05-12-2012 08:00 AM - edited 03-10-2019 07:05 PM
Hi All,
I am currently running Cisco ACS 5.1.0.44 and use Active Directory as the main authentication identity store to allow network administrators to have access to network devices in my organization.
As per the established security policies in my organization, the ACS has to disable any account after 3 failed login attempts to any network device.
Can you kindly share how it is done? I have gone through all the settings on the ACS but couldn't find where or how it is done.
Regards,
Moussa
05-12-2012 01:28 PM
The account lockout policy needs to be set on Active Directory itself and not in ACS. ACS will detect when an account is locked out, but the enforcement itself needs to be on AD.
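As an added example (not part of the reply above or of any Cisco documentation), the following PowerShell shows where that enforcement lives on the AD side: it reads the current default domain lockout policy, sets a 3-attempt threshold, and then checks one administrator account's failed-password counter and lockout state on each domain controller. The domain name `example.local` and the account `netadmin1` are placeholders; it assumes the ActiveDirectory RSAT module and a domain-joined host with rights to read and modify the default domain policy.

```powershell
# Added example, not from the original thread. Placeholders: example.local, netadmin1.
Import-Module ActiveDirectory

# 1. What the domain currently enforces (LockoutThreshold 0 means "never lock out").
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Enforce the 3-failed-attempts rule: lock for 30 minutes, and reset the
#    failed-attempt counter if 30 minutes pass without a further failure.
Set-ADDefaultDomainPasswordPolicy -Identity 'example.local' `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 3. A fine-grained password policy (PSO) applied to the admin group overrides the
#    default domain policy, so check the policy that actually governs the account.
Get-ADUserResultantPasswordPolicy -Identity 'netadmin1' |
    Select-Object Name, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 4. After deliberately failing a few logins through a network device, confirm the
#    DC saw them. badPwdCount is kept per DC (replicated only to the PDC emulator
#    on lockout), so query every DC rather than trusting one.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    Get-ADUser -Identity 'netadmin1' -Server $dc `
        -Properties badPwdCount, LockedOut, LastBadPasswordAttempt |
        Select-Object @{ n = 'DC'; e = { $dc } }, badPwdCount, LockedOut, LastBadPasswordAttempt
}
```

If step 4 shows `badPwdCount` not moving on any DC after failed device logins, the failures are not reaching AD as password authentications, and that is the place to look before changing anything in ACS.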
05-12-2012 02:41 PM
Hello jrabinow,
Thanks a lot for the reply.
We already have our AD set up to lock the account of users who fail 3 consecutive Windows login attempts.
However, when network administrators fail to log in after 3 consecutive attempts to a network device, they can still log in to a network device if they provide their correct AD credentials.
Is there any specific configuration that needs to be done on the AD to be aware of the failed login attempts on the network devices and count them the same as a failed Windows login attempt?
Kind Regards,
Moussa
05-12-2012 02:51 PM
I will also check with my AD administrators if they can spot anything on this specific issue or if the login policies have been changed.