The customer I am working for is interested in the use cases below. They are currently using dot1x for employees, wired and wireless.
1. When a dot1x wired user's login attempts fail three times, that user will be blocked for 30 minutes and then they can attempt again.
2. When a wireless user's login attempts fail five times, they are blocked permanently and the administrator has to reauthorize.
I want to know how to implement these use cases and also what license level they should be at for these two features.
AFAIK, there are no options today to block a user for repeated authentication failures involving wrong credentials.
The following are the options today to handle RADIUS failures, however.
Rejected endpoints get ACCESS-REJECT from ISE for the reject interval. The response from ISE cannot be customized and thereby portal notification cannot be provided today.
The rejected endpoints appear in the ISE dashboard and can be cleared before the reject interval by the administrator. More details here: Endpoints "Release Rejected" Button
Please look at the presentation BRKSEC-3699 for performance and scale; it has many slides showing how we do client suppression automatically.
Thank you for your response.
If I understand your response correctly, suppression means notification suppression, am I correct? If yes, what the client wants is this: if the user's login attempts fail three times, they should be locked out of using any network services for 30 minutes and unlocked after 30 minutes. How do I do this?
No, there are two types of suppression. There is the notification, i.e. log entry, and then there is the reject. The screenshot posted has the reject setting set for 5 times and then you are rejected for the next 60 minutes. If you fail 5 times, then for the next 60 minutes, no matter what you do from that MAC address, you will get a RADIUS reject from ISE. The reject message won't show up in the logs. ISE will just send a reject.