ACS - reject reason

Unanswered Question
Jul 22nd, 2009

Is it possible to configure ACS 4.x to return the reason that caused the user to be rejected (e.g. account disabled, wrong user/password...) to the NAS?

ansalaza Wed, 07/22/2009 - 07:35

The communication between the AAA client and the NAS is done using RADIUS:

1 Access-Request

2 Access-Accept

3 Access-Reject

An external database like Active Directory would send those types of messages (account disabled, wrong user/password...) to the AAA server, but I don't believe it can forward them to the AAA client.

Thanks...

darpotter Thu, 07/23/2009 - 03:01

...and there is a good reason why you *never* do this.

Security 101 - don't tell users why an authentication has failed - they might not be who you think they are.

Yes, it's a pain when real valid users can't authenticate and they have to ring the support team. But the alternative is far worse.

kpanduric Thu, 07/23/2009 - 05:00

...but if it is a customer request...

An application, when authenticating users, should differentiate between users that are disabled and those that mistyped their user/pass.

darpotter Thu, 07/23/2009 - 05:43

No, never.

If you do, then you're telling a potential hacker that the username he/she just tried is valid.

Getting a username is half the job done.

Remember ACS is aimed at remote access and wireless where logins could be coming from anywhere.

What it could do is include a failure message to the end user that includes the help desk telephone number and perhaps a unique incident id. That's secure and helpful.
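The reply darpotter describes, as an added example that is not part of the original thread or of ACS itself: an RFC 2865 Access-Reject whose Reply-Message carries only a help desk number and an incident id, built identically whatever the failure cause, plus the NAS-side authenticator check. The shared secret, phone number and incident id are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3        # RFC 2865 packet code
ATTR_REPLY_MESSAGE = 18  # RFC 2865 section 5.18: text the NAS shows to the user


def build_access_reject(request_id, request_authenticator, shared_secret,
                        helpdesk_phone, incident_id):
    """Build an Access-Reject whose Reply-Message names a help desk number and an
    incident id but never the failure cause, so neither the NAS nor the user can
    tell a disabled account from a mistyped password or an unknown username."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    text = (f"Login failed. Call the help desk on {helpdesk_phone} "
            f"and quote incident {incident_id}.").encode("utf-8")
    if len(text) > 253:
        raise ValueError("Reply-Message value exceeds 253 bytes")
    attrs = struct.pack("!BB", ATTR_REPLY_MESSAGE, 2 + len(text)) + text
    header = struct.pack("!BBH", ACCESS_REJECT, request_id, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + shared_secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, shared_secret):
    """NAS-side check that a reply really came from the AAA server for this request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + shared_secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def reply_messages(packet):
    """Walk the TLV attribute list and return every Reply-Message value."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            break
        if attr_type == ATTR_REPLY_MESSAGE:
            out.append(packet[pos + 2:pos + attr_len].decode("utf-8", "replace"))
        pos += attr_len
    return out
```

The incident id is the only per-attempt value in the message, so the help desk can match it against the AAA server's own log (where the real cause lives) without that cause ever leaving the server.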
