ansalaza Wed, 07/22/2009 - 07:35
User Badges:
  • Cisco Employee,

The communication between the AAA client and the NAS is done using RADIUS:

1. Access-Request
2. Access-Accept
3. Access-Reject


An External Database like Active Directory would send those types of messages (account disabled, wrong user/password...) to the AAA Server, but I don't believe it can forward them to the AAA client.


Thanks...

darpotter Thu, 07/23/2009 - 03:01
User Badges:
  • Silver, 250 points or more

...and there is a good reason why you *never* do this.


Security 101 - don't tell users why an authentication has failed - they might not be who you think they are.


Yes, it's a pain when real valid users can't authenticate and they have to ring the support team. But the alternative is far worse.

kpanduric Thu, 07/23/2009 - 05:00

...but if it is a customer request...

An application, when authenticating users, should differentiate between users that are disabled and those that mistyped user/pass.

darpotter Thu, 07/23/2009 - 05:43
User Badges:
  • Silver, 250 points or more

No, never.


If you do, then you're telling a potential hacker that the username he/she just tried is valid.


Getting a username is half the job done.


Remember ACS is aimed at remote access and wireless where logins could be coming from anywhere.


What it could do is include a failure message to the end user that includes the help desk telephone number and perhaps a unique incident id. That's secure and helpful.
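The following is an added example, not code from the thread or from Cisco ACS, that puts the two posts above together: it builds the three RADIUS packet types ansalaza lists (Access-Request, Access-Accept, Access-Reject, RFC 2865 codes 1, 2 and 3) and shows, side by side, the leaky Reply-Message that reveals the failure reason and the generic Reply-Message darpotter recommends (help desk number plus a unique incident id), with the real reason written only to the server-side log keyed by that incident id. The user store, shared secret, help desk number and usernames are all constructed for the example; the Reply-Message attribute type (18) and User-Name attribute type (1) are the standard RFC 2865 values.

```python
import hashlib
import logging
import os
import struct
import uuid

# RADIUS packet codes named in the thread (RFC 2865, section 3)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# RADIUS attribute types used here (RFC 2865, section 5)
ATTR_USER_NAME = 1
ATTR_REPLY_MESSAGE = 18

SHARED_SECRET = b"constructed-shared-secret"   # constructed for the example
HELPDESK_NUMBER = "+1-555-0100"                # placeholder help desk number

# Constructed user store. The real failure reasons are derived from this and
# must never leave the AAA server.
USERS = {
    "alice": {"password": "correct horse", "disabled": False},
    "bob":   {"password": "hunter2",       "disabled": True},
}

log = logging.getLogger("aaa")


def encode_attributes(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLV attributes."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(identifier, request_authenticator, username):
    """Access-Request as the NAS would send it (User-Name only; no password here)."""
    body = encode_attributes([(ATTR_USER_NAME, username.encode())])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_authenticator + body


def build_response(code, identifier, request_authenticator, attrs):
    """Access-Accept / Access-Reject. Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + SHARED_SECRET).digest()
    return header + resp_auth + body


def verify_response(packet, request_authenticator):
    """Check the Length field and recompute the Response Authenticator."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + SHARED_SECRET).digest()
    return packet[4:20] == expected


def classify_failure(username, password):
    """None on success, otherwise the real reason. Server-side only."""
    user = USERS.get(username)
    if user is None:
        return "unknown user"
    if user["disabled"]:
        return "account disabled"
    if user["password"] != password:
        return "wrong password"
    return None


def leaky_reply_message(reason):
    """The anti-pattern from the thread: confirms a valid username to whoever is asking."""
    return f"Authentication failed: {reason}"


def safe_reply_message(incident_id):
    """darpotter's suggestion: same text for every failure, plus a lookup handle."""
    return (f"Authentication failed. Call the help desk at {HELPDESK_NUMBER} "
            f"and quote incident {incident_id}.")


def authenticate(username, password, identifier=42):
    """Run one exchange and return (code, reply message or None, response packet, request auth)."""
    request_auth = os.urandom(16)
    build_access_request(identifier, request_auth, username)   # what the NAS sends
    reason = classify_failure(username, password)
    if reason is None:
        return ACCESS_ACCEPT, None, build_response(ACCESS_ACCEPT, identifier, request_auth, []), request_auth
    incident_id = uuid.uuid4().hex[:12]
    # The real reason is logged with the incident id so the help desk can look it up.
    log.warning("auth failure incident=%s user=%s reason=%s", incident_id, username, reason)
    message = safe_reply_message(incident_id)
    packet = build_response(ACCESS_REJECT, identifier, request_auth, [(ATTR_REPLY_MESSAGE, message.encode())])
    return ACCESS_REJECT, message, packet, request_auth
```

Run `authenticate("bob", "hunter2")` (disabled account) and `authenticate("alice", "wrong")` (bad password): both return Access-Reject with a Reply-Message that differs only in the incident id, so the client cannot tell the two cases apart, while the log line carries the actual reason for the support team.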
