Configuration and Use of No-Lockout-User-Account-Profile on Avi Vantage

Background

The User Profiles option on Avi Vantage is used to control a user's access to Avi Vantage. It can be used to control various attributes related to the user account.

Avi Vantage has two default User Profiles.

  1. Default-User-Account-Profile
  2. No-Lockout-User-Account-Profile

By default, all users in the system are associated with Default-User-Account-Profile.

The main difference between the default and the no lockout user profile is the value set for Max Login Failure Count. Max Login Failure Count is the number of login attempts allowed before lockout of the user account. By default, this value is set to 3 for the default profile.
For the no lockout user profile, Max Login Failure Count is set to 0. This means that a user can have an unlimited number of login failures without the risk of the account getting locked.

Use Cases

In GSLB deployments, it is recommended to use No-Lockout-User-Account-Profile. This prevents the user account from being locked for various reasons. Sometimes the user account (in this case, an admin account) gets locked because one node of the GSLB pair is trying to reach the other node with the admin credentials, but the other node is not reachable.

Instructions

Configuration from Avi Vantage user interface

The User Profiles option is available under Administration > Accounts > User Profiles. To check or edit the attributes for No-Lockout-User-Account-Profile, navigate to Administration > Accounts > User Profiles and click the pencil icon on the right side, as shown in the snapshot below.

Note: Max Login Failure Count is set to 0. We can use the existing No-Lockout-User-Account-Profile or create a new one. Max Login Failure Count must be set to 0 for any profile to work like a No-Lockout-User-Account-Profile.

Creating a new user

Log in to the Avi Controller using admin credentials. Navigate to Administration > Accounts > Users. Click Create.

Provide the username of your choice. In this example, we are using GSLB-User.

Choose No-Lockout-User-Account-Profile from the dropdown option for User Profile, as shown in the snapshot below.

Use desired Tenant and Role for this new user and click Save.

Note: Use the user that we created in the previous step while doing GSLB configuration. For example, the user “admin” should be replaced with the newly created user (GSLB-User) with No-Lockout-User-Account-Profile.

For more information on Avi GSLB site configuration, refer to Avi GSLB Site Configuration and Operations.
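The following is an added example, not part of the original article or of Avi's own tooling. It checks an exported list of users and profiles to confirm that every account used for GSLB sites has Max Login Failure Count set to 0, and lists any other account that also never locks so it can be reviewed. The JSON layout, the key names, and the user svc-old are assumptions made for this example.

```python
import json

# Constructed sample data. The key names below are assumptions chosen for this
# example; map them from however you export users and profiles.
CONFIG = json.loads("""
{
  "profiles": [
    {"name": "Default-User-Account-Profile", "max_login_failure_count": 3},
    {"name": "No-Lockout-User-Account-Profile", "max_login_failure_count": 0}
  ],
  "users": [
    {"username": "admin"},
    {"username": "GSLB-User", "user_profile": "No-Lockout-User-Account-Profile"},
    {"username": "svc-old", "user_profile": "No-Lockout-User-Account-Profile"}
  ],
  "gslb_site_users": ["admin", "GSLB-User"]
}
""")

# Users without an explicit profile fall back to the default profile.
DEFAULT_PROFILE = "Default-User-Account-Profile"

def lockout_limits(cfg):
    """Map each username to its Max Login Failure Count (0 = never locks)."""
    limit = {p["name"]: p["max_login_failure_count"] for p in cfg["profiles"]}
    return {u["username"]: limit[u.get("user_profile", DEFAULT_PROFILE)]
            for u in cfg["users"]}

def audit(cfg):
    """Return (username, issue) pairs for accounts that need attention."""
    limits = lockout_limits(cfg)
    gslb = cfg["gslb_site_users"]
    findings = []
    for name in gslb:
        if name not in limits:
            findings.append((name, "gslb-user-not-found"))
        elif limits[name] != 0:
            # An unreachable peer retrying these credentials can lock this account.
            findings.append((name, "gslb-user-can-lock-after-%d" % limits[name]))
    for name, n in limits.items():
        # Accounts that never lock but are not used for GSLB are review items.
        if n == 0 and name not in gslb:
            findings.append((name, "no-lockout-outside-gslb"))
    return findings

if __name__ == "__main__":
    for user, issue in audit(CONFIG):
        print(user, issue)
```
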

Additional Information