topic Re: Cisco ISE - Avoid users blocked account in AD in Network Access Control

Cisco ISE - Avoid users blocked account in AD

SupportAC — Fri, 24 Oct 2025 12:21:29 GMT

Is it possible CISCO ISE can block or filter authentication attempts between the Wi-Fi device and Active Directory after a certain number of failed attempts, in order to prevent those attempts from reaching AD and prevent account lockouts.

We've detected that when corporate Wi-Fi users change their password, if they keep the old credentials on their phone, the device continues to attempt to authenticate with them until the account is locked. How can mitigate this in the CISCO ISE.

Re: Cisco ISE - Avoid users blocked account in AD

Dustin Anderson — Fri, 24 Oct 2025 14:48:26 GMT

Bit buried, but Admin -> Settings -> Protocols -> RADIUS

Suppress repeated failures. This will open the options when checked. Keep in mind on the duration as I have not found a way to remove someone suppressed until it times out.

Re: Cisco ISE - Avoid users blocked account in AD

davidgfriedman — Fri, 24 Oct 2025 15:38:28 GMT

I believe I know of 3 ways to bypass endpoint rejection before the suppression timeout occurs.

1. If an endpoint is truly rejected, you can release it under Context Visibility->Endpoints. Look it up, click the checkbox, and see if the Release Rejected option is grayed out or clickable. It is on the same line as the refresh circle, the add /edit / delete buttons, and the Import/Export endpoints pulldowns.

2. You can also check / release it using the APIs document on your PAN https://PAN/ers/sdk See the API documentation->End Point section, calls ReleaseRejectedEndpoint and GetRejectedEndpoints. I just had an issue the last time I tested it (2.7 maybe?) where the GetRejectedEndpoints didn't paginate properly so I didn't trust the list it sent back to me (at that moment we were working with teams to sort out rejections, and it was more than the API could return on one page of results).

3. Navigate to Administration->System->Logging->Collection Filters In that section, add your MAC Address as a Attribute->MAC Address with the Filter Type->Bypass Suppression It allows a bypass for the default time period, which I believe is 60 minutes. When that time period has passed, it automatically changes from enabled to disabled. However, it stays on that list until manually deleted. So, if you use it often here, you'll have to manually clean up any suppression bypasses you had created on this screen.

Regards,
David

Re: Cisco ISE - Avoid users blocked account in AD

Karsten Iwen — Fri, 24 Oct 2025 17:01:02 GMT

Suppression should work, but IMO, it's the wrong tool for the right job.

Under the Advanced Settings of the AD connection, you find the option "Prevent Active Directory User Lockout". There are restrictions, but if these don't match your use case, it's the way to go.

Re: Cisco ISE - Avoid users blocked account in AD

milannbrahmbhatt — Mon, 23 Mar 2026 19:40:23 GMT

Navigate to Administration > Identity Management > External Identity Sources > Active Directory.
Select your AD join point and go to the Advanced Settings tab.
Locate the Prevent Active Directory User Lockout section and check Enable Failed Authentication Protection

Navigate to Administration > Identity Management > External Identity Sources > Active Directory.
Select your AD join point and go to the Advanced Settings tab.
Locate the Prevent Active Directory User Lockout section and check Enable Failed Authentication Protection