https://community.cisco.com/t5/network-access-control/limits-on-ad-client-authz-attempts/m-p/3578870#M509719 <HTML><HEAD></HEAD><BODY><P>One option is to use Client Exclusions on access device.&nbsp; For example, if the endpoint fails auth X number of times in an interval, the endpoint is prevented from attempting auth again for specified period.&nbsp; You can try setting the exclusion time to a value &gt; than the AD lockout interval.</P></BODY></HTML> Wed, 23 May 2018 11:40:27 GMT Craig Hyps 2018-05-23T11:40:27Z https://community.cisco.com/t5/network-access-control/limits-on-ad-client-authz-attempts/m-p/3578868#M509713 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #58585b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 15px;">Hi all, I have a customer who uses dual SSID BYOD, the open SSID using AD creds for auth. The issue they have is that 5 x wrong password = account lockout. They are concerned that a malicious actor would be able to exploit this and they would like to have an Authz rule which prevents any more requests being sent to the DC after say 2 or 3 failures. Has anyone seen anything like this before and able to help? </SPAN></P><P><SPAN style="color: #58585b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 15px;"><BR /></SPAN></P><P><SPAN style="color: #58585b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 15px;">Thanks, Gareth</SPAN></P></BODY></HTML> Tue, 22 May 2018 15:56:39 GMT https://community.cisco.com/t5/network-access-control/limits-on-ad-client-authz-attempts/m-p/3578868#M509713 gaowen 2018-05-22T15:56:39Z https://community.cisco.com/t5/network-access-control/limits-on-ad-client-authz-attempts/m-p/3578869#M509716 <HTML><HEAD></HEAD><BODY><P>If you are using AD creds then the password policies should be controlled in AD environment.</P><P>Authorization happens after authentication so even say for eg: if we have a rule in ISE to prevent this, it will not affect authentication since your concern is multiple auth failures hitting DC.</P><P>ISE does’t have rules to control the behavior of AD.</P><P>However we do have rules for Network access user such as password policy and account lockout if you have a local user that you can take advantage of.</P><P></P><P>-krishnan</P></BODY></HTML> Tue, 22 May 2018 18:11:54 GMT https://community.cisco.com/t5/network-access-control/limits-on-ad-client-authz-attempts/m-p/3578869#M509716 kthiruve 2018-05-22T18:11:54Z https://community.cisco.com/t5/network-access-control/limits-on-ad-client-authz-attempts/m-p/3578870#M509719 <HTML><HEAD></HEAD><BODY><P>One option is to use Client Exclusions on access device.&nbsp; For example, if the endpoint fails auth X number of times in an interval, the endpoint is prevented from attempting auth again for specified period.&nbsp; You can try setting the exclusion time to a value &gt; than the AD lockout interval.</P></BODY></HTML> Wed, 23 May 2018 11:40:27 GMT https://community.cisco.com/t5/network-access-control/limits-on-ad-client-authz-attempts/m-p/3578870#M509719 Craig Hyps 2018-05-23T11:40:27Z