Login block-for command and Cisco ISE alternatives

Greetings,

I have set the command "login block-for 300 attempts 3 within 60" on my network devices. However, I am aware that in case of failed login attempts all users will be unable to log in to the device for 300 sec. Can this command somehow be configured in a way that blocks access per individual user, or can it block access to the device by setting only specific IP addresses in a quiet-mode ACL instead?

Does Cisco ISE support the functionality of blocking access per specific user, or again does it apply to all users?

Please let me know.


Accepted Solution

Hi,


Please check the following settings:

Administration > Identity Management > Settings > User Authentication Settings:

- Disable user account after "Value" days if password was not changed

- Lock/Suspend Account with incorrect login attempts


Administration > Identity Management > Identities > Edit User Account:

- Account Disable Policy



Nadav
Level 7

If your users are all internal ISE users, then the answer already provided for this post is sufficient. Keep in mind that in that case your login block command would be entirely irrelevant to that policy, since it's applied internally via ISE.


If your users are AD-managed, you'd need to handle this via the password policy in your AD. Check out:

https://community.cisco.com/t5/network-access-control/how-to-configure-password-policy-on-cisco-ise-2-3-to-manage-the/m-p/3786385#M485995 


If you want to handle this entirely via "login block-for" then you're out of luck since that's not how the command works. Take a look at:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-login-enhance.html

The best you can do is a quiet-mode ACL for hosts you know are secure, not users.
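As an added illustration (not part of the original thread), this is how the host-based exemption Nadav describes looks on IOS/IOS-XE, together with the logging that lets a syslog collector see when the device enters quiet mode; the ACL name and the 192.0.2.x addresses are placeholders for your own management stations.

```cisco
! Global lockout from the question: after 3 failures within 60 s,
! the device enters quiet mode for 300 s for everyone ...
login block-for 300 attempts 3 within 60
!
! ... except hosts matched by this ACL (placeholder management addresses).
! Note this exempts hosts, not user accounts.
ip access-list standard MGMT-QUIET-MODE
 permit host 192.0.2.10
 permit 192.0.2.0 0.0.0.255
 deny   any
!
login quiet-mode access-class MGMT-QUIET-MODE
!
! Log every failed and successful login so the lockout is visible
! on the syslog collector, not only on the device.
login on-failure log every 1
login on-success log
!
! Short pause between successive login attempts on the same line.
login delay 2
!
! Verification (exec mode):
!   show login           - current mode (normal/quiet) and remaining time
!   show login failures  - recent failed attempts with source address
```

Hosts outside the ACL are still subject to the global quiet mode, which is why per-user lockout has to be handled on the AAA server (ISE or AD) as the replies above describe.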