Cisco Support Community

New Member

ACS v5.2 and LDAP: Active Directory Accounts not being disabled after a number of failed attempts.

We have a v5.2 ACS which is authenticating against Windows Active Directory using secure LDAP. The authentication is working fine. However, there is an issue with disabling the account after a number of failed attempts. The Active Directory policy is set to disable the account after 5 failed attempts. This policy doesn't work if the authentication comes from the ACS. We can have many consecutive failures on an AD account and it does not get disabled.

It looks like after the ACS does a bind to the LDAP server, all the traffic that comes from the ACS is seen by Active Directory as a query. So all authentications from users, whether they authenticate or not, are just queries, and it doesn't log failed authentications.

Has anyone out there managed to successfully enforce this kind of policy using ACS and LDAP?

Any advice would be appreciated.


BTW: The authentications mainly come from Network Devices and not servers.
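The first thing to establish with a problem like the one above is whether failed logins that arrive through the ACS are being counted against the AD account at all, and on which domain controller. The PowerShell below is an added example, not code from the original post or from Cisco; it assumes a dedicated test account (`$TestUser`), the ActiveDirectory RSAT module, and that you know which DC the ACS binds to (`$DomainController`). It snapshots `badPwdCount` and `lockoutTime` on that DC, waits while you generate a few failed logins through the ACS from a network device, then reads the counters again.

```powershell
# Added example (not from the original post): verify whether failed
# authentications routed through the ACS increment badPwdCount on the DC.
# Assumes a disposable test account and an admin session with RSAT installed.
param(
    [Parameter(Mandatory)] [string] $TestUser,          # sAMAccountName of the test account
    [Parameter(Mandatory)] [string] $DomainController,  # DC the ACS binds to
    [int] $WaitSeconds = 120                            # window in which to generate ACS failures
)

Import-Module ActiveDirectory

function Get-LockoutState {
    param([string] $User, [string] $Server)
    # badPwdCount and lockoutTime are NOT replicated between DCs. Always read them
    # from the DC that services the ACS, otherwise the counter you see may be stale.
    $u = Get-ADUser -Identity $User -Server $Server `
                    -Properties badPwdCount, lockoutTime, LastBadPasswordAttempt, LockedOut
    [pscustomobject]@{
        User        = $u.SamAccountName
        BadPwdCount = [int] $u.badPwdCount
        LockoutTime = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        LastBadPwd  = $u.LastBadPasswordAttempt
        LockedOut   = $u.LockedOut
    }
}

$before = Get-LockoutState -User $TestUser -Server $DomainController
Write-Host "Before:" ($before | Format-List | Out-String)

Write-Host "Now generate failed logins for '$TestUser' through the ACS (wrong password at a network device)."
Write-Host "Waiting $WaitSeconds seconds..."
Start-Sleep -Seconds $WaitSeconds

$after = Get-LockoutState -User $TestUser -Server $DomainController
Write-Host "After:" ($after | Format-List | Out-String)

if ($after.BadPwdCount -gt $before.BadPwdCount) {
    Write-Host ("Failures via ACS ARE being counted on {0}: badPwdCount {1} -> {2}" -f
        $DomainController, $before.BadPwdCount, $after.BadPwdCount)
} else {
    Write-Warning ("badPwdCount did not change on {0}. Either the failed logins were serviced by a " +
        "different DC, or the ACS path is not performing a user bind: AD only counts failed " +
        "binds against the account, not searches or compares issued under the service account." -f
        $DomainController)
}
```

Run it once with failures generated through the ACS, and once more while failing a direct LDAP simple bind as the test account from a workstation against the same DC. If the second run moves the counter and the first does not, the problem is the ACS authentication method rather than the AD policy; if neither moves it, check that you are reading the DC that actually handled the attempts. Keep the number of attempts within the domain's "reset account lockout counter after" window so the comparison is meaningful.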
