Solved: AnyConnect Brute Force protection

swscco001 · ‎10-09-2017

Hello guys,

how can i archieve Brute Force Protection with ISE, while using RA-VPN? Cisco ASA is configured to use ISE as an AAA Server for AnyConnect login.

The customer has AnyConnect up and running and now wants to have Brute Force Protection, because you can literally try a million times without someone blocking your attempts to gain access.

At Administration -> System -> Settings -> Protocols -> Radius -> "Reject RADIUS requests from clients with repeated failures" does not work as I expected it to work.

I've set the requirements to minimum (Detect two failures within: 1 Minute, failures prior to automatic rejection: 2, continue rejecting requests for 5 Minutes) and used 20 times the wrong password for the same user and nothing happened. After 20 tries I just entered the correct password and it gave me access.

ISE Version 2.3

Any Ideas on what I may did wrong?

Thank you very much for your time!

Kind Regards

Lukas

hslai · ‎10-12-2017

Your results are expected at present. Wrong passwords are currently exempted for that rejection.

View solution in original post

hslai · ‎10-12-2017

Your results are expected at present. Wrong passwords are currently exempted for that rejection.

Futuristc · ‎10-18-2017

Thank you very much. We will try to block BruteForce attacks with FirePower then.

So the rejection feature is only available to stop misconfigured clients right?

Kind regards

Lukas

hslai · ‎10-18-2017

Yes, the main purpose is to stop misconfigured clients.