Password History Enforcement
This feature prevents a user from updating their password to some password that was used in the recent past. A configurable number of previous password hashes are saved in the system. Any future proposed password update is compared against this list and marked invalid if there is a perfect match.
The administrator controls this feature via Avi Vantage’s CLI or REST API. The setting for it is maintained within the UserAccountProfile
object. By default, all the users in the system are attached to “Default-User-Account-Profile,” as shown below. If required, the admin can create a new user account profile with different thresholds.
admin:10-10-24-52]: > show useraccountprofile Default-User-Account-Profile
+-------------------------------+---------------------------------------------------------+
| Field | Value |
+-------------------------------+---------------------------------------------------------+
| uuid | useraccountprofile-6753548e-7ac5-4601-939b-ad4394405db4 |
| name | Default-User-Account-Profile |
| max_password_history_count | 0 |
| max_login_failure_count | 20 |
| account_lock_timeout | 30 |
| max_concurrent_sessions | 0 |
| credentials_timeout_threshold | 0 |
+-------------------------------+---------------------------------------------------------+
Use the CLI to change the password history count:
[admin:10-10-24-52]: > configure useraccountprofile Default-User-Account-Profile
[admin:10-10-24-52]: useraccountprofile> max_password_history_count 5
Overwriting the previously entered value for max_password_history_count
[admin:10-10-24-52]: useraccountprofile> save
+-------------------------------+---------------------------------------------------------+
| Field | Value |
+-------------------------------+---------------------------------------------------------+
| uuid | useraccountprofile-6753548e-7ac5-4601-939b-ad4394405db4 |
| name | Default-User-Account-Profile |
| max_password_history_count | 5 |
| max_login_failure_count | 20 |
| account_lock_timeout | 30 |
| max_concurrent_sessions | 0 |
| credentials_timeout_threshold | 0 |
+-------------------------------+---------------------------------------------------------+