01-23-2013 03:20 PM - edited 03-11-2019 05:51 PM
I am working on locking down the ASA and I am looking for the commands to set the number of failed authentications before it won't accept login attempts from that host. I found a single command to set the max times, but what about the max duration or the time between attempts settings?
01-23-2013 08:09 PM
Hello,
I would say there is no such command on the ASA.
You can set after how much idle time a user will need to reauthenticate, but that's it.
timeout uauth xx:xx:xx
Regards
01-23-2013 10:34 PM
For full control of the login-environment, you should use a TACACS- or RADIUS-Server. There you can configure the parameters as you want.
01-24-2013 07:11 AM
I have it locked down there, but if the TACACS fails then there is nothing to prevent a dictionary attack. So how do you prevent that?
01-24-2013 07:32 AM
One thing is the max-fail you already mentioned. And then you can configure a password-policy:
asa1(config)# password-policy ?
configure mode commands/options:
  authenticate-enable  Enable the user authentication feature
  lifetime             Set password lifetime
  minimum-changes      Set minimum character changes between old and new
                       password
  minimum-length       Set minimum password length
  minimum-lowercase    Set minimum number of lowercase password characters
  minimum-numeric      Set minimum number of numeric password characters
  minimum-special      Set minimum number of special password characters
  minimum-uppercase    Set minimum number of uppercase password characters
It's from an 8.4.4 ASA. But that is gone on my v9.1-ASA (not sure if it's only a bug, RSA-authentication also doesn't work any more):
asa(config)# password-policy
^
ERROR: % Invalid input detected at '^' marker.
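Added example, not part of the thread and not Cisco code: a small Python check that reads a saved running-config and reports whether the local-fallback protections discussed above (the max-fail lockout and the password-policy minimums) are configured. The sample configs, the TACACS-GRP group name and the baseline numbers are assumptions made up for the example.

```python
import re

# Constructed running-config excerpts (not from the thread); TACACS-GRP is a made-up name.
WEAK = """\
aaa authentication ssh console TACACS-GRP LOCAL
username admin password <placeholder-hash> encrypted privilege 15
"""
HARDENED = WEAK + """\
aaa local authentication attempts max-fail 3
password-policy minimum-length 12
password-policy minimum-uppercase 1
password-policy minimum-lowercase 1
password-policy minimum-numeric 1
password-policy minimum-special 1
"""

# Assumed baseline for this example only; substitute your own policy values.
MAX_FAIL_CEILING = 5
POLICY_FLOOR = {"minimum-length": 12, "minimum-uppercase": 1, "minimum-lowercase": 1,
                "minimum-numeric": 1, "minimum-special": 1}

def uses_local_fallback(config):
    """True if a console login method lists LOCAL after a server group."""
    return bool(re.search(r"^aaa authentication \S+ console \S+ LOCAL\s*$", config, re.M))

def audit_local_auth(config):
    """Return findings for the local lockout and password-policy settings."""
    findings = []
    m = re.search(r"^aaa local authentication attempts max-fail (\d+)\s*$", config, re.M)
    if m is None:
        findings.append("no max-fail lockout threshold configured for local accounts")
    elif int(m.group(1)) > MAX_FAIL_CEILING:
        findings.append(f"max-fail {m.group(1)} exceeds baseline {MAX_FAIL_CEILING}")
    # Collect the password-policy minimum-* lines that are present in the config.
    policy = dict(re.findall(r"^password-policy (minimum-\w+) (\d+)\s*$", config, re.M))
    for key, floor in POLICY_FLOOR.items():
        if int(policy.get(key, 0)) < floor:
            findings.append(f"password-policy {key} {policy.get(key, 'unset')} is below baseline {floor}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "- LOCAL fallback:", uses_local_fallback(cfg))
        for finding in audit_local_auth(cfg):
            print("  -", finding)
```

Run it against the output of `show running-config` saved to a file; a config from an image without the password-policy command will report every minimum as unset.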