Configures login and password parameters specific to a user.

enable user { disable-on-login-failure [ invalid-attempts login-recovery-time { in-hours | in-mins | in-secs } recovery-time ] | password-aging | password-history [ previous-passwords ] | password-masking }
no enable user { disable-on-login-failure [ invalid-attempts login-recovery-time { in-hours | in-mins | in-secs } recovery-time ] | password-aging | password-history [ previous-passwords ] | password-masking }

Three login attempts are allowed.

Three minutes of recovery time is enforced before re-enabling user accounts.

In CC mode, the default recovery time is 3 seconds.

The ICX device stores the last five user passwords for each user.

disable-on-login-failure invalid-attempts
Specifies the number of login attempts before a user is locked out (disabled). The range is from 1 through 10. The default is 3.
login-recovery-time { in-hours | in-mins | in-secs } recovery-time
Specifies the recovery time in designated units (hours, minutes, or seconds) after which the locked-out user accounts are re-enabled automatically. The valid range for in-hours is 1 through 2. The valid range for in-mins is 3 through 120. The valid range for in-secs is 2 through 7200.
password-aging
Enables password aging.
password-history previous-passwords
Specifies how many previous passwords should be stored. The range is from 1 through 15. The default is 5.
password-masking
Enables password masking.

Global configuration mode

When password masking is enabled, the CLI displays an asterisk (*) on the console instead of the actual password character entered.

When password aging is enabled, the software records the system time that each user password was configured or last changed. After 180 days, the CLI automatically prompts users to change their passwords when they attempt to sign on. The time displays in the output of the show running configuration command, indicated by set-time.

When changing a user password, the user cannot use any of the five previously configured passwords. You can configure the ICX device to store up to 15 passwords for each user, so that users do not use the same password multiple times. If a user attempts to use a password that is stored, the system prompts the user to choose a different password.

If a user fails to log in after three attempts, that user is locked out. You can increase or decrease the number of login attempts allowed before the user is locked out.

The no form of the command removes the login and password configurations.

The no form of enable user disable-on-login-failure disables both the maximum number of login attempts and recovery time configurations. To disable only the recovery time configuration, use the no enable user { disable-on-login-failure [ invalid-attempts login-recovery-time recovery-time ] } command.

The following example sets the number of login attempts for a user to 10.

device(config)# enable user disable-on-login-failure 10

The following example locks out a user after 4 invalid login attempts and automatically re-enables the locked-out account 5 minutes after the lockout.

device(config)# enable user disable-on-login-failure 4 login-recovery-time in-mins 5

The following example enables password aging.

device(config)# enable user password-aging

The following example enables password masking and shows how the CLI then displays an asterisk (*) on the console instead of each password character entered.

device(config)# enable user password-masking

device(config)# username xyz password
Enter Password: ********

The following example configures the device to store up to 10 previous passwords.

device(config)# enable user password-history 10
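
The following added example (not part of the original command reference) is a Python check that reads `enable user` lines from a saved configuration, validates each value against the ranges documented above, and reports the effective lockout and password-history policy. It assumes the lines appear in the saved configuration in the same form as in the examples above and that the device is not in CC mode; the names `audit` and `SAMPLE` are hypothetical.

```python
import re

# Ranges and defaults as documented on this page (non-CC mode defaults).
ATTEMPTS, HISTORY = (1, 10), (1, 15)
RECOVERY = {"in-hours": (1, 2), "in-mins": (3, 120), "in-secs": (2, 7200)}
SECONDS = {"in-hours": 3600, "in-mins": 60, "in-secs": 1}

LINE = re.compile(
    r"^enable user (?:disable-on-login-failure(?: (?P<attempts>\d+)"
    r"(?: login-recovery-time (?P<unit>in-hours|in-mins|in-secs) (?P<time>\d+))?)?"
    r"|password-history(?: (?P<history>\d+))?"
    r"|(?P<flag>password-aging|password-masking))$")

def _ok(value, bounds, what, errors):
    """Record an error and return False when value is outside bounds."""
    lo, hi = bounds
    if lo <= value <= hi:
        return True
    errors.append(f"{what} {value} outside documented range {lo}-{hi}")
    return False

def audit(config_text):
    """Return (effective policy, errors) for the 'enable user' lines."""
    # Defaults: 3 attempts, 3 minutes recovery, 5 stored passwords.
    policy = {"attempts": 3, "recovery_secs": 180, "history": 5,
              "password-aging": False, "password-masking": False}
    errors = []
    for line in map(str.strip, config_text.splitlines()):
        if not line.startswith("enable user "):
            continue  # other commands, and "no enable user ..." forms
        m = LINE.match(line)
        if not m:
            errors.append(f"unrecognised syntax: {line}")
            continue
        if m["flag"]:
            policy[m["flag"]] = True
        if m["history"] and _ok(int(m["history"]), HISTORY, "password-history", errors):
            policy["history"] = int(m["history"])
        if m["attempts"] and _ok(int(m["attempts"]), ATTEMPTS, "invalid-attempts", errors):
            policy["attempts"] = int(m["attempts"])
        if m["unit"] and _ok(int(m["time"]), RECOVERY[m["unit"]], m["unit"], errors):
            policy["recovery_secs"] = int(m["time"]) * SECONDS[m["unit"]]
    return policy, errors

# Constructed sample input, not taken from a real device.
SAMPLE = """enable user disable-on-login-failure 4 login-recovery-time in-mins 5
enable user password-history 10
enable user password-masking
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A configuration with no `enable user` lines returns the documented defaults, which makes it easy to see when password aging or masking was never enabled.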

Release version    Command history
08.0.40            The command was modified to include the login-recovery-time recovery-time option.
08.0.70            The command was modified to specify recovery-time in hours, minutes, or seconds. The default recovery-time in CC mode was changed to 3 seconds.