04-22-2020 01:45 AM
Hi community,
Does Cisco ACI support account lockout upon authentication failure (like for 5 failed attempts within a certain amount of time)? Local users, and probably also needed for remote users.
Thanks heaps.
04-22-2020 09:21 AM
This is a feature of ACI MSO (see release notes below).
■ When upgrading from a release prior to Release 2.2(1), a GUI lockout timer for repeated failed login attempts is automatically enabled by default and is set to 5 login attempts before a lockout with the lockout duration incremented exponentially every additional failed attempt.
However, I've not seen it move down into the APIC itself. I can confirm it is not available in version 4.1(1k) or 4.2(3q) and have not found anything in the release notes to suggest it's a feature (yet), so for now it does not look like you can rely on getting this capability from the APIC itself. You would likely need to enable authentication to another source that does support this capability.
04-26-2020 01:20 PM - edited 04-26-2020 01:30 PM
The feature is fresh and new, now available in ACI 4.2.4.
You can block a user from being able to log in after the user fails a configured number of login attempts. You can specify how many failed login attempts the user can have within a specific time period. If the user fails to log in too many times, then that user becomes unable to log in for a specified period of time.
Cheers,
Sergiu
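The lockout behaviour described in the reply above (a configured number of failed attempts, a counting window, and a block period), modelled as an added example that is not part of the original posts and is not Cisco's code. The class and parameter names are hypothetical and are not APIC attribute names, and resetting the count on a successful login is an assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class LockoutPolicy:
    # Hypothetical parameter names; they are not APIC attribute names.
    max_failed_attempts: int  # failures tolerated inside the window
    window_seconds: int       # period over which failures are counted
    block_seconds: int        # how long the user is then unable to log in

class LockoutTracker:
    def __init__(self, policy):
        self.policy = policy
        self._failures = defaultdict(deque)  # user -> recent failure times
        self._blocked_until = {}             # user -> time the block ends

    def attempt(self, user, now, password_ok):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if now < self._blocked_until.get(user, 0):
            return "blocked"  # rejected even when the password is right
        if password_ok:
            self._failures.pop(user, None)  # assumption: success resets the count
            return "ok"
        recent = self._failures[user]
        recent.append(now)
        # Drop failures that have aged out of the counting window.
        while recent and recent[0] <= now - self.policy.window_seconds:
            recent.popleft()
        if len(recent) >= self.policy.max_failed_attempts:
            self._blocked_until[user] = now + self.policy.block_seconds
            recent.clear()
        return "failed"

def replay(events, policy):
    """Run (time, user, password_ok) tuples through a tracker in time order."""
    tracker = LockoutTracker(policy)
    return [(t, u, tracker.attempt(u, t, ok)) for t, u, ok in sorted(events)]

# Constructed sample events: (seconds since start, user, password_ok).
EVENTS = [
    (0, "admin", False), (10, "admin", False), (20, "admin", False),
    (30, "admin", False), (40, "admin", False),  # 5th failure within 300 s
    (50, "admin", True),    # correct password, but the block is active
    (640, "admin", True),   # block of 600 s has expired
    (100, "ops", False), (200, "ops", False), (300, "ops", False),
    (390, "ops", False), (450, "ops", False),  # t=100 aged out: only 4 in window
    (460, "ops", True),
]

if __name__ == "__main__":
    for row in replay(EVENTS, LockoutPolicy(5, 300, 600)):
        print(row)
```

Replaying exported authentication events through a model like this shows which accounts a candidate threshold, window and block period would have locked before the setting is enabled.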