Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1198
Views
0
Helpful
7
Replies

Excessive Web Authentication Failures -customize counters and timers

Temur Kalandia
Level 1
Level 1

‎07-13-2016 04:25 AM - edited ‎07-05-2021 05:24 AM

Hello everyone, 

we are preparing the demo environment for our customer. configured web authentication with LDAP integration. everything is working normally, but have following question regarding Excessive Web Authentication Failures :


1) can we control number of failed retries?it is currently 3, but wee need change it to 5 or any other number
2) can we change duration between failed attempts? currently it is 1 minute , but need to increase to 5 minutes , if failed login attempts will be 5 , during 5 minutes need exclude this client.

thanks in advance

Labels:
0 Helpful
7 Replies 7

WiFi Trainers
Level 1
Level 1

‎07-13-2016 04:49 AM

Hi Temur,

Can you please clarify what retries you are referring to? Is it the number of times the WLC tries to send an authentication request to the radius server?

Best Regards,

WiFi Trainers (www.wifitrainers.com)

Your one stop solution for all your wireless training needs!

******** Please rate if useful *********

0 Helpful

Temur Kalandia
Level 1
Level 1
In response to WiFi Trainers

‎07-13-2016 02:49 PM

hi , 

cisco wlc has Client Exclusion Policies, one of that policies is "Excessive Web Authentication Failures" it offers client exclusion after three consecutive failures. refer to this doc: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0111010.pdf 

my tasks are :

1) somehow control failure counters, for example i need to exlude clients after 5 consecutive failures, or choose any other number.

2) control the time between failures, in default configuration if 3 failures occur during one minute wips will exclude client at fourth try, but i need to increase this duration to 5 minutes. in this case if user fails authenticate 5 times , it will be excluded.

0 Helpful

WiFi Trainers
Level 1
Level 1
In response to Temur Kalandia

‎07-13-2016 10:29 PM

Hi Temur,

Thanks for the clarification. There is no config option to change this even on the latest 8.2 code. We can only enable this feature and not change any of the default parameters.

Best Regards,

WiFi Trainers (www.wifitrainers.com)

Your one stop solution for all your wireless training needs!

******** Please rate if useful *********

0 Helpful

Temur Kalandia
Level 1
Level 1
In response to WiFi Trainers

‎07-14-2016 01:04 AM

hello, 

can you please tell me the duration time for three consecutive failures? in what time period should hacker try three consecutive failures? 3 tries during one minute or time does not meters, if there will be three consecutive failures during any time , client will be blocked?

0 Helpful

hajia
Cisco Employee
Cisco Employee

‎07-14-2016 12:08 AM

Hi,

You can change it on your LDAP server.

In Web Authentication, WLC only transfer the authentication request to the authentication server , in your case "LDAP".

0 Helpful

Temur Kalandia
Level 1
Level 1
In response to hajia

‎07-14-2016 02:57 AM

hi, 

we have already configured this option : user account lockout, but customer needs to add additional security at wireless layer, to avoid offload the LDAP.

one option i think will be use radius server between LDAP and WLC and sent client exclusion attributes from the radius server itself.  if you have any guide for this typof config will be great :)

0 Helpful

ajc
Level 7
Level 7
In response to hajia

‎09-18-2017 08:30 AM

Question, what do you mean by "In webauth the wlc transfer the authentication request to the authentication server when using LDAP?. Does the same apply for PEAP when using LDAP?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card