Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
513
Views
0
Helpful
4
Replies

Locking down ASA

bob.bartlett
Level 1
Level 1

‎01-23-2013 03:20 PM - edited ‎03-11-2019 05:51 PM

I am working on locking down the ASA and I am looking for the commands to set the number of failed authentications before it won't accept login attempts from that host.  I found a single command to set the max times but what about the max duration or the time between attempts settings.                  

Labels:
0 Helpful
4 Replies 4

Julio Carvajal
VIP Alumni
VIP Alumni

‎01-23-2013 08:09 PM

Hello,

I would say there is no such a comand on the ASA,

You can set after how much idle time a user will need to reauthenticate but that's it.

timeout uauth  xx:xx:xx

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Karsten Iwen
VIP
VIP

‎01-23-2013 10:34 PM

For full control of the login-environment, you should use a TACACS- or RADIUS-Server. There you can configure the parameters as you want.


Sent from Cisco Technical Support iPad App

0 Helpful

bob.bartlett
Level 1
Level 1
In response to Karsten Iwen

‎01-24-2013 07:11 AM

I have it locked down there but if the TACACS fails then their is nothing to prevent a dictionary attack.  So how to you prevent that?

0 Helpful

Karsten Iwen
VIP
VIP
In response to bob.bartlett

‎01-24-2013 07:32 AM

One thing is the max-fail you already mentioned. And then you can configure a password-policy:

asa1(config)# password-policy ?

configure mode commands/options:

  authenticate-enable  Enable the user authentication feature

  lifetime             Set password lifetime

  minimum-changes      Set minimum character changes between old and new

                       password

  minimum-length       Set minimum password length

  minimum-lowercase    Set minimum number of lowercase password characters

  minimum-numeric      Set minimum number of numeric password characters

  minimum-special      Set minimum number of special password characters

  minimum-uppercase    Set minimum number of uppercase password characters

It's from an 8.4.4 ASA.  But that is gone on my v9.1-ASA (not sure if it's only a bug, RSA-authentication also doesn't work any more):

asa(config)# password-policy

                     ^

ERROR: % Invalid input detected at '^' marker.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card