The Cisco ISE must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.


Overview

Finding ID: V-242617
Version: CSCO-NM-000110
Rule ID: SV-242617r714161_rule
IA Controls: (none listed)
Severity: Medium
Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. If the administrator enters an incorrect password three times, the Admin portal locks the account, adds a log entry to the Server Administrator Logins report, and suspends the credentials until they are reset.
STIG: Cisco ISE NDM Security Technical Implementation Guide
Date: 2021-04-19

Details

Check Text (C-45892r714159_chk)
Log in to the CLI via SSH or the console. View the Cisco ISE configuration. Verify the following are set:

accountlocking enable
accountlocking unlocktime 900

If a lockout for local accounts is not configured, this is a finding.
Fix Text (F-45849r717036_fix)
Log in to the CLI via SSH or the console.

Use the CLI to enable and configure account lockout. After three failed login attempts, the account will be locked for 15 minutes.

Set accountlocking enable
Set accountlocking unlocktime 900
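As an added example (not part of the STIG text or a Cisco tool), the following script automates the Check Text above: it parses a saved copy of the Cisco ISE configuration for the two accountlocking lines and reports a finding when either is missing. The sample configuration strings are constructed, and treating any unlocktime below 900 seconds as a finding is an assumption of this checker.

```python
import re

# Unlock time required by the STIG check text: 900 seconds (15 minutes).
REQUIRED_UNLOCK_SECONDS = 900

# Constructed sample configuration dumps (not real device output).
COMPLIANT_CONFIG = """hostname ise-node-1
accountlocking enable
accountlocking unlocktime 900
"""

NONCOMPLIANT_CONFIG = """hostname ise-node-2
accountlocking unlocktime 300
"""

def parse_accountlocking(config_text):
    """Return the accountlocking settings found in an ISE config dump.

    Only the two forms named in the check text are recognised:
    'accountlocking enable' and 'accountlocking unlocktime <seconds>'.
    """
    settings = {"enable": False, "unlocktime": None}
    for line in config_text.splitlines():
        m = re.match(r"^\s*accountlocking\s+(\S+)(?:\s+(\S+))?\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "enable":
            settings["enable"] = True
        elif key == "unlocktime" and value is not None and value.isdigit():
            settings["unlocktime"] = int(value)
    return settings

def check_v242617(config_text):
    """Return a list of finding strings for V-242617; an empty list is compliant."""
    s = parse_accountlocking(config_text)
    findings = []
    if not s["enable"]:
        findings.append("accountlocking is not enabled")
    if s["unlocktime"] is None:
        findings.append("accountlocking unlocktime is not set")
    elif s["unlocktime"] < REQUIRED_UNLOCK_SECONDS:
        # Assumption: 900 is treated as a minimum, so a longer lockout is not a finding.
        findings.append(f"accountlocking unlocktime {s['unlocktime']} is below {REQUIRED_UNLOCK_SECONDS}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("ise-node-1", COMPLIANT_CONFIG), ("ise-node-2", NONCOMPLIANT_CONFIG)):
        result = check_v242617(cfg)
        print(name, "compliant" if not result else "FINDING: " + "; ".join(result))
```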