PEAP with ACS 5.4 - How to Prevent Active Directory Account locks?

johnnylingo
Level 5

I have a WLC4402 with a PEAP WLAN, relaying authentication to ACS Server 5.4 via RADIUS.   ACS then has a network access policy to send these requests to Active Directory.

All works great except for one issue.  When a user changes their AD password (which we require every 90 days), and they forget to update it across all devices, that device re-tries to get on the WLAN, resulting in the user's account being locked out.

Is there a way to prevent this in ACS?  Say, after 2 failed attempts, pause 30 seconds?   

johnnylingo
Level 5

Would configuring these commands on the controller help?

config advanced eap identity-request-retries (default is 20)

config advanced eap request-retries (default is 2)


No, those commands control the RADIUS traffic between the controller and the ACS server only, to cater for network delays etc. between the two devices.

I'm not sure how to fix your issue. What type of devices are caching credentials and causing the lockouts?

Generally, tablets and smartphones that fail auth will prompt a user to supply new credentials upon failure, so I'm guessing it's maybe Windows laptops that are using cached credentials?

Nigel.

Sent from Cisco Technical Support iPad App

So what you're saying is the retry values only come into play if the RADIUS server is inaccessible, right?

Windows laptops actually work just fine, because many of them are using machine authentication.  The main issue seems to be from iPhones, which are saving the username/password and then re-attempting too many times when the user changes password.

One solution is to use LDAP instead of AD within ACS, but the downside is the password can be guessed thousands of times in a row and is open to dictionary attacks.  We do enforce complex password policies so the likelihood of an account being compromised is slim, but I'd rather eliminate the chance entirely.

Yes, that's correct.

Interesting to hear about the iPhone issue. I'm sorry I don't have a solution to your issue, but will be interested to hear if anyone else can come up with a suggestion. Unless there is some type of setting that could be pushed out using a profile of some type, I can't think how to get around this issue...sorry.

All the best.

Nigel.


Sent from Cisco Technical Support iPad App

FYI Apple finally fixed this behavior with iOS 8

wvunathans
Level 1

This is 100% controlled by AD and there is nothing you can do in ACS to resolve it. ACS is acting no different than any other AD server, such as a file server, in authenticating a user.

Moreover you would not want to even if you could, since this would effectively negate a large part of the protection against attempting to brute-force a user's password.
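Since the lockout itself lives in AD (as the last reply says) and the cause is one device replaying a stale credential (as the iPhone observation above says), the remaining lever on the RADIUS side is to spot that device before the AD threshold is hit. The script below is an added example written for this thread, not code from Cisco, ACS, or any poster. The log format it parses is invented for the demo (the `calling-station-id` field stands in for the RADIUS attribute of that name); adapt `LINE_RE` to whatever your ACS or syslog export actually emits, and set `threshold` a little below your AD lockout count so the alert fires first.

```python
"""Flag a single device burning through failed PEAP logins for one user.

Added example for this thread. The log format below is CONSTRUCTED for the
demo and is not the ACS 5.4 or WLC log format; adjust LINE_RE for your export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a phone (MAC ...:01) with a cached, now-stale password
# retrying for jdoe; asmith mistypes once and then succeeds; a second jdoe
# device fails once much later and should not be flagged.
SAMPLE_LOG = """\
2013-05-01 08:00:01 AUTH-FAIL user=jdoe calling-station-id=00:11:22:33:44:01 reason=wrong-password
2013-05-01 08:00:04 AUTH-FAIL user=jdoe calling-station-id=00:11:22:33:44:01 reason=wrong-password
2013-05-01 08:00:09 AUTH-FAIL user=jdoe calling-station-id=00:11:22:33:44:01 reason=wrong-password
2013-05-01 08:00:15 AUTH-FAIL user=jdoe calling-station-id=00:11:22:33:44:01 reason=wrong-password
2013-05-01 08:00:20 AUTH-FAIL user=asmith calling-station-id=00:11:22:33:44:02 reason=wrong-password
2013-05-01 08:00:25 AUTH-OK   user=asmith calling-station-id=00:11:22:33:44:02
2013-05-01 08:00:31 AUTH-FAIL user=jdoe calling-station-id=00:11:22:33:44:01 reason=wrong-password
2013-05-01 09:30:00 AUTH-FAIL user=jdoe calling-station-id=00:11:22:33:44:03 reason=wrong-password
"""

# Parser for the constructed format: timestamp, result, user, device MAC.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(?P<result>AUTH-\w+) +"
    r"user=(?P<user>\S+) +calling-station-id=(?P<mac>\S+)"
)


def parse_log(text):
    """Return a list of (timestamp, result, user, mac) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["mac"].lower()))
    return events


def find_stale_devices(events, threshold=3, window=timedelta(minutes=30)):
    """Return {(user, mac): peak_failures} for each user/device pair whose
    failures within any `window` reach `threshold`.

    Keying on (user, mac) rather than user alone is what separates "one phone
    with an old password" from "many devices or sources trying one account".
    """
    failures = defaultdict(list)
    for ts, result, user, mac in events:
        if result == "AUTH-FAIL":
            failures[(user, mac)].append(ts)

    flagged = {}
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0
        # Sliding window: count the densest run of failures inside `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (user, mac), count in find_stale_devices(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: device {mac} failed {count} times inside the window; "
              f"likely a cached stale password, contact the user before AD locks the account")
```

On the sample, only jdoe's first device is flagged (5 failures in 30 seconds); the single asmith typo and the lone later failure from jdoe's other device are left alone. The same per-device grouping is also a useful sanity check against the LDAP option discussed earlier: if failures for one user arrive from many different stations, it is not a stale-password problem.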
