topic Account blocking when making API requests in Network Access Control

Account blocking when making API requests

jds5 — Tue, 24 May 2022 08:39:42 GMT

Hello,

ISE blocks nominative accounts used to launch scripts making API requests with many connections and simultaneous actions (there are about 300 devices concerned). It's always have to do the unlocking manually.

The question is whether the blocking comes from the number of connections per second or the number of actions per second and what to do to bypass this blocking (configuration or specific account to be provided?)

Objet : Information regarding account locked

Account has been locked for internal user, userid A*******-adm.
This account has been locked. For this account to become unlocked, please contact your IT helpdesk.

ISE version is 2.4.0.357

Best Regards,

José

Re: Account blocking when making API requests

jds5 — Tue, 24 May 2022 13:27:30 GMT

Hello,

Has anyone confronted this type of issue?

Tkx,

Re: Account blocking when making API requests

Greg Gibbs — Tue, 24 May 2022 23:22:48 GMT

The account locking is likely due to the Lock/Suspend Settings configuration found on the Administration > System > Admin Access > Authentication > Lock/Suspend Settings page.

Have you checked the ISE logs or reports for repeated failed authentications generated by the API calls?

How many concurrent ERS API calls do you have? As per the https://cs.co/ise-scale guide, ISE supports a maximum of 100 concurrent API connections.

There are also various API bugs fixed in patches for 2.4. If you have not already done so, you might upgrade to the latest patch to see if the issue is resolved.

You should also be aware that ISE 2.4 reaches End of Support in December 2022. You should consider upgrading to a more recent version to ensure you can receive support from Cisco TAC.

Re: Account blocking when making API requests

jds5 — Mon, 30 May 2022 12:34:29 GMT

Thanks Greg for this information.

To be more specific, the exact requirement is for API requests made to Endpoints that include ISE authentication but do not relate to the ISE directly.

BR,

Re: Account blocking when making API requests

thomas — Mon, 30 May 2022 13:54:06 GMT

I do not understand what API requests you are talking about and from what to what.

What API?

What scenario are you trying to do?

Please see so we have enough details to understand the problem and potentially reproduce it.

Re: Account blocking when making API requests

hslai — Wed, 01 Jun 2022 00:09:38 GMT

User Authentication Settings says,

Lock/Suspend Account with Incorrect Login Attempts: You can use this option to suspend or lock an account if the login attempt failed for the specified number of times. The valid range is from 3 to 20.

The Account Disable Policy tab is where you configure rules about when to disable an existing user account. See Disable User Accounts Globally for more information.