11-23-2010 05:07 AM - edited 03-10-2019 05:36 PM
Hi all!
I'm struggling with finding out how you configure the local user account lockout policy in ACS 5.2.
In 4.2.1 there is the "Failed attempts exceed" option, see link for more details:
But in 5.2 I cannot find the option:
Can someone spread some light over where I configure this?
BR /Crille
11-23-2010 10:39 AM
You can't lockout due to "failed attempts". You can only lockout due to "password expiration". This option is in "system administration > Users > authentication settings". Please rate if it helps.
11-23-2010 02:16 PM
You can't? That sounds strange, why on earth would Cisco remove that functionality?
I found out that it's available in Cisco ACS Express 5.0.1 as well:
I'm hoping it's just hidden in some other screen.
11-23-2010 03:35 PM
That link is for "ACS Express" which is a different product.
Anyway, about ACS 5.2, I did some deep research and it seems ACS could support a maximum of 3 retry attempts when using "PEAP" or "EAP-FAST".
Go to "Access Policies > Access Services", then edit one of those services and click "Allowed Protocols", then click "PEAP" or "EAP-FAST" and type the number of retries. About the other protocols, it seems it's not supported.
11-23-2010 09:38 PM
I don't believe that setting is related to account lockout, but the number of times ACS tries to request credentials before returning "login failure".
Can you link to or tell me which chapter in the manual you refer to?
I think it's time for a TAC request, this is fishy.
11-23-2010 11:52 PM
Just found a bug id that states it's not supported.
| CSCth12406 Bug Details |
|---|
| ACS 5 does not have option to disable local account on failed attempts |
| Symptom: ACS 5 does not have an option to disable local account in internal identity store on failed attempts |
| Conditions: When ACS 5 is used to only authenticate users using internal identity store, there is no way to configure an account lockout policy for failed attempts. |
| Workaround: Currently there is no workaround |
11-24-2010 12:22 AM
Hi All,
This bug, CSCth12406 "ACS 5 does not have option to disable local account on failed attempts", is an enhancement request. So this feature might be included in future releases.
Thanks,
Vinay
_________________
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.