07-22-2009 07:22 AM - edited 03-10-2019 04:36 PM
Is it possible to configure ACS 4.x to return reason that caused the user to be rejected (e.g. account disabled, wrong user/password...) to NAS?
07-22-2009 07:35 AM
The communication between the AAA client and the NAS is done using Radius:
1 Access-Request
2 Access-Accept
3 Access-Reject
An External Database like Active Directory would send those type of messages (account disabled, wrong user/password..) to the AAA Server, but I don't believe it can forward them to the AAA client.
Thanks...
07-23-2009 03:01 AM
...and there is a good reason why you *never* do this.
Security 101 - don't tell users why an authentication has failed - they might not be who you think they are.
Yes it's a pain when real valid users can't authenticate and they have to ring the support team. But the alternative is far worse.
07-23-2009 05:00 AM
..but if it is a customer request....
an application, when authenticating users, should differentiate between users that are disabled and those that mistyped user/pass
07-23-2009 05:43 AM
No, never.
If you do, then you're telling a potential hacker that the username he/she just tried is valid.
Getting a username is half the job done.
Remember ACS is aimed at remote access and wireless where logins could be coming from anywhere.
What it could do is include a failure message to the end user that includes the help desk telephone number and perhaps a unique incident id. That's secure and helpful.
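As an added illustration of the approach in the reply above (this is example code, not part of the thread and not ACS code), the following builds a RADIUS Access-Reject (code 3, RFC 2865) whose Reply-Message attribute carries only a help desk number and an incident id, identical whether the cause was a disabled account or a wrong password, while the real cause is written to a server-side audit list. The shared secret, Request Authenticator, help desk number and the `reject`/`parse_reply_message` helpers are constructed for the example.

```python
"""Added example: a RADIUS Access-Reject that never reveals the failure cause to the NAS.
The real reason is kept server-side, keyed by the incident id sent to the user."""
import hashlib
import hmac
import struct
import uuid

ACCESS_REJECT = 3                  # RADIUS packet code 3 (RFC 2865)
ATTR_REPLY_MESSAGE = 18            # RADIUS attribute type 18, Reply-Message
HELP_DESK_NUMBER = "+1-555-0100"   # constructed placeholder, not a real help desk


def generic_reject_text(incident_id: str) -> str:
    """Same wording for every failure cause; only the incident id varies."""
    return (f"Login failed. Contact the help desk at {HELP_DESK_NUMBER} "
            f"and quote incident {incident_id}.")


def build_access_reject(request_id: int, request_authenticator: bytes,
                        secret: bytes, reply_message: str) -> bytes:
    """Encode Code/ID/Length, the Response Authenticator and one Reply-Message attribute."""
    value = reply_message.encode("utf-8")[:253]   # attribute value is at most 253 bytes
    attrs = struct.pack("!BB", ATTR_REPLY_MESSAGE, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_REJECT, request_id, 20 + len(attrs))
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """What the NAS does on receipt: recompute the Response Authenticator and compare."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_reply_message(packet: bytes) -> str:
    """Walk the attribute list and return the Reply-Message text ('' if absent)."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:           # malformed attribute; stop rather than loop forever
            break
        if attr_type == ATTR_REPLY_MESSAGE:
            return packet[pos + 2:pos + attr_len].decode("utf-8")
        pos += attr_len
    return ""


def reject(reason: str, request_id: int, request_authenticator: bytes,
           secret: bytes, audit_log: list) -> bytes:
    """Record the real cause server-side; send only the generic text to the NAS."""
    incident_id = uuid.uuid4().hex[:8]
    audit_log.append({"incident": incident_id, "reason": reason})
    return build_access_reject(request_id, request_authenticator, secret,
                               generic_reject_text(incident_id))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed, never reuse in production
    req_auth = bytes(range(16))                # constructed Request Authenticator
    log = []
    for cause in ("account disabled", "wrong password"):
        pkt = reject(cause, 0x2A, req_auth, secret, log)
        print(pkt[0], verify_response_authenticator(pkt, req_auth, secret),
              parse_reply_message(pkt))
    print(log)   # the only place the two causes differ
```

Running it shows two rejects whose Reply-Message text differs only in the incident id; the help desk looks the id up in the audit record to learn whether the account was disabled or the password was wrong, so the distinction the customer asked for still exists, just not on the wire.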