5221 Views | 2 Helpful | 6 Replies

Brute-force attack (auto login)

lvanwaye (Cisco Employee)

Hi,

How does ISE handle brute-force attacks?

Cheers,

Lennert

Accepted Solution

howon (Cisco Employee)

Lennert,

For repeated 802.1X failures, ISE features anomalous client detection, where an admin can deny access from the endpoint for a predetermined period (default 1 hour). There are also settings on the NADs that address such behavior from client devices: Cisco WLC has client exclusion policies, and Cisco IOS switches can leverage 802.1X settings to rate-limit authentication requests. Also, an identity database such as AD can be configured to disable accounts after X number of unsuccessful authentication attempts.

Hosuk


6 Replies

Is this feature also applicable to Device Administration via TACACS+, with an AD-joined domain which contains the accounts of the ISE administrators?

@axeleratorcisco, for blocking brute-force attacks against a switch/router for device administration, you can control this from the switch/router using the command "login block-for X attempts X within X".
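
As an added example (not ISE's or Cisco IOS's own code), the failure-window lockout that both the anomalous client deny period above and "login block-for B attempts A within W" implement: A failures from one endpoint inside W seconds deny that endpoint for B, with the 1-hour default from the accepted answer. The log format, MAC addresses, the `FailureLockout`/`run` names and the 3-in-60-seconds thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample authentication log (not real ISE/IOS output): ISO time, result, endpoint MAC, user.
SAMPLE_LOG = """\
2024-05-01T10:00:00 AUTH_FAIL mac=00:11:22:33:44:55 user=alice
2024-05-01T10:00:20 AUTH_FAIL mac=00:11:22:33:44:55 user=alice
2024-05-01T10:00:40 AUTH_FAIL mac=00:11:22:33:44:55 user=alice
2024-05-01T10:00:50 AUTH_OK   mac=aa:bb:cc:dd:ee:01 user=bob
2024-05-01T10:01:00 AUTH_FAIL mac=00:11:22:33:44:55 user=alice
2024-05-01T10:30:00 AUTH_OK   mac=00:11:22:33:44:55 user=alice
2024-05-01T11:30:00 AUTH_OK   mac=00:11:22:33:44:55 user=alice
"""
LINE_RE = re.compile(r"^(\S+)\s+(AUTH_FAIL|AUTH_OK)\s+mac=(\S+)\s+user=(\S+)$")

class FailureLockout:
    """Per-endpoint sliding-window lockout (hypothetical policy, same shape as
    'login block-for B attempts A within W'): A failures in W -> deny for B."""
    def __init__(self, attempts=3, within=timedelta(seconds=60), block_for=timedelta(hours=1)):
        self.attempts, self.within, self.block_for = attempts, within, block_for
        self.failures = defaultdict(deque)   # mac -> timestamps of recent failures
        self.blocked_until = {}              # mac -> datetime when the deny period ends
    def process(self, ts, result, mac):
        """Return ALLOW, FAIL, DENY (lockout just started) or BLOCKED (inside lockout)."""
        until = self.blocked_until.get(mac)
        if until is not None:
            if ts < until:
                return "BLOCKED"             # rejected even with correct credentials
            del self.blocked_until[mac]      # deny period has expired
        if result == "AUTH_OK":
            self.failures.pop(mac, None)     # a success resets the failure window
            return "ALLOW"
        window = self.failures[mac]
        window.append(ts)
        while ts - window[0] > self.within:  # drop failures older than the window
            window.popleft()
        if len(window) >= self.attempts:
            self.blocked_until[mac] = ts + self.block_for
            window.clear()
            return "DENY"
        return "FAIL"

def run(log_text, policy=None):
    """Replay log lines through the policy; returns one verdict per parsed line."""
    policy = policy or FailureLockout()
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue                   # skip blank or unparsable lines
        ts = datetime.fromisoformat(m.group(1))
        verdicts.append(policy.process(ts, m.group(2), m.group(3)))
    return verdicts
```

Note that the 10:30 success from the locked-out endpoint is still rejected: the deny period is what stops the guessing, so the legitimate user is also shut out until it expires, which is why the period (and the threshold) is a tuning decision.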

Thanks Rob!

So on ISE there is no specific functionality for this? (Akin to anomalous client detection for 802.1X)

And thus no possibility of "quarantining" the offending host via a function of ISE?