
Use AAA to lock out source IP?

Sean Oskar
Level 1

Hello,

Is there any aaa command(s) to lock-out source IPs after a given number of attempts? I'd like to make it so specific users do not get locked out universally. (2811 v12.3 (8) T5)

Or would I need an IPS for this?

Thanks for any info,

Sean

1 Reply

andamani
Cisco Employee

Hi Sean,

Honestly, I did not understand your exact requirement. You can direct the traffic to the AAA server via a source interface of the router.

Tacacs:

ip tacacs source-interface subinterface-name

http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_i1g.html#wp1074100

Radius:

ip radius source-interface subinterface-name [vrf vrf-name]

http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_i1g.html#wp1071845

You can define the maximum attempts of the user as well. After failure of these attempts the account will get locked out.

aaa authentication attempts login number-of-attempts

http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_a1g.html#wp1070744

Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
