
Use AAA to lock out source IP?

Sean Oskar
Level 1

Hello,

Is there any aaa command(s) to lock-out source IPs after a given number of attempts? I'd like to make it so specific users do not get locked out universally. (2811 v12.3 (8) T5)

Or would I need an IPS for this?

Thanks for any info,

Sean

1 Reply

andamani
Cisco Employee

Hi Sean,

Honestly, I did not understand your exact requirement. You can direct the traffic to the AAA server via a source interface of the router.

Tacacs:

ip tacacs source-interface subinterface-name

http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_i1g.html#wp1074100

Radius:

ip radius source-interface subinterface-name [vrf vrf-name]

http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_i1g.html#wp1071845

You can define the maximum attempts of the user as well. After failure of these attempts the account will get locked out.

aaa authentication attempts login number-of-attempts

http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_a1g.html#wp1070744

Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.