To prevent an attacker from using brute-force attempts to discover a user's enrollment password, the invalid authentication lockout feature provides a way to lock the attacker out after too many invalid passwords in a defined period of time. If users try to authenticate too many times during that period, they see an error, "Too many invalid authentication attempts. Please try again later." After the user acknowledges this message, the app exits. The user is not allowed to authenticate to the gateway until the timeout period is over.

To enable this feature, configure the invalid-auth-lockout:

% set aaa invalid-auth-lockout enable true

You can configure the behavior with these additional options:


Integer. The number of password attempts allowed during a time period defined by detection-interval.

Default: 5


Integer. The number of password attempts above the attempt-threshold until the user is locked out for the time period defined by max-lockout-period.

Default: 10


Integer (minutes). The amount of time during which the user can attempt to authenticate. If the attempt-threshold is reached during the detection-interval, the user cannot authenticate for a period of time based on max-lockout-period, attempts-until-max-lockout, and the number of attempts made over the attempt-threshold.

Default: 15


Integer (minutes). The maximum amount of time a user can be locked out.

Default: 5

The lockout period is calculated based on max-lockout-period and attempts remaining until max lockout. That is, when users attempt to login with a bad password, each attempt increases the lockout period. This table shows the lockout period with default values.

Attempt ## Over thresholdRemaining attempts-until-max-lockout

Lockout period:

excess attempts * 300 seconds (max-lockout-period = 5 minutes) / ​attempts-until-max-lockout

Or max-lockout-period, whichever is smaller

​5 (default attempt-threshold)010
619300/9 = 33 seconds 
728600/8 = 75 seconds
837900/7 = 128 seconds
10551500/5 = 300 seconds = max-lockout-period
11641800/4 = 450 seconds, which is greater than max-lockout-period, so every attempt after this until the threshold is reached will timeout for 5 minutes


% set aaa invalid-auth-lockout enable true attempt-threshold 5 attempts-until-max-lockout 15 
detection-interval 20 max-lockout-period 4

In this example, if a user tries authenticating with a bad password five times (attempt-threshold) within a twenty minute period (detection-interval), the sixth attempt locks the user out for a period of 16 seconds (15 allowed attempts up to 240 seconds). After the lockout period is over, another invalid attempt increases the amount of time the user has to wait to attempt another login, continuing until a maximum wait time of four minutes (max-lockout-period). 

While the user is trying to authenticate or is in a lockout period, the gateway status includes the lockout data:

> show status operational context default aaa-operational auth-lockout-table
auth-lockout-table {
  user-ip jlennon: {
    num-invalid-attempts 4;
    last-invalid-attempt  "29 seconds ago";

Once the user successfully authenticates, or the lockout period expires, the entry in the auth-lockout-table is cleared.

You can clear the entire auth-lockout-table on demand with this command:

> request flush-auth-lockout-table

You can also flush specific portions of the table by specifying a username or a username with IP address (but not an IP address without a username):

> request flush-auth-lockout-table username jlennon ip-address

Specify only a username to flush all entries with that username on all associated IP addresses:

> request flush-auth-lockout-table username jlennon