Prevent ISE from sending authentication to AD if BadPwdCount = <value>

scott.stapleton
Level 1

I'd like to configure ISE so that if the AD attribute badPwdCount is equal to or less than a particular value, ISE won't send any additional authentication attempts, in order to prevent ISE from locking out the AD account. This is for CWA that is hooked into AD. Yes, it's a bad idea to use a CP with an AD back-end but alas, that is the task I have at hand!

 

As far as I know and can see, ISE only supports AD attribute use with the AuthZ policy, not AuthN, and therefore this capability is NOT supported by ISE, but perhaps I am missing something. Can anyone confirm definitively?

Accepted Solution

Timothy Abbott
Cisco Employee

AD attributes are only available for use in authorization policy.  ISE will still query AD if the authentication request comes in regardless of the attribute.

 

Regards,

-Tim


5 Replies


Cheers - that's in line with documentation and my testing.

howon
Cisco Employee

If using CWA there is better option. We have authentication rate limiting directly on the portal page that you can use. This isn't utilizing AuthZ policy:

(attached screenshot: image001.png)

Cheers. Unfortunately this is a much worse option. I've already tested this option, but as ISE doesn't know the BadPwdCount in AD, in many cases the AD account will be locked out. For example, if BadPwdCount is already at 2 because it was tripped by some other application that hooks into AD, or by a standard Windows login where the user makes a typo twice (and the AD policy is 3 failed logins), ISE will still send the request, not knowing AD is at 2, and lock it out.

Not sure what you expect from us though? Sounds like a feature request? Or change the value to 10?
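As an added illustration of the lockout interplay discussed in this thread (a constructed example, not Cisco ISE code and not posted by anyone above): a small Python model of an AD account with badPwdCount and a domain lockoutThreshold, a CWA-style portal that only applies its own per-session attempt limit, and the badPwdCount pre-check that the original poster wanted ISE to perform before forwarding a password. The names ADAccount and portal_login, and all the numbers, are assumptions made for the example. It also shows the trade-off of such a pre-check: an attribute-based gate refuses the correct password too, so the user stays blocked until the observation window resets the count or an admin unlocks the account.

```python
"""Constructed model of AD account lockout behind a captive portal.

Not Cisco ISE code: ADAccount and portal_login are hypothetical names
chosen for this example. In real AD, badPwdCount is not replicated
between domain controllers, so a pre-check like the one below would
have to consult the PDC emulator to see the authoritative count.
"""
from dataclasses import dataclass


@dataclass
class ADAccount:
    """Minimal stand-in for the AD attributes that matter here."""
    password: str
    lockout_threshold: int      # domain lockoutThreshold; 0 means never lock out
    bad_pwd_count: int = 0      # badPwdCount as already tripped by other logins
    locked_out: bool = False

    def authenticate(self, candidate: str) -> bool:
        """Mimic a DC: a wrong password bumps badPwdCount, a correct one resets it."""
        if self.locked_out:
            return False
        if candidate == self.password:
            self.bad_pwd_count = 0
            return True
        self.bad_pwd_count += 1
        if self.lockout_threshold and self.bad_pwd_count >= self.lockout_threshold:
            self.locked_out = True
        return False


def portal_login(account: ADAccount, attempts: list[str], portal_limit: int,
                 guard: bool = False) -> dict:
    """Simulate one CWA session submitting `attempts` passwords in order.

    portal_limit: the portal's own per-session rate limit (what the portal
                  setting in the thread controls); it knows nothing about AD.
    guard:        if True, refuse to forward to AD once one more failure would
                  lock the account (the badPwdCount check ISE cannot do today).
    """
    forwarded = refused = 0
    for i, pw in enumerate(attempts):
        if i >= portal_limit:
            break  # portal rate limit ends the session
        one_short = (account.lockout_threshold
                     and account.bad_pwd_count >= account.lockout_threshold - 1)
        if guard and one_short:
            refused += 1     # do not send anything to AD, even a correct password
            continue
        forwarded += 1
        account.authenticate(pw)
    return {"forwarded": forwarded, "refused": refused,
            "bad_pwd_count": account.bad_pwd_count,
            "locked_out": account.locked_out}


def scenarios() -> dict:
    """The cases from the thread, with constructed values (threshold 3, count already 2)."""
    out = {}
    # Portal limit alone: AD is already at 2, one typo on the portal locks the account.
    out["portal_limit_only"] = portal_login(
        ADAccount("s3cret", 3, bad_pwd_count=2), ["wrong"], portal_limit=5)
    # Same session with the badPwdCount guard: nothing is forwarded, no lockout.
    out["with_guard"] = portal_login(
        ADAccount("s3cret", 3, bad_pwd_count=2), ["wrong"], portal_limit=5, guard=True)
    # The guard's cost: the correct password is refused as well.
    out["guard_blocks_correct"] = portal_login(
        ADAccount("s3cret", 3, bad_pwd_count=2), ["s3cret"], portal_limit=5, guard=True)
    # Raising the domain threshold to 10 only helps while count + portal limit stays below it.
    out["threshold_10"] = portal_login(
        ADAccount("s3cret", 10, bad_pwd_count=2), ["wrong"] * 12, portal_limit=5)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} {result}")
```

The portal-only case locks the account on the first forwarded failure; the guarded case forwards nothing, but note that it also refuses the right password, which is why a pre-check on badPwdCount is a blunt instrument even where the platform supports it.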