Re: ISE 2.6 Suppress Repeated Failed Clients user experience

mlaurencik · ‎12-01-2021

Hello,

As I did not find this anywhere, I'd like to ask a question about Cisco ISE feature "Suppress Repeated Failed Clients". We have a Guest environment, where we use standard CWA redirect. Recently we get some complains from users, that they are redirected to CWA successfully, but the Guest login page functionality is "disabled" for them. The page loads completely, but users are not able to enter username, password or click on user acceptance link, they cannot accept terms and condition. It looks like the page would be "broken". In the ISE logs there I see that user was suppressed because of too many faileISE, Identity Services Engine (ISE)d attempts. Once I delete user's MAC from ISE Endpoint DB and terminate the session and wait a while, the page works just fine, he is able to enter credentials and accept terms and condition and successfully authenticate to network. My questions is, how does it look like for guest user when ISE does suppress him? I'm wondering if suppression causes that the guest login page functionality is disabled

thanks.

mlaurencik · ‎12-01-2021

OK, so here's an update from our architect. The settings which controls this behavior should be the one located under Guest portal "Login page" setting and are called "Maximum Failed Login Attempts Before Rate Limiting" and "Time Between Login Attempts when Rate Limiting" . I believe these two values are the ones that cause what guest user experiences as "disabled login page functionality". Unfortunately in ISE documentation effect of these settings is described as "Cisco ISE starts to throttle that account". So does "throttle" in these terms means that guest user is actually not able to enter username and password on the guest login page?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ISE_26_admin_guide/b_ISE_admin_26_guest.html#concept_AF489AB90F8F4BE8A028CBD6A7B1EADD

thanks

Martin