1323 Views, 0 Helpful, 6 Replies

ACS 5.2 How to configure local user lockout policy?

cwallin
Level 1

Hi all!

I'm struggling with finding out how you configure the local user account lockout policy in ACS 5.2.

In 4.2.1 there is the "Failed attempts exceed" option, see link for more details:

http://www.ciscosystems.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrMgt.html#wp273167

But in 5.2 I cannot find the option:

http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

Can someone shed some light on where I configure this?

BR /Crille

1 Accepted Solution

Accepted Solutions

Just found a bug id that states it's not supported.

CSCth12406 Bug Details

ACS 5 does not have option to disable local account on failed attempts
Symptom:
ACS 5 does not have an option to disable local account in internal identity store on failed attempts

Conditions:
When ACS 5 is used to only authenticate users using internal identity store, there is no way to configure an account lockout policy for failed attempts.

Workaround:
Currently there is no workaround

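Since the accepted answer is that ACS 5.x has no failed-attempt lockout for the internal identity store, the compensating control a defender reaches for is to count failures per user in the authentication logs and alert (or disable the account by hand) once a threshold is crossed inside a time window, which is exactly what the 4.2.1 "Failed attempts exceed" policy did for you. The Python below is an added example written for this page; it is not Cisco's code and not from the thread. The log lines are constructed, and their `timestamp user=... result=...` layout is an assumption standing in for whatever your ACS log export or syslog collector actually emits; only `parse_line` would need to change for a real feed.

```python
"""Compensating control for an identity store with no failed-attempt lockout:
count failed authentications per user inside a sliding window and flag the
users that cross a threshold. Added example; the log format is invented."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (timestamp, user, result). Not real ACS output:
# alice fails 5 times in 25 seconds and then succeeds; bob fails 5 times
# spread over 40 minutes.
SAMPLE_LOG = """\
2011-03-01T09:00:01 user=alice result=FAIL
2011-03-01T09:00:05 user=alice result=FAIL
2011-03-01T09:00:09 user=bob result=PASS
2011-03-01T09:00:12 user=alice result=FAIL
2011-03-01T09:00:20 user=alice result=FAIL
2011-03-01T09:00:25 user=alice result=FAIL
2011-03-01T09:00:30 user=alice result=PASS
2011-03-01T09:10:00 user=bob result=FAIL
2011-03-01T09:20:00 user=bob result=FAIL
2011-03-01T09:30:00 user=bob result=FAIL
2011-03-01T09:40:00 user=bob result=FAIL
2011-03-01T09:50:00 user=bob result=FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, result).
    Replace this function to match the real log layout you collect."""
    ts, user, result = line.split()
    return (datetime.fromisoformat(ts),
            user.split("=", 1)[1],
            result.split("=", 1)[1])


def find_lockout_candidates(log_text, threshold=5, window_minutes=5):
    """Return {user: timestamp at which the threshold was first reached}.

    Mirrors a 'failed attempts exceed N within a window' lockout policy:
    failures older than the window are forgotten, and a successful login
    resets the user's counter, as a real lockout counter normally would.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    flagged = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, result = parse_line(raw)
        if result == "PASS":
            recent[user].clear()  # successful login resets the counter
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged


if __name__ == "__main__":
    for user, when in find_lockout_candidates(SAMPLE_LOG).items():
        print(f"{user}: {threshold_note}" if False else
              f"{user}: reached failure threshold at {when.isoformat()}")
```

With the defaults (5 failures in 5 minutes) only alice is flagged, and she is flagged before her successful login at 09:00:30, which is the login a real lockout would have blocked. bob's five failures are 10 minutes apart, so the sliding window never holds more than one of them; widen `window_minutes` to 60 and he is flagged too. The script is deliberately stateless across runs; in practice you would feed it a rolling tail of the log or implement the same logic as a SIEM correlation rule.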

6 Replies

Eduardo Aliaga
Level 4

You can't lockout due to "failed attempts". You can only lockout due to "password expiration". This option is in "system administration > Users > authentication settings". Please rate if it helps.

You can't? That sounds strange; why on earth would Cisco remove that functionality?

I found out that it's available in Cisco ACS Express 5.0.1 as well:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0.1/user/guide/ident.html#wp1043065

I'm hoping it's just hidden in some other screen.

That link is for "ACS Express" which is a different product.

Anyway, about ACS 5.2, I did some deep research and it seems ACS could support a maximum of 3 retry attempts when using "PEAP" or "EAP-FAST".

Go to "Access Policies > Access Services", then edit one of those services and click "Allowed Protocols", then click "PEAP" or "EAP-FAST" and type the number of retries. As for the other protocols, it seems it's not supported.

I don't believe that setting is related to account lockout, but rather to the number of times ACS tries to request credentials before returning "login failure".

Can you link to or tell me which chapter in the manual you refer to?

I think it's time for a TAC request; this is fishy.


Hi All,

This bug, CSCth12406 "ACS 5 does not have option to disable local account on failed attempts", is an enhancement request. So this feature might be included in future releases.

thanks,

Vinay

_________________

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Thanks & Regards