Cisco CCNA (640-553) Security Training

 

Using the “aaa local authentication attempts max-fail” command

 

By Charles Ross CCNA - CCNP #CSCO10444244

 

In today’s article, I’m going to quickly inform you about the Cisco IOS global configuration mode command named “aaa local authentication attempts max-fail”.

 

Network administrators (like you) use the “aaa local authentication attempts max-fail” command to specify the maximum number of unsuccessful local authentication attempts a user is allowed before that user’s account is locked out. It applies only to accounts in the router’s local username database (the ones created with the “username” command), not to users authenticated by an external AAA server.

 

In other words, once a CCNA configures a router with the command, the router generates a system message whenever a user is locked out by the router (system) or unlocked by the network administrator (CCNA). The lockout message looks like the one below:

 

%AAA-5-USER_LOCKED: User user1 locked out on authentication failure

 

By the way, the command locks out ordinary users only; it doesn’t lock out the network administrator (CCNA) accounts.
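Because the router tells you about every lockout with that message, it is worth watching for it on the syslog server. The Python below is an added example, not code from the article or from Cisco: it parses constructed sample lines (the ISO timestamp and hostname prefix is assumed to be added by the collector; only the message body is the IOS text quoted above), counts lockouts per user, and flags two things a practitioner cares about: a user who keeps getting locked out, and a burst of different users locked out within a few minutes, which usually means someone is deliberately locking accounts rather than a user mistyping a password. The USER_LOCKED message carries no source address, so the correlation is on user and time only.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log, not captured from a real router. The collector
# prefix "<iso-timestamp> <hostname>" is an assumption; the text after the
# sequence number is the IOS message format from the article.
SAMPLE_LOG = """\
2024-05-01T08:00:01 rtr1 000045: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.0.0.9)
2024-05-01T08:03:12 rtr1 000046: %AAA-5-USER_LOCKED: User user1 locked out on authentication failure
2024-05-01T08:03:15 rtr1 000047: %AAA-5-USER_LOCKED: User user2 locked out on authentication failure
2024-05-01T08:03:18 rtr1 000048: %AAA-5-USER_LOCKED: User user3 locked out on authentication failure
2024-05-01T09:30:00 rtr1 000052: %AAA-5-USER_LOCKED: User user1 locked out on authentication failure
"""

LOCKED_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?:\d+:\s+)?"
    r"%AAA-5-USER_LOCKED: User (?P<user>\S+) locked out on authentication failure"
)


def parse_lockouts(log_text):
    """Return (timestamp, host, user) for every USER_LOCKED line, in file order."""
    events = []
    for line in log_text.splitlines():
        match = LOCKED_RE.match(line)
        if not match:
            continue  # any other syslog message is ignored
        events.append((datetime.fromisoformat(match["ts"]), match["host"], match["user"]))
    return events


def lockout_counts(events):
    """How many times each user was locked out."""
    return Counter(user for _, _, user in events)


def repeat_lockouts(events, minimum=2):
    """Users locked out at least `minimum` times: the lockout is not a one-off typo."""
    return sorted(user for user, n in lockout_counts(events).items() if n >= minimum)


def lockout_burst(events, window=timedelta(minutes=5), threshold=3):
    """Largest set of distinct users locked out inside one time window.

    Returns (window start, sorted users) when the set reaches `threshold`,
    otherwise None. Many different accounts locked in a short span looks
    like an attacker denying access on purpose, not a forgetful user.
    """
    events = sorted(events)
    best = None
    for i, (start, _, _) in enumerate(events):
        users = {user for ts, _, user in events[i:] if ts - start <= window}
        if len(users) >= threshold and (best is None or len(users) > len(best[1])):
            best = (start, sorted(users))
    return best


if __name__ == "__main__":
    found = parse_lockouts(SAMPLE_LOG)
    print("lockouts per user:", dict(lockout_counts(found)))
    print("repeat lockouts:", repeat_lockouts(found))
    print("burst:", lockout_burst(found))
```

Feed it the file your syslog collector writes for the router; the regex already tolerates the sequence number that “service sequence-numbers” prepends to each message.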

 

Below is the command’s syntax:

  

aaa local authentication attempts max-fail number-of-unsuccessful-attempts

 

The number-of-unsuccessful-attempts argument is the count of failed authentication attempts at which the user is locked out.

 

Note: No messages are displayed to users after authentication failures that are due to the locked status (that is, there is no difference between a normal authentication failure and an authentication failure due to the locked status of the user). This keeps an attacker from learning that an account is locked, but it also means a legitimate user gets no hint of why logins keep failing; the administrator can check the state with the “show aaa local user lockout” privileged EXEC command.

 

Also, if you use the word “no” in front of the command to remove the number of unsuccessful attempts that you set on the router, like you see below:

 

Router(config)#no aaa local authentication attempts max-fail 5 

 

those users that were already locked out by the command remain locked out, and the counters of failed attempts are kept. To clear an existing lockout or reset a user’s failed-attempt counter, you have to clear the state explicitly with the privileged EXEC commands “clear aaa local user lockout {username name | all}” and “clear aaa local user fail-attempts {username name | all}”.
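To make the two notes above concrete (same failure response whether or not the user is locked, and the “no” form not unlocking anyone), here is an added Python model of the lockout semantics; it is not Cisco code and does not run on a router. It implements a small local username database with the max-fail counter, then walks through the article’s scenario: three bad passwords for user1, a correct password while locked, removing the command, and finally clearing the lockout. Two details are assumptions of the model rather than statements from the article: a successful login resets the failure counter, and clearing a lockout also resets that counter. The model also counts failures for every account and does not reproduce the administrator exemption mentioned above.

```python
import hmac
from dataclasses import dataclass


@dataclass
class LocalUser:
    secret: str
    fail_attempts: int = 0
    locked: bool = False


class LocalAuth:
    """Local username database with max-fail lockout.

    max_fail=None models a router on which the command is not configured.
    """

    def __init__(self, users, max_fail=None):
        self.users = {name: LocalUser(secret) for name, secret in users.items()}
        self.max_fail = max_fail
        self.syslog = []  # messages the model would log

    def authenticate(self, username, password):
        user = self.users.get(username)
        if user is None or user.locked:
            # Unknown and locked-out users get the same bare failure as a
            # wrong password: the response never reveals the locked status.
            return False
        if hmac.compare_digest(user.secret.encode(), password.encode()):
            user.fail_attempts = 0  # model assumption: success resets the counter
            return True
        user.fail_attempts += 1
        if self.max_fail is not None and user.fail_attempts >= self.max_fail:
            user.locked = True
            self.syslog.append(
                f"%AAA-5-USER_LOCKED: User {username} locked out on authentication failure"
            )
        return False

    def unset_max_fail(self):
        """'no aaa local authentication attempts max-fail': stop locking, keep state."""
        self.max_fail = None

    def clear_lockout(self, username=None):
        """'clear aaa local user lockout {username <name> | all}' (None means all)."""
        for name, user in self.users.items():
            if username is None or username == name:
                user.locked = False
                user.fail_attempts = 0  # model assumption: unlocking resets the counter

    def clear_fail_attempts(self, username=None):
        """'clear aaa local user fail-attempts {username <name> | all}'."""
        for name, user in self.users.items():
            if username is None or username == name:
                user.fail_attempts = 0

    def is_locked(self, username):
        return self.users[username].locked


def walkthrough():
    """Run the article's scenario and return what was observed at each step."""
    auth = LocalAuth({"user1": "ittechtips"}, max_fail=3)
    guesses = [auth.authenticate("user1", f"guess{i}") for i in range(3)]
    locked_after_three = auth.is_locked("user1")
    # Correct password while locked: still a plain failure, no different message.
    correct_but_locked = auth.authenticate("user1", "ittechtips")
    auth.unset_max_fail()  # the 'no' form leaves user1 locked
    locked_after_no_form = auth.is_locked("user1")
    auth.clear_lockout("user1")  # only the explicit clear unlocks the account
    login_after_clear = auth.authenticate("user1", "ittechtips")
    return {
        "guesses": guesses,
        "locked_after_three": locked_after_three,
        "correct_but_locked": correct_but_locked,
        "locked_after_no_form": locked_after_no_form,
        "login_after_clear": login_after_clear,
        "syslog": list(auth.syslog),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The same shape (counter per account, lock at the threshold, identical failure response, explicit administrative unlock) is what you would build into any application that needs login lockout; the comparison uses hmac.compare_digest so the password check itself does not leak timing information.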


Below is an example of the command being used:

 

Router>enable

Router#configure terminal

Router(config)#username netadmin secret Ex4mple-Secret

Router(config)#username user1 password 0 ittechtips

Router(config)#aaa new-model

Router(config)#aaa local authentication attempts max-fail 3

Router(config)#aaa authentication login default local

Router(config)#exit

Router#copy run start

 

In the example above, the maximum number of unsuccessful authentication attempts before a user is locked out has been set to 3 (the secrets shown are placeholders). Two cautions before you copy it: “password 0” stores user1’s password in clear text in the configuration, so prefer “username … secret”, which stores a hash; and because the “default” login method applies to the console and the vty lines alike, keep your current session open and verify that you can still log in before you save the configuration. Remember too that anyone who knows a username can lock that user out on purpose by guessing badly three times, so watch the %AAA-5-USER_LOCKED messages on your syslog server.

 

By the way, if you decide to use the command, make sure your router(s) is running Cisco IOS Release 12.3(14)T or later, which is where the command was introduced.

 

I hope this article was very informative and helped you quickly understand the usage of the aaa local authentication attempts max-fail command. If you need to learn more, I suggest you visit my website (www.ccnaittechtips.com), where you’ll find the latest information regarding the Cisco CCNA (640-553) Security exam techniques.

 

To your success,

 

Charles Ross

CCNA- CCNP #CSCO10444244

http://www.ccnaittechtips.com