Block repeated login attempts ASA5505

Esben Pedersen
Level 1

Hi Cisco

I have a question regarding our ASA 5505 and ASA 5510. I am working on a solution on how to block repeated login attempts.

As it is today, you can try as much as you like to enter the right password for the admin user (we only have an administrator account configured).

I found the "aaa local authentication attempts max-fail" command, but it is not possible, as the administrator can't get locked out.

Is there a way to block repeated attempts on the admin account, or is it possible to enter a delay before you can try again?

Thanks in advance!

Best Regards

Esben Pedersen

Kamco A/S

Denmark

8 Replies

ALIAOF_
Level 6

Do you have a RADIUS or TACACS+ server set up? You can easily set this up that way. But if you don't, then you'll need to go with some other best practices such as:

- Only allow SSH and HTTPS access from certain IPs.

- Change the admin name to something different that can not be easily guessed, and only give it out to people who need access to it.

No, we do not have a RADIUS or TACACS+ server set up.

The other solutions are not what we need.

What we need (if possible) is a way to block repeated login attempts, or at least configure a delay before it is possible to try to log in again. I mean, if you type the wrong password 3 times, then you have to wait e.g. 2 min before you can try again.

Best regards

Esben Pedersen

Esben Pedersen
Level 1

Does anyone have a solution that suits our needs?

Hi,

You can use the login enhancement feature. A command would be:

login block-for 1800 attempts 3 within 300

Sent from Cisco Technical Support iPhone App

Is this only a router command? (block-for)

Esben Pedersen
Level 1

Hi

It is not possible to enter the above command on our ASAs.

Our ASAs are running software version:

Cisco Adaptive Security Appliance Software Version 8.2(3)

Cisco Adaptive Security Appliance Software Version 8.2(5)

I do not know if that has anything to do with it?

Hi,

Sorry, I've re-checked this on Cisco's Feature Navigator tool. The login enhancement feature is supported by IOS routers and ASRs only.

Looks like you'll need an external appliance or server in order to achieve your goal.


Sent from Cisco Technical Support iPhone App
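The thread ends with "you'll need an external appliance or server". The following is an added example, not code from this thread or from Cisco: it shows what such an external watcher would have to do, applying the same policy the IOS command `login block-for 1800 attempts 3 within 300` expresses (3 failures from one source within 300 seconds, then refuse that source for 1800 seconds) to failed-login syslog lines. The sample log is constructed, and its line layout is modelled on the ASA "Login denied" message style; treat that format and the regex as assumptions to adapt to real output from your version.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy mirroring "login block-for 1800 attempts 3 within 300":
# 3 failures from one source inside 300 s -> refuse that source for 1800 s.
ATTEMPTS = 3
WITHIN_SECONDS = 300
BLOCK_FOR_SECONDS = 1800

# Constructed sample syslog (not a real capture), modelled on the ASA
# "Login denied" message style. The exact format is an assumption for
# illustration; adjust LINE_RE to what your appliance actually emits.
SAMPLE_LOG = """\
Jan 10 12:00:05 asa %ASA-6-605004: Login denied from 203.0.113.7/51000 to outside:192.0.2.1/ssh for user "admin"
Jan 10 12:00:40 asa %ASA-6-605004: Login denied from 203.0.113.7/51001 to outside:192.0.2.1/ssh for user "admin"
Jan 10 12:03:10 asa %ASA-6-605004: Login denied from 203.0.113.7/51002 to outside:192.0.2.1/ssh for user "admin"
Jan 10 12:04:00 asa %ASA-6-605004: Login denied from 203.0.113.7/51003 to outside:192.0.2.1/ssh for user "admin"
Jan 10 12:10:00 asa %ASA-6-605004: Login denied from 198.51.100.9/40000 to outside:192.0.2.1/https for user "admin"
Jan 10 12:31:00 asa %ASA-6-605004: Login denied from 203.0.113.7/51004 to outside:192.0.2.1/ssh for user "admin"
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-605004: '
    r'Login denied from (?P<src>[\d.]+)/\d+ to \S+ for user "(?P<user>[^"]+)"$'
)


def parse_line(line):
    """Return (timestamp, source_ip, user) for a failed-login line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only the differences between timestamps matter here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), m.group("user")


class LoginGuard:
    """Sliding-window failure counter with a per-source lockout."""

    def __init__(self, attempts=ATTEMPTS, within=WITHIN_SECONDS, block_for=BLOCK_FOR_SECONDS):
        self.attempts = attempts
        self.within = timedelta(seconds=within)
        self.block_for = timedelta(seconds=block_for)
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures
        self.blocked_until = {}             # src -> datetime when the block expires

    def is_blocked(self, src, now):
        until = self.blocked_until.get(src)
        return until is not None and now < until

    def record_failure(self, src, now):
        """Return 'blocked' (source already locked out), 'block' (this failure
        trips the lockout) or 'allowed' (still under the threshold)."""
        if self.is_blocked(src, now):
            return "blocked"
        window = self.failures[src]
        window.append(now)
        # Drop failures that fell outside the sliding window.
        while window and now - window[0] > self.within:
            window.popleft()
        if len(window) >= self.attempts:
            self.blocked_until[src] = now + self.block_for
            window.clear()  # a fresh count starts once the block expires
            return "block"
        return "allowed"


def analyze(log_text, guard=None):
    """Feed each failed-login line through the guard; return (src, time, decision) tuples."""
    if guard is None:
        guard = LoginGuard()
    results = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _user = parsed
        results.append((src, ts.strftime("%H:%M:%S"), guard.record_failure(src, ts)))
    return results


if __name__ == "__main__":
    for src, when, decision in analyze(SAMPLE_LOG):
        print(f"{when} {src:<15} {decision}")
```

On the constructed log, the third failure from 203.0.113.7 at 12:03:10 trips the lockout (all three fall within 300 seconds), the fourth attempt at 12:04:00 and the one at 12:31:00 are refused because the block runs until 12:33:10, and the single failure from 198.51.100.9 stays under the threshold. What the watcher does with a "block" decision (for example, pushing a deny entry to the device) is left to whatever external appliance or server you choose, since the thread establishes that the ASA itself has no equivalent of `login block-for`.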

Does somebody know if this feature is available now?

I only have one user, which is local, and I would like to improve security by blocking attempts as I can do with all my switches and routers using the login block-for command.

Isn't there any compatibility between IOS and ASA?
