07-13-2016 04:25 AM - edited 07-05-2021 05:24 AM
Hello everyone,
We are preparing the demo environment for our customer and have configured web authentication with LDAP integration. Everything is working normally, but I have the following question regarding Excessive Web Authentication Failures:
1) Can we control the number of failed retries? It is currently 3, but we need to change it to 5 or any other number.
2) Can we change the duration between failed attempts? Currently it is 1 minute, but we need to increase it to 5 minutes; if there are 5 failed login attempts during 5 minutes, we need to exclude this client.
Thanks in advance
07-13-2016 04:49 AM
Hi Temur,
Can you please clarify what retries you are referring to? Is it the number of times the WLC tries to send an authentication request to the radius server?
Best Regards,
WiFi Trainers (www.wifitrainers.com)
Your one stop solution for all your wireless training needs!
******** Please rate if useful *********
07-13-2016 02:49 PM
Hi,
Cisco WLC has Client Exclusion Policies; one of those policies is "Excessive Web Authentication Failures", which offers client exclusion after three consecutive failures. Refer to this doc: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0111010.pdf
My tasks are:
1) Somehow control the failure counter; for example, I need to exclude clients after 5 consecutive failures, or choose any other number.
2) Control the time between failures. In the default configuration, if 3 failures occur during one minute, WIPS will exclude the client at the fourth try, but I need to increase this duration to 5 minutes. In this case, if a user fails to authenticate 5 times, it will be excluded.
07-13-2016 10:29 PM
Hi Temur,
Thanks for the clarification. There is no config option to change this even on the latest 8.2 code. We can only enable this feature and not change any of the default parameters.
Best Regards,
WiFi Trainers (www.wifitrainers.com)
Your one stop solution for all your wireless training needs!
******** Please rate if useful *********
07-14-2016 01:04 AM
Hello,
Can you please tell me the duration time for three consecutive failures? In what time period should a hacker try three consecutive failures? 3 tries during one minute, or does time not matter: if there are three consecutive failures during any time period, will the client be blocked?
07-14-2016 12:08 AM
Hi,
You can change it on your LDAP server.
In Web Authentication, the WLC only transfers the authentication request to the authentication server, in your case LDAP.
07-14-2016 02:57 AM
Hi,
We have already configured this option (user account lockout), but the customer needs to add additional security at the wireless layer, to avoid offloading this onto the LDAP server.
One option, I think, would be to use a RADIUS server between LDAP and the WLC and send client exclusion attributes from the RADIUS server itself. If you have any guide for this type of config, that would be great :)
09-18-2017 08:30 AM
Question: what do you mean by "In webauth the WLC transfers the authentication request to the authentication server when using LDAP"? Does the same apply for PEAP when using LDAP?