4-32
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 4 Setting Up the Sensor
Configuring Authentication and User Parameters
Locking User Accounts
Note When you configure account locking, both local authentication and RADIUS authentication are affected. After the specified number of failed attempts to log in to a local account or a RADIUS account, the account is locked locally on the sensor. For local accounts, you can reset the password or use the unlock user username command to unlock the account. For RADIUS user accounts, you must use the unlock user username command to unlock the account.

Note For RADIUS users, the attempt limit is enforced only after the RADIUS user's first successful login to the sensor.

Use the attemptLimit number command in authentication submode to lock an account after a specified number of failed login attempts, so that users cannot keep trying to log in. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this default to a non-zero value.
To configure account locking, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter service authentication submode.
sensor# configure terminal
sensor(config)# service authentication
Step 3 Set the number of failed login attempts allowed before an account is locked.
sensor(config-aut)# attemptLimit 3
Step 4 Check your new setting.
sensor(config-aut)# show settings
attemptLimit: 3 defaulted: 0
sensor(config-aut)#
Step 5 Set the value back to the system default setting.
sensor(config-aut)# default attemptLimit
Step 6 Check that the setting has returned to the default.
sensor(config-aut)# show settings
attemptLimit: 0 <defaulted>
sensor(config-aut)#
Step 7 Check to see if any users have locked accounts. The account of the user jsmith is locked, as indicated by the parentheses.
Note When you apply a configuration that contains a non-zero value for attemptLimit, a change is made in the SSH server that may subsequently affect your ability to connect to the sensor. When attemptLimit is non-zero, the SSH server requires the client to support challenge-response authentication. If you experience problems after your SSH client connects but before it prompts for a password, you need to enable challenge-response authentication. Refer to the documentation for your SSH client for instructions.