592 Views | 0 Helpful | 5 Replies
Cisco Employee

ISE Unsuccessful login attempts Use Cases

The customer I am working for is interested in the use cases below. They are currently using dot1x for employees, wired and wireless.

1. When a dot1x wired user login attempts fail three times, that user will be blocked for 30 minutes and then they can attempt again.

2. When wireless user login attempts fail five times, they are blocked permanently and the administrator has to reauthorize.

I want to know how to implement these use cases and also what license level they should be on for these two features.

Thank you

Stalin

5 REPLIES
Cisco Employee

Re: ISE Unsuccessful login attempts Use Cases

AFAIK, there are no options today to block a user for repeated authentication failures involving wrong credentials.

The following are the options today to handle RADIUS failures, however.

[Screenshot: Screen Shot 2018-03-21 at 10.02.29 AM.png]

Rejected endpoints get ACCESS-REJECT from ISE for the reject interval. The response from ISE cannot be customized, so a portal notification cannot be provided today.

The rejected endpoints appear in the ISE dashboard and can be cleared before the reject interval by the administrator. More details here: Endpoints "Release Rejected" Button

thanks,

~Hari

Cisco Employee

Re: ISE Unsuccessful login attempts Use Cases

Please look at the presentation BRKSEC-3699 on performance and scale; it has many slides showing how we do client suppression automatically.

https://communities.cisco.com/docs/DOC-63882#jive_content_id_2017_Cisco_Live_Las_Vegas

Cisco Employee

Re: ISE Unsuccessful login attempts Use Cases

Hello,

Thank you for your response.

If I understand your response correctly, suppression means notification suppression, am I correct? If yes,

what the client wants is: if the user's login attempts fail three times, they should be locked out of using any network services for 30 minutes and unlocked after 30 minutes. How do I do this?

VIP Engager

Re: ISE Unsuccessful login attempts Use Cases

No, there are two types of suppression. There is the notification, i.e. log entry, and then there is the reject. The screen shot posted has the reject setting set for 5 times and then you are rejected for the next 60 minutes. If you fail 5 times, then for the next 60 minutes, no matter what you do from that MAC address, you will get a RADIUS reject from ISE. The reject message won't show up in the logs. ISE will just send a reject.
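
As an added illustration of the reject-suppression behaviour described in the reply above (this is not ISE's code and not from any poster in this thread), here is a Python model of the per-MAC failure counter using the screenshot's values of 5 failures and 60 minutes; the MAC addresses, usernames and timings in the sample events are constructed. It also shows why this does not give the original poster's per-user lockout: the same user from a different MAC is still accepted during the reject window.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

REJECT_THRESHOLD = 5       # failures from one MAC before reject suppression kicks in
REJECT_INTERVAL_MIN = 60   # minutes of silent ACCESS-REJECT for that MAC


@dataclass
class MacState:
    failures: int = 0
    reject_until: Optional[int] = None  # minute at which the reject window ends


def evaluate(events):
    """Model ISE reject suppression over (minute, mac, username, result) events.

    result is 'pass' (credentials correct) or 'fail' (wrong credentials).
    Returns (minute, mac, username, action, logged) per event; logged=False
    models the reply's point that in-window rejects never reach the log.
    """
    state = defaultdict(MacState)
    out = []
    for minute, mac, user, result in events:
        s = state[mac]
        if s.reject_until is not None and minute < s.reject_until:
            # Inside the window: rejected regardless of credentials, and silent.
            out.append((minute, mac, user, "reject-suppressed", False))
            continue
        if s.reject_until is not None:
            s.failures, s.reject_until = 0, None  # window expired, counter resets
        if result == "pass":
            s.failures = 0
            out.append((minute, mac, user, "accept", True))
            continue
        s.failures += 1
        if s.failures >= REJECT_THRESHOLD:
            s.reject_until = minute + REJECT_INTERVAL_MIN
            out.append((minute, mac, user, "reject-window-start", True))
        else:
            out.append((minute, mac, user, "reject", True))
    return out


# Constructed sample: alice fails 5 times from one MAC, then tries the right password.
SAMPLE_EVENTS = [(m, "aa:bb:cc:00:00:01", "alice", "fail") for m in range(5)] + [
    (5, "aa:bb:cc:00:00:01", "alice", "pass"),   # correct creds, still silently rejected
    (5, "aa:bb:cc:00:00:02", "alice", "pass"),   # same user, other MAC: accepted (no per-user lock)
    (64, "aa:bb:cc:00:00:01", "alice", "pass"),  # window over (4 + 60): accepted again
]
```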

Cisco Employee

Re: ISE Unsuccessful login attempts Use Cases

OK, thank you. Will try it in the lab today.