Information
The default number of allowed login attempts per session or user is three, meaning the user has three chances to supply valid access credentials. Once this limit is reached, the session terminates, and the user must start the login process over after an optional lockout delay (disabled by default). Both the number of allowed login attempts and the lockout delay period are configurable.
Solution
To reduce the number of login attempts before terminating the session to two, use the following command:
switch(config)# aaa authentication num-attempts 2
This setting can be set to a value of 1-10. If the lockout delay is set to a non-zero value, the number of attempts are enforced per user account; if there is no configured delay, the setting is enforced per-session.