https://community.cisco.com/t5/network-access-control/acs-reject-reason/m-p/1280416#M393727 <HTML><HEAD></HEAD><BODY><P>..but if it is a customer request....</P><P>an application, when authenticating users, should differentiate between users that are disabled and those that mistyped user/pass</P></BODY></HTML> Thu, 23 Jul 2009 12:00:09 GMT kpanduric 2009-07-23T12:00:09Z https://community.cisco.com/t5/network-access-control/acs-reject-reason/m-p/1280413#M393720 <P>Is it possible to configure ACS 4.x to return reason that caused the user to be rejected (e.g. account disabled, wrong user/password...) to NAS?</P> Sun, 10 Mar 2019 23:36:12 GMT https://community.cisco.com/t5/network-access-control/acs-reject-reason/m-p/1280413#M393720 kpanduric 2019-03-10T23:36:12Z https://community.cisco.com/t5/network-access-control/acs-reject-reason/m-p/1280414#M393722 <HTML><HEAD></HEAD><BODY><P>The communication between the AAA client and the NAS is done using Radius:</P><P></P><P>1 Access-Request</P><P>2 Access-Accept</P><P>3 Access-Reject</P><P></P><P>An External Database like Active Directory would send those type of messages (account disabled, wrong user/password..) to the AAA Server, but I don't beleive it can forward them to the AAA client.</P><P></P><P>Thanks...</P></BODY></HTML> Wed, 22 Jul 2009 14:35:31 GMT https://community.cisco.com/t5/network-access-control/acs-reject-reason/m-p/1280414#M393722 ansalaza 2009-07-22T14:35:31Z https://community.cisco.com/t5/network-access-control/acs-reject-reason/m-p/1280415#M393724 <HTML><HEAD></HEAD><BODY><P>...and there is a good reason why you *never* do this.</P><P></P><P>Security 101 - dont tell users why an authentication has failed - they might not be who you think they are.</P><P></P><P>Yes its a pain when real valid users cant authenticate and they have to ring the support team. But the alternative is far worse.</P></BODY></HTML> Thu, 23 Jul 2009 10:01:52 GMT https://community.cisco.com/t5/network-access-control/acs-reject-reason/m-p/1280415#M393724 darpotter 2009-07-23T10:01:52Z https://community.cisco.com/t5/network-access-control/acs-reject-reason/m-p/1280416#M393727 <HTML><HEAD></HEAD><BODY><P>..but if it is a customer request....</P><P>an application, when authenticating users, should differentiate between users that are disabled and those that mistyped user/pass</P></BODY></HTML> Thu, 23 Jul 2009 12:00:09 GMT https://community.cisco.com/t5/network-access-control/acs-reject-reason/m-p/1280416#M393727 kpanduric 2009-07-23T12:00:09Z https://community.cisco.com/t5/network-access-control/acs-reject-reason/m-p/1280417#M393729 <HTML><HEAD></HEAD><BODY><P>No, never.</P><P></P><P>If you do, then you're telling a potential hacker that the username he/she just tried is valid.</P><P></P><P>Getting a username is half the job done.</P><P></P><P>Remember ACS is aimed at remote access and wireless where logins could be coming from anywhere.</P><P></P><P>What it could do is include a failure message to the end user that includes the help desk telephone number and perhaps a unique incident id. Thats secure and helpful.</P></BODY></HTML> Thu, 23 Jul 2009 12:43:11 GMT https://community.cisco.com/t5/network-access-control/acs-reject-reason/m-p/1280417#M393729 darpotter 2009-07-23T12:43:11Z