05-24-2022 01:39 AM
Hello,
ISE blocks nominative accounts used to launch scripts making API requests with many connections and simultaneous actions (there are about 300 devices concerned). We always have to do the unlocking manually.
The question is whether the blocking comes from the number of connections per second or the number of actions per second and what to do to bypass this blocking (configuration or specific account to be provided?)
Subject: Information regarding account locked
Account has been locked for internal user, userid A*******-adm.
This account has been locked. For this account to become unlocked, please contact your IT helpdesk.
ISE version is 2.4.0.357
Best Regards,
José
05-24-2022 06:27 AM
Hello,
Has anyone confronted this type of issue?
Thanks,
05-24-2022 04:22 PM
The account locking is likely due to the Lock/Suspend Settings configuration found on the Administration > System > Admin Access > Authentication > Lock/Suspend Settings page.
Have you checked the ISE logs or reports for repeated failed authentications generated by the API calls?
How many concurrent ERS API calls do you have? As per the https://cs.co/ise-scale guide, ISE supports a maximum of 100 concurrent API connections.
There are also various API bugs fixed in patches for 2.4. If you have not already done so, you might upgrade to the latest patch to see if the issue is resolved.
You should also be aware that ISE 2.4 reaches End of Support in December 2022. You should consider upgrading to a more recent version to ensure you can receive support from Cisco TAC.
05-30-2022 05:34 AM
Thanks Greg for this information.
To be more specific, the exact requirement is for API requests made to Endpoints that include ISE authentication but do not relate to the ISE directly.
BR,
05-30-2022 06:54 AM
I do not understand what API requests you are talking about and from what to what.
What API?
What scenario are you trying to do?
Please see How to Ask The Community for Help so we have enough details to understand the problem and potentially reproduce it.
05-31-2022 05:09 PM
User Authentication Settings says,
Lock/Suspend Account with Incorrect Login Attempts: You can use this option to suspend or lock an account if the login attempt failed for the specified number of times. The valid range is from 3 to 20.
The Account Disable Policy tab is where you configure rules about when to disable an existing user account. See Disable User Accounts Globally for more information.
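Added example (not part of the thread and not Cisco code): one way for a batch script to stay inside the two limits quoted in the replies above, the 100 concurrent API connections and the 3 to 20 failed-login lock threshold. `call` is a hypothetical function that sends one authenticated request and returns the HTTP status; both constants are assumed values.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

MAX_CONCURRENT = 20    # assumption: kept well under the 100 concurrent connections cited above
MAX_AUTH_FAILURES = 2  # assumption: below 3, the lowest lock threshold cited above

def run_batch(devices, call, max_concurrent=MAX_CONCURRENT,
              max_auth_failures=MAX_AUTH_FAILURES):
    """Run call(device) -> HTTP status for every device without hammering the account.

    `call` is a hypothetical function that sends one authenticated API request.
    """
    devices = list(devices)
    results = {}
    if not devices:
        return results
    # Canary: one request on its own, so a wrong or expired password costs a
    # single failed login instead of one per worker thread.
    results[devices[0]] = call(devices[0])
    if results[devices[0]] == 401:
        results.update((d, "skipped") for d in devices[1:])
        return results

    failures = 0
    lock = threading.Lock()
    tripped = threading.Event()

    def worker(device):
        nonlocal failures
        if tripped.is_set():          # credentials went bad mid-run: stop sending
            return device, "skipped"
        status = call(device)
        if status == 401:
            with lock:
                failures += 1
                if failures >= max_auth_failures:
                    tripped.set()
        return device, status

    # The pool size is the hard cap on simultaneous connections.
    with ThreadPoolExecutor(max_workers=max_concurrent) as pool:
        results.update(pool.map(worker, devices[1:]))
    return results

def auth_failures(results):
    """Count failed logins actually sent, to compare with the lock threshold."""
    return sum(1 for s in results.values() if s == 401)
```

Requests already in flight when the breaker trips still complete, so a mid-run credential change can cost up to `max_auth_failures + max_concurrent - 1` failed logins; keep that sum below the configured lock threshold.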