AnyConnect Brute Force protection

Hello guys,

How can I achieve brute-force protection with ISE while using RA-VPN? The Cisco ASA is configured to use ISE as an AAA server for AnyConnect login.

The customer has AnyConnect up and running and now wants to have brute-force protection, because you can literally try a million times without anyone blocking your attempts to gain access.

The setting at Administration -> System -> Settings -> Protocols -> RADIUS -> "Reject RADIUS requests from clients with repeated failures" does not work as I expected it to.

I've set the requirements to the minimum (detect two failures within 1 minute, failures prior to automatic rejection: 2, continue rejecting requests for 5 minutes) and entered the wrong password 20 times for the same user, and nothing happened. After 20 tries I just entered the correct password and it gave me access.

ISE Version 2.3

Any ideas on what I may have done wrong?

Thank you very much for your time!

Kind Regards

Lukas

1 ACCEPTED SOLUTION

Cisco Employee

Re: AnyConnect Brute Force protection

Your results are expected at present. Wrong passwords are currently exempted for that rejection.

3 REPLIES

Beginner

Re: AnyConnect Brute Force protection

Thank you very much. We will try to block brute-force attacks with Firepower then.

So the rejection feature is only available to stop misconfigured clients, right?

Kind regards

Lukas

Cisco Employee

Re: AnyConnect Brute Force protection

Yes, the main purpose is to stop misconfigured clients.
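The thread leaves the mechanics implicit, so here is an added example (written for this page; it is not Cisco ISE code and does not reproduce ISE's implementation) that models the two lockout policies being compared and replays the poster's test against both. The "ISE-like" policy is a sliding-window counter keyed on the RADIUS client (the ASA) with the thread's thresholds (2 failures within 1 minute, block for 5 minutes) and, following the reply, wrong-password failures exempt from the count; the "per-user" policy is what the poster was hoping for: the same thresholds keyed on the username with every failure counted. The class names, the `Attempt` fields, the failure-reason strings and the timestamps are all constructed for the example.

```python
"""Model of two RADIUS lockout policies, replayed against the thread's test.

Added example, not Cisco ISE code. The exemption of wrong-password failures
from the per-client counter follows the reply in the thread; everything else
(names, fields, reason strings, timestamps) is constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Attempt:
    t: datetime
    client: str   # RADIUS client (NAD) that forwarded the request, e.g. the ASA
    user: str     # username in the Access-Request
    reason: str   # failure reason if rejected (constructed labels, not ISE's)
    valid: bool   # would the credentials themselves have been accepted?


class WindowedLockout:
    """Sliding-window counter: `detect` failures within `window` -> reject for `hold`."""

    def __init__(self, key, detect, window, hold, exempt=frozenset()):
        self.key = key                # Attempt -> str: what the counter is keyed on
        self.detect = detect
        self.window = window
        self.hold = hold
        self.exempt = exempt          # failure reasons that do not count toward the block
        self.failures = {}            # key -> deque of recent failure timestamps
        self.blocked_until = {}       # key -> datetime when the block expires

    def evaluate(self, a: Attempt) -> str:
        k = self.key(a)
        until = self.blocked_until.get(k)
        if until is not None and a.t < until:
            return "REJECTED (blocked)"     # block applies even to correct credentials
        if a.valid:
            return "ACCEPT"
        if a.reason in self.exempt:
            return "REJECT (not counted)"   # the failure is answered but not tallied
        q = self.failures.setdefault(k, deque())
        q.append(a.t)
        while q and a.t - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        if len(q) >= self.detect:
            self.blocked_until[k] = a.t + self.hold
            q.clear()
            return "REJECT (block started)"
        return "REJECT"


def ise_like_policy() -> WindowedLockout:
    """Thread's settings keyed on the client, wrong passwords exempt (per the reply)."""
    return WindowedLockout(key=lambda a: a.client, detect=2,
                           window=timedelta(minutes=1), hold=timedelta(minutes=5),
                           exempt=frozenset({"wrong_password"}))


def per_user_policy() -> WindowedLockout:
    """Same thresholds keyed on the username, every failure counted."""
    return WindowedLockout(key=lambda a: a.user, detect=2,
                           window=timedelta(minutes=1), hold=timedelta(minutes=5))


T0 = datetime(2018, 1, 1, 9, 0, 0)   # constructed start time


def password_guessing_test(policy: WindowedLockout, n_wrong: int = 20) -> list:
    """The poster's test: n_wrong bad passwords for one user, then the right one."""
    outcomes = [policy.evaluate(Attempt(T0 + timedelta(seconds=i), "asa-1", "lukas",
                                        "wrong_password", False))
                for i in range(n_wrong)]
    outcomes.append(policy.evaluate(Attempt(T0 + timedelta(seconds=n_wrong), "asa-1",
                                            "lukas", "", True)))
    return outcomes


def misconfigured_client_test(policy: WindowedLockout, n: int = 5) -> list:
    """A NAD repeatedly failing for a non-exempt reason, e.g. a broken configuration."""
    return [policy.evaluate(Attempt(T0 + timedelta(seconds=i), "asa-2", "svc-vpn",
                                    "misconfigured_client", False))
            for i in range(n)]


if __name__ == "__main__":
    print("ISE-like, 20 wrong passwords then correct:", password_guessing_test(ise_like_policy())[-1])
    print("per-user, 20 wrong passwords then correct:", password_guessing_test(per_user_policy())[-1])
    print("ISE-like, misconfigured client:", misconfigured_client_test(ise_like_policy()))
```

Run as written, the client-keyed policy answers every one of the 20 guesses with a plain reject, never starts a block, and lets the correct password through, which is the behaviour the poster observed; the same thresholds keyed on the user block after the second guess and still reject the correct password 18 seconds later. The misconfigured-client replay shows what the client-keyed counter is for: a NAD failing for a counted reason is blocked after two failures regardless of which user it presents.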