cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

849
Views
2
Helpful
4
Replies
jplivolsi
Beginner

ACS 5.8.1 - time between failed attempts?

When an ID has several failed attempts in a row, and say the disable threshold is set to 3 attempts, what is the time frame that the ACS is using to track the failed attempts?  Is it so many attempts per second, per several seconds, per minute?  So, for example, say a user attempted to authenticate but failed 3 times in a 3 second window, they tried once per second, is the ACS going to recognize that as meeting the 3 failed attempts criteria and disable the account?  What if they failed 3 times in a 10 second, 30 seconds, or 1 minute time frame?   What is the ACS configured to look for?

4 REPLIES 4
vthaluru
Cisco Employee

Hi Jplivolsi,

Authentications are doing against to which server ? if it is secondary ,then there is delay to disable . Because it needs to update to primary server .

It will not check any time frame like 10s ,20s ..etc ,if we configured failed attempt .

It will check the count of failed attempt .

Thanks

VenkataKrishna

Please rate helpful posts and mark correct answers.

Ok, so it is obvious you do not know what I am asking about because you didn't even answer my question.  You answered a question I didn't even ask, which is all to common for this forum.  This has absolutely nothing to do with primary/secondary servers, nothing to do with delay between servers and/or hosts, nothing to do with checking over a specific time frame.  It has to do with the time between specific attempts by a specific individual user trying to log into any device that authenticates against the ACS.  So, here is an example:

05/06/2016 13:21:06    22040 Wrong password or invalid shared secret
05/06/2016 13:21:18    22040 Wrong password or invalid shared secret
05/06/2016 13:21:30    22040 Wrong password or invalid shared secret
05/06/2016 13:24:47    22040 Wrong password or invalid shared secret
05/06/2016 13:25:03    22075 Authentication failed. User account is disabled due to excessive failed authentication attempts at global level

I removed everything but the time stamp and the message.  This particular user attempted to log into a device multiple times and the ACS eventually disabled their account.  In this specific example, it was after 5 attempts.  I understand how to configure the number of times that it checks before disabling the account because I am the one who configured it.  What is missing, and quite important in my opinion, is the ability to specify the time between authentication attempts.  If you bothered to actually read my above example, you will see the time between attempts by that specific user varied.  So, the second attempt happened 12 seconds after the first attempt, the third attempt happened also 12 seconds after the second attempt.  The fourth attempt happened 197 seconds after the third attempt, and the fifth attempt happened 16 seconds after the fourth attempt.  Follow?  So, there is no pattern in this.  What I am wondering is what is the threshold, or maximum amount of time that has to pass, before the ACS resets the failed attempt counter?

Hi Jplivolsi,

There is no option to specify the time between authentication attempts.

There is no threshold or maximum amount of time to count the failed attempt, It will count the number of failed attempts .

If we have failed attempt for every sec or 2 sec ..etc ,it will count the number of failed attempts ,then user will go to disable.

Thanks

VenkataKrishna

Please rate helpful posts and mark correct answers.

Ok, so lets say the number of attempts is 5, like above.  If a user attempts to log into a device once a month, and that is the only time they attempt to login for that month, and they fail.  After 5 months, of only trying once a month, their account will be disabled?  That is really poor planning and design.  I highly doubt that is the real case.  Actually, I know for a fact that is not the case.  The reason I know is because I have tested it.  I have purposefully had 4 successive failed login attempts, then waited an amount of time and purposefully failed again.  The account wasn't disabled, I know this because I am the administrator of this particular ACS.  I have actually managed to have many times more than the configured number of failed attempts logged without disabling the account.  I have yet to figure out what the actual time frame is, but there has to be one.  Othewise, regardless of how long I waited between attempts, the account would have been disabled.  Apparently from your responses, you don't actually know how an ACS works and are only going by how you think it works.   I was hoping that I would not have to actually call Cisco to get this information but I guess that is the first thing I am going to be doing on Monday since there is a severe lack of knowledge here.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel