Looking for a solution to mitigate VPN brute-force attacks

Da ICS16
Level 1

Dear Community,

We are exploring a solution to mitigate VPN brute-force attacks on Cisco FTD.

AD users are always locked out when targeted by potential VPN brute-force attacks, so this leads to AD account lockouts and impacts legitimate (internal) users.

Flow: FTD -> ISE.

ISE has connectivity to AD and 2FA (OTP). ISE gets the source from FTD, and the ISE Policy Set is configured with Authentication methods: PAP/ASCII or MSCHAPv2, NAS-Port-Type: Virtual.

- We enabled "AD account lockout policies, e.g. 5 failed attempts" on the server.

ISE features tested: 'Reject RADIUS requests from clients with repeated failures', 'Prevent Active Directory User Lockout', but they cannot block the AD user on ISE.

We use ISE 3.1 and Cisco Secure Client VPN agent 5.x.

Could you share recommendations / good practice to prevent / mitigate this kind of VPN brute-force attack, to ensure the targeted users' AD accounts are not locked out?

Your support is well appreciated.

Best Regards,

5 Replies

@Da ICS16 you can enable the threat detection capability; this may require a patch/upgrade, as this is a relatively new feature.

Once enabled, the FTD automatically shuns the host (IP address) that exceeds the configured thresholds, to prevent further attempts until you manually remove the shun of the IP address.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html
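As an added illustration (not from this thread, and not FTD's or ISE's own code) of the per-source thresholding that the threat detection feature described above performs: the script below counts failed VPN authentications per source IP inside a sliding window over constructed sample records and lists the sources that reach a shun threshold, next to the per-user counts that would trip an AD lockout policy. The record format, addresses, usernames, window and thresholds are all assumptions made for the example.

```python
"""Added example: per-source failed-login thresholding versus per-user AD lockout.

Illustrative code only, not FTD's or ISE's implementation. The record format,
addresses, usernames, window and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <source IP> <username> <FAIL|OK>"
# 198.51.100.7 sprays one guess across six accounts, 203.0.113.9 hammers one
# account, 192.0.2.10 is a legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2024-05-01T09:30:00 198.51.100.7 alice FAIL
2024-05-01T10:00:01 198.51.100.7 alice FAIL
2024-05-01T10:00:02 198.51.100.7 bob FAIL
2024-05-01T10:00:03 198.51.100.7 carol FAIL
2024-05-01T10:00:04 198.51.100.7 dave FAIL
2024-05-01T10:00:05 198.51.100.7 erin FAIL
2024-05-01T10:00:06 198.51.100.7 frank FAIL
2024-05-01T10:01:00 203.0.113.9 carol FAIL
2024-05-01T10:01:10 203.0.113.9 carol FAIL
2024-05-01T10:01:20 203.0.113.9 carol FAIL
2024-05-01T10:01:30 203.0.113.9 carol FAIL
2024-05-01T10:01:40 203.0.113.9 carol FAIL
2024-05-01T10:02:00 192.0.2.10 dave FAIL
2024-05-01T10:02:30 192.0.2.10 dave OK
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()
DEMO_NOW = datetime(2024, 5, 1, 10, 5, 0)   # evaluation time for the sample (assumed)

SHUN_THRESHOLD = 5              # failures from one source IP inside the window (assumed)
AD_LOCKOUT_THRESHOLD = 5        # failures for one account, as in the poster's AD policy
WINDOW = timedelta(minutes=10)  # sliding window for counting (assumed)


def parse_record(line):
    """Split one constructed record into (timestamp, source_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def failures_in_window(lines, now, window=WINDOW):
    """Return (timestamp, ip, user) for FAIL records with now - window <= timestamp <= now."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result = parse_record(line)
        if result == "FAIL" and now - window <= ts <= now:
            events.append((ts, ip, user))
    return events


def per_source_failures(events):
    """Map source IP -> (failure count, sorted list of distinct usernames tried)."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for _, ip, user in events:
        counts[ip] += 1
        users[ip].add(user)
    return {ip: (counts[ip], sorted(users[ip])) for ip in counts}


def per_user_failures(events):
    """Map username -> failure count regardless of source (what an AD lockout policy sees)."""
    counts = defaultdict(int)
    for _, _, user in events:
        counts[user] += 1
    return dict(counts)


def shun_candidates(lines, now, threshold=SHUN_THRESHOLD, window=WINDOW):
    """Source IPs whose in-window failures reach the threshold, i.e. what a shun would stop."""
    src = per_source_failures(failures_in_window(lines, now, window))
    return {ip: info for ip, info in src.items() if info[0] >= threshold}


def locked_out_users(lines, now, threshold=AD_LOCKOUT_THRESHOLD, window=WINDOW):
    """Accounts whose in-window failures reach the AD lockout threshold."""
    users = per_user_failures(failures_in_window(lines, now, window))
    return {user: n for user, n in users.items() if n >= threshold}


if __name__ == "__main__":
    for ip, (n, tried) in shun_candidates(SAMPLE_LINES, DEMO_NOW).items():
        kind = "password spray" if len(tried) > 1 else "single-account brute force"
        print(f"shun {ip}: {n} failures, {len(tried)} account(s) tried ({kind})")
    for user, n in locked_out_users(SAMPLE_LINES, DEMO_NOW).items():
        print(f"AD lockout: {user} ({n} failures)")
```

The two views show why a source-based shun helps where an account-based lockout does not: the spraying source never reaches five failures on any single account, so AD never locks anyone out but also never stops it, while counting per source IP flags it after six attempts. The 09:30 record falls outside the ten-minute window and is ignored, which is the usual reason a threshold that "should" have fired did not.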

Hello @Rob Ingram 

Thanks for your comment and support.

If we enable the threat detection capability, can it mitigate this kind of attack even if the attacker knows the AD user?

Thanks.

@Da ICS16 yes 


Hello @Rob Ingram 

We already tried the configured threshold and tuning the certificate, but had no luck preventing AD user lockout.

It seems it is not a fixed solution.

@Da ICS16 what software version are you running? Have you confirmed that threat detection is working after you configured it? Run "show threat-detection service" and "show shun".
