AOS must be configured to enforce the limit of three consecutive invalid login attempts, after which time it must block any login attempt for 15 minutes.
Overview
Finding ID: V-266911
Version: ARBA-ND-000214
Rule ID: SV-266911r1039754_rule
IA Controls: (none listed)
Severity: Medium
Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
STIG: HPE Aruba Networking AOS NDM Security Technical Implementation Guide
Date: 2024-10-29
Details
Check Text (C-70835r1039752_chk)
1. Verify the AOS configuration with the following command:
   show aaa password-policy mgmt
2. Verify that "Maximum Number of failed attempts in 3 minute window to lockout password based user" is set to "3 attempts" and "Time duration to lockout the password based user upon crossing the 'lock-out' threshold" is set to "15 minutes".
If one or both of these settings are set to any other value, this is a finding.
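The check above is a manual read of the `show aaa password-policy mgmt` output. The following script is an added example, not part of the STIG or of HPE Aruba Networking's tooling, that automates the same comparison over captured output so it can be run across many devices. The two parameter names are taken verbatim from the check text; the two-column "Parameter / Value" layout of the sample output is an assumption about how AOS prints this table, and the sample output itself is constructed. A missing parameter line is treated as a finding rather than a pass, which is the fail-closed behaviour a compliance check should have.

```python
import re

# Parameter names quoted verbatim from the STIG check text.
LOCKOUT_ATTEMPTS_LABEL = (
    "Maximum Number of failed attempts in 3 minute window to lockout password based user"
)
LOCKOUT_TIME_LABEL = (
    "Time duration to lockout the password based user upon crossing the 'lock-out' threshold"
)

# Required values per V-266911.
REQUIRED_ATTEMPTS = 3
REQUIRED_LOCKOUT_MINUTES = 15

# Constructed sample output. The "Parameter / Value" layout is an assumption
# about the real `show aaa password-policy mgmt` output; only the two
# parameter names come from the STIG text.
COMPLIANT_OUTPUT = """\
Mgmt Password Policy
--------------------
Parameter                                                                                  Value
---------                                                                                  -----
Enable password policy                                                                     Yes
Maximum Number of failed attempts in 3 minute window to lockout password based user        3 attempts
Time duration to lockout the password based user upon crossing the 'lock-out' threshold    15 minutes
"""

# Constructed non-compliant sample: threshold and duration both wrong.
NONCOMPLIANT_OUTPUT = """\
Mgmt Password Policy
--------------------
Parameter                                                                                  Value
---------                                                                                  -----
Enable password policy                                                                     Yes
Maximum Number of failed attempts in 3 minute window to lockout password based user        5 attempts
Time duration to lockout the password based user upon crossing the 'lock-out' threshold    10 minutes
"""


def extract_value(output: str, label: str):
    """Return the leading integer of the value printed after `label`, or None
    when the parameter line is missing or carries no number."""
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith(label):
            match = re.match(r"\s*(\d+)", stripped[len(label):])
            return int(match.group(1)) if match else None
    return None


def evaluate(output: str):
    """Apply the V-266911 check to captured output.

    Returns (compliant, findings). A missing or unparseable parameter is
    reported as a finding instead of being silently accepted."""
    findings = []
    attempts = extract_value(output, LOCKOUT_ATTEMPTS_LABEL)
    minutes = extract_value(output, LOCKOUT_TIME_LABEL)
    if attempts != REQUIRED_ATTEMPTS:
        findings.append(
            f"lockout threshold is {attempts}, required {REQUIRED_ATTEMPTS} attempts"
        )
    if minutes != REQUIRED_LOCKOUT_MINUTES:
        findings.append(
            f"lockout duration is {minutes}, required {REQUIRED_LOCKOUT_MINUTES} minutes"
        )
    return (not findings, findings)


if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT_OUTPUT), ("noncompliant", NONCOMPLIANT_OUTPUT)):
        ok, findings = evaluate(text)
        print(f"{name}: {'PASS' if ok else 'FINDING'}", *findings, sep="\n  ")
```

To use it against real devices, replace the constructed samples with the text captured from `show aaa password-policy mgmt` on each controller; if the device's table layout differs from the assumed one, adjust `extract_value` so that the parameter name is still matched at the start of its line and the number that follows it is read.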
Fix Text (F-70738r1039753_fix)
Configure AOS with the following commands:
   configure terminal
   aaa password-policy mgmt
   password-lock-out 3
   password-lock-out-time 15
   enable
   exit
   write memory