. The timer is not reset until a complete command is entered. The largest allowed timeout value is 86400 seconds. The default is '0'. |
GUI Inactivity Timeout (minutes) | Enter the time in minutes after which a GUI session will expire. Range is 5 to 60 minutes. |
GUI Maximum Sessions | Enter the maximum allowed number of GUI sessions for the system. Range is 1 to 100. |
GUI Maximum Sessions Per User | Enter the maximum allowed GUI sessions for a single user. Range is 1 to 10. |
Disable Strong Password Enforcement | Box is unchecked by default: Strong Password Enforcement is enabled to require that new passwords be complex. Note: If user management is enabled, this check-box is not available on the configuration page and you have the option to edit all of the password enforcement parameters. |
Minimum Password Length | Minimum number of required characters a password must contain. Note: Maximum password length is 32 characters. Configurable range is 8-15 characters. |
Minimum Password Age | Minimum number of days before a password can be changed. Range is 0 to 30 days. |
Maximum Password Age | Maximum number of days after which the password expires. Range is 30 to 180 days. Once a user password has reached the maximum age, the user is forced to change the password before gaining system access. A user account is disabled if the user fails to change the password after three notifications of password expiration. |
Password Changes Till Reuse | To prevent password flipping, the user is denied the ability to re-use recently used passwords. Range is 0 to 16 previous passwords. |
Minimum Changed Characters Required | Minimum number of characters that must be changed from the previously used password. Range is 1 to 4. |
Minimum Alphabet Characters Required | Range is 0 to 4. |
Minimum Upper Case Alphabet Characters Required | Range is 0 to 2. |
Minimum lower Case Alphabet Characters Required | Range is 0 to 2. |
Minimum Numeric Characters Required | Range is 0 to 2. |
Minimum Special Characters Required | Range is 0 to 2. Special characters are the non-alphabetic, non-numeric ASCII characters with codes 33 to 127. |
Maximum Consecutive Repeating Characters Allowed | Range is 0 to 4. |
Intrusion Prevention | Configure Intrusion prevention by selecting the link. Refer to Intrusion Prevention. |
Default Password Change and Strong Password Enforcement
Administrators can now configure the EdgeMarc to require users to change their default password the first time they log in. The password must adhere to the strong password policy configured by the administrator.
When this feature is enabled and a root or read-only (rouser) user tries to log in to the EdgeMarc GUI with the default password, they will be redirected to the Change Password page to change their password.
CLI (SSH or Serial) users are also prompted to change their password. This feature is enabled by default.
A user is not allowed to access the system until they create a strong password that meets the following criteria:
- 6-8 (for root) total characters
- 1 lower case alphabet
- 1 numeric
- 1 special
To enable or disable Strong Password Enforcement from the EdgeMarc configuration GUI:
- Choose Users. The Session/User Management - Advanced configuration page appears by default.
- The Disable Strong Password Enforcement check-box is unchecked by default. Strong Password Enforcement is enabled and configuration fields are active.
Note: If User Management is enabled, Strong Password Enforcement settings are not available on the Session/User Management - Advanced configuration page.
- Enter required password information in the following active Password Configuration Settings fields:
  - Minimum Alphabet Characters Required (0-4)
  - Minimum Upper Case Alphabet Characters Required (0-2)
  - Minimum lower Case Alphabet Characters Required (0-2)
  - Minimum Numeric Characters Required (0-2)
  - Minimum Special Characters Required (0-2)
  - Maximum Consecutive Repeating Characters Allowed (0-4)
- Click Submit.
When the user logs in to the system for the first time with their default password, they are directed to the Change Password page.
To disable Strong Password Enforcement, check the Disable Strong Password Enforcement check-box on the Session/User Management - Advanced configuration page. Password Configuration Settings fields become inactive (grayed out) on the page.
Strong Password Enforcement can also be configured through the CLI by setting parameters in the user_mgmt.conf file. Two new PASSWD configuration commands are added, as described in the following table.
Strong Password Enforcement CLI
Command | Description |
---|---|
DISABLE_STRONG_PASSWORD_ENFORCEMENT=off | The Strong Password Enforcement feature is on. |
PASSWD_MIN_UPPER_ALPHABET_CHARS=0 | Sets the minimum number of upper case letters required. |
PASSWD_MIN_LOWER_ALPHABET_CHARS=1 | Sets the minimum number of lower case letters required. |
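The Password Configuration Settings in the parameter table and the Strong Password Enforcement procedure above describe the same per-character rules; the following added example (not EdgeMarc code) applies those rules to a candidate password and reports every violation. Field names follow the GUI parameter names, the values in `PasswordPolicy` are one constructed configuration, and treating a Maximum Consecutive Repeating Characters value of 0 as "check disabled" is an assumption.

```python
# Added example (not EdgeMarc code): a checker that applies the Password
# Configuration Settings described above to a candidate password.
import string
from dataclasses import dataclass
from itertools import groupby

@dataclass
class PasswordPolicy:
    # Field names mirror the GUI parameters; the values are one constructed configuration.
    min_length: int = 8     # Minimum Password Length (8-15); maximum is fixed at 32
    min_alpha: int = 1      # Minimum Alphabet Characters Required (0-4)
    min_upper: int = 0      # Minimum Upper Case Alphabet Characters Required (0-2)
    min_lower: int = 1      # Minimum lower Case Alphabet Characters Required (0-2)
    min_numeric: int = 1    # Minimum Numeric Characters Required (0-2)
    min_special: int = 1    # Minimum Special Characters Required (0-2)
    max_repeat: int = 2     # Maximum Consecutive Repeating Characters Allowed (0-4)

MAX_LENGTH = 32  # fixed maximum password length stated in the table

def is_special(ch: str) -> bool:
    # Page definition: non-alphabetic, non-numeric ASCII characters with codes 33 to 127.
    return 33 <= ord(ch) <= 127 and ch not in string.ascii_letters + string.digits

def longest_run(pw: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    return max((len(list(g)) for _, g in groupby(pw)), default=0)

def check_password(pw: str, policy: PasswordPolicy) -> list:
    """Return the policy violations for pw; an empty list means it is accepted."""
    violations = []
    if not policy.min_length <= len(pw) <= MAX_LENGTH:
        violations.append(f"length {len(pw)} is outside {policy.min_length}-{MAX_LENGTH}")
    counts = {
        "alphabet": sum(c in string.ascii_letters for c in pw),
        "upper": sum(c in string.ascii_uppercase for c in pw),
        "lower": sum(c in string.ascii_lowercase for c in pw),
        "numeric": sum(c in string.digits for c in pw),
        "special": sum(is_special(c) for c in pw),
    }
    required = {"alphabet": policy.min_alpha, "upper": policy.min_upper, "lower": policy.min_lower,
                "numeric": policy.min_numeric, "special": policy.min_special}
    for name, minimum in required.items():
        if counts[name] < minimum:
            violations.append(f"needs at least {minimum} {name} character(s), has {counts[name]}")
    # Assumption: a setting of 0 disables the repeating-character check.
    if policy.max_repeat and longest_run(pw) > policy.max_repeat:
        violations.append(f"{longest_run(pw)} identical characters in a row exceeds {policy.max_repeat}")
    return violations
```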
Intrusion Prevention
To configure Intrusion Prevention on EdgeMarc:
- Go to the Session/User Management - Advanced page by selecting Users under the Configuration Menu.
- Scroll down to Intrusion Prevention and select the link provided. You are redirected to the Security - Advanced page.
- Configure settings using the information in the following table as a guide.
- To enable Intrusion Prevention, select the Enable Intrusion Prevention check-box and click Submit. The Intrusion Prevention fields are now active.
- When you have finished configuring settings, click Submit to make your changes take effect.
Intrusion Prevention - Configuration Parameters
Item | Description |
---|---|
Enable CSRF Defense | Enable this option to embed a token into HTML pages to prevent CSRF attacks. The token is validated before any configuration changes are saved to the system. |
CSRF Defense Token Lifetime (10-120 mins) | Specifies the time duration for which the CSRF token is valid. Valid range is from 10 to 120 minutes. The default value for this field is 60. |
Enable Intrusion Prevention | Select this check-box to enable Intrusion Prevention. When the feature is disabled or if the system is rebooted, all records of failed attempts are deleted and all remote hosts can attempt to login. When the feature is re-enabled or when the system recovers from the reboot, all monitoring starts again. |
Failed Login Attempts (2-10) | Specify the number of failed attempts a remote host is allowed when logging in to the system's service application. The range of this field is from 2 to 10. The default value is 2. For example, setting Failed Login Attempts to 2 allows the remote host 2 attempts to log in; after the second failed attempt, the remote host is locked out for the rest of the lockout duration. |
Host Lockout Duration (1-480 mins) | Specifies the time duration for which the remote host is locked out and restricted from attempting to log in to the system’s service application. The valid range of this field is from 1 to 480 minutes. The default value is 1. If a remote host has not exceeded the specified number of Failed Login Attempts, but the Host Lockout Duration has expired since the last unsuccessful login attempt, then the number of Failed Login Attempts is reset to 0. |
Locked Out Hosts | Specifies the number of locked out remote hosts. |
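The lockout behaviour described in the Failed Login Attempts and Host Lockout Duration rows, including the count reset once the lockout duration has passed since the last failure, is shown in the following added example (not EdgeMarc code). Timestamps are seconds supplied by the caller so the rules can be exercised without a clock; the host addresses are constructed.

```python
# Added example (not EdgeMarc code): a per-host failed-login tracker that applies the
# Failed Login Attempts and Host Lockout Duration rules in the table above.
from dataclasses import dataclass, field

@dataclass
class IntrusionPrevention:
    failed_login_attempts: int = 2   # Failed Login Attempts (2-10); page default 2
    host_lockout_minutes: int = 1    # Host Lockout Duration (1-480 mins); page default 1
    enabled: bool = True
    _failures: dict = field(default_factory=dict)      # host -> (count, time of last failure)
    _locked_until: dict = field(default_factory=dict)  # host -> time the lockout expires

    def is_locked(self, host: str, now: float) -> bool:
        until = self._locked_until.get(host)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: the host may try again with a fresh count.
            del self._locked_until[host]
            self._failures.pop(host, None)
            return False
        return True

    def record_failure(self, host: str, now: float) -> bool:
        """Register a failed login; returns True if the host is (now) locked out."""
        if not self.enabled:
            return False
        if self.is_locked(host, now):
            return True
        window = self.host_lockout_minutes * 60
        count, last = self._failures.get(host, (0, None))
        # Page rule: if the lockout duration has passed since the last failure, the count resets to 0.
        if last is not None and now - last >= window:
            count = 0
        count += 1
        self._failures[host] = (count, now)
        if count >= self.failed_login_attempts:
            self._locked_until[host] = now + window
            return True
        return False

    def locked_out_hosts(self, now: float) -> int:
        """The value the GUI reports as Locked Out Hosts."""
        return sum(self.is_locked(h, now) for h in list(self._locked_until))

    def reset(self) -> None:
        # Disabling the feature or rebooting deletes all records of failed attempts.
        self._failures.clear()
        self._locked_until.clear()
```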