03-21-2018 09:44 AM
The customer I am working for is interested in the use cases below. They are currently using dot1x for employees, wired and wireless.
1. When a dot1x wired user's login attempts fail three times, that user will be blocked for 30 minutes and then they can attempt again.
2. When a wireless user's login attempts fail five times, they are blocked permanently and the administrator has to reauthorize.
I want to know how to implement these use cases and also what license level they should be on for these two features.
Thank you
Stalin
03-21-2018 10:07 AM
AFAIK, there are no options today to block a user for repeated authentication failures involving wrong credentials.
The following are the options today to handle RADIUS failures, however.
Rejected endpoints get ACCESS-REJECT from ISE for the reject interval. The response from ISE cannot be customized and thereby portal notification cannot be provided today.
The rejected endpoints appear in the ISE dashboard and can be cleared before the reject interval by the administrator. More details here: Endpoints "Release Rejected" Button
thanks,
~Hari
03-21-2018 10:10 AM
Please look at the presentation BRKSEC-3699 for performance and scale; it has many slides showing how we do client suppression automatically.
https://communities.cisco.com/docs/DOC-63882#jive_content_id_2017_Cisco_Live_Las_Vegas
03-21-2018 01:05 PM
Hello,
Thank you for your response.
If I understand your response correctly, suppression means notification suppression, am I correct? If yes,
what the client wants is: if the user's login attempts fail three times, they should be locked from using any network services for 30 mins and unlocked after 30 mins. How do I do this?
03-22-2018 04:44 AM
No, there are two types of suppression. There is the notification, i.e. the log entry, and then there is the reject. The screenshot posted has the reject setting set for 5 times, and then you are rejected for the next 60 minutes. If you fail 5 times, then for the next 60 minutes, no matter what you do from that MAC address, you will get a RADIUS reject from ISE. The reject message won't show up in the logs. ISE will just send a reject.
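To make the reject behaviour described in the reply above concrete, here is an added example (not from the original thread and not ISE code) that models a per-MAC failure counter with a silent reject window. The threshold of 5 failures, the 60-minute window, the assumption that a successful authentication resets the counter, and the log format are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RejectSuppressor:
    """Model of per-MAC reject suppression (constructed for illustration).

    Assumed semantics: failed authentications from one MAC are counted;
    once the count reaches max_failures, every request from that MAC is
    answered with a RADIUS reject for reject_minutes, and those rejects
    are not logged. A success before the threshold resets the counter.
    """
    max_failures: int = 5
    reject_minutes: int = 60
    failures: Dict[str, int] = field(default_factory=dict)
    rejected_until: Dict[str, float] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def handle(self, mac: str, credentials_ok: bool, now: float) -> str:
        """Return "accept" or "reject" for a request at time `now` (minutes)."""
        until = self.rejected_until.get(mac)
        if until is not None:
            if now < until:
                return "reject"  # inside the window: silent reject, no log
            # window expired: clear state and evaluate normally again
            del self.rejected_until[mac]
            self.failures.pop(mac, None)
        if credentials_ok:
            self.failures.pop(mac, None)  # assumption: success resets count
            self.log.append(f"{now:.0f} {mac} accept")
            return "accept"
        count = self.failures.get(mac, 0) + 1
        self.failures[mac] = count
        self.log.append(f"{now:.0f} {mac} reject (failure {count})")
        if count >= self.max_failures:
            self.rejected_until[mac] = now + self.reject_minutes
        return "reject"


if __name__ == "__main__":
    s = RejectSuppressor()
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    for t in range(5):
        s.handle(mac, False, t)
    print(s.handle(mac, True, 10))   # reject: window still active
    print(s.handle(mac, True, 65))   # accept: window has expired
    print("\n".join(s.log))
```

Note that the window is keyed on the MAC, not the user identity, which is why the customer's per-user lockout in the original question does not map onto this setting directly.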
03-22-2018 05:04 AM
OK, thank you. Will try it in the lab today.