Login Policy

The Login Policy controls concurrent system access to a specified number of users, sets the maximum number of unsuccessful login attempts, specifies the response to login failure, and specifies the login mode (single-factor or two-factor).

Note:

If user authentication fails or a user is locked out of the system, the SBC will not display the reason why the login failed.

The single instance login-config configuration element defines login policy.

  1. From an admin class account, access the login-config configuration element:
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# admin-security
    ORACLE(admin-security)# login-config
    ORACLE(login-config)#

    The login-config configuration element properties are shown below with their default values:

    concurrent-session-limit         2
    max-login-attempts               3
    login-attempt-interval           4
    lockout-interval                 60
    send-alarm                       enabled
    login-auth-mode                  single-factor
    enable-login-banner              enabled
  2. concurrent-session-limit—specifies the maximum number of simultaneous connections allowed per user name.

    Allowable values are integers within the range 1 through 10, with a default of 2 (simultaneous connections).

    Retain the default value, or specify a new connection limit.

    ORACLE(login-config)# concurrent-session-limit 4
    ORACLE(login-config)#
  3. max-login-attempts—specifies the number of consecutive unsuccessful login attempts that trigger disconnection of a console, SSH, or SFTP session.

    Allowable values are integers within the range 2 through 100, with a default of 3 (sessions).

    Retain the default value, or specify a new threshold value.

    ORACLE(login-config)# max-login-attempts 5
    ORACLE(login-config)#
  4. login-attempt-interval—specifies an idle interval in seconds imposed after an unsuccessful login attempt.

    Allowable values are integers within the range 4 through 60, with a default value of 4 seconds.

    Retain the default value, or specify a new login interval.

    ORACLE(login-config)# login-attempt-interval 6
    ORACLE(login-config)#
  5. lockout-interval—specifies the number of seconds that logins from an interface are not allowed after the max-login-attempts threshold has been reached.

    Allowable values are integers within the range of 15 through 300. The default value is 60 seconds.

    Note:

    The minimum lockout-interval is 15 when the JITC feature is enabled, but remains 30 when only the Admin Security feature is provisioned.

    Retain the default value, or specify a new lockout interval.

    ORACLE(login-config)# lockout-interval 30
    ORACLE(login-config)#
  6. send-alarm—enables the generation and transmission of alarms in the event of an interface lockout.

    Allowable values are enabled (the default) or disabled.

    Retain the default value, or select disabled to squelch alarm generation.

    ORACLE(login-config)# send-alarm disabled
    ORACLE(login-config)#
  7. enable-login-banner—enables or disables display of the login banner.

    Allowable values are enable (the default) or disable.

    Retain the default value, or disable login banner display.

    ORACLE(login-config)# enable-login-banner disable
    ORACLE(login-config)#

    A sample login policy configuration appears below:

    ORACLE(login-config)# concurrent-session-limit 4
    ORACLE(login-config)# max-login-attempts 5
    ORACLE(login-config)# login-attempt-interval 6
    ORACLE(login-config)# lockout-interval 30
    ORACLE(login-config)# done
    ORACLE(login-config)# exit
    ORACLE(admin-security)#

    This configuration defines a login-config configuration element that allows four simultaneous connections per user name. An idle interval of 6 seconds is imposed after each unsuccessful login attempt. Five consecutive unsuccessful login attempts trigger a 30-second lockout of the interface over which the unsuccessful logins were received. By default, single-factor authentication, alarm generation, and login banner display remain enabled.
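    To reason about how these settings interact (the lockout applies per interface while the session limit applies per user name, and the lockout-interval minimum depends on whether JITC is enabled), the following Python model is an added example, not part of Oracle's documentation or SBC software. Its jitc_enabled flag and its refusal of attempts made during an idle interval or lockout are assumptions.

```python
# Added example, not Oracle code: a model of the login-config policy above.
from dataclasses import dataclass

@dataclass
class LoginPolicy:
    concurrent_session_limit: int = 2   # 1..10, per user name
    max_login_attempts: int = 3         # 2..100 consecutive failures
    login_attempt_interval: int = 4     # 4..60 s idle after each failure
    lockout_interval: int = 60          # 15 or 30 .. 300 s, per interface
    jitc_enabled: bool = False          # assumption: selects the lockout minimum

    def violations(self):
        """Values outside the allowable ranges stated in the procedure."""
        min_lockout = 15 if self.jitc_enabled else 30
        checks = [
            ("concurrent-session-limit", self.concurrent_session_limit, 1, 10),
            ("max-login-attempts", self.max_login_attempts, 2, 100),
            ("login-attempt-interval", self.login_attempt_interval, 4, 60),
            ("lockout-interval", self.lockout_interval, min_lockout, 300),
        ]
        return [f"{n}={v} not in {lo}..{hi}"
                for n, v, lo, hi in checks if not lo <= v <= hi]

@dataclass
class Interface:
    failures: int = 0        # consecutive failures seen on this interface
    blocked_until: int = 0   # time (s) when the idle interval or lockout ends
    locked: bool = False     # True while blocked_until marks a lockout

class LoginModel:
    """Per-interface lockout, per-user session counting (assumed semantics)."""
    def __init__(self, policy):
        self.policy, self.ifaces, self.sessions = policy, {}, {}

    def attempt(self, iface, user, password_ok, now):
        st = self.ifaces.setdefault(iface, Interface())
        if now < st.blocked_until:   # assumption: attempts during a wait are refused
            return "locked-out" if st.locked else "idle-interval"
        if not password_ok:
            st.failures += 1
            if st.failures >= self.policy.max_login_attempts:
                st.failures, st.locked = 0, True
                st.blocked_until = now + self.policy.lockout_interval
                return "lockout"     # with send-alarm enabled, an alarm is raised here
            st.blocked_until, st.locked = now + self.policy.login_attempt_interval, False
            return "failed"
        st.failures = 0
        if self.sessions.get(user, 0) >= self.policy.concurrent_session_limit:
            return "session-limit"   # counted per user name, not per interface
        self.sessions[user] = self.sessions.get(user, 0) + 1
        return "ok"
```

    Running the sample policy from the procedure (4, 5, 6, 30) through the model shows that a fifth consecutive failure on one interface locks only that interface for 30 seconds, while a fifth successful login for the same user name on any interface is refused by the session limit.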