Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
15514
Views
5
Helpful
9
Replies

Prevent AD account being locked out by failed authentications

Go to solution
pgerstenberger
Level 1
Level 1

‎10-18-2018 12:18 AM

Hello Community,

 

I got a little question regarding prevention of AD accounts being locked out by failed authentications. When a user changes his password for the AD account they forget to change it on their mobile devices and get locked out after 5 failed attempts. Is there any solution to prevent user locked out caused by failed RADIUS attempts. Something like this on Aruba Clear Pass?

 

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-prevent-AD-account-being-Locked-out-by-5-failed/ta-p/234571 

 

Thanks,

Philipp

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP
In response to hslai

‎10-22-2018 03:29 PM

LDAP is your solution.  We even used that back in the ACS days.  It's brilliant and will of course integrate to your existing AD controllers out of the box (TCP/389).  We have systems that misbehave and then repeatedly use the wrong password against an active user account.  If we had used AD then the account would have been locked out.  With LDAP, this account is not locked out.  We can trawl the logs and then find the offending system and sort it out.  In our case it was 3G/LTE modems that misbehave and cache old password.  It's not a user error.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
anthonylofreso
Level 4
Level 4

‎10-18-2018 04:57 AM

I actually had this same question, and a Cisco employee worked with me to come up with the following solution:

Failed Login Attempts

On the ISE portal there is a mechanism that prevents user from logging into the guest portal too many times with incorrect username and/or password which counts as a failed guest authentication as viewed from the ISE GUI: Operations > Radius > Live Logs or from ISE GUI: Operations > Reports > Endpoints and Users > Radius Authentication [report].  

 

The default behavior is after 5 failed guest authentication attempts the guest portal on ISE will not allow anyone to login for a duration of 2 minutes.  Testing shows the “sign on” button becomes disabled; thus account is not actually being locked.  This feature should apply to either Sponsored Guest Portal or Self-Registered Guest Portal but not in Hotspot Portal.  

 

This feature is configurable in the Guest Portal itself, from ISE GUI: Work Centers > Guest Access: Portals & Components > Guest Portals {select guest portal that uses credentials} > Edit > section: Login Page Settings, as shown below:login ise.jpg

 

 

Recommend the value specified as “maximum failed login attempts before rate limiting” should be less than the lockout period in Active Directory and “time between login attempts when rate limiting” to be the same or exceed the duration period in Active Directory, for best results.   That way if failed authentication happens too many times on ISE Portal then after rate limit period expires and another round of failed guest authentication won’t lock user account in Active Directory on multiple round of failed guest authentication attempts.

 

Reference: Cisco Identity Services Engine Administrator Guide, Release 2.2 > Chapter: Guest Access User Interface Reference > Login Page Settings for Credentialed Guest Portals

Go to solution
Arne Bier
VIP
VIP
In response to anthonylofreso

‎10-18-2018 05:36 AM

You could try using LDAP instead of an AD Join Point.  If you use LDAP to authenticate against your AD domains, then you won't incur this account lockout issue.  LDAP is pretty cool because you can do everything that the AD Join Point does, without all this overhead that comes with AD Join Points. 

The biggest trick I find with LDAP is that you need to understand the schema mapping between ISE and your AD schema - most AD admins will help you with that.  There is also the sysinternals AD Explorer that helped me  a lot.

 

LDAP is really "Lightweight" - it's great!

0 Helpful

Go to solution
pgerstenberger
Level 1
Level 1
In response to anthonylofreso

‎10-18-2018 07:37 AM - edited ‎10-18-2018 07:40 AM

Hi Anthonylofreso ,

thanks for the fast reply. Unfortunately we don´t use the Guest Portal on ISE for this authentication. Were just checking if the credential are correct and grand then access to the wifi (ISE is only RADIUS Server for the wifi located on aruba). But is it possible to check if the password is correct using LDAP instead of AD?

Cheers,
Philipp

0 Helpful

Go to solution
scamarda
Cisco Employee
Cisco Employee

‎10-18-2018 09:32 AM

Have not tried this but could you not have a condition which looks at the Bad Password Count and set the value to one lower than the max amount.  When it matches that condition the user could be redirected to a portal page that gives the user a warning about password lockout and to wait x amount of minutes.  I believe the you can control the bad password count timer and the portal page will continue to display until the timer in AD/LDAP has reset.  

 

Not the ISE or AD expert just offering some thoughts.

 

Sam

 

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎10-22-2018 03:09 PM

That is not exactly a good solution. If allowing users to use password-based .1X authentications on wireless., esp. on mobile endpoints, it would be better off by disabling the AD account lockout policy altogether.

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to hslai

‎10-22-2018 03:29 PM

LDAP is your solution.  We even used that back in the ACS days.  It's brilliant and will of course integrate to your existing AD controllers out of the box (TCP/389).  We have systems that misbehave and then repeatedly use the wrong password against an active user account.  If we had used AD then the account would have been locked out.  With LDAP, this account is not locked out.  We can trawl the logs and then find the offending system and sort it out.  In our case it was 3G/LTE modems that misbehave and cache old password.  It's not a user error.

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to Arne Bier

‎11-02-2018 09:20 AM - edited ‎11-02-2018 09:24 AM

LDAP doesn't support all the authentication methods that are available to AD, so it depends on how they authenticate their supplicants.  

 

However if LDAP is a good pick for them then according to the ISE performance and scaling guides it allows for more authentications per second for supported authentication methods, so that's a plus.

0 Helpful

Go to solution
fira
Level 1
Level 1
In response to Arne Bier

‎05-23-2024 01:27 AM

Hi, Arne
I integrated ise with ldap but the account is still blocked after wrong password attemps. What else needs to be configured so that accounts are not blocked? 

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to fira

‎05-23-2024 02:19 PM

Hey @fira - the thread I replied to is from 2018 and a lot has probably changed since then. I have not worked much with LDAP since then. It certainly the behaviour then - perhaps with newer Windows Server platforms, Microsoft may have changed the behaviour. What version of Server are you using?

0 Helpful
Customers Also Viewed These Support Documents