11-19-2017 09:08 AM - edited 02-21-2020 10:39 AM
Hi
I'm using EAP-MSCHAPv2 to authenticate wireless clients against Active Directory when joining the corporate SSID.
When the clients accidentally type their username or password wrong 3 times, the whole AD account is locked out, meaning they can't even log onto a wired domain computer.
Is there any way of disabling this? I'm aware that ISE does nothing but proxy the credentials and results to AD, so the change is most likely to be on the AD server, but I haven't been able to find a solution.
11-20-2017 12:56 PM
Getting locked out has nothing to do with ISE. However, you would probably like to match AD against the ISE Suppression List. We are aware that there is also an Exclusion List on the WLC, so probably you need to match WLC-ISE-AD values.
11-20-2017 08:30 AM - edited 11-20-2017 08:39 AM
From the Active Directory perspective this would be configured with Group Policy. You would need to modify the default account lockout threshold. Have a look at this Technet article. Consider the consequences carefully before modifying these settings: if you disable AD user lockout, you could make brute force attacks much easier, etc.
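Before touching the lockout threshold, it helps to see what the current policy is and which caller is actually triggering the lockouts. The following PowerShell is an added example, not from this thread or from Cisco; it assumes the ActiveDirectory module (RSAT) and read access to the Security log on the PDC emulator, where 4740 (account locked out) events are recorded.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT)
# and rights to read the Security log on the PDC emulator, where 4740 events land.
Import-Module ActiveDirectory

# 1. Show the domain-wide lockout settings the post above refers to.
#    LockoutThreshold = 0 means lockout is disabled entirely (the risky setting).
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration

# 2. List accounts that are currently locked out and when they were locked.
Search-ADAccount -LockedOut |
    Get-ADUser -Properties AccountLockoutTime |
    Select-Object SamAccountName, AccountLockoutTime

# 3. Pull the last 24 hours of 4740 events from the PDC emulator and show which
#    caller locked each account. For EAP-MSCHAPv2 wireless logons the caller is
#    usually the RADIUS server (the ISE node's machine account), not the user's
#    workstation, which separates wireless mistypes from wired lockouts.
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-24)
Get-WinEvent -ComputerName $pdc `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $d['TargetUserName']
            # In 4740 the "Caller Computer Name" is stored in TargetDomainName.
            Caller = $d['TargetDomainName']
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

If most lockouts show the ISE node as the caller, tuning the ISE suppression or the WLC exclusion list is the safer fix than lowering the AD threshold.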
11-20-2017 11:57 PM
Thank you for the reply.
This looks really helpful. Wouldn't these changes to RADIUS, however, affect both wired and wireless clients, meaning that wired machines would also be suppressed?
11-21-2017 07:40 AM
Based on my understanding, yes.