https://community.cisco.com/t5/network-security/locking-down-asa/m-p/2124228#M392260 <P>I am working on locking down the ASA and I am looking for the commands to set the number of failed authentications before it won't accept login attempts from that host.&nbsp; I found a single command to set the max times but what about the max duration or the time between attempts settings.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Tue, 12 Mar 2019 00:51:35 GMT bob.bartlett 2019-03-12T00:51:35Z https://community.cisco.com/t5/network-security/locking-down-asa/m-p/2124228#M392260 <P>I am working on locking down the ASA and I am looking for the commands to set the number of failed authentications before it won't accept login attempts from that host.&nbsp; I found a single command to set the max times but what about the max duration or the time between attempts settings.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Tue, 12 Mar 2019 00:51:35 GMT https://community.cisco.com/t5/network-security/locking-down-asa/m-p/2124228#M392260 bob.bartlett 2019-03-12T00:51:35Z https://community.cisco.com/t5/network-security/locking-down-asa/m-p/2124229#M392263 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I would say there is no such a comand on the ASA,</P><P></P><P>You can set after how much idle time a user will need to reauthenticate but that's it.</P><P></P><P>timeout <SPAN style="font-size: 10pt;">uauth&nbsp; xx:xx:xx</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Regards</SPAN></P></BODY></HTML> Thu, 24 Jan 2013 04:09:18 GMT https://community.cisco.com/t5/network-security/locking-down-asa/m-p/2124229#M392263 Julio Carvajal 2013-01-24T04:09:18Z https://community.cisco.com/t5/network-security/locking-down-asa/m-p/2124230#M392266 <HTML><HEAD></HEAD><BODY><P>For full control of the login-environment, you should use a TACACS- or RADIUS-Server. There you can configure the parameters as you want.<BR /><BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Thu, 24 Jan 2013 06:34:13 GMT https://community.cisco.com/t5/network-security/locking-down-asa/m-p/2124230#M392266 Karsten Iwen 2013-01-24T06:34:13Z https://community.cisco.com/t5/network-security/locking-down-asa/m-p/2124231#M392269 <HTML><HEAD></HEAD><BODY><P> I have it locked down there but if the TACACS fails then their is nothing to prevent a dictionary attack.&nbsp; So how to you prevent that?</P></BODY></HTML> Thu, 24 Jan 2013 15:11:08 GMT https://community.cisco.com/t5/network-security/locking-down-asa/m-p/2124231#M392269 bob.bartlett 2013-01-24T15:11:08Z https://community.cisco.com/t5/network-security/locking-down-asa/m-p/2124232#M392271 <HTML><HEAD></HEAD><BODY><P>One thing is the max-fail you already mentioned. And then you can configure a password-policy:</P><P></P><P><SPAN style="font-family: 'courier new', courier;">asa1(config)# password-policy ?</SPAN></P><P></P><P></P><P><SPAN style="font-family: 'courier new', courier;">configure mode commands/options:</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; authenticate-enable&nbsp; Enable the user authentication feature</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; lifetime&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Set password lifetime</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; minimum-changes&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Set minimum character changes between old and new</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; password</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; minimum-length&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Set minimum password length</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; minimum-lowercase&nbsp;&nbsp;&nbsp; Set minimum number of lowercase password characters</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; minimum-numeric&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Set minimum number of numeric password characters</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; minimum-special&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Set minimum number of special password characters</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; minimum-uppercase&nbsp;&nbsp;&nbsp; Set minimum number of uppercase password characters</SPAN></P><P></P><P>It's from an 8.4.4 ASA.&nbsp; But that is gone on my v9.1-ASA (not sure if it's only a bug, RSA-authentication also doesn't work any more):</P><P></P><P><SPAN style="font-family: 'courier new', courier;">asa(config)# password-policy</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ^</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">ERROR: % Invalid input detected at '^' marker.</SPAN></P><P></P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni" rel="nofollow">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Thu, 24 Jan 2013 15:32:27 GMT https://community.cisco.com/t5/network-security/locking-down-asa/m-p/2124232#M392271 Karsten Iwen 2013-01-24T15:32:27Z