Cisco Employee

Brute-force attack (auto login)

Hi,

How does ISE handle brute-force attacks ?

Cheers,

Lennert

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Brute-force attack (auto login)

Lennert,

For repeated 802.1X failures, ISE features anomalous client detection, where the admin can deny access from the endpoint for a predetermined period (default 1 hour). There are also settings on the NADs that address such behavior from the client devices: Cisco WLC has client exclusion policies, and Cisco IOS switches can leverage 802.1X settings to rate-limit authentication requests. Also, the identity database, such as AD, can be configured to disable accounts after X number of unsuccessful authentication attempts.

Hosuk
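The three controls in the answer above share one shape: count authentication failures per key (endpoint MAC, or account name) and refuse further attempts from that key for a fixed period once a threshold is crossed. The Python script below is an added illustration of that logic replayed over constructed RADIUS-style log lines; it is not ISE, WLC or IOS code. The log format, the thresholds (3 failures per endpoint, 5 per account) and the 10-minute counting window are assumptions made for the example; only the 1-hour default period comes from the answer.

```python
"""Toy model of failure-count lockouts (added example, not ISE/WLC/IOS code).

Two trackers run side by side: one keyed by endpoint MAC (the "anomalous
client" idea) and one keyed by user name (the identity-store lockout idea).
An endpoint lock rejects the client even when the password is correct.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed log format (assumption): "<ISO time> <PASS|FAIL> mac=<MAC> user=<name>"
LOG_RE = re.compile(r"^(\S+) (PASS|FAIL) mac=(\S+) user=(\S+)$")


@dataclass
class LockoutPolicy:
    threshold: int        # failures inside the window before a deny is applied
    lockout: timedelta    # how long the deny lasts (1 hour = the ISE default quoted above)
    window: timedelta     # failures older than this are no longer counted


@dataclass
class FailureTracker:
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)      # key -> [failure timestamps]
    locked_until: dict = field(default_factory=dict)  # key -> expiry of the deny

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lockout period elapsed: lift the deny and restart counting.
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        recent = [t for t in self.failures.get(key, []) if now - t <= self.policy.window]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= self.policy.threshold:
            self.locked_until[key] = now + self.policy.lockout
            return True   # this failure triggered a lock
        return False

    def record_success(self, key):
        self.failures.pop(key, None)


def evaluate(log_lines, endpoint_policy, account_policy):
    """Replay log lines; return (timestamp, mac, user, decision) per auth event."""
    endpoints = FailureTracker(endpoint_policy)
    accounts = FailureTracker(account_policy)
    decisions = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an authentication result line
        ts, result, mac, user = m.groups()
        now = datetime.fromisoformat(ts)
        if endpoints.is_locked(mac, now):
            decision = "reject-endpoint-locked"   # denied regardless of credentials
        elif accounts.is_locked(user, now):
            decision = "reject-account-locked"    # identity-store style lockout
        elif result == "PASS":
            endpoints.record_success(mac)
            accounts.record_success(user)
            decision = "accept"
        else:
            endpoints.record_failure(mac, now)
            accounts.record_failure(user, now)
            decision = "reject"
        decisions.append((ts, mac, user, decision))
    return decisions


# Constructed sample log: one endpoint hammering alice's account, then bob's
# account tried from several different MACs (one failure each).
SAMPLE_LOG = [
    "2024-01-01T12:00:00 FAIL mac=aa:bb:cc:dd:ee:01 user=alice",
    "2024-01-01T12:00:05 FAIL mac=aa:bb:cc:dd:ee:01 user=alice",
    "2024-01-01T12:00:10 FAIL mac=aa:bb:cc:dd:ee:01 user=alice",
    "2024-01-01T12:00:15 PASS mac=aa:bb:cc:dd:ee:01 user=alice",  # right password, still denied
    "2024-01-01T13:00:20 PASS mac=aa:bb:cc:dd:ee:01 user=alice",  # 1 hour later: allowed
    "2024-01-01T13:10:00 FAIL mac=aa:bb:cc:dd:ee:02 user=bob",
    "2024-01-01T13:10:01 FAIL mac=aa:bb:cc:dd:ee:03 user=bob",
    "2024-01-01T13:10:02 FAIL mac=aa:bb:cc:dd:ee:04 user=bob",
    "2024-01-01T13:10:03 FAIL mac=aa:bb:cc:dd:ee:05 user=bob",
    "2024-01-01T13:10:04 FAIL mac=aa:bb:cc:dd:ee:06 user=bob",
    "2024-01-01T13:10:10 PASS mac=aa:bb:cc:dd:ee:07 user=bob",    # account locked, new MAC
]

DEFAULT_ENDPOINT_POLICY = LockoutPolicy(3, timedelta(hours=1), timedelta(minutes=10))
DEFAULT_ACCOUNT_POLICY = LockoutPolicy(5, timedelta(hours=1), timedelta(minutes=10))


def demo():
    return evaluate(SAMPLE_LOG, DEFAULT_ENDPOINT_POLICY, DEFAULT_ACCOUNT_POLICY)


if __name__ == "__main__":
    for ts, mac, user, decision in demo():
        print(ts, mac, user, decision)
```

The two keys matter: the per-endpoint tracker stops a single device cycling through passwords, while the per-account tracker catches the same account being tried from many devices, which the endpoint lock alone would never notice. Note also that an account lock, like the AD lockout in the answer, denies the legitimate owner too, so the threshold and period trade off abuse resistance against a denial-of-service on that user.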

3 REPLIES

Re: Brute-force attack (auto login)

Can you please provide, in a detailed way, how and where this option is in the Cisco WLC as well as on a Cisco switch.

Where is the option in the WLC, and what command on a Cisco LAN switch sets these parameters?

In ISE I have seen the password policy for users in External Identity, where we can lock the account for a particular time or disable it. In the case of disabling, how will it technically work, as ISE cannot disable the account in AD unless it has account operator privilege? Is it that ISE creates a deny policy for a local user matching the same user name in ISE with status as disabled?

Re: Brute-force attack (auto login)

In ISE I tested the user password policy and it's helping only for local users, not any external identity.

In the WLC I see the setting for excessive dot1x failures. Though it's enabled, somehow it's not triggering and working.

For the network switch, I'd appreciate it if you can provide the details of the parameters and command-line configuration to achieve this.
