topic Re: Hi, in Wireless

Excessive Web Authentication Failures -customize counters and timers

Temur Kalandia — Mon, 05 Jul 2021 12:24:56 GMT

Hello everyone,

we are preparing the demo environment for our customer. configured web authentication with LDAP integration. everything is working normally, but have following question regarding Excessive Web Authentication Failures :

1) can we control number of failed retries?it is currently 3, but wee need change it to 5 or any other number
2) can we change duration between failed attempts? currently it is 1 minute , but need to increase to 5 minutes , if failed login attempts will be 5 , during 5 minutes need exclude this client.

thanks in advance 🙂

Hi Temur,

WiFi Trainers — Wed, 13 Jul 2016 11:49:12 GMT

Hi Temur,

Can you please clarify what retries you are referring to? Is it the number of times the WLC tries to send an authentication request to the radius server?

Best Regards,

WiFi Trainers (www.wifitrainers.com)

Your one stop solution for all your wireless training needs!

******** Please rate if useful *********

hi ,

Temur Kalandia — Wed, 13 Jul 2016 21:49:52 GMT

hi ,

cisco wlc has Client Exclusion Policies, one of that policies is "Excessive Web Authentication Failures" it offers client exclusion after three consecutive failures. refer to this doc: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0111010.pdf

my tasks are :

1) somehow control failure counters, for example i need to exlude clients after 5 consecutive failures, or choose any other number.

2) control the time between failures, in default configuration if 3 failures occur during one minute wips will exclude client at fourth try, but i need to increase this duration to 5 minutes. in this case if user fails authenticate 5 times , it will be excluded.

Hi Temur,

WiFi Trainers — Thu, 14 Jul 2016 05:29:57 GMT

Hi Temur,

Thanks for the clarification. There is no config option to change this even on the latest 8.2 code. We can only enable this feature and not change any of the default parameters.

Best Regards,

WiFi Trainers (www.wifitrainers.com)

Your one stop solution for all your wireless training needs!

******** Please rate if useful *********

Hi,

hajia — Thu, 14 Jul 2016 07:08:35 GMT

Hi,

You can change it on your LDAP server.

In Web Authentication, WLC only transfer the authentication request to the authentication server , in your case "LDAP".

hello,

Temur Kalandia — Thu, 14 Jul 2016 08:04:29 GMT

hello,

can you please tell me the duration time for three consecutive failures? in what time period should hacker try three consecutive failures? 3 tries during one minute or time does not meters, if there will be three consecutive failures during any time , client will be blocked?

hi,

Temur Kalandia — Thu, 14 Jul 2016 09:57:39 GMT

hi,

we have already configured this option : user account lockout, but customer needs to add additional security at wireless layer, to avoid offload the LDAP.

one option i think will be use radius server between LDAP and WLC and sent client exclusion attributes from the radius server itself. if you have any guide for this typof config will be great 🙂

Re: Hi,

ajc — Mon, 18 Sep 2017 15:30:18 GMT

Question, what do you mean by "In webauth the wlc transfer the authentication request to the authentication server when using LDAP?. Does the same apply for PEAP when using LDAP?