ISE CWA and username parsing, limiting number of login attempts

Toni Kivivuori
Level 1

Hi.

I have a case under test where guest authentication for wireless users is done with ISE and CWA. Authz policies are made so that they allow use of guest accounts (made at the sponsor portal) and AD accounts (with selected AD groups). All is fine and this works really nicely.

The problem is that the user can input anything into the username field. As this "whatever string" is also sent to the AD, it is possible to do things that should not happen, like locking accounts.

The question is: is it possible to do some checks on or rewrite the username before it's sent to AD? For example, send it to AD only if it begins with "guest-" and drop everything else. This would be easy to do after the initial CWA is passed via a simple authz policy. Is it possible to limit the number of login attempts?

Perhaps this should be done at the AD's end with NPS, using a policy which checks the username from the RADIUS query.

/Toni

2 Replies

Peter Koltl
Level 7

You can build a fine-tuned authentication policy with subconditions matching username regexps. Each subcondition can have its own identity source assigned.

Hi Peter

This is what I tried and it works as expected. I can direct users with a matching username to whatever identity source I want (like denying access for usernames matching "temp" by directing those authentications toward the internal user database -> authentication fails). In my case it is quite hard to tell guests and internal users apart by username, as user "jonny" can be a guest or an employee to ISE. The only difference is that "jonny the employee" can be found in AD. So to enable employees to use AD accounts on the guest portal, I need to use AD in the identity source sequence.

So the issue seems to be how to control the number of failed login attempts. There is an option in the portal login page settings (Maximum failed login attempts before rate limiting) which seems to get the job done.

The setup I run in my lab does block the user's login attempts with the above settings before the AD account gets locked. I just do not know how ISE does that, so I'm not sure if I did it right or if it is just pure luck :)

/Toni
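The two mitigations discussed in this thread, Peter's regex-based routing of usernames to identity sources and Toni's portal-side cap on failed attempts, can be modelled together. The following is an added example, not ISE code and not a description of how ISE implements either feature internally. It is a simplified portal model with constructed identity stores (`GUEST_STORE`, `AD_STORE`), assumed thresholds (`PORTAL_MAX_FAILURES`, `AD_LOCKOUT_THRESHOLD`) and a hypothetical `PortalAuth` class; the point it shows is that a username which fails validation never reaches AD at all, and that a portal threshold set below the AD lockout threshold stops a burst of bad passwords before AD locks the account.

```python
import re
from collections import defaultdict

# Constructed identity stores for the example (not real credentials or ISE data).
GUEST_STORE = {"guest-jonny": "Welcome1!"}   # sponsor-portal guest accounts
AD_STORE = {"jonny": "Corp#2024"}            # employee accounts held in AD

# Routing rules in the spirit of Peter's suggestion: the first regex that matches
# decides which identity sources are consulted, in order. Anything that matches
# no rule is rejected without touching any store.
ROUTING_RULES = [
    (re.compile(r"^guest-[a-z0-9]+$", re.IGNORECASE), ["guest"]),
    (re.compile(r"^temp", re.IGNORECASE), []),                 # "temp*" -> deny outright
    (re.compile(r"^[a-z][a-z0-9._-]{1,63}$", re.IGNORECASE), ["guest", "ad"]),
]

# Assumed thresholds: the portal limit must stay below the AD lockout limit so the
# portal rate-limits an attacker before AD locks the real employee account.
PORTAL_MAX_FAILURES = 3
AD_LOCKOUT_THRESHOLD = 5


class PortalAuth:
    """Toy CWA portal: validates/routes the username, then caps failed attempts."""

    def __init__(self):
        self.portal_failures = defaultdict(int)  # failed attempts seen by the portal
        self.ad_failures = defaultdict(int)      # failed binds AD would have counted
        self.ad_locked = set()                   # accounts AD has locked out
        self.ad_queries = 0                      # how often AD was actually contacted

    def route(self, username):
        """Return the identity sources to try for this username ([] = deny)."""
        for pattern, sources in ROUTING_RULES:
            if pattern.match(username):
                return sources
        return []

    def _check_guest(self, username, password):
        return GUEST_STORE.get(username) == password

    def _check_ad(self, username, password):
        """Model of an AD bind, including AD's own lockout counter."""
        self.ad_queries += 1
        if username in self.ad_locked:
            return False
        if AD_STORE.get(username) == password:
            self.ad_failures[username] = 0
            return True
        if username in AD_STORE:
            self.ad_failures[username] += 1
            if self.ad_failures[username] >= AD_LOCKOUT_THRESHOLD:
                self.ad_locked.add(username)
        return False

    def login(self, username, password):
        """Return 'ok', 'rejected', 'rate_limited' or 'failed'."""
        sources = self.route(username)
        if not sources:
            return "rejected"          # never reaches any identity store
        key = username.lower()
        if self.portal_failures[key] >= PORTAL_MAX_FAILURES:
            return "rate_limited"      # portal stops here; AD is not contacted
        for source in sources:
            ok = (self._check_guest(username, password) if source == "guest"
                  else self._check_ad(username, password))
            if ok:
                self.portal_failures[key] = 0
                return "ok"
        self.portal_failures[key] += 1
        return "failed"


if __name__ == "__main__":
    auth = PortalAuth()
    print(auth.login("guest-jonny", "Welcome1!"))   # ok, guest store only
    print(auth.login("jonny", "Corp#2024"))         # ok, via AD
    print(auth.login("temp-x", "anything"))         # rejected, AD never asked
    for _ in range(4):
        print(auth.login("jonny", "wrong"))          # failed x3, then rate_limited
    print("AD queries:", auth.ad_queries, "AD locked:", sorted(auth.ad_locked))
```

Running the block shows that after three bad passwords for "jonny" the fourth attempt is answered by the portal alone, so AD has seen only three failed binds and the account stays unlocked. Usernames such as "temp-x" or strings with characters outside the allowed pattern are rejected before any store is consulted, which is the filtering Toni asked about in the original question.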
