I am working with Cisco Secure ACS 4.2, integrated with Active Directory (Windows 2008 R2 functional level) via LDAP. User accounts that are configured with a lockout policy (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once.
I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or the VPN and type my password wrongly, I get extra bad password counts in Active Directory.
Thanks in advance and regards....
Well, it's due to the client's OS: once you enter the credentials and they are wrong, it will keep using those credentials. If you look at the logs on ACS, you will probably see multiple failures for that user.
Thanks for your answer. However, we checked the ACS logs and they show that we entered bad credentials just once, but in Active Directory our account is sometimes blocked because we get at least 2 and sometimes 3 failures. This problem only occurs when we authenticate to Cisco devices or through the VPN; in normal circumstances, when users enter bad credentials on their computers, it works fine.
Thanks and regards...
Sniff the traffic from ACS and see if ACS is sending the login more than once. There is not much you can do if the credentials are wrong, because eventually they will keep retrying and get locked out.
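One way to do the check the last reply suggests, as an added example that is not part of the thread and not Cisco's code: capture the ACS-to-DC traffic on port 389 (for instance `tcpdump -i eth0 port 389 -w acs-ldap.pcap` on a SPAN port or on the ACS host) and count how many LDAP simple BindRequests each bind DN issues per source IP. If one wrong password from the user shows up as two or three binds from the ACS address, ACS (or the device talking to it) is retrying the rejected credential, which is exactly what drives badPwdCount up faster than expected. The IP addresses, DNs and the capture built in `sample_pcap()` are constructed for the example; the parser handles plain IPv4/TCP/LDAP only, so LDAPS (636) and SASL binds are not counted.

```python
"""Count LDAP simple-bind attempts per account in a pcap (added example).

The BER and pcap handling is deliberately minimal: Ethernet/IPv4/TCP to port 389,
one or more LDAPMessages per segment, simple binds only. Everything else is skipped.
"""
import struct
from collections import Counter

LDAP_PORT = 389
PCAP_MAGIC = 0xA1B2C3D4


def ber_read(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def bind_dns(payload):
    """Yield the bind DN of every simple BindRequest in one TCP payload."""
    pos = 0
    while pos + 2 <= len(payload):
        tag, body, pos = ber_read(payload, pos)
        if tag != 0x30:                    # LDAPMessage ::= SEQUENCE
            return
        _, _msg_id, p = ber_read(body, 0)  # messageID INTEGER
        op_tag, op, _ = ber_read(body, p)  # protocolOp
        if op_tag != 0x60:                 # [APPLICATION 0] = BindRequest
            continue
        _, _version, p = ber_read(op, 0)   # version INTEGER
        _, name, p = ber_read(op, p)       # name LDAPDN
        auth_tag, _, _ = ber_read(op, p)   # authentication CHOICE
        if auth_tag == 0x80:               # [0] simple; SASL ([3]) is ignored
            yield name.decode("utf-8", "replace")


def tcp_payload(frame):
    """Return (src_ip, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in frame[26:30])
    tcp = frame[14 + ihl:]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    return src_ip, dst_port, tcp[(tcp[12] >> 4) * 4:]


def count_binds(pcap_bytes):
    """Map (src_ip, bind DN) -> number of simple BindRequests seen in the capture."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic == PCAP_MAGIC else ">"
    pos, counts = 24, Counter()            # 24-byte pcap global header
    while pos + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])
        frame, pos = pcap_bytes[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        parsed = tcp_payload(frame)
        if parsed and parsed[1] == LDAP_PORT and parsed[2]:
            for dn in bind_dns(parsed[2]):
                counts[(parsed[0], dn)] += 1
    return counts


def retried_binds(pcap_bytes, threshold=2):
    """Accounts bound at least `threshold` times from the same source: the retries to look for."""
    return {k: v for k, v in count_binds(pcap_bytes).items() if v >= threshold}


# --- constructed sample capture (not real traffic) ---------------------------------
def _ber(tag, value):
    return bytes([tag, len(value)]) + value      # short-form length suffices here


def _bind_request(msg_id, dn, password):
    op = _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + _ber(0x80, password.encode()))
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + op)


def _frame(src_ip, payload):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes([10, 0, 0, 5]))
    tcp = struct.pack("!HHIIBBHHH", 50000, LDAP_PORT, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def sample_pcap():
    """Hypothetical capture: host 10.0.0.20 (the ACS) binds as jdoe three times with one bad password."""
    jdoe, asmith = "CN=jdoe,OU=Users,DC=corp,DC=example", "CN=asmith,OU=Users,DC=corp,DC=example"
    frames = [_frame("10.0.0.20", _bind_request(i, jdoe, "wrong")) for i in (1, 2, 3)]
    frames.append(_frame("10.0.0.21", _bind_request(1, asmith, "correct")))
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for (src, dn), n in sorted(retried_binds(sample_pcap()).items()):
        print(f"{src} bound as {dn} {n} times")
```

Run it against a real file with `count_binds(open("acs-ldap.pcap", "rb").read())`. If the ACS address shows one bind per user-visible attempt, the extra badPwdCount increments are coming from somewhere else (the VPN client or device retrying, or a different DC), and the next place to look is the Security log on the PDC emulator rather than ACS.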