AOS must be configured to enforce the limit of three consecutive invalid login attempts, after which time it must block any login attempt for 15 minutes.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-266911 | SRG-APP-000065-NDM-000214 | ARBA-ND-000214 | SV-266911r1039754_rule | 2024-10-29 | 1 |
Description |
---|
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. |
ℹ️ Check |
---|
1. Verify the AOS configuration with the following command: `show aaa password-policy mgmt`. 2. Verify that "Maximum Number of failed attempts in 3 minute window to lockout password based user" is set to "3 attempts" and that "Time duration to lockout the password based user upon crossing the 'lock-out' threshold" is set to "15 minutes". If one or both of these settings are set to any other value, this is a finding. |
✔️ Fix |
---|
Configure AOS with the following commands, entered in order: `configure terminal`, `aaa password-policy mgmt`, `password-lock-out 3`, `password-lock-out-time 15`, `enable`, `exit`, `write memory`. The `enable` step turns the management password policy on, and the configured thresholds take effect only once the policy is enabled; `write memory` saves the change to the startup configuration so it survives a reboot. |
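The Check above is easy to automate when `show aaa password-policy mgmt` output is collected from many controllers. The script below is an added example, not part of the STIG or of any Aruba tool: it parses the two fields the Check names and reports a finding exactly as the Check defines it (any value other than 3 attempts / 15 minutes, or a missing field). The sample command output is constructed for this example; only the two field labels are taken from the STIG text, and the two-column "Parameter / Value" layout is an assumption, so the parser keys on the labels rather than on column positions. Whether the policy itself is enabled (the `enable` line in the Fix) is a separate setting that this example does not check.

```python
import re

# Required values from ARBA-ND-000214.
REQUIRED_LOCKOUT_ATTEMPTS = 3   # failed attempts before lockout
REQUIRED_LOCKOUT_MINUTES = 15   # lockout duration in minutes

# Field labels exactly as quoted in the STIG check text.
LABEL_ATTEMPTS = (
    "Maximum Number of failed attempts in 3 minute window "
    "to lockout password based user"
)
LABEL_LOCKOUT_TIME = (
    "Time duration to lockout the password based user "
    "upon crossing the 'lock-out' threshold"
)

# Constructed sample output (not a capture from a real controller). The
# "Parameter / Value" layout is an assumption; only the labels are from the STIG.
SAMPLE_COMPLIANT = """\
Mgmt Password Policy
--------------------
Parameter                                                                                 Value
---------                                                                                 -----
Maximum Number of failed attempts in 3 minute window to lockout password based user       3 attempts
Time duration to lockout the password based user upon crossing the 'lock-out' threshold  15 minutes
"""

# Constructed non-compliant output: lockout effectively disabled (0 attempts)
# and a 3-minute lockout instead of the required 15.
SAMPLE_WEAK = """\
Mgmt Password Policy
--------------------
Parameter                                                                                 Value
---------                                                                                 -----
Maximum Number of failed attempts in 3 minute window to lockout password based user       0 attempts
Time duration to lockout the password based user upon crossing the 'lock-out' threshold   3 minutes
"""


def _value_after_label(output, label):
    """Return the first integer following `label` on its line.

    Returns None when the label is absent or carries no number; the caller
    treats that as a finding rather than silently passing the device."""
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith(label):
            match = re.search(r"\d+", stripped[len(label):])
            return int(match.group()) if match else None
    return None


def parse_policy(output):
    """Extract the two lockout parameters named in the STIG check."""
    return {
        "lockout_attempts": _value_after_label(output, LABEL_ATTEMPTS),
        "lockout_minutes": _value_after_label(output, LABEL_LOCKOUT_TIME),
    }


def evaluate(output):
    """Return (compliant, findings) for one device's show output.

    The STIG treats any value other than the required one as a finding, so
    the comparison is strict equality, not a 'stricter is fine' threshold."""
    policy = parse_policy(output)
    findings = []
    checks = (
        ("lockout_attempts", REQUIRED_LOCKOUT_ATTEMPTS, "attempts"),
        ("lockout_minutes", REQUIRED_LOCKOUT_MINUTES, "minutes"),
    )
    for key, required, unit in checks:
        actual = policy[key]
        if actual is None:
            findings.append(f"{key}: not present in output (expected {required} {unit})")
        elif actual != required:
            findings.append(f"{key}: {actual} {unit} (expected {required} {unit})")
    return (not findings, findings)


if __name__ == "__main__":
    for name, sample in (("compliant", SAMPLE_COMPLIANT), ("weak", SAMPLE_WEAK)):
        ok, findings = evaluate(sample)
        print(f"{name}: {'PASS' if ok else 'FINDING'}")
        for finding in findings:
            print("  -", finding)
```

Feed the script the saved output of `show aaa password-policy mgmt` from each controller; a device whose output lacks either label is reported as a finding rather than passed, which matters when a firmware version changes the wording and the check would otherwise go silent.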