Login Security and Behavior
Password policy can be defined on the System > Users > Local Users > Password Policy page to control and place restrictions on user login passwords (see Local Users). In addition to this, you can define further login behavior settings to provide a greater degree of control and security awareness for the users of your system. The “Login and Security Settings” section of the System > Global Settings page provides a number of configuration settings split broadly into two themes:
UI Screen Banners
If you need to present your users with a message or reminder when they use the system, define it here.

| Setting | Description |
| --- | --- |
| login_banner | A banner text message to be displayed to anyone who attempts to log in to the Admin UI or Traffic Manager SSH command line. |
| banner_accept | Whether the user is required to explicitly acknowledge and agree to the login_banner text prior to logging into the Admin UI. A check box is added to the login page for this purpose. |
| uipage_banner | This is a text message that will be displayed at the top and bottom of each page of the Admin UI. |
Login Controls
You can limit the number of login attempts available to users and set the consequences of exceeding that limit.

| Setting | Description |
| --- | --- |
| max_login_attempts | The number of login failures permitted before a user account is suspended. A value of 0 disables this feature. Default: 0. The user account is reactivated after the delay set in max_login_suspension_time; however, it can be reactivated sooner from the System > Users > Local Users > Edit page or the System > Users > Suspended Users page (see Suspended Users). Ivanti recommends exercising caution when using a login attempt limit with password based authentication. Always use additional security measures such as a firewall or unique user naming convention to avoid rendering your Traffic Manager potentially inaccessible through a Denial-of-Service attack on your administrative user logins. |
| max_login_external | Specifies whether externally authenticated (LDAP, RADIUS or TACACS+) users should be suspended after max_login_attempts login failures. |
| max_login_suspension_time | The length of time for which a user account is suspended after max_login_attempts login failures. |
| login_delay | The delay after a failed login before another login attempt can be made. Default: 4. |
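The following Python model is an added example, not Ivanti code, showing how the four Login Controls settings interact and why the caution about login attempt limits matters: once the limit is reached, a correct password is refused until the suspension time has passed. The class and function names, seconds as the time unit, the 900 sample value, and the choice to reset the failure count after a successful login are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class LoginControls:
    # Setting names come from the page; seconds as the time unit is an assumption.
    max_login_attempts: int = 0            # 0 disables suspension (page default)
    max_login_external: bool = False       # also suspend LDAP/RADIUS/TACACS+ users
    max_login_suspension_time: int = 900   # constructed sample value
    login_delay: int = 4                   # page default

@dataclass
class Account:
    external: bool = False
    failures: int = 0
    suspended_until: float = 0.0
    next_attempt_at: float = 0.0

def attempt(cfg, acct, now, password_ok):
    """Return 'ok', 'failed', 'delayed' or 'suspended' for one login attempt."""
    if now < acct.suspended_until:
        return "suspended"                 # a correct password is refused too
    if now < acct.next_attempt_at:
        return "delayed"                   # login_delay has not elapsed yet
    if password_ok:
        acct.failures = 0                  # assumption: success clears the count
        return "ok"
    acct.failures += 1
    acct.next_attempt_at = now + cfg.login_delay
    limited = cfg.max_login_attempts > 0 and (
        not acct.external or cfg.max_login_external)
    if limited and acct.failures >= cfg.max_login_attempts:
        acct.suspended_until = now + cfg.max_login_suspension_time
        acct.failures = 0
    return "failed"

def replay(cfg, acct, events):
    """events: (time, password_ok) pairs; returns the outcome of each attempt."""
    return [attempt(cfg, acct, t, ok) for t, ok in events]

# Constructed timeline: three wrong passwords, then the real administrator.
EVENTS = [(0, False), (5, False), (10, False), (20, True), (1000, True)]

if __name__ == "__main__":
    limit = LoginControls(max_login_attempts=3)
    print("limit=3, local user:   ", replay(limit, Account(), EVENTS))
    print("limit=3, external user:", replay(limit, Account(external=True), EVENTS))
    print("limit=0 (default):     ", replay(LoginControls(), Account(), EVENTS))
```

Replaying your own planned values through the model before applying them shows how long an administrative account would stay unavailable after a burst of failed logins.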