User account policy settings

You can modify the CMM user account policy settings to create a Custom policy.

The individual user account policy settings are configured to default values according to the security policy setting, Legacy or Secure, that is set for the CMM. Modifying any of the individual user account policy settings automatically sets the CMM user account policy to Custom. User account policy settings cannot conflict with the security policy setting that has been set for Flex System chassis resources. An error will occur if you attempt to set values that are incompatible.

You can view or modify the user account security policy settings from their default values using the CMM web interface or the CMM CLI:

The following table lists the user account policy settings for the CMM, and their default values for the Legacy and High policy levels, if applicable. Also listed are the CMM web interface fields and CMM CLI accseccfg command options that can modify any values that can be changed in each interface.

Table 1. User account policy settings
| User account policy setting | Description | Default Legacy setting | Default High setting | Web interface field | CLI command |
|---|---|---|---|---|---|
| User authentication method | The method for authenticating CMM users (local, LDAP, or both) | Retains the set value | Retains the set value | User authentication method (General tab) | accseccfg -am |
| Maximum simultaneous user sessions | The number of concurrent login sessions allowed for each user through all CMM interfaces | Retains the set value | Retains the set value | Number of simultaneous active sessions for LDAP users (General tab) | accseccfg -mls |
| Log new login events from same user | Whether the CMM logs multiple simultaneous login sessions from the same user | Retains the set value | Retains the set value | Do not log new authentication events for the same user (General tab) | accseccfg -ici |
| Authentication logging timeout | The amount of time that the CMM will not log repeated logins by the same user | Retains the set value | Retains the set value | Authentication logging timeout (General tab) | accseccfg -alt |
| Web session inactivity timeout | The amount of time a web interface session can be inactive before it automatically terminates | Retains the set value | Retains the set value | Web inactivity session timeout (General tab) | accseccfg -wt |
| CLI session inactivity timeout | The amount of time a CLI session can be inactive before it automatically terminates | Retains the set value | Retains the set value | CLI inactivity session timeout (in seconds) (General tab) | accseccfg -ct |
| User inactivity alert | The amount of time a user account can be inactive before it generates an alert | No limit | 120 days | Inactivity alert period (in days) (Account Security Level tab) | accseccfg -ia |
| User inactivity disable | The amount of time a user account can be inactive before it is disabled and generates an alert | No limit | 180 days | Inactivity alert and disable period (in days) (Account Security Level tab) | accseccfg -id |
| Maximum login failures | The maximum number of failed login attempts by a user before the account is locked out | 20 attempts | 20 attempts | Maximum number of login failures (Account Security Level tab) | accseccfg -lf |
| Lockout period login failure | The amount of time a user account is locked out after the maximum number of unsuccessful login attempts has been reached | 2 minutes | 60 minutes | Lockout period after maximum login failures (in minutes) (Account Security Level tab) | accseccfg -lp |
| Complex password | Whether the CMM follows more secure complex password rules | Off | On | Complex password rules (Account Security Level tab) | accseccfg -cp |
| Minimum number of different password characters | The minimum number of different character types that must be used in a password | Not checked | 2 characters | Minimum different characters in passwords (Account Security Level tab) | accseccfg -dc |
| Default 'USERID' account password must be changed on next login | The requirement that the default user must change the password at the next login to the CMM | Off | On | Factory default 'USERID' account password must be changed on next login (Account Security Level tab) | accseccfg -de |
| Password change on first access | The requirement that users change their password the first time they log in to the CMM | Off | On | Force user to change password on first access (Account Security Level tab) | accseccfg -pc |
| Password expiration period | The amount of time a user password remains valid before requiring change | No limit | 90 days | Password expiration period (days) (Account Security Level tab) | accseccfg -pe |
| Minimum password change interval | The minimum amount of time between user password changes | No limit | 24 hours | Minimum password change interval (hours) (Account Security Level tab) | accseccfg -pi |
| Password reuse cycle | The number of password changes before a password can be reused | Not checked | 5 cycles | Minimum password reuse cycle (Account Security Level tab) | accseccfg -rc |
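
Once a policy becomes Custom, the High defaults in Table 1 can serve as a baseline for spotting weakened settings. The following Python sketch is an added example, not part of the original documentation; the `option value` input format, the `on`/`off` switch values, and `0` standing for "No limit" or "Not checked" are assumptions, and the sample input is constructed.

```python
# Added example: flag account-policy values weaker than the High defaults in Table 1.
# Assumptions (not from the page): "option value" input lines, on/off switch values,
# and 0 meaning "No limit" / "Not checked".
# Rules: "min" = value must be >= baseline; "max" = value must be <= baseline and not 0;
#        "on" = switch must be on.
HIGH = {
    "-ia": (120, "days", "max"), "-id": (180, "days", "max"),
    "-lf": (20, "attempts", "max"), "-lp": (60, "minutes", "min"),
    "-cp": ("on", "", "on"), "-dc": (2, "characters", "min"),
    "-de": ("on", "", "on"), "-pc": ("on", "", "on"),
    "-pe": (90, "days", "max"), "-pi": (24, "hours", "min"),
    "-rc": (5, "cycles", "min"),
}

# Constructed sample of a Custom policy (note that -rc is missing).
SAMPLE = "-ia 120\n-id 0\n-lf 20\n-lp 2\n-cp on\n-dc 2\n-de off\n-pc on\n-pe 365\n-pi 24\n"

def parse_settings(text):
    """Parse 'option value' lines into a dict, ignoring anything else."""
    pairs = (line.split() for line in text.splitlines())
    return {p[0]: p[1].lower() for p in pairs if len(p) == 2 and p[0].startswith("-")}

def audit(settings):
    """Return sorted (option, finding) pairs for values weaker than the High default."""
    findings = []
    for opt, (base, unit, rule) in HIGH.items():
        raw = settings.get(opt)
        if raw is None:
            findings.append((opt, "not reported"))
        elif rule == "on":
            if raw != "on":
                findings.append((opt, f"{raw}, High default is on"))
        elif not raw.isdigit():
            findings.append((opt, f"unparseable value {raw!r}"))
        else:
            val = int(raw)
            weaker = val < base if rule == "min" else (val == 0 or val > base)
            if weaker:
                shown = "no limit" if val == 0 and rule == "max" else f"{val} {unit}"
                findings.append((opt, f"{shown}, High default is {base} {unit}"))
    return sorted(findings)

if __name__ == "__main__":
    for opt, finding in audit(parse_settings(SAMPLE)):
        print(f"accseccfg {opt}: {finding}")
```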