aaa authentication limit-login-attempts


aaa authentication limit-login-attempts <ATTEMPTS> lockout-time <LOCKOUT-TIME>

no aaa authentication limit-login-attempts


Enables local login attempt limiting. If the number of failed local login attempts equals the configured threshold, the user is locked out for the configured duration.

The no form of this command disables local login attempt limits.


Local login attempt limiting is available only when remote authentication through AAA servers (TACACS+ or RADIUS) is not in use.

Command context




<ATTEMPTS>

Specifies the threshold of failed local login attempts that triggers user lockout. Range: 1 to 10. For example, if <ATTEMPTS> is set to 1, a single failed login attempt triggers immediate user lockout.

<LOCKOUT-TIME>

Specifies the amount of time a user is locked out. Range: 1 to 3600 seconds.




Enabling local login attempt limiting, with a 20-second lockout triggered on the fourth consecutive failed login attempt:

switch(config)# aaa authentication limit-login-attempts 4 lockout-time 20

Disabling login attempt failure limiting:

switch(config)# no aaa authentication limit-login-attempts
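
The following Python check is an added example, not part of the original command reference. It audits a saved configuration for this command, validates the documented ranges, and compares the values to a site policy. The function name, the policy values max_attempts and min_lockout, the sample configuration, and the premise that the saved configuration lists the command in the syntax shown above are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

# Syntax and ranges as documented on this page.
ENABLE = re.compile(r"^aaa authentication limit-login-attempts (\d+) lockout-time (\d+)$")
DISABLE = "no aaa authentication limit-login-attempts"
ATTEMPTS_RANGE = range(1, 11)    # 1 to 10 failed attempts
LOCKOUT_RANGE = range(1, 3601)   # 1 to 3600 seconds

class Finding(NamedTuple):
    ok: bool
    attempts: Optional[int]
    lockout_time: Optional[int]
    reason: str

def audit_login_limit(config_text, max_attempts=5, min_lockout=60):
    """Audit the effective limit-login-attempts setting in a saved config.

    max_attempts and min_lockout are hypothetical site-policy values, not
    defaults or recommendations from the command reference.
    """
    setting = None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())      # normalise indentation and spacing
        if line == DISABLE:
            setting = None                # assumption: a later "no" form wins
        elif (m := ENABLE.match(line)):
            setting = (int(m.group(1)), int(m.group(2)))
    if setting is None:
        return Finding(False, None, None, "login attempt limiting is not enabled")
    attempts, lockout = setting
    if attempts not in ATTEMPTS_RANGE or lockout not in LOCKOUT_RANGE:
        return Finding(False, attempts, lockout, "value outside documented range")
    if attempts > max_attempts:
        return Finding(False, attempts, lockout, "threshold above policy maximum")
    if lockout < min_lockout:
        return Finding(False, attempts, lockout, "lockout shorter than policy minimum")
    return Finding(True, attempts, lockout, "meets policy")

# Constructed sample: the enabling example from this page inside a config dump.
SAMPLE = """\
hostname switch
aaa authentication limit-login-attempts 4 lockout-time 20
"""

if __name__ == "__main__":
    print(audit_login_limit(SAMPLE))
```

With the example policy, the page's sample setting is reported as having a lockout shorter than the policy minimum; pass min_lockout=20 to accept it.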