Failed authentication lockout

The default number of allowed login attempts per session or user is three, meaning the user has three chances to supply valid access credentials. Once this limit is reached, the session terminates, and the user must start the login process over after an optional lockout delay (disabled by default). Both the number of allowed login attempts and the lockout delay period are configurable.

To reduce the number of login attempts before terminating the session to two, use the following command:

switch(config)# aaa authentication num-attempts 2

This setting accepts a value from 1 to 10. If the lockout delay is set to a non-zero value, the number of attempts is enforced per user account; if there is no configured delay, the setting is enforced per session.

To set a lockout delay of 30 seconds after the number of allowed attempts has been exceeded:

switch(config)# aaa authentication lockout-delay 30

This setting can be assigned a value (in seconds) between 0 and 3600; setting the value to 0 disables the lockout delay. However, exceeding the number of allowed login attempts will still result in the authentication session being terminated.
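To check saved switch configurations against the behaviour described above, the following added example (not from the original guide or from the vendor) parses a configuration export and reports the effective attempt limit, lockout delay, and enforcement scope. It assumes the export contains the two commands in the same form as they are entered; the function name and the policy thresholds max_attempts and min_delay are hypothetical.

```python
import re

# Defaults and valid ranges as stated in the text above.
DEFAULTS = {"num-attempts": 3, "lockout-delay": 0}
RANGES = {"num-attempts": (1, 10), "lockout-delay": (0, 3600)}
_LINE = re.compile(r"^\s*aaa authentication (num-attempts|lockout-delay)\s+(\d+)\s*$", re.M)


def audit_lockout(config_text, max_attempts=3, min_delay=30):
    """Report the effective lockout settings of a saved configuration.

    max_attempts and min_delay are hypothetical policy thresholds chosen
    for this example; they are not vendor recommendations.
    """
    values = dict(DEFAULTS)
    for key, raw in _LINE.findall(config_text):
        values[key] = int(raw)  # a later line overrides an earlier one

    findings = []
    for key, (low, high) in RANGES.items():
        if not low <= values[key] <= high:
            findings.append(f"{key} {values[key]} outside {low}-{high}")
    attempts, delay = values["num-attempts"], values["lockout-delay"]
    if attempts > max_attempts:
        findings.append(f"num-attempts {attempts} exceeds policy {max_attempts}")
    if delay == 0:
        findings.append("lockout-delay disabled: limit applies per session only")
    elif delay < min_delay:
        findings.append(f"lockout-delay {delay}s below policy {min_delay}s")

    return {
        "num_attempts": attempts,
        "lockout_delay": delay,
        # Non-zero delay: enforced per user account; zero: per session.
        "scope": "per-user" if delay > 0 else "per-session",
        "findings": findings,
    }


# Constructed configuration excerpts, not taken from a real device.
SAMPLE_DEFAULT = 'hostname "switch"\n'
SAMPLE_HARDENED = "aaa authentication num-attempts 2\naaa authentication lockout-delay 30\n"

if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_lockout(cfg))
```

A configuration with neither command present is reported with the defaults (three attempts, no delay), which is the per-session case.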

For more details on local password management and policies, refer to the chapter titled “Configuring Username and Password Security” in the ArubaOS-Switch Access Security Guide.