07-22-2009 07:22 AM - edited 03-10-2019 04:36 PM
Is it possible to configure ACS 4.x to return reason that caused the user to be rejected (e.g. account disabled, wrong user/password...) to NAS?
07-22-2009 07:35 AM
The communication between the AAA client and the NAS is done using Radius:
1 Access-Request
2 Access-Accept
3 Access-Reject
An external database like Active Directory would send those types of messages (account disabled, wrong user/password...) to the AAA server, but I don't believe it can forward them to the AAA client.
Thanks...
07-23-2009 03:01 AM
...and there is a good reason why you *never* do this.
Security 101 - don't tell users why an authentication has failed - they might not be who you think they are.
Yes, it's a pain when real valid users can't authenticate and they have to ring the support team. But the alternative is far worse.
07-23-2009 05:00 AM
...but if it is a customer request...
An application, when authenticating users, should differentiate between users that are disabled and those that mistyped user/pass.
07-23-2009 05:43 AM
No, never.
If you do, then you're telling a potential hacker that the username he/she just tried is valid.
Getting a username is half the job done.
Remember ACS is aimed at remote access and wireless where logins could be coming from anywhere.
What it could do is include a failure message to the end user that includes the help desk telephone number and perhaps a unique incident id. That's secure and helpful.
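The pattern from the last reply, shown as an added example that is not from this thread and not ACS code: every failure reason produces the same Access-Reject and the same generic Reply-Message (help desk number plus a random incident id), while the real reason is kept only in the server-side audit record keyed by that id. The help desk number, the `AuthOutcome` shape and the `encode_reply_message` helper are assumptions; the packet codes and the Reply-Message attribute type are from RFC 2865.

```python
import logging
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# RADIUS packet codes (RFC 2865), the three the thread lists
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
REPLY_MESSAGE_TYPE = 18  # Reply-Message attribute, text shown to the user

HELP_DESK = "+1-555-0100"  # constructed placeholder, not a real number
log = logging.getLogger("aaa")


@dataclass
class AuthOutcome:
    username: str
    accepted: bool
    reason: str  # internal detail: "account disabled", "bad password", "no such user"


@dataclass
class RadiusReply:
    code: int
    reply_message: str


def build_reply(outcome: AuthOutcome) -> Tuple[RadiusReply, Dict[str, str]]:
    """Return (reply sent to the NAS, audit record kept on the server).
    The NAS-facing text never depends on the failure reason; only the audit record does."""
    if outcome.accepted:
        return RadiusReply(ACCESS_ACCEPT, ""), {"user": outcome.username, "result": "accept"}
    incident_id = secrets.token_hex(4)  # random, so it leaks nothing about the reason
    audit = {"user": outcome.username, "result": "reject",
             "reason": outcome.reason, "incident": incident_id}
    log.warning("auth reject user=%s reason=%s incident=%s",
                outcome.username, outcome.reason, incident_id)
    msg = f"Authentication failed. Call the help desk at {HELP_DESK} and quote incident {incident_id}."
    return RadiusReply(ACCESS_REJECT, msg), audit


def encode_reply_message(text: str) -> bytes:
    """Encode text as a Reply-Message attribute: type, length (incl. 2-byte header), value."""
    value = text.encode("utf-8")[:253]  # RFC 2865 caps an attribute value at 253 bytes
    return bytes([REPLY_MESSAGE_TYPE, len(value) + 2]) + value


def replies_are_indistinguishable(reasons: Iterable[str]) -> bool:
    """Defender's check: rejections for different reasons look identical apart from the id."""
    seen = set()
    for reason in reasons:
        reply, audit = build_reply(AuthOutcome("alice", False, reason))
        seen.add(reply.reply_message.replace(audit["incident"], "<id>"))
    return len(seen) == 1
```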