Failed authentication lockout

Information

By default, there is no limit on the number of login attempts a user can make before successfully authenticating; this introduces the risk of an unauthorized user gaining access to a switch by guessing an account password. This risk can be mitigated by specifying a limit on failed login attempts; once this limit is reached, the user account is locked out.

Solution

To set the number of failed login attempts before account lockout to 2, with a lockout time of 300 seconds (5 minutes), use the following command:

switch(config)# aaa authentication limit-login-attempts 2 lockout-time 300

The limit on failed login attempts can be set between 1 and 10; if set to 1, any failed login attempt will result in the account being locked out. The lockout time can be set in a range from 1 to 3,600 seconds (1 hour).

This setting applies only to login attempts through SSH or the Web UI using local authentication; it does not apply to login attempts through the serial console. This feature cannot be configured when RADIUS or TACACS+ is being used for user authentication; in that case, account lockout policies should be configured on the respective authentication server instead.
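As an added example (not part of this audit item or of ArubaOS), the following Python checker evaluates a saved running configuration against this control: it fails when the line is absent (the default of unlimited attempts), fails when the configured values are weaker than the recommended 2 attempts / 300 seconds, and reports "not applicable" when remote AAA is in use. The regex used to detect RADIUS/TACACS+ is an assumption, since the exact remote-AAA syntax is not given on this page.

```python
import re
from typing import Dict

# Line form documented on this page for ArubaOS-CX:
#   aaa authentication limit-login-attempts <1-10> lockout-time <1-3600>
LOCKOUT_RE = re.compile(
    r"^\s*aaa authentication limit-login-attempts\s+(\d+)\s+lockout-time\s+(\d+)\s*$",
    re.MULTILINE,
)
# Assumption: remote AAA appears as an 'aaa authentication login ...' line that
# names a radius or tacacs group; the exact syntax is not on this page.
REMOTE_AAA_RE = re.compile(
    r"^\s*aaa authentication login\b.*\b(radius|tacacs)\b", re.MULTILINE | re.IGNORECASE
)


def check_login_lockout(config: str, max_attempts: int = 2,
                        min_lockout: int = 300) -> Dict[str, object]:
    """Evaluate one running config against the failed-login lockout control.

    Returns a dict with 'status' in {'pass', 'fail', 'not_applicable'}, the
    parsed values where present, and a reason suitable for a compliance report.
    """
    if REMOTE_AAA_RE.search(config):
        return {"status": "not_applicable",
                "reason": "RADIUS/TACACS+ in use; enforce lockout on the AAA server"}
    m = LOCKOUT_RE.search(config)
    if m is None:
        # Absent line means the default: unlimited failed attempts.
        return {"status": "fail", "reason": "limit-login-attempts not configured"}
    attempts, lockout = int(m.group(1)), int(m.group(2))
    reasons = []
    if attempts > max_attempts:
        reasons.append(f"limit-login-attempts {attempts} exceeds {max_attempts}")
    if lockout < min_lockout:
        reasons.append(f"lockout-time {lockout}s is below {min_lockout}s")
    return {"status": "fail" if reasons else "pass", "attempts": attempts,
            "lockout_time": lockout, "reason": "; ".join(reasons) or "within policy"}


# Constructed sample configs (not captured from a real switch).
CONFIG_OK = "hostname sw1\naaa authentication limit-login-attempts 2 lockout-time 300\n"
CONFIG_DEFAULT = "hostname sw2\nssh server vrf mgmt\n"
CONFIG_WEAK = "aaa authentication limit-login-attempts 10 lockout-time 60\n"
CONFIG_REMOTE = "aaa authentication login ssh group radius local\n"

if __name__ == "__main__":
    for name, cfg in [("ok", CONFIG_OK), ("default", CONFIG_DEFAULT),
                      ("weak", CONFIG_WEAK), ("remote", CONFIG_REMOTE)]:
        print(name, check_login_lockout(cfg))
```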

See Also

https://support.hpe.com/hpesc/public/docDisplay?docId=a00053695en_us

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7

Plugin: ArubaOS

Control ID: d132cca8d9478097cfaa039feeac4667f22d34c474aaf25e8eda8c1c30c4edbc