|Finding ID||Version||Rule ID||IA Controls||Severity|
|By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.|
|Cisco IOS XE Switch NDM Security Technical Implementation Guide||2021-09-16|
|Check Text ( C-22239r508516_chk )|
| Review the Cisco switch configuration to verify that it enforces the limit of three consecutive invalid logon attempts as shown in the example below: |
login block-for 900 attempts 3 within 120
Note: The configuration example above will block any login attempt for 15 minutes after three consecutive invalid logon attempts within a two-minute period.
If the Cisco switch is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.
|Fix Text (F-22228r508517_fix)|
| Configure the Cisco switch to enforce the limit of three consecutive invalid logon attempts as shown in the example below: |
SW2(config)#login block-for 900 attempts 3 within 120