Is 'security authentication failure rate' command deprecated?

jbulloch
Level 1

So, for a long time I have used:

login block-for 900 attempts 3 within 120
login on-failure log
login on-success log

This logs to syslog fine and can be dumped to security software, and reports run to search a string when needed, just fine. Lately, I noticed that SolarWinds has a "Cisco security audit". It hit all my switches for not having "security authentication failure rate". However, not a single IOS or XE version I have in use will take the command. It appears this command should take a count number on global and then log to syslog if it's exceeded, but it seems redundant with constant logging from "login on-failure log" and "login block-for" offering the ability to restrict logins with quiet mode ACL.

Is there something about this command I am missing here, or has it been removed?

hawksg2024
Level 1

You're absolutely right to question it — you're not missing much. The security authentication failure rate command was used in some older or specific IOS versions but isn’t widely supported across modern IOS or IOS-XE platforms. What you’ve already implemented (login block-for, login on-failure log) is not only more flexible but also actively protects against brute-force attacks, especially with quiet mode ACLs. Most security audits just look for specific commands and may flag things even if you’ve covered the functionality in a better way. It’s more of a checkbox mismatch than a real security gap.
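Added example, not from either post and not Cisco's code: a small Python script that parses the %SEC_LOGIN syslog messages produced by the "login on-failure log" / "login block-for" configuration in the question and replays the "attempts 3 within 120" rule, so a report can show when the device would have entered quiet mode and which sources caused it. The sample log lines (hostname, users, addresses) are constructed, the year is assumed because syslog lines carry none, and the message layout follows the SEC_LOGIN-4-LOGIN_FAILED / SEC_LOGIN-1-QUIET_MODE_ON / SEC_LOGIN-5-LOGIN_SUCCESS text as commonly seen on IOS.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample syslog shaped like the %SEC_LOGIN messages that "login on-failure log",
# "login on-success log" and "login block-for" emit; host, users and addresses are made up.
SAMPLE_LOG = """\
Jan 10 08:00:01 sw1 12: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 08:00:01 UTC Wed Jan 10 2024
Jan 10 08:00:40 sw1 13: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 08:00:40 UTC Wed Jan 10 2024
Jan 10 08:01:30 sw1 14: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 08:01:30 UTC Wed Jan 10 2024
Jan 10 08:01:31 sw1 15: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 08:01:31 UTC Wed Jan 10 2024
Jan 10 08:05:00 sw1 16: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 08:05:00 UTC Wed Jan 10 2024
Jan 10 08:05:20 sw1 17: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.0.0.5] [localport: 22] at 08:05:20 UTC Wed Jan 10 2024
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \d+: %SEC_LOGIN-\d-(?P<kind>\w+): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse(text, year=2024):
    """Syslog lines -> (timestamp, kind, user, source); syslog carries no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["kind"], m["user"], m["src"]))
    return events

def replay_block_for(events, attempts=3, within=120):
    """Replay the rule behind 'login block-for <secs> attempts N within S'. The device counts
    failures from all sources together and enters quiet mode once N fall inside S seconds.
    Returns (trigger time, sources seen in that window) or None if never reached."""
    window = deque()
    for ts, kind, _user, src in sorted(events):
        if kind != "LOGIN_FAILED":
            continue
        window.append((ts, src))
        while (ts - window[0][0]).total_seconds() > within:
            window.popleft()
        if len(window) >= attempts:
            return ts, sorted({s for _, s in window})
    return None

def quiet_mode_entries(events):
    """Timestamps at which the device itself reported entering quiet mode."""
    return [ts for ts, kind, _, _ in events if kind == "QUIET_MODE_ON"]
```

Comparing the replayed trigger time with the QUIET_MODE_ON message is a quick way to confirm from the logs alone that the block-for thresholds are doing the job an audit rule expects.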