08-05-2010 02:04 PM - edited 03-06-2019 12:21 PM
I would like to know if it is possible with IOS (c3560) to lock a user's SSH session for X time after he tries to connect to the switch, for example, 3 times.
I know that there is this command: aaa local authentication attempts max-fail number-of-unsuccessful-attempts
https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/g_cilprl.html
The problem is that when the user is locked, it needs to be manually unlocked by somebody else. I just want to lock the user for a short period of time.
Any idea?
08-05-2010 04:55 PM
Hello,
You could use TACACS authentication with Cisco ACS which will allow you to configure number of logins/time based logins.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a6e.html#wp852208
Hope this helps.
Regards,
NT
08-05-2010 09:01 PM
Phillippe,
A per-user lockout time may not be possible without ACS, as mentioned.
But what can be done is enabling the "login block-for" command, which specifies the lockout time.
The number of failed connection attempts will trigger this.
Meanwhile, "login quiet-mode access-class" can help you define a group of hosts which would still have permission to log in during the quiet mode of the router, i.e. excluded from the quiet mode.
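
A configuration sketch of the "login block-for" approach from the reply above, added here as an example and not taken from any poster's device. The timer values, the ACL name MGMT-QUIET and the address 192.0.2.10 are assumptions chosen for illustration.

```cisco
! Added example with constructed values:
!   3 failed logins within 60 seconds start a 120-second quiet period.
! MGMT-QUIET and 192.0.2.10 are hypothetical; substitute your own
! management ACL name and host.
configure terminal
 !
 ! Hosts that must still be able to log in during the quiet period
 ip access-list standard MGMT-QUIET
  permit host 192.0.2.10
 exit
 !
 ! Enable the temporary block first; the other "login" commands
 ! build on it
 login block-for 120 attempts 3 within 60
 !
 ! Exempt the management host(s) above from the quiet period
 login quiet-mode access-class MGMT-QUIET
 !
 ! Log failed and successful attempts so a lockout is visible in syslog
 login on-failure log
 login on-success log
end
!
! Verify the parameters and whether the device is in normal or quiet mode
show login
! Review the recorded failed attempts and their sources
show login failures
```

The block applies to all Telnet, SSH and HTTP login attempts on the device rather than to a single user, and it clears by itself when the timer expires. The quiet-mode ACL is what keeps a management host able to log in while the block is active.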