cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
910
Views
0
Helpful
8
Replies

Prevent Active Directory account lockout in Cisco ISE

fira
Level 1
Level 1

Hello, community!

I am using Enable Failed Authentication Protection for radius ravpn in ISE to prevent Active Directory User Lockout. The maximum password less than the maximum bad password attempts configured as the value of the badPwdCount attribute in the Active Directory and for Authentication Policy use the specific Active Directory join point (not scope mode) but it doesn't work correctly.  User gets locked out even when the lockout prevention for Active Directory is enabled. 
I cannot understand what the reason could be. What needs to be configured or checked for a solution?

8 Replies 8

Use certificate or SAML auth instead.  How are you enabling MFA on your RAVPN solution?

Thanks for answer, ahollifield

I found the reason in nas-port-type radius attribute but I could not find information how can override this attribute using cisco asa or maybe cisco ISE? 

The reason? Override what?

The reason why Prevent Active Directory account lockout didn't work. Currently NAS-Port-Type value in access-request from cisco asa = virtual and Prevent Active Directory account lockout feature in ISE doesn't work with NAS-Port-Type=virtual so i have question is it possible to override value NAS-Port-Type attribute using asa or maybe cisco ISE?

Now I am following, still though the real fix here is to use certificate or SAML. What is the use/case for simple username/password? How are you performing MFA?

"What is the use/case for simple username/password?" - what does it mean
MFA is used
Prevent Active Directory account lockout is good solution which does not affect users

How exactly is MFA implemented? Do you have something in between ISE and AD? Do some other way directly on the firewall?

AD(first) + OTP scheme