DISA STIGS Viewer

AOS must be configured to enforce the limit of three consecutive invalid login attempts, after which time it must block any login attempt for 15 minutes.

Overview

Finding ID Version Rule ID IA Controls Severity
V-266911 ARBA-ND-000214 SV-266911r1039754_rule   Medium
Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
STIG Date
HPE Aruba Networking AOS NDM Security Technical Implementation Guide 2024-10-29

Details

Check Text (C-70835r1039752_chk)
1. Verify the AOS configuration with the following command:
show aaa password-policy mgmt

2. Verify that "Maximum Number of failed attempts in 3 minute window to lockout password based user" is set to "3 attempts" and "Time duration to lockout the password based user upon crossing the 'lock-out' threshold" is set to "15 minutes".

If one or both of these settings are set to any other value, this is a finding.
Fix Text (F-70738r1039753_fix)
Configure AOS with the following commands:
configure terminal
aaa password-policy mgmt
password-lock-out 3
password-lock-out-time 15
enable
exit
write memory