|
Contents
- Login Password Retry Lockout
- Finding Feature Information
- Prerequisites for Login Password Retry Lockout
- Restrictions for Login Password Retry Lockout
- Information About Login Password Retry Lockout
- Lock Out of a Local AAA User Account
- How to Configure Login Password Retry Lockout
- Configuring Login Password Retry Lockout
- Unlocking a Login Locked-Out User
- Clearing the Unsuccessful Login Attempts of a User
- Monitoring and Maintaining Login Password Retry Lockout Status
- Configuration Examples for Login Password Retry Lockout
- Displaying the Login Password Retry Lockout Configuration Example
- Additional References
- Feature Information for Login Password Retry Lockout
- Glossary
Login Password Retry Lockout
The Login Password Retry Lockout feature allows system administrators to lock out a local authentication, authorization, and accounting (AAA) user account after a configured number of unsuccessful attempts by the user to log in.
- Finding Feature Information
- Prerequisites for Login Password Retry Lockout
- Restrictions for Login Password Retry Lockout
- Information About Login Password Retry Lockout
- How to Configure Login Password Retry Lockout
- Configuration Examples for Login Password Retry Lockout
- Additional References
- Feature Information for Login Password Retry Lockout
- Glossary
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Login Password Retry Lockout
- Authorized users can lock themselves out because there is no distinction between an attacker who is guessing passwords and an authorized user who is entering the password incorrectly multiple times.
- A denial of service (DoS) attack is possible; that is, an authorized user could be locked out by an attacker if the username of the authorized user is known to the attacker.
Information About Login Password Retry Lockout
Lock Out of a Local AAA User Account
The Login Password Retry Lockout feature allows system administrators to lock out a local AAA user account after a configured number of unsuccessful attempts by the user to log in using the username that corresponds to the AAA user account. A locked-out user cannot successfully log in again until the user account is unlocked by the administrator.
A system message is generated when a user is either locked by the system or unlocked by the system administrator. The following is an example of such a system message:
%AAA-5-USER_LOCKED: User user1 locked out on authentication failure.
The system administrator cannot be locked out.
This feature is applicable to any login authentication method, such as ASCII, Challenge Handshake Authentication Protocol (CHAP), and Password Authentication Protocol (PAP).
How to Configure Login Password Retry Lockout
- Configuring Login Password Retry Lockout
- Unlocking a Login Locked-Out User
- Clearing the Unsuccessful Login Attempts of a User
- Monitoring and Maintaining Login Password Retry Lockout Status
Configuring Login Password Retry Lockout
DETAILED STEPS
Unlocking a Login Locked-Out User
To unlock a login locked-out user, perform the following steps.
Note | This task can be performed only by users having the root privilege (level 15). |
DETAILED STEPS
Clearing the Unsuccessful Login Attempts of a User
This task is useful for cases in which the user configuration was changed and the unsuccessful login attempts of a user that are already logged must be cleared.
To clear the unsuccessful login attempts of a user that have already been logged, perform the following steps.
DETAILED STEPS
Monitoring and Maintaining Login Password Retry Lockout Status
To monitor and maintain the status of the Login Password Retry Lockout configuration, perform the following steps.
DETAILED STEPS
Configuration Examples for Login Password Retry Lockout
Displaying the Login Password Retry Lockout Configuration Example
The following show running-config command output illustrates that the maximum number of failed user attempts has been set for 2 as the login password retry lockout configuration:
Router # show running-config
Building configuration...
Current configuration : 1214 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LAC-2
!
boot-start-marker
boot-end-marker
!
!
username sysadmin
username sysad privilege 15 password 0 cisco
username user1 password 0 cisco
aaa new-model
aaa local authentication attempts max-fail 2
!
!
aaa authentication login default local
aaa dnis map enable
aaa session-id common
Additional References
MIBs
Technical Assistance
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Login Password Retry Lockout
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 | Feature Information for Login Password Retry Lockout |
Feature Name |
Releases |
Feature Information |
---|---|---|
Login Password Retry Lockout |
12.3(14)T 12.2(33)SRE |
The Login Password Retry Lockout feature allows system administrators to lock out a local AAA user account after a configured number of unsuccessful attempts by the user to log in. This feature was introduced in Cisco IOS Release 12.3(14)T. This feature was integrated into Cisco IOS Release 12.2(33)SRE. The following commands were introduced or modified: aaa local authentication attempts max-fail, clear aaa local user fail-attempts, clear aaa local user lockout. |
Glossary
- local AAA method --Method by which it is possible to configure a local user database on a router and to have AAA provision authentication or authorization of users from this database.
- local AAA user --User who is authenticated using the local AAA method.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.