
ISE Unsuccessful login attempts Use Cases

sb12
Cisco Employee

The customer I am working for is interested in the use cases below. They are currently using dot1x for employees, wired and wireless.

1. When a dot1x wired user login attempts fail three times, that user will be blocked for 30 minutes and then they can attempt again.

2. When wireless user login attempts fail five times, they are blocked permanently and the administrator has to reauthorize.

I want to know how to implement these use cases and also what license level they should be at for these two features.

Thank you

Stalin

5 Replies

hariholla
Cisco Employee

AFAIK, there are no options today to block a user for repeated authentication failures involving wrong credentials.

The following are the options today to handle RADIUS failures, however.

[Screenshot: Screen Shot 2018-03-21 at 10.02.29 AM.png]

Rejected endpoints get an ACCESS-REJECT from ISE for the reject interval. The response from ISE cannot be customized, and thereby a portal notification cannot be provided today.

The rejected endpoints appear in the ISE dashboard and can be cleared before the reject interval by the administrator. More details here: Endpoints "Release Rejected" Button

thanks,

~Hari

Please look at the presentation BRKSEC-3699 for performance and scale; it has many slides showing how we do client suppression automatically.

https://communities.cisco.com/docs/DOC-63882#jive_content_id_2017_Cisco_Live_Las_Vegas

Hello,

Thank you for your response.

If I understand your response correctly, suppression means notification suppression, am I correct? If yes,

what the client wants is: if the user's login attempts fail three times, they should be locked out from using any network services for 30 mins and unlocked after 30 mins. How do I do this?

No, there are two types of suppression. There is the notification, i.e. the log entry, and then there is the reject. The screenshot posted has the reject setting set for 5 times, and then you are rejected for the next 60 minutes. If you fail 5 times, then for the next 60 minutes, no matter what you do from that MAC address, you will get a RADIUS reject from ISE. The reject message won't show up in the logs. ISE will just send a reject.
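
To make the behaviour described in this reply concrete, here is an added Python model of the reject-suppression logic (not ISE code and not from any poster): failures are counted per MAC address, the 5-failure / 60-minute values from the screenshot are used, requests inside the reject interval get a silent reject with no log entry, and an admin "release" clears the endpoint early. The time model (integer minutes) and resetting the counter on a successful authentication are assumptions made for the demo.

```python
from dataclasses import dataclass, field

# Assumed settings, mirroring the screenshot values quoted in the thread:
# reject after 5 failures, then reject everything from that MAC for 60 minutes.
FAILURE_THRESHOLD = 5
REJECT_INTERVAL_MIN = 60

@dataclass
class RejectTracker:
    """Simplified model of per-endpoint (MAC) reject suppression; not ISE code."""
    threshold: int = FAILURE_THRESHOLD
    interval_min: int = REJECT_INTERVAL_MIN
    failures: dict = field(default_factory=dict)        # mac -> consecutive failures
    rejected_until: dict = field(default_factory=dict)  # mac -> minute window ends
    log: list = field(default_factory=list)             # what an admin sees in the logs
    def handle(self, mac: str, user: str, creds_ok: bool, now_min: int) -> str:
        """Return the RADIUS decision for one request arriving at minute now_min."""
        until = self.rejected_until.get(mac)
        if until is not None:
            if now_min < until:
                # Inside the reject interval: silent ACCESS-REJECT, no log entry,
                # regardless of username or whether the password is now correct.
                return "REJECT (suppressed)"
            # Interval expired: the endpoint may authenticate again.
            del self.rejected_until[mac]
            self.failures[mac] = 0
        if creds_ok:
            self.failures[mac] = 0  # assumption: success resets the counter
            self.log.append((now_min, mac, user, "ACCESS-ACCEPT"))
            return "ACCEPT"
        self.failures[mac] = self.failures.get(mac, 0) + 1
        self.log.append((now_min, mac, user, "ACCESS-REJECT"))
        if self.failures[mac] >= self.threshold:
            self.rejected_until[mac] = now_min + self.interval_min
        return "REJECT"
    def release(self, mac: str) -> None:
        """Admin clears the endpoint before the interval ends ('Release Rejected')."""
        self.rejected_until.pop(mac, None)
        self.failures[mac] = 0

def demo() -> dict:
    t = RejectTracker()  # constructed sample traffic: one user, two endpoints
    bad = [t.handle("aa:bb:cc:00:00:01", "alice", False, m) for m in range(5)]
    # Sixth try from the same MAC with the right password is still rejected...
    same_mac = t.handle("aa:bb:cc:00:00:01", "alice", True, 6)
    # ...but the same user from another MAC is unaffected: tracking is per endpoint,
    # which is why this does not implement a per-user lockout.
    other_mac = t.handle("aa:bb:cc:00:00:02", "alice", True, 6)
    after = t.handle("aa:bb:cc:00:00:01", "alice", True, 66)
    return {"bad": bad, "same_mac": same_mac, "other_mac": other_mac, "after": after, "logged": len(t.log)}
```

Running `demo()` shows five logged rejects, one unlogged suppressed reject, and acceptance again once the window passes.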

sb12
Cisco Employee

OK, thank you. Will try it in the lab today.