topic Re: AD Attribute & Bad Password Count in Network Access Control

AD Attribute & Bad Password Count

jmcgourt@cisco.com — Tue, 18 Jun 2019 20:22:12 GMT

Can you please advise how the rate limiting works with 802.1X using the AD attribute?

Does ISE check the current BadPwdCount on AD? Or does it increment a local count only?

Re: AD Attribute

Mohammed al Baqari — Wed, 19 Jun 2019 05:59:06 GMT

I don't this ISE can rate limit. It can push radius attributes for shaping
policy to WLC but I don't think ISE itself can rate limit.

Re: AD Attribute & Bad Password Count

ldanny — Wed, 19 Jun 2019 08:14:39 GMT

Usually rate-limiting is a term used for traffic shaping , so im assuming your not referring to that.

What is your use case for badPwdCount?

Re: AD Attribute & Bad Password Count

Jason Kunst — Thu, 20 Jun 2019 14:48:07 GMT

not sure if these apply to the solution?

https://community.cisco.com/t5/identity-services-engine-ise/prevent-ad-account-being-locked-out-by-failed-authentications/td-p/3727650
https://community.cisco.com/t5/identity-services-engine-ise/cisco-ise-domain-account-locked-out-frequently/td-p/3749944
https://community.cisco.com/t5/policy-and-access/ise-ad-account-locked-trying-to-authenticate-on-ssid/td-p/3219076

Also check out this for CWA

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011100.html#reference_B076C0D0A31E4DA292CE1EA582EB9A4C

Maximum failed login attempts before rate limiting—Specify the number of failed login attempts from a single browser session before Cisco ISE starts to throttle that account. This does not cause an account lockout. The throttled rate is configured in Time between login attempts when rate limiting.
Time between login attempts when rate limiting—Set the length of time in minutes that a user must wait before attempting to log in again (throttled rate), after failing to log in the number of times defined in Maximum failed login attempts before rate limiting.

Re: AD Attribute & Bad Password Count

jmcgourt@cisco.com — Wed, 19 Jun 2019 19:22:50 GMT

The use case is that we don't want a malicious user to be able to make multiple attempts on a username and password combination on the user portal login provided by ISE (and linked to AD) - and then lock out the legitimate user's AD account as it times out after multiple failed password attempts.