Suppressing wrong password attempts during wireless BYOD via CWA

AndreVal (Level 1)

Hello!

We're using BYOD via CWA (set up on ISE) in our wireless network so that users can self-register and issue/download a certificate profile. The normal scenario looks like this: a user connects to an SSID, gets a redirect to the guest web portal, enters his domain credentials and then follows the BYOD flow; in the end he gets his certificate profile and installs it on his phone. Since our domain controller has a policy of blocking an account after 5 consecutive wrong password attempts, we set up the CWA portal to allow 3 attempts until rate limiting.

ise cwa.png

And it works totally fine while the user is using the same session. But apparently there is a way to bypass that limitation: after 1-2 login attempts a user can reopen the browser, get a redirect to the login page again, try logging in another 2 times, and so on. We've tried it, and after the 5th attempt the testing account was blocked.

ise-cwa-wrong-password.png

error message.png

We haven't really seen anyone doing it, but there is a possibility of cases like that, or some attackers who would try to block some employees' domain accounts.

So, I'm trying to find a way to suppress/block users who try to log in via the guest portal using a wrong password. We're using ISE 2.7; maybe newer versions of ISE have the settings we need.

4 Replies

Are you sure these are Guest splash page logins? Or are they PEAP logins from RADIUS from an SSID?

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html

I'm pretty sure it's a guest splash, since I set it up. We're using Guest flow + BYOD and it's set up in Work centers -> Guest Access -> Portal & Components -> Sponsored Guest Portal

Screenshot 2023-02-16 at 10.29.23.png

poongarg (Cisco Employee)

There is already an enhancement filed for this issue on ISE 3.0 version:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc56883

The ISE guest portal provides the following feature:

> Maximum Failed Login Attempts Before Rate Limiting: Specify the number of failed login attempts from a single browser session before Cisco ISE starts to throttle that account. This does not cause an account lockout. The throttled rate is configured in Time between login attempts when rate limiting.

This enhancement request is filed to improve this feature so that the limit is not bound to one session. The reason is that the limit can be easily bypassed when replacing the session cookies (portalSessionId / APPSESSIONID / token) for each request.
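A defender-side check for the weakness discussed in this thread, added here as an example and not part of the thread or of ISE itself: it counts failed guest-portal logins per account across all portal sessions inside a time window, so an account approaching the domain lockout threshold is flagged even when every individual browser session stays under the portal's per-session limit. The log lines and their field layout are constructed for the example and are not ISE's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not ISE's real export format): one guest-portal
# login attempt per line: timestamp, username, portal session id, result.
SAMPLE_EVENTS = """\
2023-02-16T10:01:00 jdoe S1 FAIL
2023-02-16T10:01:20 jdoe S1 FAIL
2023-02-16T10:02:05 jdoe S2 FAIL
2023-02-16T10:02:30 jdoe S2 FAIL
2023-02-16T10:03:10 asmith S3 FAIL
2023-02-16T10:03:40 asmith S3 PASS
2023-02-16T10:40:00 jdoe S4 FAIL
"""


def parse_events(text):
    """Parse the constructed log lines into (timestamp, user, session, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, session, result = line.split()
        events.append((datetime.fromisoformat(ts), user, session, result))
    return events


def accounts_at_risk(events, max_failures=3, window=timedelta(minutes=15)):
    """Return {user: (failures, distinct_sessions)} for every account whose
    failed portal logins inside `window` reach max_failures, counted across
    all portal sessions rather than per browser session. The value kept is
    the most recent qualifying window for that account."""
    failures = defaultdict(list)  # user -> [(ts, session), ...] in time order
    for ts, user, session, result in sorted(events):
        if result == "FAIL":
            failures[user].append((ts, session))
    flagged = {}
    for user, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            # Advance `start` until attempts[start..end] all fall within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            if len(in_window) >= max_failures:
                sessions = {s for _, s in in_window}
                flagged[user] = (len(in_window), len(sessions))
    return flagged
```

In the sample data jdoe spreads four failures over two sessions within a few minutes, which is exactly what a per-session counter misses; a later isolated failure outside the window does not count against him.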

AndreVal (Level 1)

Hello everyone!

Does anyone know if there is a fix/workaround released for that problem?