Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2143
Views
0
Helpful
9
Replies

Prevent Active Directory account lockout in Cisco ISE

fira
Level 1
Level 1

‎05-20-2024 06:04 AM

Hello, community!

I am using Enable Failed Authentication Protection for radius ravpn in ISE to prevent Active Directory User Lockout. The maximum password less than the maximum bad password attempts configured as the value of the badPwdCount attribute in the Active Directory and for Authentication Policy use the specific Active Directory join point (not scope mode) but it doesn't work correctly.  User gets locked out even when the lockout prevention for Active Directory is enabled. 
I cannot understand what the reason could be. What needs to be configured or checked for a solution?

0 Helpful
9 Replies 9

ahollifield
VIP
VIP

‎05-20-2024 10:59 AM

Use certificate or SAML auth instead.  How are you enabling MFA on your RAVPN solution?

0 Helpful

fira
Level 1
Level 1
In response to ahollifield

‎05-20-2024 08:33 PM

Thanks for answer, ahollifield

I found the reason in nas-port-type radius attribute but I could not find information how can override this attribute using cisco asa or maybe cisco ISE? 
0 Helpful

ahollifield
VIP
VIP
In response to fira

‎05-20-2024 11:08 PM

The reason? Override what?
0 Helpful

fira
Level 1
Level 1
In response to ahollifield

‎05-20-2024 11:24 PM

The reason why Prevent Active Directory account lockout didn't work. Currently NAS-Port-Type value in access-request from cisco asa = virtual and Prevent Active Directory account lockout feature in ISE doesn't work with NAS-Port-Type=virtual so i have question is it possible to override value NAS-Port-Type attribute using asa or maybe cisco ISE?

0 Helpful

ahollifield
VIP
VIP
In response to fira

‎05-21-2024 12:06 AM

Now I am following, still though the real fix here is to use certificate or SAML. What is the use/case for simple username/password? How are you performing MFA?
0 Helpful

fira
Level 1
Level 1
In response to ahollifield

‎05-21-2024 02:04 AM

"What is the use/case for simple username/password?" - what does it mean
MFA is used
Prevent Active Directory account lockout is good solution which does not affect users

0 Helpful

ahollifield
VIP
VIP
In response to fira

‎05-21-2024 03:07 AM

How exactly is MFA implemented? Do you have something in between ISE and AD? Do some other way directly on the firewall?
0 Helpful

fira
Level 1
Level 1
In response to ahollifield

‎05-21-2024 06:13 AM

AD(first) + OTP scheme

0 Helpful

Da ICS16
Level 1
Level 1
In response to ahollifield

‎05-08-2025 11:53 PM

Hello @ahollifield 

You mean to implementation certificate-based as first authentication on FTD and set expired date? Even external user / non-domain devices  try to use this certificate but cannot promised and failed authentication stage? And not lead to be AD account locked out even attacker known AD user? thanks.

0 Helpful
Customers Also Viewed These Support Documents