Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

Account lockout

Explains account lockout mechanisms, outlining login options, procedures for configuring account lockout policies, and steps for enforcing lockout after unsuccessful login attempts to enhance security.



Account Lockout

Account Lockout is a configuration category within Cisco SD-WAN Manager that

  • defines security features to control and manage user access to Cisco SD-WAN Manager, and

  • includes mechanisms such as inactivity lockout and unsuccessful login attempts lockout.

Account Lockout options

From Cisco Catalyst SD-WAN Manager Release 20.12.1, a netadmin user can enable the following account lockout options:

  • Inactivity lockout: You can configure SD-WAN Manager to lock out users who have not logged in for a designated number of consecutive days. Locked out users cannot log in to SD-WAN Manager until an administrator unlocks their accounts. See Configure Account Lockout.

  • Unsuccessful login lockout: You can configure SD-WAN Manager to prevent users who make a designated number of consecutive unsuccessful login attempts within a designated time period from logging in to SD-WAN Manager until a configured amount of time passes or an administrator unlocks their user accounts.

    By default, SD-WAN Manager locks out users for 15 minutes after five consecutive unsuccessful login attempts within 15 minutes. After the lockout period expires, a user can log in with the correct user name and password.

    See Configure unsuccessful login attempts lockout.


Configure Account Lockout

Note

To unlock a user account, see Reset a Locked User.

Use this procedure to lock out users.

Before you begin

From Cisco Catalyst SD-WAN Manager Release 20.12.1, you can configure Cisco SD-WAN Manager to lock out users who have not logged in for a designated number of consecutive days.

Cisco SD-WAN Manager marks locked out users as inactive, and they cannot log in again until an administrator unlocks their accounts in Cisco SD-WAN Manager.

Procedure

1. From the Cisco SD-WAN Manager menu, choose Administration > Settings.

2. Click Account Lockout and enable the Inactive days before locked out option.

   (In Cisco Catalyst SD-WAN Manager Release 20.12.x, locate Account Lockout, click Edit, and enable Inactive days before locked out.)

3. Configure the following options:

  • Field: Inactive days before account locked out

    Description: Enable this option and enter the number of consecutive inactive days after which Cisco SD-WAN Manager locks out a user.

    An inactive day is defined as a day on which a user does not log in to Cisco SD-WAN Manager.

    Valid values are 2 through 90.

  • Field: Number of failed login attempts before lockout

    Description: Enter the number of failed login attempts after which Cisco SD-WAN Manager locks out a user.

    Possible values: 1 through 3600

    Default: 3600

  • Field: Duration within which the failed attempts are counted (minutes)

    Description: Enter the period, in minutes, during which the system counts consecutive unsuccessful login attempts.

    For example, if you set this period to 10 minutes, and set the number of failed login attempts before lockout to 5, Cisco SD-WAN Manager locks out a user if the user makes 5 consecutive unsuccessful login attempts within 10 minutes.

    Possible values: 1 through 60

    Default: 60

  • Field: Cooldown or Lockout period

    Description: This option controls whether Cisco SD-WAN Manager automatically resets a user who is locked because of unsuccessful login attempts.

    This option is enabled by default. If you disable it, an administrator must manually unlock the account of a locked-out user.

      1. Click Enabled adjacent to Cooldown or Lockout period.

      2. In the Lockout Interval (minutes) field, enter the number of minutes after which Cisco SD-WAN Manager automatically resets a locked out user.

        Possible values: 1 through 60

        Default: 15

4. Click Save.
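The following Python model is an added example, not Cisco code, that replays one user's login attempts against the three failed-login settings and the cooldown option to show how they interact. It uses the 5 attempts / 15 minutes / 15 minute lockout values from the default behaviour described above; the class, function and variable names are hypothetical, and the sliding window, the reset on success and the handling of attempts made while locked are modelling assumptions.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    max_failures: int              # Number of failed login attempts before lockout
    window_min: int                # Duration within which the failed attempts are counted
    lockout_min: int               # Lockout Interval (minutes)
    cooldown_enabled: bool = True  # Cooldown or Lockout period
    def range_errors(self):
        """Report values outside the ranges given in the field descriptions."""
        limits = {"max_failures": (1, 3600), "window_min": (1, 60), "lockout_min": (1, 60)}
        return [f"{name}={getattr(self, name)} not in {lo}..{hi}"
                for name, (lo, hi) in limits.items()
                if not lo <= getattr(self, name) <= hi]

def replay(policy, events):
    """Replay one user's (minute, password_ok) attempts; return the outcome of each.
    Modelling assumptions (not documented behaviour): the window slides, a
    successful login clears the failure count, and attempts made while locked
    neither count as failures nor extend the lockout.
    """
    failures, locked_at, outcomes = [], None, []
    for minute, password_ok in events:
        if locked_at is not None:
            if policy.cooldown_enabled and minute - locked_at >= policy.lockout_min:
                failures, locked_at = [], None      # automatic reset after the interval
            else:
                outcomes.append("rejected")         # locked: even a correct password fails
                continue
        if password_ok:
            failures = []
            outcomes.append("success")
            continue
        failures = [m for m in failures if minute - m < policy.window_min] + [minute]
        if len(failures) >= policy.max_failures:
            locked_at = minute
            outcomes.append("locked")
        else:
            outcomes.append("failed")
    return outcomes

# Constructed sample: 5 failures within 15 minutes, then a correct password
# during the lockout (minute 10) and after it expires (minute 19).
BURST = [(0, False), (1, False), (2, False), (3, False), (4, False), (10, True), (19, True)]
AUTO = LockoutPolicy(max_failures=5, window_min=15, lockout_min=15)
MANUAL = LockoutPolicy(max_failures=5, window_min=15, lockout_min=15, cooldown_enabled=False)

if __name__ == "__main__":
    print(replay(AUTO, BURST), replay(MANUAL, BURST))
```

With the cooldown disabled, the same sequence leaves the account locked until an administrator resets it, which is the trade-off to weigh when choosing between automatic and manual unlock.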


Configure unsuccessful login attempts lockout

Use this procedure to configure Cisco SD-WAN Manager to lock out users after a specified number of consecutive unsuccessful login attempts within a defined timeframe.

Before you begin

From Cisco Catalyst SD-WAN Manager Release 20.12.1, you can configure Cisco SD-WAN Manager to lock out users who have made a designated number of consecutive unsuccessful login attempts within a period of time.

Note

From Cisco Catalyst SD-WAN Manager Release 20.13.1 or later, use the procedure described in Configure Account Lockout.

Cisco SD-WAN Manager prevents locked out users from logging in again until a configured amount of time has passed or an administrator unlocks their accounts in Cisco SD-WAN Manager.

Note

To unlock a user account, see Reset a Locked User.

Procedure

1. From the Cisco SD-WAN Manager menu, choose Administration > Settings.

2. Click Account Lockout.

3. In the Lockout on failed login attempts row, click Edit.

4. Configure the following options:

  • Field: Number of failed login attempts before lockout

    Description: Enter the number of failed login attempts after which Cisco SD-WAN Manager locks out a user.

    Possible values: 1 through 3600

    Default: 3600

  • Field: Duration within which the failed attempts are counted (minutes)

    Description: Enter the period, in minutes, during which the system counts consecutive unsuccessful login attempts.

    For example, if you set this period to 10 minutes, and set the number of failed login attempts before lockout to 5, Cisco SD-WAN Manager locks out a user if the user makes 5 consecutive unsuccessful login attempts within 10 minutes.

    Possible values: 1 through 60

    Default: 60

  • Field: Cooldown or Lockout period

    Description: This option controls whether Cisco SD-WAN Manager automatically resets a user who is locked because of unsuccessful login attempts.

    This option is enabled by default. If you disable it, an administrator must manually unlock the account of a locked-out user.

      1. Click Enabled adjacent to Cooldown or Lockout period.

      2. In the Lockout Interval (minutes) field, enter the number of minutes after which Cisco SD-WAN Manager automatically resets a locked out user.

        Possible values: 1 through 60

        Default: 15