cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6317
Views
2
Helpful
3
Replies

AnyConnect Brute Force protection

swscco001
Level 1
Level 1

Hello guys,

how can i archieve Brute Force Protection with ISE, while using RA-VPN? Cisco ASA is configured to use ISE as an AAA Server for AnyConnect login.

The customer has AnyConnect up and running and now wants to have Brute Force Protection, because you can literally try a million times without someone blocking your attempts to gain access.

At Administration -> System -> Settings -> Protocols -> Radius -> "Reject RADIUS requests from clients with repeated failures" does not work as I expected it to work.

I've set the requirements to minimum (Detect two failures within: 1 Minute, failures prior to automatic rejection: 2, continue rejecting requests for 5 Minutes) and used 20 times the wrong password for the same user and nothing happened. After 20 tries I just entered the correct password and it gave me access.

ISE Version 2.3

Any Ideas on what I may did wrong?

Thank you very much for your time!

Kind Regards

Lukas

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee
Cisco Employee

Your results are expected at present. Wrong passwords are currently exempted for that rejection.

View solution in original post

3 Replies 3

hslai
Cisco Employee
Cisco Employee

Your results are expected at present. Wrong passwords are currently exempted for that rejection.

Thank you very much. We will try to block BruteForce attacks with FirePower then.

So the rejection feature is only available to stop misconfigured clients right?

Kind regards

Lukas

Yes, the main purpose is to stop misconfigured clients.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: