
RAVPN request control

imanv
Level 3

I have a remote access VPN with the following scenario.

I have FTD virtual managed by FMC (version 7.7), Cisco ISE RADIUS AAA (version 3.4), and an external RADIUS server (Microsoft NPS) for multi-factor authentication (MFA). Users send their credentials to FMC-->ISE-->external RADIUS, and then the external RADIUS server checks them against Active Directory. The external RADIUS server authenticates the remote clients and sends the SMS as the second factor. After that, I configured ISE to continue the authorization using ISE authorization profiles.

I found that some remote clients send many correct credentials to the VPN gateway in a short period of time (less than a minute), and by this method hundreds of SMS messages are sent. I am looking for a way to manage accepting the correct username/passwords for a certain period of time to prevent overwhelming the SMS servers.

Just note that it is not simultaneous connection attempts.

Thank you.
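As an added, constructed illustration of the throttling the question asks for (not code from the thread, and not a feature of ISE, NPS or FTD): a per-user sliding-window gate that lets a successful first factor trigger at most one SMS per minute, suppresses the rest, and reports what it blocked when replayed over constructed log lines. The log format and the OtpGate class are assumptions.

```python
# Constructed example: per-user gate for second-factor SMS sends.
# Log format and OtpGate are assumptions, not an ISE/NPS/FTD feature.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> <user> <first-factor result>"
SAMPLE_LOG = """\
2024-05-01T08:00:00Z alice ACCEPT
2024-05-01T08:00:04Z alice ACCEPT
2024-05-01T08:00:09Z alice ACCEPT
2024-05-01T08:00:20Z bob ACCEPT
2024-05-01T08:00:45Z alice ACCEPT
2024-05-01T08:01:30Z alice ACCEPT
2024-05-01T08:01:40Z bob REJECT
"""


def parse_line(line):
    ts, user, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, result


class OtpGate:
    """Allow at most `max_sends` SMS per user within a sliding `window` (s)."""

    def __init__(self, window=60, max_sends=1):
        self.window = window
        self.max_sends = max_sends
        self.sent = defaultdict(deque)   # user -> timestamps of SMS sends
        self.suppressed = defaultdict(int)

    def should_send(self, user, ts):
        q = self.sent[user]
        while q and (ts - q[0]).total_seconds() >= self.window:
            q.popleft()                  # drop sends outside the window
        if len(q) < self.max_sends:
            q.append(ts)
            return True
        self.suppressed[user] += 1       # correct password, but no new SMS
        return False


def replay(log, window=60, max_sends=1):
    """Run the gate over log text; return (sms_sent, suppressed) per user."""
    gate = OtpGate(window, max_sends)
    sent = defaultdict(int)
    for line in log.splitlines():
        ts, user, result = parse_line(line)
        if result != "ACCEPT":
            continue                     # first factor failed: never send SMS
        if gate.should_send(user, ts):
            sent[user] += 1
    return dict(sent), dict(gate.suppressed)
```

With the sample above, alice gets two SMS (08:00:00 and 08:01:30) and three suppressed attempts, so the suppressed counter doubles as a detection signal for accounts repeatedly triggering the second factor.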


4 Replies

Why do you have to use MS NPS if you have ISE? Can't ISE handle the whole authentication and authorization process?

Thanks for your reply.

I need it to handle the second-factor authentication. NPS checks the credentials with the DC and sends the result to another application that sends the SMS. If the remote client sends the OTP code received by SMS and it is approved by the application, MS NPS sends the result to ISE. Then I configure ISE to continue authorization with the ISE authz policies.

Could that be something ISE can handle? Not really sure if that would fix the reported issue though. How do those many authentication requests look on ISE? I'm just thinking this issue could be related to some sort of latency on the network used by those remote clients, maybe?

imanv
Level 3

Thanks Aref.

Initial authentication happens in NPS. I will generate it and feed back here.
