Configure UC APL

To make a system UC APL compliant, the following configuration steps are required:

■   Accept only HTTPS web server certificates from a DoD authorized certificate authority. Refer to Accept DoD Web Server Certificates.
■   Enable login failure tracking. Refer to Enable Login Failure Tracking.

Accept DoD Web Server Certificates

UC APL requires that the web server only accept certificates from a DoD authorized certificate authority. By default, this is disabled. Use the following CLI command to enable it:

(config) # web https require-dod-cert

Disable acceptance of DoD web server certificates with the following CLI command:

(config) # no web https require-dod-cert

Enable Login Failure Tracking

UC APL requires that login failure tracking be enabled. By default, this is disabled. Use the following CLI command to enable it:

(config) # aaa authentication attempts track enable

Disable login failure tracking with the following CLI command:

(config) # no aaa authentication attempts track enable

Unsuccessful login attempts are displayed on the CLI. Refer to Display Unsuccessful Login Attempts.
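
The following is an added example, not part of the original documentation or any vendor tooling: a Python check that reads a saved configuration or pasted CLI session and reports which of the two UC APL settings above are not enabled. It assumes the commands appear in that text exactly as written on this page; the function names and the sample input are constructed for illustration.

```python
import re

# The two settings this page requires, written exactly as the CLI commands above.
REQUIRED = {
    "DoD web server certificates": "web https require-dod-cert",
    "login failure tracking": "aaa authentication attempts track enable",
}

# Assumption: lines pasted from a CLI session may carry the "(config) #" prompt.
PROMPT = re.compile(r"^\(config\)\s*#\s*")


def audit_uc_apl(config_text):
    """Return {setting name: True/False} for a saved configuration text.

    Both settings are disabled by default, so a setting counts as enabled only
    if its command appears and is not followed later by the matching "no" form.
    """
    state = {name: False for name in REQUIRED}
    for raw in config_text.splitlines():
        # Drop the prompt and collapse repeated whitespace before comparing.
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        for name, command in REQUIRED.items():
            if line == command:
                state[name] = True
            elif line == "no " + command:
                state[name] = False
    return state


def missing_settings(config_text):
    """List the required settings that are not enabled, in the order used on this page."""
    state = audit_uc_apl(config_text)
    return [name for name in REQUIRED if not state[name]]


# Constructed sample input, not output captured from a real device.
SAMPLE_CONFIG = """\
(config) # web https require-dod-cert
(config) # aaa authentication attempts track enable
(config) # no aaa authentication attempts track enable
"""

if __name__ == "__main__":
    for name in missing_settings(SAMPLE_CONFIG):
        print("NOT COMPLIANT:", name, "-> run:", REQUIRED[name])
```
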

Display Unsuccessful Login Attempts

UC APL requires that, when a user logs in, the system display the number of unsuccessful login attempts for that user since the last successful login. An unsuccessful login attempt includes an incorrect username or incorrect password.

After an unsuccessful login attempt, there is a delay of a few seconds before you can attempt to log in again.

If there has been an unsuccessful login attempt, a message is displayed in the UI when you successfully log in.

If there have not been any unsuccessful login attempts, no message is displayed.