https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285769#M1120769 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1636457">@Da ICS16</a>&nbsp;yes&nbsp;</P> <P>&nbsp;</P> Mon, 28 Apr 2025 04:31:58 GMT Rob Ingram 2025-04-28T04:31:58Z https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285207#M1120737 <P>Dear Community,</P> <P>We explore the solution to mitigate VPN brute force attack in Cisco FTD.&nbsp;</P> <P>AD users always locked out when under targeting&nbsp; potential VPN brute force attacks so it leads to AD account locked out and impact to legit users (internal user).&nbsp;</P> <P>Flow: FTD -&gt; ISE.</P> <P>ISE has connectivity to AD and 2FA (OTP). On ISE get source form FTD and on ISE Policy Set (<SPAN>Authentication methods: PAP/ASCII or MSCHAPv2, NAS-PORT-TYPE: Virtual</SPAN>).</P> <P>- We enabled "AD account locked out policies , eg: 5 failed attempt"&nbsp; server.</P> <P>-&nbsp;<SPAN>ISE features tested: 'Reject RADIUS requests from clients with repeated failures', 'Prevent Active Directory User Lockout' but cannot blocked AD user on ISE.</SPAN></P> <P><SPAN>We user ISE 3.1, Cisco Secure Client VPN agent 5.x</SPAN></P> <P><SPAN>Could you share commend / good practice to prevent / mitigate this kind of vpn brute force attacks? To ensure no AD locked on target users.</SPAN></P> <P><SPAN>Well appreciated for you supporting.</SPAN></P> <P><SPAN>Best Regards,</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 25 Apr 2025 10:06:51 GMT https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285207#M1120737 Da ICS16 2025-04-25T10:06:51Z https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285215#M1120738 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1636457">@Da ICS16</a> you can enable threat detection capability, this may require a patch/upgrade as this is a relatively new feature.&nbsp;</P> <P>Once enabled, the FTD automatically shuns the host (IP address) that exceeds the configured thresholds, to prevent further attempts until you manually remove the shun of the IP address.</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 28 Apr 2025 07:14:17 GMT https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285215#M1120738 Rob Ingram 2025-04-28T07:14:17Z https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285741#M1120767 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;</P><P>Thanks for your commend and supporting.</P><P>To enable threat detection capability, does it can mitigate this kind of attack even the attacker's known AD User?&nbsp;</P><P>Thanks.</P> Mon, 28 Apr 2025 01:47:35 GMT https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285741#M1120767 Da ICS16 2025-04-28T01:47:35Z https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285769#M1120769 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1636457">@Da ICS16</a>&nbsp;yes&nbsp;</P> <P>&nbsp;</P> Mon, 28 Apr 2025 04:31:58 GMT https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285769#M1120769 Rob Ingram 2025-04-28T04:31:58Z https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285829#M1120770 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;</P><P>For we ever did even the configured threshold, tuning certificate but no luck to prevent AD user locked out.</P><P>Seem it is not the fixed solution.</P> Mon, 28 Apr 2025 07:07:53 GMT https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285829#M1120770 Da ICS16 2025-04-28T07:07:53Z https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285831#M1120771 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1636457">@Da ICS16</a> what software version are you running? Have you confirmed that threat detection is working after you configured it, run - "show threat-detection service" and "show shun"</P> Mon, 28 Apr 2025 07:13:52 GMT https://community.cisco.com/t5/network-security/look-solution-to-mitigate-vpn-bruteforce-attack/m-p/5285831#M1120771 Rob Ingram 2025-04-28T07:13:52Z