06-04-2014 11:51 PM - edited 03-10-2019 09:46 PM
Hi All,
We have an AD to authenticate for wireless users. In AD, we have specified to block the user if the password is entered wrongly for more than 3 times. The problem is some of them are using other user ID and locking the accounts. I have gotten the MAC address of the user. Can anyone please advise how to block the request from this MAC from even reaching the AD.
Thanks
06-06-2014 01:23 PM
You have two options from ISE and one option from the WLC:
The first option, which is not very scalable, is to modify your authentication policy to deny access to a specific MAC address (Radius:Calling-Station-ID). But this is not very scalable as you can only specify one MAC address.
Your second option is to enable the anomalous client suppression (under System -> Settings -> Protocols -> RADIUS). This will be your best option, but it would require a bit of testing to identify what the best values for your environment are.
From the controller you can enable the excessive 802.1x authentication failures. By default it won't even send the fourth authentication to ISE for a failing endpoint:
Here you will need to modify the exclusion timer to something high as the default is 60 sec.
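Added example, not from the thread or from Cisco: a small Python detector over constructed RADIUS failure records that flags a calling-station-id failing against several different usernames, the pattern the poster describes, so the offending MAC can be identified from logs before an exclusion or blacklist rule is applied. The log layout, field names and thresholds are assumptions, not an ISE export format.

```python
"""Flag a MAC (calling-station-id) that fails authentication with several
different usernames. Added example; log format and thresholds are assumed."""
from collections import defaultdict
import re

# Constructed sample records. Field names mimic RADIUS attributes, but the
# line layout is an assumption and not any real ISE log format.
SAMPLE_LOG = """\
2014-06-04 23:10:01 Passed-Authentication user=alice calling-station-id=AA:BB:CC:00:11:22
2014-06-04 23:10:05 Failed-Attempt user=george calling-station-id=DE:AD:BE:EF:00:01 reason=wrong password
2014-06-04 23:10:09 Failed-Attempt user=george calling-station-id=DE:AD:BE:EF:00:01 reason=wrong password
2014-06-04 23:10:14 Failed-Attempt user=maria calling-station-id=DE:AD:BE:EF:00:01 reason=wrong password
2014-06-04 23:10:20 Failed-Attempt user=tom calling-station-id=DE:AD:BE:EF:00:01 reason=wrong password
2014-06-04 23:11:02 Failed-Attempt user=bob calling-station-id=11:22:33:44:55:66 reason=wrong password
2014-06-04 23:11:30 Passed-Authentication user=bob calling-station-id=11:22:33:44:55:66
"""

LINE_RE = re.compile(r"Failed-Attempt user=(\S+) calling-station-id=(\S+)")


def failures_by_mac(log_text):
    """Map each calling-station-id to the usernames it failed with and
    its total failure count. Passed authentications are ignored."""
    stats = defaultdict(lambda: {"users": set(), "failures": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, mac = m.group(1), m.group(2).upper()
        stats[mac]["users"].add(user)
        stats[mac]["failures"] += 1
    return stats


def suspicious_macs(log_text, min_users=2, min_failures=3):
    """One MAC failing with several distinct usernames is the lockout pattern
    from the thread; a legitimate user mistyping one password is not.
    The thresholds are assumptions to tune per environment."""
    return sorted(
        mac for mac, s in failures_by_mac(log_text).items()
        if len(s["users"]) >= min_users and s["failures"] >= min_failures
    )


if __name__ == "__main__":
    print(suspicious_macs(SAMPLE_LOG))  # ['DE:AD:BE:EF:00:01']
```

The returned MAC is the value to place in the Calling-Station-ID condition of the authentication policy or in the Blacklisted endpoint group mentioned in the thread.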
06-05-2014 02:02 AM
In the endpoint identity, assign the MAC as blacklisted, from static assignment.
06-05-2014 02:21 AM
Hi
Thanks for the reply. But in ISE, it will check authentication first followed by authorization. So it is still sending a request to AD before authorization. Hence the account will be locked.
01-02-2020 04:00 PM
Profile the device as blacklist
1.2 Administration->Identity manager->Endpoint-(searchmac)->In network search Blacklisted
2.X Administration > Identity Management > Groups > Endpoint Identity Groups->Blacklisted-Edit->add
06-06-2014 10:24 AM
Hi,
Then, in the DHCP server you can filter this MAC address to block requests from reaching the AD.
06-06-2014 09:30 PM
Hi,
Though the first option is not scalable, I think it is the best bet I have got.
There are students using one another's accounts (e.g. say a friend's user name is George; they are using this as the user name and locking their friend's account).
So the second and third options will not be applicable to me.
Thanks