Cisco Login Failure Rate
Written by Packet Lab | Thursday, 11 February 2010 14:56 Last Updated on Monday, 15 March 2010 19:40 by Packet Lab
To configure the number of allowable unsuccessful login attempts, use the security authentication failure rate command in global configuration mode... supposedly. :-)
The Quick and Dirty
Supposedly this feature allows you to configure the number of allowable unsuccessful login attempts on your Cisco devices. I say 'supposedly' because I have not been able to get this to work. I’ve tried with routers running 12.4 (12.4(15)T10) and 12.3 (12.3(14)T7) and could not get this to work. I tried ‘login local’ and just using a simple vty password. No logging. No 15-second delay. Nothing.
I’m totally speculating here, but I think that this was a command that was either never implemented – or implemented and deprecated. The ‘login block’ feature set accomplishes the same task that ‘security authentication failure rate’ attempts to address – with a lot more granularity as well as the ability to verify settings.
So this is good to know for the CCNA Security exam, and maybe it will work with your flavor of IOS, but I could not get this to work. If you cannot get this to work in production, you might want to check out the “login block” feature instead.
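The two approaches discussed above, side by side, as an added configuration example that is not part of the original post. The thresholds and timers, the ACL name MGMT-HOSTS and the 192.0.2.0/24 range are constructed values to adapt to your environment.

```cisco
! Command covered by this page: set the failure threshold
! (10 attempts here) and request a syslog message when it is exceeded.
security authentication failure rate 10 log
!
! 'login block' alternative: after 3 failed logins within 60 seconds,
! refuse further login attempts for 120 seconds (quiet mode).
login block-for 120 attempts 3 within 60
!
! Keep management hosts able to log in during quiet mode.
! MGMT-HOSTS and 192.0.2.0/24 are placeholders.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
login quiet-mode access-class MGMT-HOSTS
!
! Slow down repeated attempts and log each failure and success.
login delay 2
login on-failure log
login on-success log
!
! Verification from privileged EXEC mode (not configuration lines):
!   show login
!   show login failures
```

The two show commands are what give the login block feature its verifiable state: the configured thresholds, whether the router is currently in quiet mode, and the recorded failed attempts.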
Command and Configuration References
security authentication failure rate
Additional Resources
Lab link