Login Password Retry Lockout


You want to prevent hackers from using brute force login attacks on your routers.


To enable local user account locking, use the following set of commands:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username kwiley password test123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local
Router1(config)#aaa local authentication attempts max-fail 6
Router1(config)#line vty 0 4
Router1(config-line)#login authentication local_auth

This command can lead to a denial of service situation if a hacker is able to lock out all configured usernames.



By default, the router will allow an unlimited number of login attempts for routers configured with local authentication. It will drop the login session after three failed attempts, but you can attempt to login again immediately by starting a new session. With this in mind, a hacker can use a brute force attack to determine your passwords.

Beginning with IOS Version 12.3(14)T, Cisco introduced a feature that limits the number of unsuccessful login attempts for routers configured to use local authentication. Once the number of unsuccessful attempts is exceeded, then the user ID is locked until an administrator unlocks it. Once an account is locked the router will silently ignore further attempts to gain access with the locked user ID so there is no distinction between a locked account and a failed attempt.

Once you exceed the configured number of failed login attempts, the router locks your user ID and sends a system log message:

Sep 14 10:41:28.319 EDT: %AAA-5-USER_LOCKED: User kwiley locked out on authentication failure

Here, the router locked out user ID kwiley due to an exceeded number of login attempts. You can view all currently locked user IDs with the following command:

Router1#show aaa local user lockout 

 Local-user Lock time

 kwiley 10:41:28 EDT Thu Sep 14 2006

Once locked out, only an administrator with a higher privilege level then the locked user ID, can unlock you. In the following example we unlock user ID kwiley:

Router1#clear aaa local user lockout username kwiley

You can also unlock all currently locked users by using the keyword all:

Router1#clear aaa local user lockout all

Finally, you can clear the current number of failed login attempts for a user by using the following command:

Router1#clear aaa local user fail-attempts user ijbrown


See Also

Recipe 3.1

Router Configuration and File Management

Router Management

User Access and Privilege Levels


IP Routing





Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time


Router Interfaces and Media

Simple Network Management Protocol





First Hop Redundancy Protocols

IP Multicast

IP Mobility




Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications


Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net