By default the ASA puts no limit on the number of failed authentication attempts against a locally defined user, so an attacker can guess a local user's password for as long as they like. To stop this, the number of consecutive failed logins for a locally managed user has to be capped; once the threshold is reached the account is locked. For the counter to apply at all, the management services (here SSH and HTTP/ASDM) must authenticate against the LOCAL user database: the lockout does not track logins that are validated by an external AAA server.

This is quickly implemented with the following configuration lines:

aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa proxy-limit 3
aaa authentication secure-http-client
aaa local authentication attempts max-fail 3

The first two lines send SSH and HTTP/ASDM logins to the local user database. The last line is the one that actually enables the lockout, here after three consecutive failures (the ASA accepts values from 1 to 16). The two lines in between harden the cut-through proxy rather than the lockout itself: proxy-limit caps the number of concurrent proxy connections per user, and secure-http-client forces HTTP authentication to run over HTTPS so that credentials are not sent in clear text. Two caveats: the lockout does not affect users with privilege level 15, so an administrator account at that level remains guessable and needs a correspondingly strong password, and a locked account stays locked until an administrator clears it; there is no automatic unlock after a timeout.
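Once the running-config has been exported with show running-config, the settings above are easy to audit offline. The following Python script is an added example and not part of the original post: it reads saved ASA config text and checks the three things that matter for the lockout, namely that max-fail is set (and no higher than a policy value, assumed here to be 3), that SSH and HTTP console authentication actually includes the LOCAL database, since the counter only tracks local authentications, and which privilege-15 users exist, because the ASA exempts them from the lockout. The regex patterns, class names, policy value and sample config are assumptions of this example, not ASA commands or output.

```python
"""Offline audit of an exported Cisco ASA running-config for local-user lockout.

Added example, not from the original post: the regexes, names and policy value
are this example's assumptions. It only reads saved config text, never a device.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# 'aaa local authentication attempts max-fail <n>' is the line that enables lockout.
MAX_FAIL_RE = re.compile(r"^aaa local authentication attempts max-fail (\d+)\s*$", re.M)
# 'aaa authentication <service> console <server-group> [LOCAL]' chooses who checks logins.
CONSOLE_RE = re.compile(r"^aaa authentication (\S+) console (.+?)\s*$", re.M)
# Privilege-15 users are exempt from the lockout, so they stay brute-forceable.
PRIV15_RE = re.compile(r"^username (\S+) .*\bprivilege 15\b", re.M)

# Management services the lockout is meant to protect (assumption: SSH and HTTP/ASDM).
MANAGEMENT_SERVICES = ("ssh", "http")


@dataclass
class LockoutAudit:
    max_fail: Optional[int] = None                  # configured threshold, None if absent
    local_services: List[str] = field(default_factory=list)        # console auth includes LOCAL
    remote_only_services: List[str] = field(default_factory=list)  # AAA server, no LOCAL
    exempt_users: List[str] = field(default_factory=list)          # privilege-15 accounts
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def audit_lockout(running_config: str, policy_max_fail: int = 3) -> LockoutAudit:
    """Report whether the config limits local brute force and where it falls short."""
    audit = LockoutAudit()

    match = MAX_FAIL_RE.search(running_config)
    if match is None:
        audit.findings.append(
            "missing 'aaa local authentication attempts max-fail': "
            "local users can be brute-forced without limit")
    else:
        audit.max_fail = int(match.group(1))
        if audit.max_fail > policy_max_fail:
            audit.findings.append(
                f"max-fail {audit.max_fail} is above the policy value {policy_max_fail}")

    # Which services authenticate against the LOCAL database (directly or as fallback)?
    uses_local: Dict[str, bool] = {}
    for service, servers in CONSOLE_RE.findall(running_config):
        uses_local[service.lower()] = "LOCAL" in (t.upper() for t in servers.split())
    for service, local in uses_local.items():
        (audit.local_services if local else audit.remote_only_services).append(service)

    for service in MANAGEMENT_SERVICES:
        if service not in uses_local:
            audit.findings.append(
                f"no 'aaa authentication {service} console' line: {service} logins are not "
                "checked against the LOCAL database, so the lockout counter never applies")
        elif not uses_local[service]:
            audit.findings.append(
                f"'aaa authentication {service} console' has no LOCAL entry: the lockout "
                "only counts failures against the local user database")

    # Lockout does not apply to privilege-15 users; flag them so their passwords get scrutiny.
    audit.exempt_users = PRIV15_RE.findall(running_config)
    for user in audit.exempt_users:
        audit.findings.append(f"user '{user}' has privilege 15 and is exempt from lockout")
    return audit


# Constructed sample config, mirroring the post's lines plus one low-privilege local user.
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa proxy-limit 3
aaa authentication secure-http-client
aaa local authentication attempts max-fail 3
username ops password <removed> privilege 5
"""

if __name__ == "__main__":
    result = audit_lockout(SAMPLE_CONFIG)
    print("compliant:", result.compliant)
    for finding in result.findings:
        print(" -", finding)
```

Run it against a saved running-config and treat any finding as a gap: a missing max-fail line means unlimited guessing, a console line without LOCAL means the counter never fires for that service, and every privilege-15 user listed is one the lockout will not protect.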

Sooner or later a user account will be locked out. What then? Does the user have to be recreated, or can the statistics and the lock status be reset? No new user is needed. The following four commands, entered in privileged EXEC mode (privilege level 15), show and reset the lockout state:

  • unlock the affected user: clear aaa local user lockout username %username% (clear aaa local user lockout all unlocks every locked account)
  • reset the failed-login counter of the user: clear aaa local user fail-attempts username %username% (clear aaa local user fail-attempts all resets the counters of all local users)
  • display all local users with their failure counters and lock status: show aaa local user
  • display only the locked-out users: show aaa local user lockout