Re: Prevent Active Directory account lockout in Cisco ISE

fira · ‎05-20-2024

Hello, community!

I am using Enable Failed Authentication Protection for radius ravpn in ISE to prevent Active Directory User Lockout. The maximum password less than the maximum bad password attempts configured as the value of the badPwdCount attribute in the Active Directory and for Authentication Policy use the specific Active Directory join point (not scope mode) but it doesn't work correctly. User gets locked out even when the lockout prevention for Active Directory is enabled.
I cannot understand what the reason could be. What needs to be configured or checked for a solution?

ahollifield · ‎05-20-2024

Use certificate or SAML auth instead. How are you enabling MFA on your RAVPN solution?

fira · ‎05-20-2024

Thanks for answer, ahollifield

I found the reason in nas-port-type radius attribute but I could not find information how can override this attribute using cisco asa or maybe cisco ISE?

ahollifield · ‎05-20-2024

The reason? Override what?

fira · ‎05-20-2024

The reason why Prevent Active Directory account lockout didn't work. Currently NAS-Port-Type value in access-request from cisco asa = virtual and Prevent Active Directory account lockout feature in ISE doesn't work with NAS-Port-Type=virtual so i have question is it possible to override value NAS-Port-Type attribute using asa or maybe cisco ISE?

ahollifield · ‎05-21-2024

Now I am following, still though the real fix here is to use certificate or SAML. What is the use/case for simple username/password? How are you performing MFA?

fira · ‎05-21-2024

"What is the use/case for simple username/password?" - what does it mean
MFA is used
Prevent Active Directory account lockout is good solution which does not affect users

ahollifield · ‎05-21-2024

How exactly is MFA implemented? Do you have something in between ISE and AD? Do some other way directly on the firewall?

fira · ‎05-21-2024

AD(first) + OTP scheme