Solved: Re: ISE failed authentication attempts

Daniel Matos · ‎08-07-2019

Hi!!

We are trying to do a ISE option, were after a X number of failed login attempts the user is send to a specific vlan named "quarantine" vlan, is it possible to do this via the policy sets?

ISE is configured to authenticate users via AD.

Thanks for the help!

Mike.Cifelli · ‎08-07-2019

You have a couple of options. You could configure default ISE policies to push hosts/users to a restricted network. You could statically assign your interfaces on your NADs to authorize the attached host into a restricted network upon 8021x failure (authentication event fail action authorize vlan xx). If you are running IBNS you can create a template globally and assign to your interfaces that essentially would do that same thing as if you statically assigned ports. Some good stuff here: https://www.cisco.com/c/en/us/products/ios-nx-os-software/identity-based-networking-services/white-paper-listing.html

Good luck & HTH!

View solution in original post

Mike.Cifelli · ‎08-07-2019

You have a couple of options. You could configure default ISE policies to push hosts/users to a restricted network. You could statically assign your interfaces on your NADs to authorize the attached host into a restricted network upon 8021x failure (authentication event fail action authorize vlan xx). If you are running IBNS you can create a template globally and assign to your interfaces that essentially would do that same thing as if you statically assigned ports. Some good stuff here: https://www.cisco.com/c/en/us/products/ios-nx-os-software/identity-based-networking-services/white-paper-listing.html

Good luck & HTH!