Cisco Support Community

New Member

ACS - reject reason

Is it possible to configure ACS 4.x to return reason that caused the user to be rejected (e.g. account disabled, wrong user/password...) to NAS?

4 REPLIES
Bronze

Re: ACS - reject reason

The communication between the AAA client and the NAS is done using Radius:

1. Access-Request
2. Access-Accept
3. Access-Reject

An External Database like Active Directory would send those types of messages (account disabled, wrong user/password...) to the AAA Server, but I don't believe it can forward them to the AAA client.

Thanks...

Silver

Re: ACS - reject reason

...and there is a good reason why you *never* do this.

Security 101 - don't tell users why an authentication has failed - they might not be who you think they are.

Yes, it's a pain when real valid users can't authenticate and they have to ring the support team. But the alternative is far worse.

New Member

Re: ACS - reject reason

..but if it is a customer request....

an application, when authenticating users, should differentiate between users that are disabled and those that mistyped user/pass

Silver

Re: ACS - reject reason

No, never.

If you do, then you're telling a potential hacker that the username he/she just tried is valid.

Getting a username is half the job done.

Remember ACS is aimed at remote access and wireless where logins could be coming from anywhere.

What it could do is include a failure message to the end user that includes the help desk telephone number and perhaps a unique incident id. That's secure and helpful.
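The two points made in this thread (the RADIUS server only returns Access-Accept or Access-Reject to the NAS, and the reject should carry a generic message with a help desk number and incident id rather than the real reason) can be shown together in code. The following is an added example written for this page; it is not Cisco ACS code and does not come from any of the posters. It assumes a constructed user store, a placeholder help desk number, a constructed shared secret, and builds the RADIUS Access-Reject and its Reply-Message attribute by hand per RFC 2865. The specific reason ("account disabled", "wrong password", "unknown user") goes only to a server-side audit log keyed by the incident id, so the help desk can look it up while the NAS and the user see identical wording for every failure.

```python
# Added example: generic RADIUS Access-Reject with server-side incident logging.
import hashlib
import secrets
import struct

# RADIUS codes and the Reply-Message attribute type (RFC 2865)
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
REPLY_MESSAGE = 18

HELP_DESK = "555-0100"  # constructed placeholder number

# Constructed user store: username -> (password, enabled). Plaintext only so the demo runs stand-alone.
USERS = {
    "alice": ("correct-horse", True),
    "bob": ("battery-staple", False),  # disabled account
}

AUDIT_LOG = []  # server-side only; never serialised into the RADIUS reply


def classify(username, password):
    """Return the specific failure reason, or None if the login is good. Server-side use only."""
    record = USERS.get(username)
    # Compare against a dummy value for unknown users so that path does similar work to a known user.
    stored, enabled = record if record else ("\0" * 16, False)
    password_ok = secrets.compare_digest(stored.encode(), password.encode())
    if record is None:
        return "unknown user"
    if not password_ok:
        return "wrong password"
    if not enabled:
        return "account disabled"
    return None


def generic_failure_text(incident):
    """The only wording the NAS ever receives for a failed login; just the incident id varies."""
    return f"Login failed. Call the help desk on {HELP_DESK} and quote incident {incident}."


def decide(username, password):
    """Map a login attempt to (RADIUS code, Reply-Message text, incident id or None)."""
    reason = classify(username, password)
    if reason is None:
        return ACCESS_ACCEPT, "Welcome", None
    incident = secrets.token_hex(4)
    AUDIT_LOG.append({"incident": incident, "user": username, "reason": reason})
    return ACCESS_REJECT, generic_failure_text(incident), incident


def build_reply(code, identifier, request_authenticator, secret, text):
    """Encode a RADIUS response carrying one Reply-Message attribute (RFC 2865 sections 3 and 5.18)."""
    body = text.encode()
    if len(body) > 253:  # the attribute length byte includes the 2-byte type/length header
        raise ValueError("Reply-Message too long")
    attrs = struct.pack("!BB", REPLY_MESSAGE, 2 + len(body)) + body
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(packet, request_authenticator, secret):
    """Check the Response Authenticator the way a NAS would before trusting the reply."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return secrets.compare_digest(resp_auth, expected)


def parse_reply(packet):
    """Return (code, [Reply-Message texts]) as a NAS would read them for display to the user."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    offset, texts = 20, []
    while offset < length:
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("malformed attribute")
        if atype == REPLY_MESSAGE:
            texts.append(packet[offset + 2:offset + alen].decode())
        offset += alen
    return code, texts


def handle_login(username, password, identifier, request_authenticator, secret):
    """Full server-side path: decide, encode, and return the packet plus the incident id (if any)."""
    code, text, incident = decide(username, password)
    return build_reply(code, identifier, request_authenticator, secret, text), incident


if __name__ == "__main__":
    req_auth = secrets.token_bytes(16)  # stands in for the NAS's Request Authenticator
    for user, pw in [("alice", "correct-horse"), ("alice", "wrong"), ("bob", "battery-staple"), ("mallory", "x")]:
        pkt, _ = handle_login(user, pw, 7, req_auth, b"shared-secret")
        print(user, parse_reply(pkt))
    print(AUDIT_LOG)  # the real reasons live here, not on the wire
```

Running the script shows three rejects whose Reply-Message differs only in the incident id, while the audit log records "wrong password", "account disabled" and "unknown user" against those ids. The help desk resolves the id to the reason; an attacker probing usernames through the NAS learns nothing from the reply text.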
