AD lockouts occurring from RA-VPN brute force

tmcG
Level 1

Scenario:

I am trying to figure out a way to prevent AD accounts from being locked out when brute force login attempts to the RA-VPN occur.

RA-VPN configured on FTD. RADIUS authentication used via ISE pointing to AD. Duo MFA works fine, no issues, but recently we've had a different situation occur.

Since primary authentication occurs when a user connects to VPN prior to the MFA challenge, AD gets the authentication request. This means that if a botnet, script or bad actor on the internet tries to authenticate with a given username repeatedly, it locks the AD account, because AD receives X number of authentication attempts and that trips our AD account lockout policy (usually 5-10 failed authentication attempts).

Cisco FTD does not have a way to stop this, and does not have any sort of identity-aware DDoS or "Fail2ban" capability. Per TAC, Cisco's official recommendation is to put a firewall in front of the firewall, because RA-VPN on an FTD operates in an administrative context and no IPS/IDS functionality applies to it.

I am trying to determine if, by changing our configuration to point to a different IdP for primary authentication, perhaps Azure or ADFS via SAML, I can force the MFA challenge prior to primary authentication. If not, perhaps I can use some sort of conditional access policy to prevent brute forcing from causing account lockouts?

Has anyone ever encountered something like this? Any help or similar experiences are appreciated.

3 Replies

@tmcG you can use threat detection for Remote Access VPN services on FTD, which can automatically shun the host (IP address) that exceeds the configured thresholds, to prevent further attempts until you manually remove the shun of the IP address.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html

You need to be using version 7.0.6.3 or 7.6.
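As an added example (not code from this thread or from Cisco), the script below applies the two thresholds discussed here to constructed FTD-style syslog lines: failures per source IP, which is what an automatic shun keys on, and failures per username, which is what trips the AD lockout policy. Counting both catches a password spray across many accounts and repeated attempts against one account, and warns one failure before the account would lock. The 113015 "AAA user authentication Rejected" field layout is assumed, not copied from a real device.

```python
import re
from collections import defaultdict

# Constructed sample syslog, modelled on the ASA/FTD 113015 "AAA user
# authentication Rejected" message; the exact field layout is assumed.
SAMPLE_LOG = """\
%FTD-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
%FTD-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
%FTD-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
%FTD-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
%FTD-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = mjones
%FTD-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith : user IP = 203.0.113.9
%FTD-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bwong : user IP = 203.0.113.9
%FTD-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cpatel : user IP = 203.0.113.9
%FTD-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dlee : user IP = 203.0.113.9
%FTD-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = efox : user IP = 203.0.113.9
"""

REJECT_RE = re.compile(
    r"113015: AAA user authentication Rejected.*?"
    r": user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def count_failures(log_text):
    """Return (failures per source IP, failures per username)."""
    by_ip, by_user = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # successes and unrelated messages are ignored
        by_ip[m["ip"]] += 1
        by_user[m["user"]] += 1
    return dict(by_ip), dict(by_user)


def flag(log_text, ip_threshold=5, lockout_threshold=5):
    """Sources at or over ip_threshold are shun candidates; users one failure
    short of the AD lockout threshold are flagged before they lock out."""
    by_ip, by_user = count_failures(log_text)
    shun = sorted(ip for ip, n in by_ip.items() if n >= ip_threshold)
    at_risk = sorted(u for u, n in by_user.items() if n >= lockout_threshold - 1)
    return shun, at_risk


if __name__ == "__main__":
    shun, at_risk = flag(SAMPLE_LOG)
    print("shun candidates:", shun)        # ['203.0.113.9'] (spray, one try per user)
    print("users near lockout:", at_risk)  # ['jdoe'] (4 of 5 failures from one IP)
```

Note that 198.51.100.7 stays under the per-IP threshold with 4 attempts while jdoe is already one failure from lockout, which is why a per-IP shun alone does not protect the account.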


What RADIUS server are you using? Is it ISE? With ISE you can do the authentication via Duo and then the authorization via AD; that way, if the user responds to the Duo push, they need to be part of the authorized AD group, and if not, the authorization will fail. So with such a setup the AD users won't be locked out by any malicious actors. If you are not using ISE, your RADIUS server should allow you to configure a similar setup.
