ACS - reject reason

kpanduric
Level 1

Is it possible to configure ACS 4.x to return reason that caused the user to be rejected (e.g. account disabled, wrong user/password...) to NAS?

4 Replies

ansalaza
Level 1

The communication between the AAA client and the NAS is done using RADIUS:

1. Access-Request
2. Access-Accept
3. Access-Reject

An external database like Active Directory would send those types of messages (account disabled, wrong user/password...) to the AAA server, but I don't believe it can forward them to the AAA client.

Thanks...

...and there is a good reason why you *never* do this.

Security 101 - don't tell users why an authentication has failed - they might not be who you think they are.

Yes, it's a pain when real valid users can't authenticate and they have to ring the support team. But the alternative is far worse.

..but if it is a customer request....

an application, when authenticating users, should differentiate between users that are disabled and those that mistyped user/pass

No, never.

If you do, then you're telling a potential hacker that the username he/she just tried is valid.

Getting a username is half the job done.

Remember ACS is aimed at remote access and wireless where logins could be coming from anywhere.

What it could do is include a failure message to the end user that includes the help desk telephone number and perhaps a unique incident id. That's secure and helpful.
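The pattern the last reply suggests, as an added illustration that is not code from this thread or from ACS: the server decides the real cause (unknown user, disabled account, wrong password), writes it to its own audit log under a generated incident id, and hands the NAS one uniform reject text carrying only the help desk number and that id. The user store, help desk number and function names are constructed for the example.

```python
import logging
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store (plaintext passwords only for this demo);
# a real AAA server would consult its external database instead.
USERS = {
    "alice": {"password": "correct-horse", "disabled": False},
    "bob":   {"password": "battery-staple", "disabled": True},
}

HELP_DESK = "+1-555-0100"  # placeholder help desk number
log = logging.getLogger("auth-audit")


@dataclass
class AuthResult:
    accepted: bool
    reply_message: str            # text returned to the NAS / end user
    incident_id: Optional[str] = None


def _generic_reject(incident_id: str) -> str:
    # Identical wording for every failure cause, so the reply never reveals
    # whether the username exists or the account is disabled.
    return (f"Authentication failed. Contact the help desk at {HELP_DESK} "
            f"and quote incident {incident_id}.")


def authenticate(username: str, password: str) -> AuthResult:
    """Accept or reject; the precise cause is logged server-side only."""
    user = USERS.get(username)
    if user is None:
        cause = "unknown user"
    elif user["disabled"]:
        cause = "account disabled"
    elif not secrets.compare_digest(user["password"], password):
        cause = "wrong password"
    else:
        return AuthResult(True, "Welcome")
    incident_id = secrets.token_hex(8)
    # Detailed reason stays in the audit log, keyed by the incident id the
    # help desk can look up when the user calls.
    log.warning("incident=%s user=%r cause=%s", incident_id, username, cause)
    return AuthResult(False, _generic_reject(incident_id), incident_id)


def rejects_indistinguishable(a: AuthResult, b: AuthResult) -> bool:
    """True when two rejects differ only in their incident id."""
    return (a.reply_message.replace(a.incident_id, "ID")
            == b.reply_message.replace(b.incident_id, "ID"))
```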
