-
Cisco IOS Security Configuration Guide, Release 12.4T
-
Security Overview
- Authentication, Authorization, and Accounting (AAA)
-
Security Server Protocols
-
RADIUS
-
Configuring RADIUS
-
AAA Dead-Server Detection
-
AAA-SERVER-MIB Set Operation
-
ACL Default Direction
-
Attribute Screening for Access Requests
-
Enable Multilink PPP via RADIUS for Preauthentication User
-
Enhanced Test Command
-
Framed-Route in RADIUS Accounting
-
Offload Server Accounting Enhancement
-
Per VRF AAA
-
RFC-2867 RADIUS Tunnel Accounting
-
RADIUS Attribute Screening
-
RADIUS Centralized Filter Management
-
RADIUS Debug Enhancements
-
RADIUS Logical Line ID
-
RADIUS NAS-IP-Address Attribute Configurability
-
RADIUS Route Download
-
RADIUS Server Load Balancing
-
RADIUS Support of 56-Bit Acct Session-Id
-
RADIUS Tunnel Preference for Load Balancing and Fail-Over
-
RADIUS Server Reorder on Failure
-
Tunnel Authentication via RADIUS on Tunnel Terminator
-
- TACACS+
-
Configuring Kerberos
-
RADIUS
-
Traffic Filtering, Firewalls, and Virus Detection
-
Automatic Signature Extraction
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
-
ACL Syslog Correlation
-
Refining an IP Access List
-
Object Groups for ACLs
-
Displaying and Clearing IP Access List Data Using ACL Manageability
-
Controlling Access to a Virtual Terminal Line
-
Cisco IOS Firewall Overview
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
-
-
Configuring Context-Based Access Control
-
Configuring Context-based Access Control
-
Application Firewall - Instant Message Traffic Enforcement
-
Cisco IOS Firewall MIB
-
Cisco IOS Firewall Performance Improvements
-
Cisco IOS Firewall: SIP Enhancements: ALG and AIC
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Websense URL Filtering
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Granular Protocol Inspection
-
H.323 RAS Support in Cisco IOS Firewall
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
-
Transparent Cisco IOS Firewall
-
User Based Firewall Support
-
Virtual Fragmentation Reassembly
-
VRF Aware Cisco IOS Firewall
-
Zone-Based Policy Firewall
-
- Cisco IOS Intrusion Prevention System (IPS)
-
Flexible Packet Matching
-
Flexible Packet Matching XML Configuration
- Network Admission Control (NAC)
- Authentication Proxy
-
Configuring Port to Application Mapping
-
Lawful Intercept Architecture
-
-
IPSec and IKE
- Internet Key Exchange for IPSec VPNs
-
Security for VPNs with IPSec
-
Configuring Security for VPNs with IPSec
-
Cisco Easy VPN Remote
-
Cisco Group Encrypted Transport VPN
-
Crypto Access Check on Clear-Text Packets
-
DF Bit Override Functionality with IPSec Tunnels
-
Distinguished Name Based Crypto Maps
-
Dynamic Multipoint VPN (DMVPN)
-
Easy VPN Remote RSA Signature Support
-
Easy VPN Server
-
Invalid Security Parameter Index Recovery
-
IP Security VPN Monitoring
-
IPSec and IKE MIB Support for Cisco VRF-Aware IPSec
-
IPSec and Quality of Service
-
IPSec Anti-Replay Window: Expanding and Disabling
-
IPSec Dead Peer Detection Periodic Message Option
-
IPSec Diagnostics Enhancement
-
IPSec NAT Transparency
-
IPSec Preferred Peer
-
IPSec Security Association Idle Timers
-
IPSec--SNMP Support
-
IPsec Usability Enhancements
-
IPSec Virtual Tunnel Interface
-
IPSec VPN Accounting
-
IPSec VPN High Availability Enhancements
-
Low Latency Queueing (LLQ) for IPSec Encryption Engines
-
L2TP—IPSec Support for NAT and PAT Windows Clients
-
Per Tunnel QoS
-
Pre-Fragmentation for IPSec VPNs
-
Real-Time Resolution for IPSec Tunnel Peer
-
Reverse Route Injection
-
SafeNet IPSec VPN Client Support
-
Stateful Failover for IPSec
-
VRF-Aware Ipsec
-
-
Public Key Infrastructure (PKI)
-
Implementing and Managing PKI Features Roadmap
-
Cisco IOS PKI Overview: Understanding and Planning a PKI
-
Deploying RSA Keys Within a PKI
-
Configuring Authorization and Revocation of Certificates in a PKI
-
Configuring Certificate Enrollment for a PKI
-
Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI
-
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment
-
Storing PKI Credentials
-
- Other Security Features
- Secure Infrastructure
-
Appendixes
-
RADIUS Attributes
-
RADIUS Attributes Overview and RADIUS IETF Attributes
-
RADIUS Vendor-Proprietary Attributes
-
Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
-
Connect-Info RADIUS Attribute 77
-
Encrypted Vendor Specific Attributes
-
Local AAA Server
