ISE: AD Account Locked trying to authenticate on SSID

Hi

I'm using EAP-MSCHAPv2 to authenticate wireless clients against Active Directory when joining the corporate SSID.

When the clients accidentally type their username or password wrong 3 times the whole AD Account is locked out meaning they can't even log onto a wired domain computer.

Is there any way of disabling this? I'm aware that ISE does nothing but proxy the credentials and results to AD, so the change is most likely to be on the AD server, but I haven't been able to find a solution.

Best Regards
Nicolai Borchorst
CCIE Security #65775

4 Replies

agrissimanis (Level 1)

From the Active Directory perspective this would be configured with Group Policy. You would need to modify the default account lockout threshold. Have a look at this Technet article. Consider the consequences carefully before modifying these settings; if you disable AD user lockout, you could make brute-force attacks much easier, etc.
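
As an added example (not part of the thread above, and not Cisco or Microsoft documentation), the checks and the more conservative alternative a practitioner would usually want here: instead of raising or disabling the domain-wide lockout threshold, scope a looser lockout policy to the wireless user population with a Fine-Grained Password Policy, and when a lockout does happen, query each domain controller for the bad-password counters so the source can be correlated with the RADIUS live logs. It assumes the ActiveDirectory RSAT module, Domain Admin rights, a domain functional level that supports PSOs (2008 or later), and a hypothetical group `Wireless-Users` and user `jdoe`.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# RSAT module, Domain Admin rights, and a hypothetical group "Wireless-Users"
# and user "jdoe" (both names are placeholders for this example).
Import-Module ActiveDirectory

# 1. Show the lockout settings the Default Domain Policy currently enforces.
#    LockoutThreshold 0 would mean lockout is disabled domain-wide.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Rather than loosening lockout for everyone, create a Fine-Grained Password
#    Policy (PSO) that applies only to wireless users. Lockout stays enabled;
#    it just tolerates a few more typos per observation window. The remaining
#    password settings are copied from the domain policy so nothing else weakens.
$psoName = 'PSO-Wireless-Users'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 50 `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -ComplexityEnabled $policy.ComplexityEnabled `
        -MinPasswordLength $policy.MinPasswordLength `
        -PasswordHistoryCount $policy.PasswordHistoryCount `
        -MaxPasswordAge $policy.MaxPasswordAge `
        -MinPasswordAge $policy.MinPasswordAge `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Wireless-Users'
}

# 3. Verify which policy actually wins for a given user (lowest precedence wins
#    when several PSOs apply; the domain policy applies if none do).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, LockoutThreshold, LockoutObservationWindow

# 4. When a user reports a lockout, ask every DC for its bad-password counters.
#    badPwdCount and badPasswordTime are not replicated, so a single DC query
#    can miss the one that actually took the failed EAP-MSCHAPv2 attempts.
$user = 'jdoe'
foreach ($dc in (Get-ADDomainController -Filter *)) {
    Get-ADUser -Identity $user -Server $dc.HostName `
        -Properties badPwdCount, LastBadPasswordAttempt, LockedOut |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } },
                      badPwdCount, LastBadPasswordAttempt, LockedOut
}

# 5. List all currently locked accounts; unlock a specific one only after the
#    source of the failed attempts (a stale saved SSID password, for instance)
#    has been dealt with, otherwise it will simply lock again.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
# Unlock-ADAccount -Identity $user
```

The timestamps from step 4 are what you line up against the ISE RADIUS live logs (and the WLC client exclusion events) to confirm whether the wireless supplicant is the one burning through the threshold, before touching the lockout policy at all.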

ajc (Level 7), Accepted Solution

Getting locked out has nothing to do with ISE. However, you would probably like to match AD against the ISE Suppression List. Be aware that there is also an Exclusion List on the WLC, so you probably need to match the WLC-ISE-AD values.

[image: radius.png]

Thank you for the reply.

This looks really helpful. Wouldn't these changes to RADIUS, however, affect both wired and wireless clients, meaning that wired machines would also be suppressed?

Best Regards
Nicolai Borchorst
CCIE Security #65775

Based on my understanding, yes.