- Securing User Services Overview
- Autosecure
-
-
-
- Configuring RADIUS
- AAA Dead-Server Detection
- ACL Default Direction
- Attribute Screening for Access Requests
- Enable Multilink PPP via RADIUS for Preauthentication User
- Enhanced Test Command
- Framed-Route in RADIUS Accounting
- Offload Server Accounting Enhancement
- Per VRF AAA
- RFC-2867 RADIUS Tunnel Accounting
- RADIUS Attribute Screening
- RADIUS Centralized Filter Management
- RADIUS Debug Enhancements
- RADIUS Logical Line ID
- RADIUS NAS-IP-Address Attribute Configurability
- RADIUS Route Download
- RADIUS Support of 56-Bit Acct Session-Id
- RADIUS Tunnel Preference for Load Balancing and Fail-Over
- RADIUS Server Reorder on Failure
- Tunnel Authentication via RADIUS on Tunnel Terminator
-
-
-
- RADIUS Attributes Overview and RADIUS IETF Attributes
- RADIUS Vendor-Proprietary Attributes
- Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
- Connect-Info RADIUS Attribute 77
- Encrypted Vendor Specific Attributes
- Local AAA Server
- Per-User QoS via AAA Policy Name
- RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
- RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
- RADIUS Attribute 82: Tunnel Assignment ID
- RADIUS Attribute 104
- RADIUS Progress Codes
- RADIUS Timeout Set During Pre-Authentication
- RADIUS Tunnel Attribute Extensions
- V.92 Reporting Using RADIUS Attribute v.92-info
-
- Cisco IOS Login Enhancements (Login Block)
- Cisco IOS Resilient Configuration
- Image Verification
- IP Source Tracker
- Role-Based CLI Access
- Finding Feature Information
- Contents
- Prerequisites for Login Password Retry Lockout
- Restrictions for Login Password Retry Lockout
- Information About Login Password Retry Lockout
- How to Configure Login Password Retry Lockout
Login Password Retry Lockout
The Login Password Retry Lockout feature allows system administrators to lock out a local authentication, authorization, and accounting (AAA) user account after a configured number of unsuccessful attempts by the user to log in.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Login Password Retry Lockout" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•Prerequisites for Login Password Retry Lockout
•Restrictions for Login Password Retry Lockout
•Information About Login Password Retry Lockout
•How to Configure Login Password Retry Lockout
•Configuration Examples for Login Password Retry Lockout
•Feature Information for Login Password Retry Lockout
Prerequisites for Login Password Retry Lockout
•You must be running a Cisco IOS image that contains the AAA component.
Restrictions for Login Password Retry Lockout
•Authorized users can lock themselves out because there is no distinction between an attacker who is guessing passwords and an authorized user who is entering the password incorrectly multiple times.
•A denial of service (DoS) attack is possible; that is, an authorized user could be locked out by an attacker if the username of the authorized user is known to the attacker.
Information About Login Password Retry Lockout
To configure the Login Password Retry Lockout feature, you should understand the following concept:
•Lock Out of a Local AAA User Account
Lock Out of a Local AAA User Account
The Login Password Retry Lockout feature allows system administrators to lock out a local AAA user account after a configured number of unsuccessful attempts by the user to log in using the username that corresponds to the AAA user account. A locked-out user cannot successfully log in again until the user account is unlocked by the administrator.
A system message is generated when a user is either locked by the system or unlocked by the system administrator. The following is an example of such a system message:
%AAA-5-USER_LOCKED: User user1 locked out on authentication failure.
The system administrator cannot be locked out.

Note The system administrator is a special user who has been configured using the maximum privilege level (root privilege—level 15). A user who has been configured using a lesser privilege level can change the privilege level using the enable command. A user that can change to the root privilege (level 15) is able to act as a system administrator.
This feature is applicable to any login authentication method, such as ASCII, Challenge Handshake Authentication Protocol (CHAP), and Password Authentication Protocol (PAP).

Note No messages are displayed to users after authentication failures that are due to the locked status (that is, there is no distinction between a normal authentication failure and an authentication failure due to the locked status of the user).
How to Configure Login Password Retry Lockout
This section contains the following procedures:
•Configuring Login Password Retry Lockout (optional)
•Unlocking a Login Locked-Out User (optional)
•Clearing the Unsuccessful Login Attempts of a User (optional)
•Monitoring and Maintaining Login Password Retry Lockout Status (optional)
Configuring Login Password Retry Lockout
To configure the Login Password Retry Lockout feature, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. username name [privilege level] password encryption-type password
4. aaa new-model
5. aaa local authentication attempts max-fail number-of-unsuccessful-attempts
6. aaa authentication login default method
DETAILED STEPS
Unlocking a Login Locked-Out User
To unlock a login locked-out user, perform the following steps.

Note This task can be performed only by users having the root privilege (level 15).
SUMMARY STEPS
1. enable
2. clear aaa local user lockout {username username | all}
DETAILED STEPS
Clearing the Unsuccessful Login Attempts of a User
This task is useful for cases in which the user configuration was changed and the unsuccessful login attempts of a user that are already logged must be cleared.
To clear the unsuccessful login attempts of a user that have already been logged, perform the following steps.
SUMMARY STEPS
1. enable
2. clear aaa local user fail-attempts {username username | all}
DETAILED STEPS
Monitoring and Maintaining Login Password Retry Lockout Status
To monitor and maintain the status of the Login Password Retry Lockout configuration, perform the following steps.
SUMMARY STEPS
1. enable
2. show aaa local user lockout
DETAILED STEPS
Examples
The following output shows that user1 is locked out:
Router# show aaa local user lockout
Local-user Lock time
user1 04:28:49 UTC Sat Jun 19 2004
Configuration Examples for Login Password Retry Lockout
This section provides the following configuration examples:
•Displaying the Login Password Retry Lockout Configuration: Example
Displaying the Login Password Retry Lockout Configuration: Example
The following show running-config command output illustrates that the maximum number of failed user attempts has been set for 2 as the login password retry lockout configuration:
Router # show running-config
Building configuration...
Current configuration : 1214 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LAC-2
!
boot-start-marker
boot-end-marker
!
!
username sysadmin
username sysad privilege 15 password 0 cisco
username user1 password 0 cisco
aaa new-model
aaa local authentication attempts max-fail 2
!
!
aaa authentication login default local
aaa dnis map enable
aaa session-id common
Additional References
The following sections provide references related to Login Password Retry Lockout.
Related Documents
|
|
---|---|
Cisco IOS security commands |
Standards
|
|
---|---|
None |
— |
MIBs
|
|
---|---|
None |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
|
|
---|---|
None |
— |
Technical Assistance
Feature Information for Login Password Retry Lockout
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.

Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Glossary
•local AAA method—Method by which it is possible to configure a local user database on a router and to have AAA provision authentication or authorization of users from this database.
•local AAA user—User who is authenticated using the local AAA method.