Information
Lockout users after password expiration. After a user's password has expired, they have this number of days to log in and change it. If they do change their password within that number of days they will be unable to log in: They are locked out. A value of never allows the user to wait as long as they want to change their password.
Rationale:
User accounts and their passwords are the front-line of defense against malicious users gaining access to critical systems and data. Just as important as ensuring strong passwords are used and changed regularly, unused accounts should be closely monitored and disabled, whenever possible. Inactive accounts could become targets of brute force or dictionary attacks to gain access to the network and critical data/devices attached to it.
Solution
Run the following command to set the expiration-lockout-days setting.
CLI:
Hostname>set password-controls expiration-lockout-days 1
GUI:
Navigate to User Management > Password Policy > Mandatory Password Changes > Lockout users after password expiration:
Checked 'Lockout user after' setting and set to 1 day.
Default Value:
Never lockout users after password expires