08-05-2010 02:04 PM - edited 03-06-2019 12:21 PM
I would like to know if it is possible with IOS (c3560) to lock a user's SSH session for X time after he tries to connect to the switch, for example, 3 times.
I know that there is this command: aaa local authentication attempts max-fail number-of-unsuccessful-attempts
https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/g_cilprl.html
The problem is that when the user is locked, he needs to be manually unlocked by somebody else. I just want to lock the user for a short period of time.
Any idea?
Accepted Solutions
08-05-2010 09:01 PM
Phillippe,
A per-user lockout time may not be possible without ACS, as mentioned.
But what can be done is enabling the "login block-for" command, which specifies the lockout time.
The number of failed connection attempts will trigger this.
Meanwhile, the "login quiet-mode access-class" command can help you define a group of hosts which would still have permission to log in during the quiet mode of the router, i.e. excluded from the quiet mode.
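The two commands named in the answer above, put together as an added example (not part of the original post). The timer values, the ACL name MGMT-HOSTS and the 192.0.2.x addresses are constructed assumptions, and it assumes the IOS image on the switch includes the login enhancement commands.

```cisco
! Added example: temporary lockout after repeated failed logins.
! All values below are assumptions chosen for illustration.
!
! Hosts that may still log in while the device is in quiet mode.
! 192.0.2.0/24 is a documentation range; replace with real management hosts.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
 permit 192.0.2.11
!
! Enter quiet mode for 120 seconds after 3 failed attempts within 60 seconds.
! The counter is device-wide, not per user: during quiet mode every
! Telnet/SSH/HTTP login is refused unless the source matches the ACL below.
login block-for 120 attempts 3 within 60
!
! Exempt the management hosts so administrators are not locked out
! together with the failing source.
login quiet-mode access-class MGMT-HOSTS
!
! Slow down successive attempts and log every failure and success.
login delay 2
login on-failure log
login on-success log
!
! Verification, from privileged EXEC mode:
!   show login            (current parameters and whether quiet mode is active)
!   show login failures   (sources and usernames of failed attempts)
```

Quiet mode ends on its own when the block-for timer expires, so no manual unlock is needed, unlike the aaa local authentication attempts max-fail lockout mentioned in the question.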
08-05-2010 04:55 PM
Hello,
You could use TACACS authentication with Cisco ACS which will allow you to configure number of logins/time based logins.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a6e.html#wp852208
Hope this helps.
Regards,
NT