-
Per-User QoS via AAA Policy Name
-
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
-
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
-
RADIUS Attribute 82: Tunnel Assignment ID
-
RADIUS Attribute 104
-
RADIUS Progress Codes
-
RADIUS Timeout Set During Pre-Authentication
-
RADIUS Tunnel Attribute Extensions
-
V.92 Reporting Using RADIUS Attribute v.92-info
-
-
TACACS+ Attribute-Value Pairs
-
RADIUS Attributes
-
Table Of Contents
Prerequisites for Login Password Retry Lockout
Restrictions for Login Password Retry Lockout
Information About Login Password Retry Lockout
Locking Out a Local AAA User Account
How to Configure Login Password Retry Lockout
Configuring Login Password Retry Lockout
Clearing the Unsuccessful Attempts of a User
Monitoring and Maintaining Login Password Retry Lockout
Configuration Examples for Login Password Retry Lockout
Login Password Retry Lockout: Example
show aaa local user lockout Command: Example
Login Password Retry Lockout
The Login Password Retry Lockout feature allows system administrators to lock out a local authentication, authorization, and accounting (AAA) user account after a configured number of unsuccessful attempts by the user to log in.
Feature History for Login Password Retry Lockout
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Login Password Retry Lockout
•
•
•
•
Prerequisites for Login Password Retry Lockout
•
Restrictions for Login Password Retry Lockout
•
•
Information About Login Password Retry Lockout
To configure the Login Password Retry Lockout feature, you should understand the following concept:
•
Locking Out a Local AAA User Account
The Login Password Retry Lockout feature allows system administrators to lock out a local AAA user account after a configured number of unsuccessful attempts by the user to log in using the username that corresponds to the AAA user account. A locked-out user cannot successfully log in again until the user account is unlocked by the administrator.
A system message is generated when a user is either locked by the system or unlocked by the system administrator. The following is an example of such a system message:
%AAA-5-USER_LOCKED: User user1 locked out on authentication failure.
The system administrator cannot be locked out.
Note
This feature is applicable to any login authentication method, such as ASCII, Challenge Handshake Authentication Protocol (CHAP), and Password Authentication Protocol (PAP).
Note
How to Configure Login Password Retry Lockout
This section contains the following procedures:
•
•
•
Configuring Login Password Retry Lockout
To configure Login Password Retry Lockout, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Unlocking a Locked-Out User
To unlock the locked-out user, perform the following steps.
Note
SUMMARY STEPS
1.
2.
DETAILED STEPS
Clearing the Unsuccessful Attempts of a User
To clear the unsuccessful attempts of a user that have already been logged, perform the following steps.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Monitoring and Maintaining Login Password Retry Lockout
To monitor and maintain the Login Password Retry Lockout configuration, perform the following steps.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuration Examples for Login Password Retry Lockout
This section provides the following configuration examples:
•
•
Login Password Retry Lockout: Example
The following show running-config command output illustrates that the maximum number of failed user attempts has been set for 2:
Router # show running-configBuilding configuration...Current configuration : 1214 bytes!version 12.3no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname LAC-2!boot-start-markerboot-end-marker!!username sysadminusername sysad privilege 15 password 0 ciscousername user1 password 0 ciscoaaa new-modelaaa local authentication attempts max-fail 2!!aaa authentication login default localaaa dnis map enableaaa session-id commonshow aaa local user lockout Command: Example
The following output shows that user1 is locked out:
Router# show aaa local user lockoutLocal-user Lock timeuser1 04:28:49 UTC Sat Jun 19 2004Additional References
The following sections provide references related to Login Password Retry Lockout.
Related Documents
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
•
•
Glossary
•
•
Note
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
