Support for account lockout?

tuanquangnguyen

Hi community,

Does Cisco ACI support account lockout upon authentication failure (like for 5 failed attempts within a certain amount of time)? Local users, and probably also needed for remote users.

Thanks heaps.

Accepted Solutions

Claudia de Luna

Hi @tuanquangnguyen 

 

This is a feature of ACI MSO (see release notes below)

■ When upgrading from a release prior to Release 2.2(1), a GUI lockout timer for repeated failed login attempts is automatically enabled by default and is set to 5 login attempts before a lockout with the lockout duration incremented exponentially every additional failed attempt.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/aci_multi-site/sw/2x/release-notes/Cisco-ACI-Multi-Site-Release-Notes-223.html

 

However, I've not seen it move down into the APIC itself. I can confirm it is not available in version 4.1(1k) or 4.2(3q) and have not found anything in the release notes to suggest it's a feature (yet), so for now it does not look like you can rely on getting this capability from the APIC itself. You would likely need to enable authentication to another source that does support this capability.

 


Sergiu.Daniluk

Hi @tuanquangnguyen 

The feature is fresh and new, now available in ACI 4.2.4.

You can block a user from being able to log in after the user fails a configured number of login attempts. You can specify how many failed login attempts the user can have within a specific time period. If the user fails to log in too many times, then that user becomes unable to log in for a specified period of time.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/release-notes/cisco-apic-release-notes-424.html 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/security/b-Cisco-APIC-Security-Configuration-Guide-421/b-Cisco-APIC-Security-Configuration-Guide-421_chapter_011.html#Cisco_Concept.dita_5c10e028-7d03-4b96-94c9-4737f8e5206d 

 

Cheers,

Sergiu
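
A small model of the policy described in the answer above (failed-attempt limit, counting window, block duration), added here as an illustration; it is not Cisco's code or the poster's. The parameter values, the event tuples, and the choices to reset the count on a successful login and to ignore attempts made during a block are assumptions, not documented APIC behaviour.

```python
from collections import defaultdict, deque

def evaluate_lockouts(events, max_failed, window_s, block_s):
    """Replay (timestamp_s, user, success) events against a lockout policy.

    Returns a list of (timestamp_s, user, outcome) in time order.
    """
    failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    blocked_until = {}             # user -> time at which the block expires
    results = []
    for ts, user, ok in sorted(events):
        if ts < blocked_until.get(user, 0):
            # Even a correct password is refused while the block is active.
            results.append((ts, user, "rejected-blocked"))
            continue
        if ok:
            failures[user].clear()  # assumption: success resets the counter
            results.append((ts, user, "login"))
            continue
        recent = failures[user]
        recent.append(ts)
        while recent and recent[0] <= ts - window_s:
            recent.popleft()        # drop failures older than the window
        if len(recent) >= max_failed:
            blocked_until[user] = ts + block_s
            recent.clear()
            results.append((ts, user, "failed-now-blocked"))
        else:
            results.append((ts, user, "failed"))
    return results

# Constructed sample events: (seconds, user, success)
SAMPLE = [
    (0, "alice", False), (10, "alice", False), (20, "alice", False),
    (30, "alice", False), (40, "alice", False),   # 5 failures inside 60 s
    (100, "alice", True),                         # correct password, still blocked
    (400, "alice", True),                         # block has expired
    (0, "bob", False), (200, "bob", False), (400, "bob", False),
    (600, "bob", False), (800, "bob", False),     # occasional typos, never 5 in 60 s
]

if __name__ == "__main__":
    # Constructed policy values, not APIC defaults.
    for row in evaluate_lockouts(SAMPLE, max_failed=5, window_s=60, block_s=300):
        print(row)
```

Replaying real authentication logs through a model like this before enabling the feature shows how often legitimate users would be blocked under a given window and duration.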

Thanks Claudia for the explanation.
