Requirement:If Administrator wants to configure number of successive unsuccessful authentication attempts made remotely in order to get access into CLI/SSH he can lockout the "appadmin" account.
Solution:Once this feature is enabled after account getting locked out, administrators cannot log in to the system via the CLI until local administrator logs into the CLI and resets the lockout configuration or the remote administrator has to wait for the lockout duration to be elapsed and re-attempt to login.
[The lockout will still be active even if the server is rebooted ]
How can Local Administrator Login:
Local Administrator have 2 ways to get access into CLI once appadmin is locked.
1. He can login into CLI using SSH public Key authentication. [Note this should be pre-confgiured on ClearPass, Please click here for configuring CPPM to accept SSH Public Key Authentication
2. Console can be still accessed using appadmin username, even if account is locked. Local Administrator need to console to the CPPM server and login to reset the lockout or to unlock the account.
This feature is node specific and will not be replicated. Administrator need to enable the SSH lockout count and time on each server in a cluster environment.
Configuration:Configuring SSH Account Lockout
Please login to the CLI of your CPPM server and execute the command #ssh lockout. SSH account lockout has following options as shown below:
Administrator can specify the lockout count, duration, as well to reset the lockout.
In order to activate this feature, please execute the following command with number of unsuccessful attempts allowed #ssh lockout count <No. of attempts>
We can also specify the duration in minutes the time period account should remain locked using the command # ssh lockout duration <Duration in minutes minimum value =1 and maximum value = 10080>
We can view if the lockout configuration and active sessions to SSH using the command : # show ssh
Once a remote user locks out the account after specific number of lockout attempts. Administrator can unlock the account by logging in and executing following commands:
1. # ssh unlock > Unlocking the account
2. # ssh lockout reset > Resetting the ssh lockout and disabling this feature
VerificationOnce the feature is enabled if remote administrator try to login into SSH with incorrect credentials we can see the account is locked out:
After which even if he uses the correct credentials the access will be denied till the lockout time-period is elapsed.
In GUI event viewer events will be logged once lockout configuration is made, will generate an ERROR once user has locked out the account, as well as once the account unlocks
