topic Re: Suppressing wrong password attempts during wireless BYOD via CWA in Network Access Control

Suppressing wrong password attempts during wireless BYOD via CWA

AndreVal — Wed, 15 Feb 2023 17:26:06 GMT

Hello!

We're using BYOD via CWA (setup on ISE) in our wireless network so that users could self-register and issue/download a certificate profile. The normal scenario looks like this: user connects to an ssid, gets a redirect to guest web portal, enters his domain credentials and then follows the BYOD flow, in the end he gets his certificate profile and installs it on its phone. Since our domain controller has a policy of blocking account after 5 consecutive wrong password attempts we set up CWA portal to 3 attempts until rate limiting.

And it works totally fine while user using the same session. But apparently there is a way to bypass that limitation: after 1-2 login attempts a user can reopen the browser, get a redirect to the login page again and try another 2 times of logging in and so on. We've tried it, and after the 5th attempt the testing account was blocked.

We haven't really seen anyone doing it, but there is a possibility of cases like that, or some attackers who would try to block some employees domain accounts.

So, I'm trying to find a way to suppress/block users who tries to login via guest portal using wrong password. We're using ISE 2.7, maybe new versions of ISE have settings we need.

Re: Suppressing wrong password attempts during wireless BYOD via CWA

ahollifield — Wed, 15 Feb 2023 20:52:46 GMT

Are you sure these are Guest splash page logins? Or are they PEAP logins from RADIUS from an SSID?

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html

Re: Suppressing wrong password attempts during wireless BYOD via CWA

AndreVal — Thu, 16 Feb 2023 07:34:49 GMT

I'm pretty sure it's a guest splash, since I set it up. We're using Guest flow + BYOD and it's set up in Work centers -> Guest Access -> Portal & Components -> Sponsored Guest Portal

Re: Suppressing wrong password attempts during wireless BYOD via CWA

poongarg — Thu, 16 Feb 2023 12:54:05 GMT

There is already an enhancement filed for this issue on ISE 3.0 version:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc56883

The ISE guest portal provides the following feature: > Maximum Failed Login Attempts Before Rate Limiting: Specify the number of failed login attempts from a single browser session before Cisco ISE starts to throttle that account. This does not cause an account lockout. The throttled rate is configured in Time between login attempts when rate limiting.

This enhancement request is filed to improve this feature to not bind the limit to one session. The reason is, that the limit can be easily bypassed when replacing the session cookies (portalSessionId / APPSESSIONID / token) for each request.

Re: Suppressing wrong password attempts during wireless BYOD via CWA

AndreVal — Mon, 29 May 2023 08:41:23 GMT

Hello everyone!

Does anyone know if there is a fix/workaround released for that problem?