topic Re: Prevent Active Directory account lockout in Cisco ISE in Network Access Control

Prevent Active Directory account lockout in Cisco ISE

fira — Mon, 20 May 2024 13:04:05 GMT

Hello, community!

I am using Enable Failed Authentication Protection for radius ravpn in ISE to prevent Active Directory User Lockout. The maximum password less than the maximum bad password attempts configured as the value of the badPwdCount attribute in the Active Directory and for Authentication Policy use the specific Active Directory join point (not scope mode) but it doesn't work correctly. User gets locked out even when the lockout prevention for Active Directory is enabled.
I cannot understand what the reason could be. What needs to be configured or checked for a solution?

Re: Prevent Active Directory account lockout in Cisco ISE

ahollifield — Mon, 20 May 2024 17:59:26 GMT

Use certificate or SAML auth instead. How are you enabling MFA on your RAVPN solution?

Re: Prevent Active Directory account lockout in Cisco ISE

fira — Tue, 21 May 2024 03:33:09 GMT

Thanks for answer, ahollifield

I found the reason in nas-port-type radius attribute but I could not find information how can override this attribute using cisco asa or maybe cisco ISE?

Re: Prevent Active Directory account lockout in Cisco ISE

ahollifield — Tue, 21 May 2024 06:08:29 GMT

The reason? Override what?

Re: Prevent Active Directory account lockout in Cisco ISE

fira — Tue, 21 May 2024 06:24:57 GMT

The reason why Prevent Active Directory account lockout didn't work. Currently NAS-Port-Type value in access-request from cisco asa = virtual and Prevent Active Directory account lockout feature in ISE doesn't work with NAS-Port-Type=virtual so i have question is it possible to override value NAS-Port-Type attribute using asa or maybe cisco ISE?

Re: Prevent Active Directory account lockout in Cisco ISE

ahollifield — Tue, 21 May 2024 07:06:29 GMT

Now I am following, still though the real fix here is to use certificate or SAML. What is the use/case for simple username/password? How are you performing MFA?

Re: Prevent Active Directory account lockout in Cisco ISE

fira — Tue, 21 May 2024 09:04:07 GMT

"What is the use/case for simple username/password?" - what does it mean
MFA is used
Prevent Active Directory account lockout is good solution which does not affect users

Re: Prevent Active Directory account lockout in Cisco ISE

ahollifield — Tue, 21 May 2024 10:07:31 GMT

How exactly is MFA implemented? Do you have something in between ISE and AD? Do some other way directly on the firewall?

Re: Prevent Active Directory account lockout in Cisco ISE

fira — Tue, 21 May 2024 13:13:22 GMT

AD(first) + OTP scheme

Re: Prevent Active Directory account lockout in Cisco ISE

Da ICS16 — Fri, 09 May 2025 06:53:45 GMT

Hello @ahollifield

You mean to implementation certificate-based as first authentication on FTD and set expired date? Even external user / non-domain devices try to use this certificate but cannot promised and failed authentication stage? And not lead to be AD account locked out even attacker known AD user? thanks.

Re: Prevent Active Directory account lockout in Cisco ISE

ahollifield — Mon, 19 May 2025 12:57:05 GMT

What exactly are you asking? I'm saying don't rely on AD at all. Use Certificate and redirect to the SAML IDP of your choice.