10-30-2012 10:56 AM - edited 07-03-2021 10:57 PM
Hello Everybody,
I am working with Cisco Secure ACS 4.2, integrated with Active Directory at a Windows 2008 R2 functional level. User accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once. The integration is done via LDAP.
I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN and type my password wrongly, I get extra bad password counts on the Active Directory.
Thanks in advance and regards....
10-31-2012 08:09 AM
Well, it's due to the client's OS: once you enter the credentials and they're wrong, it will keep using those credentials. If you look at the logs on ACS, you will probably see multiple failures for that user.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
10-31-2012 09:47 AM
Hello Scott,
Thanks for your answer. However, we checked the ACS logs and they show that we entered bad credentials just once, but in Active Directory our account is sometimes locked because we get at least 2 and sometimes 3 failures. This problem only occurs when we authenticate to Cisco devices or through VPN; in normal circumstances, when users enter bad credentials on their computers, it works fine.
Thanks and regards...
10-31-2012 10:18 AM
Sniff the traffic from ACS and see if ACS is sending the login more than one time. Not much you can do if the credentials are wrong, because eventually they will keep retrying and get locked out.
Sent from Cisco Technical Support iPhone App
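The check suggested above (does ACS issue more than one LDAP bind for a single user login?) can be done on a capture taken between ACS and the domain controller. What follows is an added example, not code from the thread or from Cisco: it assumes the capture was exported with tshark as tab-separated fields (frame time, source IP, bind DN), that the ACS address is 10.1.1.10, and that binds for the same DN arriving within two seconds belong to one login attempt. The sample lines are constructed, not a real capture.

```python
"""Count LDAP bindRequests per user in a tshark field dump.

Assumed export command (not run here):
  tshark -r acs-dc.pcap -Y "ldap.protocolOp == 0" -T fields \
         -E separator=/t -e frame.time_epoch -e ip.src -e ldap.name
Every bind that reaches the DC with a wrong password increments that
account's badPwdCount, so one login producing three binds looks, to AD,
like three failed logons.
"""
from collections import defaultdict

ACS_IP = "10.1.1.10"  # assumed ACS address, not from the thread

# Constructed sample: jdoe logs in once at the VPN, ACS binds three times;
# asmith and a service account each bind once.
SAMPLE_DUMP = """\
1351612805.101\t10.1.1.10\tCN=jdoe,OU=Users,DC=example,DC=com
1351612805.104\t10.1.1.10\tCN=jdoe,OU=Users,DC=example,DC=com
1351612805.110\t10.1.1.10\tCN=jdoe,OU=Users,DC=example,DC=com
1351612900.500\t10.1.1.10\tCN=asmith,OU=Users,DC=example,DC=com
1351613000.000\t10.1.1.10\tCN=svc-acs,OU=Service,DC=example,DC=com
"""


def parse_dump(text):
    """Yield (epoch_seconds, src_ip, bind_dn); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[2]:
            continue
        yield float(parts[0]), parts[1], parts[2]


def bind_bursts(text, acs_ip=ACS_IP, window=2.0):
    """Group bindRequests from the ACS by DN.

    Binds for the same DN within `window` seconds of the first bind of a
    burst are counted as the same user login attempt.
    Returns {dn: [burst_size, burst_size, ...]} in time order.
    """
    bursts = defaultdict(list)
    burst_start = {}
    for ts, src, dn in sorted(parse_dump(text)):
        if src != acs_ip:
            continue  # only traffic originating from ACS matters here
        if dn in burst_start and ts - burst_start[dn] <= window:
            bursts[dn][-1] += 1
        else:
            burst_start[dn] = ts
            bursts[dn].append(1)
    return dict(bursts)


def multi_bind_users(text, acs_ip=ACS_IP, window=2.0):
    """Return DNs for which a single login attempt produced more than one bind."""
    return sorted(
        dn
        for dn, sizes in bind_bursts(text, acs_ip, window).items()
        if max(sizes) > 1
    )


if __name__ == "__main__":
    for dn, sizes in bind_bursts(SAMPLE_DUMP).items():
        print(f"{dn}: binds per login attempt = {sizes}")
    print("users with repeated binds:", multi_bind_users(SAMPLE_DUMP))
```

If the list of users with repeated binds is non-empty for a login you know was attempted once, the capture, not the client, is where the extra bad password counts come from; compare the burst size against the difference you see in badPwdCount on the domain controller that took the binds. The two-second window is an assumption and may need widening if ACS retries against a second DC after a timeout.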