7

I'm trying to block users from configuring a Cisco IOS device if they have entered incorrect passwords a number of times. This is the command I'm using:

Router(config)# login block-for 120 attempts 3 within 60

Which should block login attempts for 120 seconds in case incorrect passwords have been entered three times within 60 seconds. I've tried this in Packet Tracer and it doesn't seem to work: If you try getting access to the Router's user EXEC mode and use incorrect passwords you are not blocked after 3 attempts, the only thing that happens is that it says "bad passwords" and then you can keep trying. Which types of login is this command supposed to block? user EXEC, privileged EXEC, console port?

Axel Kennedal
  • 671
  • 4
  • 9
  • 16
  • What is the output of `show access-list sl_def_acl`? If a quiet-mode ACL hasn't been developed, it will use the default `sl_def_acl` ACL that doesn't show up in running-config. – Ryan Foley Mar 06 '14 at 11:31
  • `Router>en` / `Router#show access-list sl_def_acl` (no output) / `Router#conf t` / `Enter configuration commands, one per line. End with CNTL/Z.` / `Router(config)#show access-list sl_def_acl` / `% Invalid input detected at '^' marker.` And also, I have no idea of what you're talking about. @Fizzle – Axel Kennedal Mar 06 '14 at 11:49
  • @AxelKennedal-TechTutor remember that if you are in the configuration mode you need to change the syntax for a show command. The correct syntax is `do show access-list sl_def_acl` – radtrentasei Mar 06 '14 at 11:58
  • @radicetrentasei He is running this command at privilege exec. Take note of `Router#show access-list sl_def_acl`. – Ryan Foley Mar 07 '14 at 08:13
  • @Fizzle I was referring to the commands posted in the comments. – radtrentasei Mar 07 '14 at 08:38
  • This seems to happen with IOS version 15. Commands take but fail to apply. We are opening a TAC case. –  Nov 24 '15 at 13:13
  • Did any answer help you? if so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could post and accept your own answer. – Ron Maupin Jan 03 '21 at 21:51

2 Answers

7

Based on your comments, the default sl_def_acl ACL didn't load into your configuration, for whatever reason. The behavior of the login-block feature is to enter a quiet mode after certain parameters have been violated. In your case, after 3 failed attempts within 60 seconds, the router will apply a quiet-period ACL for 120 seconds. If you haven't explicitly defined a quiet mode, it will default to the ACL below.

Router#show access-lists sl_def_acl

 Extended IP access list sl_def_acl
     10 deny tcp any any eq telnet
     20 deny tcp any any eq www
     30 deny tcp any any eq 22
     40 permit ip any any

Default sl_def_acl ACL sample courtesy of Cisco IOS Login Enhancements (Login Block).

Manually defining your own ACL for these parameters is ideal.

login quiet-mode access-class {acl-name | acl-number}

If you want additional information on how this function works, pop on over to the Cisco Documentation that covers this for more detail.

Ryan Foley
  • 5,479
  • 4
  • 23
  • 43
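As an added example that is not part of either answer, here is how the quiet-mode ACL from this answer fits into a complete login-block configuration. The names and addresses are assumptions: 192.0.2.10 stands in for a management jump host and MGMT-QUIET for the ACL name; the permit/deny shape copies the default sl_def_acl shown above, so the management host keeps SSH access during the quiet period while every other remote source is refused. Two practitioner notes: quiet mode only governs the remote sessions the ACL can match (telnet, HTTP, SSH), and the console is never subject to it; and without a permit for your own management hosts, three bad passwords from anyone lock everyone out of remote access for the block-for interval, which turns a brute-force defence into a cheap denial of service.

```cisco
! Added example, not configuration from the original answers.
! 192.0.2.10 (management host) and the ACL name MGMT-QUIET are assumptions.
!
! Hosts matched by a permit line stay able to connect during the quiet
! period; what the ACL denies is refused, mirroring the default sl_def_acl.
ip access-list extended MGMT-QUIET
 permit tcp host 192.0.2.10 any eq 22
 deny   tcp any any eq 22
 deny   tcp any any eq telnet
 deny   tcp any any eq www
 permit ip any any
!
! Three failures within 60 seconds => 120-second quiet period.
login block-for 120 attempts 3 within 60
! Apply MGMT-QUIET instead of sl_def_acl while in quiet mode.
login quiet-mode access-class MGMT-QUIET
! Seconds between successive login attempts even outside quiet mode.
login delay 2
! Syslog every failed and every successful login so they can be alerted on.
login on-failure log
login on-success log
!
! Verification from exec mode:
!   show login            -> current mode (normal/quiet), thresholds, ACL in use
!   show login failures   -> recent failed attempts with their source addresses
```

Run `show login` after a deliberate lockout; it reports the remaining quiet-mode time and the ACL being enforced, which is the quickest way to confirm the feature actually engaged rather than only accepted the command.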
7

Perhaps there is a misunderstanding of how the feature works... this is my base configuration... no explicit ACL is required for the basic functionality to work

Baseline configuration before configuring the login block-for feature

xconnect01#sh runn | i username|aaa|access-list
username cisco privilege 15 password 7 13061E010803
aaa new-model
aaa authentication login default local-case
aaa authentication enable default enable
aaa session-id common
xconnect01#
xconnect01#sh runn | b line vty
line vty 0 4
 password 7 070C285F4D06
!
ntp clock-period 17180450
ntp server vrf mgmtVrf 172.16.1.5
end

xconnect01#

Configuring the feature

Now I configure the basic login block-for feature...

xconnect01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
xconnect01(config)# login block-for 120 attempts 3 within 60
xconnect01(config)#end
xconnect01#quit
Connection closed by foreign host.
[mpenning@tsunami ~]$

Demonstrating failures

Entering some wrong logins to intentionally block myself.

[mpenning@tsunami ~]$ date; telnet 172.16.1.240
Thu Mar  6 06:05:20 CST 2014
Trying 172.16.1.240...
Connected to 172.16.1.240.
Escape character is '^]'.


User Access Verification

Username: foobarme
Password:

% Authentication failed

Username: foobarme
Password:

% Authentication failed

Username: foobarme
Password:

% Authentication failed
Connection closed by foreign host.
[mpenning@tsunami ~]$

Demonstrating the blocks for 120 seconds

Notice the date commands just before my telnet; these document exactly when I telnet to the lab router.

[mpenning@tsunami ~]$ date; telnet 172.16.1.240
Thu Mar  6 06:05:37 CST 2014
Trying 172.16.1.240...
telnet: Unable to connect to remote host: Connection refused
[mpenning@tsunami ~]$
[mpenning@tsunami ~]$ date; telnet 172.16.1.240
Thu Mar  6 06:06:51 CST 2014
Trying 172.16.1.240...
telnet: Unable to connect to remote host: Connection refused
[mpenning@tsunami ~]$

Demonstrating a successful login after the 120-second quiet period

Two minutes after being blocked, I can login again...

[mpenning@tsunami ~]$ date; telnet 172.16.1.240
Thu Mar  6 06:07:56 CST 2014
Trying 172.16.1.240...
Connected to 172.16.1.240.
Escape character is '^]'.


User Access Verification

Username: cisco
Password:

xconnect01>
Mike Pennington
  • 29,876
  • 11
  • 78
  • 152