Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-242617 | CSCO-NM-000110 | SV-242617r714161_rule | | Medium |
Description |
---|
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. If the administrator enters an incorrect password three times, the Admin portal locks the account, adds a log entry in the Server Administrator Logins report, and suspends the credentials until they are reset. |
STIG | Date |
---|---|
Cisco ISE NDM Security Technical Implementation Guide | 2021-09-27 |
Check Text ( C-45892r714159_chk ) |
---|
Log in to the CLI via SSH or the console. View the Cisco ISE configuration. Verify the following are set: `accountlocking enable` and `accountlocking unlocktime 900`. If a lockout for local accounts is not configured, this is a finding. |
Fix Text (F-45849r717036_fix) |
---|
Log in to the CLI via SSH or the console. Use the CLI to enable and configure lockout. After three failed login attempts, the account will be locked for 15 minutes. Set `accountlocking enable`. Set `accountlocking unlocktime 900`. |
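
The check text above can be run against a saved copy of the configuration; the following is an added example, not part of the STIG or of Cisco's tooling. It assumes the configuration was exported as text with one directive per line, and the function name and sample configurations are constructed for illustration.

```python
import re

# Directive names are taken from the check text. The one-directive-per-line
# layout of the saved configuration is an assumption of this example.
REQUIRED_UNLOCKTIME = 900  # seconds, i.e. the 15 minutes named in the fix text


def audit_account_locking(config_text):
    """Return a list of findings; an empty list means the check passes."""
    enabled = False
    unlocktime = None
    for raw in config_text.splitlines():
        # Normalise whitespace and case so indentation does not hide a match.
        line = " ".join(raw.split()).lower()
        if line == "accountlocking enable":
            enabled = True
        match = re.fullmatch(r"accountlocking unlocktime (\d+)", line)
        if match:
            unlocktime = int(match.group(1))  # a later line overrides an earlier one

    findings = []
    if not enabled:
        findings.append("accountlocking enable is not set")
    if unlocktime is None:
        findings.append("accountlocking unlocktime is not set")
    elif unlocktime != REQUIRED_UNLOCKTIME:
        # Strict reading of the check text: any value other than 900 is reported.
        findings.append(
            f"accountlocking unlocktime is {unlocktime}, expected {REQUIRED_UNLOCKTIME}"
        )
    return findings


# Constructed sample configurations (not captured from a real device).
COMPLIANT = "hostname ise-lab-01\naccountlocking enable\naccountlocking unlocktime 900\n"
NO_LOCKOUT = "hostname ise-lab-02\n"
WRONG_TIME = "accountlocking enable\n  accountlocking unlocktime 60\n"

if __name__ == "__main__":
    for name, text in [("compliant", COMPLIANT), ("no lockout", NO_LOCKOUT),
                       ("wrong unlock time", WRONG_TIME)]:
        result = audit_account_locking(text)
        print(name, "->", "not a finding" if not result else "FINDING: " + "; ".join(result))
```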