Limits on AD Client Authz attempts

gaowen
Level 1

Hi all, I have a customer who uses dual SSID BYOD, with the open SSID using AD creds for auth. The issue they have is that 5 x wrong password = account lockout. They are concerned that a malicious actor would be able to exploit this, and they would like to have an Authz rule which prevents any more requests from being sent to the DC after, say, 2 or 3 failures. Has anyone seen anything like this before and been able to help?


Thanks, Gareth

2 Replies

kthiruve
Cisco Employee

If you are using AD creds, then the password policies should be controlled in the AD environment.

Authorization happens after authentication, so even if, for example, we had a rule in ISE to prevent this, it would not affect authentication, since your concern is multiple auth failures hitting the DC.

ISE doesn't have rules to control the behavior of AD.

However, we do have rules for network access users, such as password policy and account lockout, that you can take advantage of if you have a local user.

-krishnan

One option is to use Client Exclusions on the access device. For example, if the endpoint fails auth X number of times in an interval, the endpoint is prevented from attempting auth again for a specified period. You can try setting the exclusion time to a value greater than the AD lockout interval.
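The interaction between per-endpoint client exclusion and the AD lockout counter described in the reply above, modelled as an added example (not from this thread or any Cisco product). The auth events are constructed, the exclusion thresholds are assumed values, and `ad_window` stands in for AD's "reset account lockout counter after" setting; only the lockout threshold of 5 comes from the question.

```python
from collections import defaultdict, deque

# Constructed sample auth events: (seconds since start, client MAC, AD account, result).
# One endpoint fails five times against one account; a second endpoint mistypes once.
EVENTS = [(t, "aa:bb:cc:00:00:01", "jdoe", "FAIL") for t in (0, 5, 10, 15, 20)] + [
    (40, "aa:bb:cc:00:00:02", "jdoe", "FAIL"),
    (45, "aa:bb:cc:00:00:02", "jdoe", "OK"),
]

def apply_client_exclusion(events, max_failures=3, interval=60, exclusion=3600):
    """Model client exclusion on the access device: after max_failures failed
    auths from one MAC within `interval` seconds, that MAC is excluded for
    `exclusion` seconds and its requests never reach RADIUS/AD.
    Thresholds are assumed values, picked so max_failures < AD's lockout of 5.
    Returns (forwarded, dropped) event lists."""
    recent = defaultdict(deque)  # MAC -> timestamps of failures inside the interval
    excluded_until = {}          # MAC -> time the exclusion expires
    forwarded, dropped = [], []
    for event in events:
        t, mac, _user, result = event
        if excluded_until.get(mac, -1) > t:
            dropped.append(event)
            continue
        forwarded.append(event)
        if result == "FAIL":
            window = recent[mac]
            window.append(t)
            while t - window[0] > interval:  # drop failures older than the interval
                window.popleft()
            if len(window) >= max_failures:
                excluded_until[mac] = t + exclusion
                window.clear()
    return forwarded, dropped

def ad_lockout_triggered(forwarded, ad_threshold=5, ad_window=1800):
    """True if any account sees ad_threshold failures at the DC within ad_window
    seconds. ad_window stands in for AD's 'reset account lockout counter after'
    setting (assumed 30 min); the threshold of 5 is the one the question gives."""
    fails = defaultdict(list)
    for t, _mac, user, result in forwarded:
        if result == "FAIL":
            fails[user].append(t)
    for times in fails.values():
        for i in range(ad_threshold - 1, len(times)):
            if times[i] - times[i - ad_threshold + 1] <= ad_window:
                return True
    return False
```

Because exclusion is tracked per endpoint while AD counts failures per account, the DC-side count sums failures from every endpoint targeting that account, which is why the exclusion threshold has to sit well below 5 rather than just at 4.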