Hello!
We're using BYOD via CWA (set up on ISE) in our wireless network so that users can self-register and issue/download a certificate profile. The normal scenario looks like this: the user connects to an SSID, gets a redirect to the guest web portal, enters his domain credentials and then follows the BYOD flow; in the end he gets his certificate profile and installs it on his phone. Since our domain controller has a policy of blocking an account after 5 consecutive wrong password attempts, we set up the CWA portal to 3 attempts until rate limiting.
And it works totally fine while the user is using the same session. But apparently there is a way to bypass that limitation: after 1-2 login attempts a user can reopen the browser, get a redirect to the login page again, try logging in another 2 times, and so on. We've tried it, and after the 5th attempt the testing account was blocked.
We haven't really seen anyone doing it, but there is a possibility of cases like that, or some attackers who would try to block some employees' domain accounts.
So, I'm trying to find a way to suppress/block users who try to log in via the guest portal using a wrong password. We're using ISE 2.7; maybe newer versions of ISE have the settings we need.
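The gap described in the question is a counter-scope mismatch: the portal counts failures per browser session, while Active Directory counts them per account, so reopening the browser resets the portal counter but not the AD one. As an added illustration (not part of the question, and not Cisco ISE code or its log format), the script below reads portal logon results from syslog-style lines in a constructed format, shows that a per-session counter never trips, and then counts failures per account across sessions in a sliding window so an account can be held at the portal before it reaches the domain controller's 5-attempt lockout. The line format, the 30-minute window and the field names are assumptions for the example; a real deployment would map ISE's passed/failed authentication syslog fields into `parse_line()`.

```python
"""
Added example: per-account (cross-session) tracking of failed guest-portal
logons, contrasted with the per-session counter that the bypass defeats.

Log line format is CONSTRUCTED for this example, not ISE's real syslog:
    <ISO timestamp> session=<portal session id> user=<account> result=<FAIL|OK>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|OK)$"
)

# Domain controller policy from the question; the portal limit must stay below it.
AD_LOCKOUT_THRESHOLD = 5
PORTAL_BLOCK_THRESHOLD = 3
# Assumed observation window for counting failures (not taken from the question).
DEFAULT_WINDOW = timedelta(minutes=30)

# Constructed sample: jdoe fails twice, reopens the browser (new session s2)
# and fails twice more; asmith fails once and then logs in successfully;
# jdoe fails once more much later, outside the window.
SAMPLE_LOG = """\
2024-05-01T09:00:00 session=s1 user=jdoe result=FAIL
2024-05-01T09:00:20 session=s1 user=jdoe result=FAIL
2024-05-01T09:01:05 session=s2 user=jdoe result=FAIL
2024-05-01T09:01:30 session=s2 user=jdoe result=FAIL
2024-05-01T09:02:00 session=s3 user=asmith result=FAIL
2024-05-01T09:02:15 session=s3 user=asmith result=OK
2024-05-01T10:30:00 session=s4 user=jdoe result=FAIL
"""


def parse_line(line):
    """Parse one constructed log line; return (ts, session, user, result) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["session"], m["user"], m["result"]


def max_failures_per_session(log_text):
    """The portal's own view: highest failure count any single session reached, per user.
    This is the counter a browser restart resets, so it never reaches 3 in the sample."""
    per_session = defaultdict(int)  # (user, session) -> failures
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == "FAIL":
            per_session[(rec[2], rec[1])] += 1
    worst = defaultdict(int)
    for (user, _session), n in per_session.items():
        worst[user] = max(worst[user], n)
    return dict(worst)


def find_accounts_to_block(log_text, threshold=PORTAL_BLOCK_THRESHOLD, window=DEFAULT_WINDOW):
    """Account-keyed view: failures within `window` regardless of session.
    Returns {user: (failures_when_flagged, sorted session ids involved)} for
    accounts that reached `threshold`, i.e. the ones to hold at the portal."""
    assert threshold < AD_LOCKOUT_THRESHOLD, "portal limit must trip before AD lockout"
    recent = defaultdict(deque)  # user -> deque of (ts, session) failures in window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, session, user, result = rec
        q = recent[user]
        while q and ts - q[0][0] > window:  # expire old failures
            q.popleft()
        if result == "OK":
            q.clear()  # successful logon resets the counter, as AD does
            continue
        q.append((ts, session))
        if len(q) >= threshold and user not in flagged:
            flagged[user] = (len(q), sorted({s for _, s in q}))
    return flagged


if __name__ == "__main__":
    print("per-session maximum:", max_failures_per_session(SAMPLE_LOG))
    print("accounts to block  :", find_accounts_to_block(SAMPLE_LOG))
```

On the constructed sample the per-session counter peaks at 2 for jdoe, so the portal's 3-attempt limit is never hit, while the account-keyed counter reaches 3 on the first attempt of the second session and flags jdoe with two attempts of headroom left before AD's lockout at 5. asmith is not flagged because the successful logon clears the count.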