Configuring invalid authentication lockout
To prevent an attacker from using brute-force attempts to discover a user's enrollment password, the invalid authentication lockout feature provides a way to lock the attacker out after too many invalid passwords in a defined period of time. If users try to authenticate too many times during that period, they see an error, "Too many invalid authentication attempts. Please try again later." After the user acknowledges this message, the app exits. The user is not allowed to authenticate to the gateway until the timeout period is over.
To enable this feature, configure the invalid-auth-lockout:
% set aaa invalid-auth-lockout enable true
You can configure the behavior with these additional options:
Parameter | Description |
---|---|
attempt-threshold | Integer. The number of password attempts allowed during a time period defined by detection-interval. Default: 5 |
attempts-until-max-lockout | Integer. The number of password attempts above the attempt-threshold until the user is locked out for the time period defined by max-lockout-period. Default: 10 |
detection-interval | Integer (minutes). The amount of time during which the user can attempt to authenticate. If the attempt-threshold is reached during the detection-interval, the user cannot authenticate for a period of time based on max-lockout-period, attempts-until-max-lockout, and the number of attempts made over the attempt-threshold. Default: 15 |
max-lockout-period | Integer (minutes). The maximum amount of time a user can be locked out. Default: 5 |
The lockout period is calculated from max-lockout-period and the number of attempts remaining until max lockout. That is, when a user attempts to log in with a bad password, each further attempt increases the lockout period. This table shows the lockout period with the default values.
Attempt # | # Over threshold | Remaining attempts-until-max-lockout | Lockout period: excess attempts * 300 seconds (max-lockout-period = 5 minutes) / remaining attempts-until-max-lockout, or max-lockout-period, whichever is smaller |
---|---|---|---|
5 (default attempt-threshold) | 0 | 10 | none |
6 | 1 | 9 | 300/9 = 33 seconds |
7 | 2 | 8 | 600/8 = 75 seconds |
8 | 3 | 7 | 900/7 = 128 seconds |
10 | 5 | 5 | 1500/5 = 300 seconds = max-lockout-period |
11 | 6 | 4 | 1800/4 = 450 seconds, which is greater than max-lockout-period, so every attempt from this point on, until the threshold is reached, times out for 5 minutes |
Example
% set aaa invalid-auth-lockout enable true attempt-threshold 5 attempts-until-max-lockout 15 detection-interval 20 max-lockout-period 4
In this example, if a user tries authenticating with a bad password five times (attempt-threshold) within a twenty-minute period (detection-interval), the sixth attempt locks the user out for 16 seconds (15 allowed attempts up to 240 seconds). After the lockout period is over, each further invalid attempt increases the time the user has to wait before attempting another login, up to a maximum wait of four minutes (max-lockout-period).
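The following is an added example, not code from the product or its documentation: a small Python model of the lockout arithmetic described in the table above, with the parameter names and defaults taken from the parameter table. It follows the table's formula (excess attempts times max-lockout-period, divided by the remaining attempts-until-max-lockout, capped at max-lockout-period); the class and function names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    # Field names mirror the invalid-auth-lockout parameters; values are the documented defaults.
    attempt_threshold: int = 5
    attempts_until_max_lockout: int = 10
    detection_interval: int = 15  # minutes
    max_lockout_period: int = 5   # minutes

    def lockout_seconds(self, attempt: int) -> int:
        """Lockout applied after invalid attempt number `attempt` within one detection interval.

        Follows the default-value table: excess * max-lockout-period / remaining
        attempts-until-max-lockout, never more than max-lockout-period. Attempts at
        or below attempt-threshold carry no lockout (0).
        """
        excess = attempt - self.attempt_threshold
        if excess <= 0:
            return 0
        max_seconds = self.max_lockout_period * 60
        remaining = self.attempts_until_max_lockout - excess
        if remaining <= 0:
            # Past attempts-until-max-lockout: always the full max-lockout-period.
            return max_seconds
        # Integer division matches the rounding in the table (300/9 -> 33, 900/7 -> 128).
        return min(max_seconds, (excess * max_seconds) // remaining)


def lockout_schedule(policy: LockoutPolicy, last_attempt: int) -> list:
    """Rows of (attempt #, # over threshold, remaining attempts-until-max-lockout, lockout seconds),
    starting at attempt-threshold, in the same layout as the table."""
    rows = []
    for attempt in range(policy.attempt_threshold, last_attempt + 1):
        excess = max(0, attempt - policy.attempt_threshold)
        remaining = max(0, policy.attempts_until_max_lockout - excess)
        rows.append((attempt, excess, remaining, policy.lockout_seconds(attempt)))
    return rows


if __name__ == "__main__":
    print("defaults:")
    for row in lockout_schedule(LockoutPolicy(), 12):
        print("  attempt %2d  over %2d  remaining %2d  lockout %3ds" % row)
    # The worked example above: threshold 5, 15 attempts until max, 4-minute maximum.
    example = LockoutPolicy(attempt_threshold=5, attempts_until_max_lockout=15,
                            detection_interval=20, max_lockout_period=4)
    print("example config, sixth attempt: %ds" % example.lockout_seconds(6))
```

Note that for the example configuration this code yields 240/14 = 17 seconds for the sixth attempt, because it divides by the remaining count as the table does, whereas the page's worked example divides by the full attempts-until-max-lockout (240/15 = 16 seconds). Treat the exact per-attempt value as something to confirm on the gateway; the trend (rising lockout, capped at max-lockout-period) is the part that matters for planning.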
While the user is trying to authenticate or is in a lockout period, the gateway status includes the lockout data:
> show status operational context default aaa-operational auth-lockout-table
auth-lockout-table {
    user-ip jlennon:10.20.30.40 {
        num-invalid-attempts 4;
        last-invalid-attempt "29 seconds ago";
    }
}
Once the user successfully authenticates, or the lockout period expires, the entry in the auth-lockout-table is cleared.
You can clear the entire auth-lockout-table on demand with this command:
> request flush-auth-lockout-table
You can also flush specific portions of the table by specifying a username or a username with IP address (but not an IP address without a username):
> request flush-auth-lockout-table username jlennon ip-address 10.20.30.40
Specify only a username to flush all entries with that username on all associated IP addresses:
> request flush-auth-lockout-table username jlennon
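The following is an added example, not part of the product documentation: a Python model of the auth-lockout-table bookkeeping shown above (entries keyed by user and IP, counts reset when the detection-interval has elapsed since the last invalid attempt, entry cleared on success) together with the three flush forms of the request command, including the rule that an IP address without a username is rejected. The class, method names and the way the detection interval is applied are this example's assumptions; the rendered output imitates the show-status layout.

```python
from dataclasses import dataclass


@dataclass
class LockoutEntry:
    num_invalid_attempts: int = 0
    last_invalid_attempt: float = 0.0  # seconds on a monotonic clock (constructed for this example)


class AuthLockoutTable:
    """Hypothetical in-memory model of the gateway's auth-lockout-table."""

    def __init__(self, detection_interval_minutes: int = 15):
        self.window = detection_interval_minutes * 60
        # Keyed by (username, ip) rather than "user:ip" so IPv6 addresses cannot confuse the split.
        self.entries = {}

    def record_invalid(self, username: str, ip: str, now: float) -> int:
        """Count an invalid password; returns the attempt count in the current detection interval."""
        key = (username, ip)
        entry = self.entries.get(key)
        # Assumption: a fresh detection interval starts when the previous invalid
        # attempt is older than detection-interval.
        if entry is None or now - entry.last_invalid_attempt > self.window:
            entry = LockoutEntry()
            self.entries[key] = entry
        entry.num_invalid_attempts += 1
        entry.last_invalid_attempt = now
        return entry.num_invalid_attempts

    def record_success(self, username: str, ip: str) -> None:
        """A successful authentication clears the entry, as the documentation states."""
        self.entries.pop((username, ip), None)

    def flush(self, username: str = None, ip: str = None) -> int:
        """Mirror 'request flush-auth-lockout-table [username U [ip-address A]]'.

        No arguments: clear everything. username only: every IP for that user.
        username + ip: that one entry. ip without username: rejected.
        Returns the number of entries removed.
        """
        if ip is not None and username is None:
            raise ValueError("ip-address may only be given together with username")
        if username is None:
            removed = len(self.entries)
            self.entries.clear()
            return removed
        victims = [k for k in self.entries
                   if k[0] == username and (ip is None or k[1] == ip)]
        for k in victims:
            del self.entries[k]
        return len(victims)

    def render(self, now: float) -> str:
        """Text in the same shape as the show-status output on this page."""
        lines = ["auth-lockout-table {"]
        for (username, ip), e in sorted(self.entries.items()):
            age = int(now - e.last_invalid_attempt)
            lines.append(f"    user-ip {username}:{ip} {{")
            lines.append(f"        num-invalid-attempts {e.num_invalid_attempts};")
            lines.append(f'        last-invalid-attempt "{age} seconds ago";')
            lines.append("    }")
        lines.append("}")
        return "\n".join(lines)


if __name__ == "__main__":
    table = AuthLockoutTable()
    for t in (100.0, 101.0, 102.0, 103.0):          # four bad passwords, constructed timestamps
        table.record_invalid("jlennon", "10.20.30.40", t)
    print(table.render(now=132.0))                   # shows 4 attempts, "29 seconds ago"
    print("flushed:", table.flush(username="jlennon"))
```

The flush helper deliberately refuses an IP-only request instead of silently matching nothing, which is the safer failure mode for an operator script: a typo in the command should not look like a successful flush.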