Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5222
Views
2
Helpful
6
Replies

Brute-force attack (auto login)

Go to solution
lvanwaye
Cisco Employee
Cisco Employee

‎04-04-2016 12:12 AM

Hi,

How does ISE handle brute-force attacks ?

Cheers,

Lennert

1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎04-04-2016 07:07 AM

Lennert,

For repeated 802.1X failures, ISE features anomalous client detection where admin can deny access from the endpoint for predetermined period (Default 1 hour). There are settings on the NADs, that also addresses such behavior from the client devices. Cisco WLC has client exclusion policies and Cisco IOS switches can leverage 802.1X settings to rate-limit authentication requests. Also the identity database such as AD can be configured to disable accounts after X number of unsuccessful authentication attempts.

Hosuk

View solution in original post

6 Replies 6

Go to solution
howon
Cisco Employee
Cisco Employee

‎04-04-2016 07:07 AM

Lennert,

For repeated 802.1X failures, ISE features anomalous client detection where admin can deny access from the endpoint for predetermined period (Default 1 hour). There are settings on the NADs, that also addresses such behavior from the client devices. Cisco WLC has client exclusion policies and Cisco IOS switches can leverage 802.1X settings to rate-limit authentication requests. Also the identity database such as AD can be configured to disable accounts after X number of unsuccessful authentication attempts.

Hosuk

Go to solution
v_cheriyan@qp.com.qa
Level 1
Level 1
In response to howon

‎11-08-2016 02:30 AM - edited ‎08-08-2020 10:00 PM

 
0 Helpful

Go to solution
v_cheriyan@qp.com.qa
Level 1
Level 1
In response to v_cheriyan@qp.com.qa

‎11-09-2016 04:27 AM - edited ‎08-08-2020 09:57 PM

 
0 Helpful

Go to solution
axeleratorcisco
Level 1
Level 1
In response to howon

‎12-12-2022 08:55 AM

Is this feature also applicable to Device Administration via Tacacs+, with an AD joined domain which contains the accounts of the ISE administrators?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to axeleratorcisco

‎12-12-2022 09:23 AM

@axeleratorcisco for blocking brute force attacks against a switch/router for device administration, you can control this from the switch/router using the command "login block-for X attempts X within X".

0 Helpful

Go to solution
axeleratorcisco
Level 1
Level 1
In response to Rob Ingram

‎12-12-2022 11:38 PM

Thanks Rob!

So on ISE there is no specific functionality for this? (Akin to anomolous client detection for 802.1x)

And thus no possibility of "quarantaining" the offending host via a function of ISE?

 

0 Helpful
Customers Also Viewed These Support Documents