Details
By default, there is no limit on the number of login attempts a user can make before successfully authenticating; this introduces the risk of an unauthorized user gaining access to a switch by guessing an account password. This risk can be mitigated by specifying a limit on failed login attempts; once this limit is reached, the user account is locked out.
Solution
To set the number of failed login attempts before account lockout to 2, with a lockout time of 300 seconds (5 minutes), use the following command:
switch(config)# aaa authentication limit-login-attempts 2 lockout-time 300
The limit on failed login attempts can be set between 1 and 10; if set to 1, any failed login attempt will result in the account being locked out. The lockout time can be set in a range from 1 to 3,600 seconds (1 hour).
This setting applies only to login attempts through SSH or the Web UI using local authentication; it does not apply to login attempts through the serial console. This feature cannot be configured when RADIUS or TACACS+ are being used for user authentication; account lockout policies should be configured on the respective authentication server instead.
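The lockout behaviour described above, modelled as a small Python policy object so the semantics of the two parameters can be exercised end to end. This is an added illustration, not ArubaOS code or its implementation; the class names (LockoutPolicy, LocalAccountLockout), the FakeClock used to simulate elapsed time, and the choice to reset the failure counter on a successful login are assumptions made for the example. It enforces the documented ranges (1 to 10 attempts, 1 to 3,600 seconds), locks the account once the limit is reached, rejects even a correct password while the lock is active, and releases the lock automatically when the lockout time has elapsed.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    """Mirrors the two knobs on the page: failed-attempt limit and lockout time."""
    max_attempts: int    # documented range: 1..10
    lockout_time: int    # documented range: 1..3600 seconds

    def __post_init__(self):
        if not 1 <= self.max_attempts <= 10:
            raise ValueError("limit-login-attempts must be between 1 and 10")
        if not 1 <= self.lockout_time <= 3600:
            raise ValueError("lockout-time must be between 1 and 3600 seconds")


def policy_is_valid(max_attempts, lockout_time):
    """Return True if the pair of values is inside the documented ranges."""
    try:
        LockoutPolicy(max_attempts, lockout_time)
        return True
    except ValueError:
        return False


class LocalAccountLockout:
    """Hypothetical per-account lockout tracker for local (non-RADIUS/TACACS+) logins."""

    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock                 # injectable so tests can control time
        self._failures = {}                # user -> consecutive failed attempts
        self._locked_until = {}            # user -> clock value when lock expires

    def is_locked(self, user, now=None):
        now = self.clock() if now is None else now
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout time has elapsed: clear the lock and the failure counter.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_attempt(self, user, success):
        """Evaluate one login attempt; returns 'ok', 'fail' or 'locked'."""
        now = self.clock()
        if self.is_locked(user, now):
            return "locked"                # refused even if the password is right
        if success:
            self._failures.pop(user, None)  # assumption: success resets the counter
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.policy.max_attempts:
            self._locked_until[user] = now + self.policy.lockout_time
            return "locked"
        return "fail"


class FakeClock:
    """Constructed clock so the demo runs offline without real sleeps."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk through the page's example: limit 2, lockout 300 seconds."""
    clock = FakeClock()
    guard = LocalAccountLockout(LockoutPolicy(max_attempts=2, lockout_time=300), clock=clock)
    results = []
    results.append(guard.record_attempt("admin", success=False))   # 1st failure -> 'fail'
    results.append(guard.record_attempt("admin", success=False))   # 2nd failure -> 'locked'
    results.append(guard.record_attempt("admin", success=True))    # correct password, still 'locked'
    clock.advance(299)
    results.append(guard.record_attempt("admin", success=True))    # 299 s later, still 'locked'
    clock.advance(1)
    results.append(guard.record_attempt("admin", success=True))    # 300 s elapsed -> 'ok'
    return results


if __name__ == "__main__":
    print(demo())
```

Setting max_attempts to 1 reproduces the page's edge case: the first failed attempt immediately returns 'locked'. The model deliberately has no notion of a console path, matching the statement that the switch feature does not cover serial-console logins.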
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: ArubaOS.