Excessive Web Authentication Failures -customize counters and timers

Temur Kalandia · ‎07-13-2016

Hello everyone,

we are preparing the demo environment for our customer. configured web authentication with LDAP integration. everything is working normally, but have following question regarding Excessive Web Authentication Failures :

1) can we control number of failed retries?it is currently 3, but wee need change it to 5 or any other number
2) can we change duration between failed attempts? currently it is 1 minute , but need to increase to 5 minutes , if failed login attempts will be 5 , during 5 minutes need exclude this client.

thanks in advance

WiFi Trainers · ‎07-13-2016

Hi Temur,

Can you please clarify what retries you are referring to? Is it the number of times the WLC tries to send an authentication request to the radius server?

Best Regards,

WiFi Trainers (www.wifitrainers.com)

Your one stop solution for all your wireless training needs!

******** Please rate if useful *********

Temur Kalandia · ‎07-13-2016

hi ,

cisco wlc has Client Exclusion Policies, one of that policies is "Excessive Web Authentication Failures" it offers client exclusion after three consecutive failures. refer to this doc: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0111010.pdf

my tasks are :

1) somehow control failure counters, for example i need to exlude clients after 5 consecutive failures, or choose any other number.

2) control the time between failures, in default configuration if 3 failures occur during one minute wips will exclude client at fourth try, but i need to increase this duration to 5 minutes. in this case if user fails authenticate 5 times , it will be excluded.

WiFi Trainers · ‎07-13-2016

Hi Temur,

Thanks for the clarification. There is no config option to change this even on the latest 8.2 code. We can only enable this feature and not change any of the default parameters.

Best Regards,

WiFi Trainers (www.wifitrainers.com)

Your one stop solution for all your wireless training needs!

******** Please rate if useful *********

Temur Kalandia · ‎07-14-2016

hello,

can you please tell me the duration time for three consecutive failures? in what time period should hacker try three consecutive failures? 3 tries during one minute or time does not meters, if there will be three consecutive failures during any time , client will be blocked?

hajia · ‎07-14-2016

Hi,

You can change it on your LDAP server.

In Web Authentication, WLC only transfer the authentication request to the authentication server , in your case "LDAP".

Temur Kalandia · ‎07-14-2016

hi,

we have already configured this option : user account lockout, but customer needs to add additional security at wireless layer, to avoid offload the LDAP.

one option i think will be use radius server between LDAP and WLC and sent client exclusion attributes from the radius server itself. if you have any guide for this typof config will be great :)

ajc · ‎09-18-2017

Question, what do you mean by "In webauth the wlc transfer the authentication request to the authentication server when using LDAP?. Does the same apply for PEAP when using LDAP?