ACS - reject reason

kpanduric
Level 1

Is it possible to configure ACS 4.x to return the reason that caused the user to be rejected (e.g. account disabled, wrong user/password...) to the NAS?

4 Replies

ansalaza
Level 1

The communication between the AAA client and the NAS is done using Radius:

1. Access-Request
2. Access-Accept
3. Access-Reject

An External Database like Active Directory would send those types of messages (account disabled, wrong user/password...) to the AAA Server, but I don't believe it can forward them to the AAA client.

Thanks...

...and there is a good reason why you *never* do this.

Security 101 - don't tell users why an authentication has failed - they might not be who you think they are.

Yes, it's a pain when real valid users can't authenticate and they have to ring the support team. But the alternative is far worse.

..but if it is a customer request....

an application, when authenticating users, should differentiate between users that are disabled and those that mistyped user/pass

No, never.

If you do, then you're telling a potential hacker that the username he/she just tried is valid.

Getting a username is half the job done.

Remember ACS is aimed at remote access and wireless where logins could be coming from anywhere.

What it could do is include a failure message to the end user that includes the help desk telephone number and perhaps a unique incident id. That's secure and helpful.
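Added example, not from this thread and not Cisco ACS code: a Python sketch of the approach in the last reply, where every Access-Reject carries the same generic Reply-Message (help-desk number plus incident id) and the real cause is written only to a server-side audit log. The packet layout and Response Authenticator follow RFC 2865; the help-desk number, shared secret and audit-log structure are constructed placeholders.

```python
import hashlib
import struct
import uuid

ACCESS_REJECT = 3      # RADIUS packet code for Access-Reject (RFC 2865)
REPLY_MESSAGE = 18     # attribute type the NAS may display to the user

# Server-side audit log (constructed for this example): the real cause stays here.
AUDIT_LOG = []


def reply_message_attr(text: str) -> bytes:
    """Encode a Reply-Message attribute as Type, Length, Value."""
    value = text.encode("utf-8")
    assert len(value) <= 253, "RADIUS attribute values are limited to 253 bytes"
    return bytes([REPLY_MESSAGE, len(value) + 2]) + value


def build_access_reject(request_id: int, request_auth: bytes, secret: bytes,
                        username: str, internal_reason: str,
                        helpdesk: str = "+1-555-0100") -> tuple:
    """Build an Access-Reject whose Reply-Message is identical for every cause."""
    incident = uuid.uuid4().hex[:8]
    # Only the audit log learns whether it was a disabled account, bad password, ...
    AUDIT_LOG.append({"incident": incident, "user": username, "reason": internal_reason})
    attrs = reply_message_attr(f"Login failed. Call the help desk on {helpdesk} "
                               f"and quote incident {incident}.")
    header = struct.pack("!BBH", ACCESS_REJECT, request_id, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs, incident


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator as the NAS would, using the shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == resp_auth


def parse_reply_message(packet: bytes) -> str:
    """Return the Reply-Message text from a RADIUS packet (empty string if absent)."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break  # malformed attribute; stop rather than loop forever
        if atype == REPLY_MESSAGE:
            return packet[pos + 2:pos + alen].decode("utf-8")
        pos += alen
    return ""
```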