
I'm trying to block users from configuring a Cisco IOS device if they have entered incorrect passwords a number of times. This is the command I'm using:

```
Router(config)# login block-for 120 attempts 3 within 60
```

This should block login attempts for 120 seconds if incorrect passwords have been entered three times within 60 seconds. I've tried this in Packet Tracer and it doesn't seem to work: if you try getting access to the router's user EXEC mode and use incorrect passwords, you are not blocked after 3 attempts; the only thing that happens is that it says "bad passwords" and then you can keep trying. Which types of login is this command supposed to block? User EXEC, privileged EXEC, the console port?

  • What is the output of show access-list sl_def_acl? If a quiet-mode ACL hasn't been developed, it will use the default sl_def_acl ACL that doesn't show up in running-config. Commented Mar 6, 2014 at 11:31
  • 

    ```
    Router>en
    Router#show access-list sl_def_acl
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#show access-list sl_def_acl
                   ^
    % Invalid input detected at '^' marker.
    ```

    And also, I have no idea what you're talking about. @Fizzle Commented Mar 6, 2014 at 11:49
  • @AxelKennedal-TechTutor remember that if you are in configuration mode you need to change the syntax for a show command. The correct syntax is `do show access-list sl_def_acl`. Commented Mar 6, 2014 at 11:58
  • @radicetrentasei He is running this command at privilege exec. Take note of Router#show access-list sl_def_acl. Commented Mar 7, 2014 at 8:13
  • @Fizzle I was referring to the commands posted in the comments. Commented Mar 7, 2014 at 8:38

2 Answers


Based on your comments, the default sl_def_acl ACL didn't load into your configuration, for whatever reason. The behavior of the login-block feature is to use a quiet mode after certain parameters have been violated. In your case, 3 failed attempts within 60 seconds will apply a quiet-period ACL for 120 seconds. If you haven't explicitly defined a quiet mode, it will default to the ACL below.

```
Router#show access-lists sl_def_acl
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet
    20 deny tcp any any eq www
    30 deny tcp any any eq 22
    40 permit ip any any
```

Default sl_def_acl ACL sample courtesy of Cisco IOS Login Enhancements (Login Block).

Manually defining your own ACL for these parameters is ideal.

```
login quiet-mode access-class {acl-name | acl-number}
```

If you want additional information on how this function works, pop on over to the Cisco Documentation that covers this for more detail.


Perhaps there is a misunderstanding of how the feature works... this is my base configuration... no explicit ACL is required for the basic functionality to work.

Baseline configuration before configuring the login block-for feature

```
xconnect01#sh runn | i username|aaa|access-list
username cisco privilege 15 password 7 13061E010803
aaa new-model
aaa authentication login default local-case
aaa authentication enable default enable
aaa session-id common
xconnect01#
xconnect01#sh runn | b line vty
line vty 0 4
 password 7 070C285F4D06
!
ntp clock-period 17180450
ntp server vrf mgmtVrf 172.16.1.5
end
xconnect01#
```

Configuring the feature

Now I configure the basic login block-for feature...

```
xconnect01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
xconnect01(config)# login block-for 120 attempts 3 within 60
xconnect01(config)#end
xconnect01#quit
Connection closed by foreign host.
[mpenning@tsunami ~]$
```

Demonstrating failures

Entering some wrong logins to intentionally block myself.

```
[mpenning@tsunami ~]$ date; telnet 172.16.1.240
Thu Mar 6 06:05:20 CST 2014
Trying 172.16.1.240...
Connected to 172.16.1.240.
Escape character is '^]'.

User Access Verification

Username: foobarme
Password:
% Authentication failed

Username: foobarme
Password:
% Authentication failed

Username: foobarme
Password:
% Authentication failed

Connection closed by foreign host.
[mpenning@tsunami ~]$
```

Demonstrating the blocks for 120 seconds

Notice the date commands just before my telnet; these document exactly when I telnet to the lab router.

```
[mpenning@tsunami ~]$ date; telnet 172.16.1.240
Thu Mar 6 06:05:37 CST 2014
Trying 172.16.1.240...
telnet: Unable to connect to remote host: Connection refused
[mpenning@tsunami ~]$
[mpenning@tsunami ~]$ date; telnet 172.16.1.240
Thu Mar 6 06:06:51 CST 2014
Trying 172.16.1.240...
telnet: Unable to connect to remote host: Connection refused
[mpenning@tsunami ~]$
```

Demonstrating a successful login after the 120-second quiet period

Two minutes after being blocked, I can login again...

```
[mpenning@tsunami ~]$ date; telnet 172.16.1.240
Thu Mar 6 06:07:56 CST 2014
Trying 172.16.1.240...
Connected to 172.16.1.240.
Escape character is '^]'.

User Access Verification

Username: cisco
Password:
xconnect01>
```
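To make the semantics of both answers concrete, here is a small simulation added as an example (it is not IOS code and not from either answerer): it parses the question's `login block-for` line, counts failures inside the watch window, enters quiet mode for the block-for period, and refuses only the TCP ports denied by the default sl_def_acl quoted in the first answer. The replayed timeline is the second answer's telnet session; the exact seconds between the three bad logins, and that a successful login resets the failure count, are assumptions.

```python
import re

LOGIN_BLOCK_RE = re.compile(r"^\s*login block-for (\d+) attempts (\d+) within (\d+)\s*$")
# Ports the default sl_def_acl denies during quiet mode: telnet, www, 22
SL_DEF_ACL_DENY = {23, 80, 22}


def parse_login_block(line):
    """Parse 'login block-for <secs> attempts <n> within <secs>' into ints."""
    m = LOGIN_BLOCK_RE.match(line)
    if not m:
        raise ValueError(f"not a login block-for command: {line!r}")
    block_for, attempts, within = (int(x) for x in m.groups())
    return block_for, attempts, within


class LoginBlock:
    """Constructed model of the IOS login-block quiet-mode behaviour."""

    def __init__(self, block_for, attempts, within, deny_ports=SL_DEF_ACL_DENY):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.deny_ports = deny_ports
        self.failures = []      # times of failed logins still inside the watch window
        self.quiet_until = 0    # quiet mode is active while now < quiet_until

    def connect(self, now, dst_port=23):
        """Does the quiet-mode ACL let a TCP connection to dst_port through?"""
        return not (now < self.quiet_until and dst_port in self.deny_ports)

    def login(self, now, success, dst_port=23):
        """Record one login attempt at time 'now' (seconds) and report the outcome."""
        if not self.connect(now, dst_port):
            return "refused"
        if success:
            self.failures.clear()   # assumption: a good login resets the count
            return "accepted"
        self.failures = [t for t in self.failures if now - t < self.within]
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for   # enter quiet mode
            self.failures.clear()
            return "blocked"
        return "failed"


def replay_lab_session():
    """Replay the second answer's telnet timeline; t=0 is 06:05:20 CST."""
    lb = LoginBlock(*parse_login_block("login block-for 120 attempts 3 within 60"))
    events = [(0, False), (4, False), (8, False),   # three bad 'foobarme' logins (assumed spacing)
              (17, False), (91, False),             # 06:05:37 and 06:06:51: connection refused
              (156, True)]                          # 06:07:56: 'cisco' logs in again
    return [lb.login(t, ok) for t, ok in events]
```

Running `replay_lab_session()` walks through the same failed, blocked, refused and accepted sequence the answer's terminal captures show.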
