cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
440
Views
0
Helpful
2
Replies

Limits on AD Client Authz attempts

gaowen
Level 1
Level 1

Hi all, I have a customer who uses dual SSID BYOD, the open SSID using AD creds for auth. The issue they have is that 5 x wrong password = account lockout. They are concerned that a malicious actor would be able to exploit this and they would like to have an Authz rule which prevents any more requests being sent to the DC after say 2 or 3 failures. Has anyone seen anything like this before and able to help?


Thanks, Gareth

2 Replies 2

kthiruve
Cisco Employee
Cisco Employee

If you are using AD creds then the password policies should be controlled in AD environment.

Authorization happens after authentication so even say for eg: if we have a rule in ISE to prevent this, it will not affect authentication since your concern is multiple auth failures hitting DC.

ISE does’t have rules to control the behavior of AD.

However we do have rules for Network access user such as password policy and account lockout if you have a local user that you can take advantage of.

-krishnan

One option is to use Client Exclusions on access device.  For example, if the endpoint fails auth X number of times in an interval, the endpoint is prevented from attempting auth again for specified period.  You can try setting the exclusion time to a value > than the AD lockout interval.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: