Cisco CCNA (640-553) Security Exam Training: The AAA Local Authentication Attempts Max-Fail Command
Network administrators (like you) use the "aaa local authentication attempts max-fail" command to specify the maximum number of unsuccessful authentication attempts before a user is locked out. In other words, once a CCNA configures a router with the command, the router will generate a system message like the one below whenever a user is either locked out by the router (system) or unlocked by the network administrator (CCNA):

    %AAA-5-USER_LOCKED: User user1 locked out on authentication failure

By the way, the command doesn't work on network administrators (CCNAs), only users.

Below is the command's syntax:

    aaa local authentication attempts max-fail number-of-unsuccessful-attempts

The number-of-unsuccessful-attempts argument is the number of unsuccessful authentication attempts.

Note: No messages are displayed to users after authentication failures that are due to the locked status (that is, there is no difference between a normal authentication failure and an authentication failure due to the locked status of the user).

Also, if you use the word "no" in front of the command to remove the number of unsuccessful attempts that you set on the router, like you see below:

    Router(config)#no aaa local authentication attempts max-fail 5

those users that were locked out by the command will remain locked out. To clear the existing locked-out status or number of failed attempts, you'll have to explicitly clear the status of the user(s) using clear commands.
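Because a locked-out user sees nothing different from an ordinary failure, the %AAA-5-USER_LOCKED message in the router's log is where lockouts show up. The following Python script is an added example, not part of the original article: it counts those messages per device and user, assuming a log layout in which the device name sits directly before the message; the device names, times and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Message text as shown in the article. The token right before it is taken
# as the device name; that layout is an assumption of this example.
LOCKED_RE = re.compile(
    r"(?P<host>\S+) %AAA-5-USER_LOCKED: "
    r"User (?P<user>\S+) locked out on authentication failure"
)

# Constructed sample lines (device names and times are made up).
SAMPLE_LOG = """\
Mar  3 10:15:02 rtr-edge1 %AAA-5-USER_LOCKED: User user1 locked out on authentication failure
Mar  3 10:15:40 rtr-edge1 %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Mar  3 10:42:11 rtr-edge2 %AAA-5-USER_LOCKED: User user1 locked out on authentication failure
Mar  3 11:03:27 rtr-edge1 %AAA-5-USER_LOCKED: User user2 locked out on authentication failure
Mar  3 14:20:09 rtr-edge1 %AAA-5-USER_LOCKED: User user1 locked out on authentication failure
""".splitlines()


def lockouts(lines):
    """Count lockout messages per (device, user)."""
    counts = defaultdict(int)
    for line in lines:
        match = LOCKED_RE.search(line)
        if match:
            counts[(match["host"], match["user"])] += 1
    return dict(counts)


def repeat_lockouts(lines, threshold=2):
    """(device, user) pairs locked out at least `threshold` times."""
    return sorted(k for k, n in lockouts(lines).items() if n >= threshold)


def multi_device_lockouts(lines):
    """Users locked out on more than one device, with the device names."""
    devices = defaultdict(set)
    for host, user in lockouts(lines):
        devices[user].add(host)
    return {u: sorted(h) for u, h in devices.items() if len(h) > 1}


if __name__ == "__main__":
    for (host, user), n in sorted(lockouts(SAMPLE_LOG).items()):
        print(f"{host}: {user} locked out {n} time(s)")
    print("repeat:", repeat_lockouts(SAMPLE_LOG))
    print("multi-device:", multi_device_lockouts(SAMPLE_LOG))
```
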
Below is an example of the command being used:

    Router>enable
    Router#configure terminal
    Router(config)#username netadmin
    Router(config)#username user1 password 0 ittechtips
    Router(config)#aaa new-model
    Router(config)#aaa local authentication attempts max-fail 3
    Router(config)#aaa authentication login default local
    Router(config)#exit
    Router#copy run start

In the example above, the maximum number of unsuccessful authentication attempts before a user is locked out has been set to 3. By the way, if you decide to use the command, make sure your router(s) is running Cisco IOS 12.3(14)T or higher.

I hope this article was very informative and helped you quickly understand the usage of the aaa local authentication attempts max-fail command. If you need to learn more, I suggest you visit my website, where you'll find the latest information regarding the Cisco CCNA (640-553) Security exam techniques.

To your success,

Article Directory: http://www.articledashboard.com

Charles Ross, CCNP #CSCO10444244 is the owner of Ittechtips.com, where you'll find free comprehensive information and videos on how to pass the CCNA (640-553) security exam. Sign up for "100 Free Videos" and also learn more about the new "Cisco CCNA (640-553) Video Accelerated Training Course" at his website. www.ccnaittechtips.com
© 2005-2011 Article Dashboard