nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

AAA Authentication Max Tries/ Timeout?

Fulcrum45

Using AAA New-Model I know there is a way to set the maximum number of authentication failures on a Cisco device: aaa local authentication attempts max-fail. However, it seems once they're locked out that's it. You need to manually reset the user account or "clear" the login attempts before they can try again. Is there a command that allows you to set a timer between max failures so that no one becomes permanently locked out without manual intervention? Or is this a security feature to prevent DDOS attacks and the like?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

Hondabuff

Fulcrum45 wrote: »

Using AAA New-Model I know there is a way to set the maximum number of authentication failures on a Cisco device: aaa local authentication attempts max-fail. However, it seems once they're locked out that's it. You need to manually reset the user account or "clear" the login attempts before they can try again. Is there a command that allows you to set a timer between max failures so that no one becomes permanently locked out without manual intervention? Or is this a security feature to prevent DDOS attacks and the like?

I Think its this command If I remember.

Router(confg)#login block-for 300 attempts 5 within 60

Fulcrum45

Thank you! I'm going to try this in the lab when I get home. I found a Cisco forum where one poster said that there was no way to set this. I knew that couldn't be right otherwise everyone would be locking themselves out.