use ACS to lock AD user account if to many auth attempts

Justin Westover
Level 1

I have set up ACS 5.2 in my lab and have it completely functional with Downloadable ACLs, Dynamic VLANs and the identity store on the backend is Active Directory. I need it to lock a user account in AD if there are too many auth attempts. I have gone into AD and set a max login attempts to 3, but if I continue to fail authentication (on purpose) using RADIUS auth, it never locks out my AD account. I am using the AnyConnect 3.0 with NAM as the supplicant installed on my workstation. I have also configured the switchport that I am connected to with the following commands. I tried the dot1x max-reauth-req 3 command and that didn't really do anything for me either. What am I missing here?

switchport mode access
ip access-group 10 in
authentication event fail action authorize vlan 40
authentication event no-response action authorize vlan 40
authentication host-mode multi-host
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate 10
authentication timer inactivity 20
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
dot1x max-req 3
spanning-tree portfast


Tiago Antunes
Cisco Employee

Hi,

Are you sure the authentication is failing on the AD?

If you look into the event viewer of the DC do you see the failed attempts?

If yes, then it is something to look into the DC why it is not locking the account.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
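The check suggested in the reply (are the failed attempts actually reaching the domain controllers, and is the lockout policy what you think it is?) can be scripted instead of clicking through Event Viewer on each DC. The script below is an added example written for this thread, not code from the original post or from Cisco; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the account running it can read the Security log on every DC, and that the $User and $Hours parameters are names chosen here for illustration. It queries the domain and resultant fine-grained lockout policy, reads the per-DC bad-password counters, and pulls the failed-logon and lockout events for the user from each DC's Security log.

```powershell
<#
  Added example (not part of the original thread).
  Checks whether failed RADIUS/802.1X authentications for an AD user are
  reaching the domain controllers and whether the account is near or past
  the lockout threshold.
  Assumptions: ActiveDirectory module present, rights to read each DC's
  Security log; $User and $Hours are hypothetical parameter names.
#>
param(
    [Parameter(Mandatory)][string]$User,   # sAMAccountName of the test user
    [int]$Hours = 1                        # how far back to look in the logs
)

Import-Module ActiveDirectory

# 1. Lockout policy that actually applies. A fine-grained policy (PSO)
#    assigned to the user or a group overrides the domain default.
$default = Get-ADDefaultDomainPasswordPolicy
"Domain default: threshold={0} window={1} duration={2}" -f `
    $default.LockoutThreshold, $default.LockoutObservationWindow, $default.LockoutDuration

$pso = Get-ADUserResultantPasswordPolicy -Identity $User -ErrorAction SilentlyContinue
if ($pso) {
    "Resultant PSO '{0}': threshold={1} window={2}" -f `
        $pso.Name, $pso.LockoutThreshold, $pso.LockoutObservationWindow
}

# 2. badPwdCount is not replicated: every DC keeps its own counter, and the
#    PDC emulator is notified of failures so it sees the aggregate. lockoutTime
#    is replicated. Ask every DC rather than whichever one answered first.
$since = (Get-Date).AddHours(-$Hours)
$ids   = 4625, 4740, 4771, 4776   # failed logon, account locked out,
                                  # Kerberos pre-auth failed, NTLM validation
$namePattern = [regex]::Escape($User)

foreach ($dc in Get-ADDomainController -Filter *) {
    $host = $dc.HostName
    $u = Get-ADUser -Identity $User -Server $host `
            -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut
    $lastBad = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { 'never' }
    "{0,-30} badPwdCount={1} lastBad={2} LockedOut={3}" -f $host, $u.badPwdCount, $lastBad, $u.LockedOut

    # 3. Security log on this DC. For MSCHAPv2 (NTLM-style) validation the
    #    relevant record is normally 4776 with a non-zero error code such as
    #    0xC000006A (bad password); 4740 is written by the PDC emulator when
    #    the account is locked. Matching on the message text is the simplest
    #    portable way to filter by account across these event types.
    $events = Get-WinEvent -ComputerName $host -FilterHashtable @{
                  LogName = 'Security'; Id = $ids; StartTime = $since
              } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match $namePattern }

    if ($events) {
        $events | Select-Object TimeCreated, Id, MachineName | Format-Table -AutoSize
    } else {
        "  no failed-logon / lockout events for $User on $host since $since"
    }
}
```

How to read the result: if no DC shows a 4771 or 4776 for the user while you are deliberately failing authentication, the credential is not being checked against AD at all (the failure is happening earlier, for example in the EAP exchange between supplicant and ACS), and no switchport timer will change that. If the failures do appear on a DC but badPwdCount never reaches the threshold and no 4740 is logged, the thing to examine is the policy itself, in particular the observation window and any PSO that overrides the domain default.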