AAA Authentication Max Tries/ Timeout?

Using AAA New-Model I know there is a way to set the maximum number of authentication failures on a Cisco device: aaa local authentication attempts max-fail. However, it seems once they're locked out that's it. You need to manually reset the user account or "clear" the login attempts before they can try again. Is there a command that allows you to set a timer between max failures so that no one becomes permanently locked out without manual intervention? Or is this a security feature to prevent DDOS attacks and the like?

Find more posts tagged with

Comments

Hondabuff

Fulcrum45 wrote: »

Using AAA New-Model I know there is a way to set the maximum number of authentication failures on a Cisco device: aaa local authentication attempts max-fail. However, it seems once they're locked out that's it. You need to manually reset the user account or "clear" the login attempts before they can try again. Is there a command that allows you to set a timer between max failures so that no one becomes permanently locked out without manual intervention? Or is this a security feature to prevent DDOS attacks and the like?

I Think its this command If I remember.

Router(confg)#login block-for 300 attempts 5 within 60

Fulcrum45

Thank you! I'm going to try this in the lab when I get home. I found a Cisco forum where one poster said that there was no way to set this. I knew that couldn't be right otherwise everyone would be locking themselves out.