https://community.cisco.com/t5/network-security/asa-ipsec-remote-access-vpn-limit-number-of-auth-retries/m-p/4002305#M4951 <P>for the ASA vpn configuration if custom configuration is not define then it always go and match the default configuraton.</P><P>&nbsp;</P><P>show run all tunnel-group</P><P>!</P><P>tunnel-group DefaultRAGroup type remote-access<BR />tunnel-group DefaultRAGroup general-attributes<BR />no address-pool<BR />no ipv6-address-pool<BR />authentication-server-group LOCAL<BR />secondary-authentication-server-group none<BR />no accounting-server-group<BR />default-group-policy DfltGrpPolicy<BR />no dhcp-server<BR />no strip-realm<BR />no nat-assigned-to-public-ip<BR />no scep-enrollment enable<BR />no password-management<BR />no strip-group<BR />no authorization-required<BR />username-from-certificate CN OU<BR />secondary-username-from-certificate CN OU<BR />authentication-attr-from-server primary<BR />authenticated-session-username primary</P><P>&nbsp;</P><P>&nbsp;</P><P>I think you doing a local authentication if you have ISE servers you can define your attributes and push it from there.</P> Sat, 21 Dec 2019 13:15:11 GMT Sheraz.Salim 2019-12-21T13:15:11Z https://community.cisco.com/t5/network-security/asa-ipsec-remote-access-vpn-limit-number-of-auth-retries/m-p/4001257#M4948 <P>Is there a way to limit the number of retries a VPN user has to authenticate? I found the <EM><SPAN class="content"><SPAN class="synph"><SPAN class="kwd">aaa</SPAN> <SPAN class="kwd">local</SPAN> <SPAN class="kwd">authentication</SPAN> <SPAN class="kwd">attempts</SPAN> <SPAN class="kwd">max-fail</SPAN> </SPAN></SPAN></EM>command but our ra VPN uses certificates for authetication so I am not sure if the max-fail command would work.</P> Fri, 21 Feb 2020 17:46:51 GMT https://community.cisco.com/t5/network-security/asa-ipsec-remote-access-vpn-limit-number-of-auth-retries/m-p/4001257#M4948 NazgulNr5 2020-02-21T17:46:51Z https://community.cisco.com/t5/network-security/asa-ipsec-remote-access-vpn-limit-number-of-auth-retries/m-p/4002305#M4951 <P>for the ASA vpn configuration if custom configuration is not define then it always go and match the default configuraton.</P><P>&nbsp;</P><P>show run all tunnel-group</P><P>!</P><P>tunnel-group DefaultRAGroup type remote-access<BR />tunnel-group DefaultRAGroup general-attributes<BR />no address-pool<BR />no ipv6-address-pool<BR />authentication-server-group LOCAL<BR />secondary-authentication-server-group none<BR />no accounting-server-group<BR />default-group-policy DfltGrpPolicy<BR />no dhcp-server<BR />no strip-realm<BR />no nat-assigned-to-public-ip<BR />no scep-enrollment enable<BR />no password-management<BR />no strip-group<BR />no authorization-required<BR />username-from-certificate CN OU<BR />secondary-username-from-certificate CN OU<BR />authentication-attr-from-server primary<BR />authenticated-session-username primary</P><P>&nbsp;</P><P>&nbsp;</P><P>I think you doing a local authentication if you have ISE servers you can define your attributes and push it from there.</P> Sat, 21 Dec 2019 13:15:11 GMT https://community.cisco.com/t5/network-security/asa-ipsec-remote-access-vpn-limit-number-of-auth-retries/m-p/4002305#M4951 Sheraz.Salim 2019-12-21T13:15:11Z