LOCAL Server Group Account Lockout

securityengineering — Wed, 22 Mar 2023 18:48:27 GMT

Scenario: I'm on ASA 5555

Users/AAA > AAA Server Groups > LOCAL Server Group

Edit > Enable Local User Lockout > Maximum Attempts = 3

I can't find any info about how/where to unlock an account or if it happens automatically.

Re: LOCAL Server Group Account Lockout

Rob Ingram — Wed, 22 Mar 2023 20:12:35 GMT

From ASA 9.17 - The ASA can lock out local users after a configurable number of failed login attempts. This feature did not apply to users with privilege level 15. Also, a user would be locked out indefinitely until an admin unlocked their account. Now, users will be unlocked after 10 minutes (from 9.17) unless an admin uses the clear aaa local user lockout command before then. Privilege level 15 users are also now affected by the lockout setting.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/asdm719/general/asdm-719-general-config/aaa-local.html

Unfortunately 9.17 is not available on the ASA 5555 hardware you are running, so you'd have to manually unlock the accounts.

topic LOCAL Server Group Account Lockout in Network Security

LOCAL Server Group Account Lockout

Re: LOCAL Server Group Account Lockout