Bronze

PEAP with ACS 5.4 - How to Prevent Active Directory Account locks?

I have a WLC4402 with a PEAP WLAN, relaying authentication to ACS Server 5.4 via RADIUS. ACS then has a network access policy to send these requests to Active Directory.

All works great except for one issue. When a user changes their AD password (which we require every 90 days), and they forget to update it across all devices, that device re-tries to get on the WLAN, resulting in the user's account being locked out.

Is there a way to prevent this in ACS?  Say, after 2 failed attempts, pause 30 seconds?   

6 REPLIES
Bronze

PEAP with ACS 5.4 - How to Prevent Active Directory Account lock

Would configuring these commands on the controller help?

config advanced eap identity-request-retries (default is 20)

config advanced eap request-retries (default is 2)


New Member

Re: PEAP with ACS 5.4 - How to Prevent Active Directory Account

No, those commands control the RADIUS traffic between the controller and the ACS server only, to cater for network delays etc. between the two devices.

I'm not sure how to fix your issue. What type of devices are caching credentials and causing the lockouts?

Generally, tablets and smartphones that fail auth will prompt a user to supply new credentials upon failure, so I'm guessing it's maybe Windows laptops that are using cached credentials?

Nigel.

Sent from Cisco Technical Support iPad App
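Nigel's question above (which devices are caching credentials and causing the lockouts) can be answered from the RADIUS authentication log rather than guessed. As an added example, not code from this thread or from Cisco, the Python below groups failed PEAP authentications by user and Calling-Station-ID and flags users whose failures inside one AD reset window reach the lockout threshold; the log format, MAC addresses, user names and the AD policy values are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on an ACS 5.x authentication report:
# timestamp, user, Calling-Station-ID (client MAC), result. Every value is
# an assumption for this example, not output captured from a real ACS.
SAMPLE_LOG = """\
2014-03-03 08:00:01,jdoe,C4-2C-03-AA-BB-01,FAIL
2014-03-03 08:00:04,jdoe,C4-2C-03-AA-BB-01,FAIL
2014-03-03 08:00:07,jdoe,C4-2C-03-AA-BB-01,FAIL
2014-03-03 08:00:10,jdoe,C4-2C-03-AA-BB-01,FAIL
2014-03-03 08:00:12,jdoe,C4-2C-03-AA-BB-01,FAIL
2014-03-03 08:02:30,jdoe,00-1E-C2-11-22-33,PASS
2014-03-03 08:05:00,asmith,D8-9E-3F-44-55-66,FAIL
2014-03-03 09:10:00,asmith,D8-9E-3F-44-55-66,FAIL
"""
# Assumed AD policy values: substitute your domain's "Account lockout
# threshold" and "Reset account lockout counter after" settings.
LOCKOUT_THRESHOLD = 5
RESET_WINDOW = timedelta(minutes=30)

def parse_records(text):
    """Parse CSV lines into (timestamp, user, mac, result) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, mac, result = line.split(",")
            records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, mac, result))
    return records

def users_at_risk(records, threshold=LOCKOUT_THRESHOLD, window=RESET_WINDOW):
    """Map users whose failures reach the threshold inside one reset window to
    (peak failure count, MACs that sent them). AD counts every bad password for
    the account regardless of device, so one stale device alone trips lockout."""
    stamps, macs = defaultdict(list), defaultdict(set)
    for ts, user, mac, result in records:
        if result == "FAIL":
            stamps[user].append(ts)
            macs[user].add(mac)
    at_risk = {}
    for user, times in stamps.items():
        times.sort()
        peak = start = 0
        for end, ts in enumerate(times):   # sliding window over sorted failures
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            at_risk[user] = (peak, sorted(macs[user]))
    return at_risk
```

Run it against the failed-authentication export for the affected SSID; the MAC list for a flagged user is the device still holding the old password.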

Bronze

Re: PEAP with ACS 5.4 - How to Prevent Active Directory Account

So what you're saying is the retry values only come in to play if the RADIUS server is inaccessible, right?

Windows laptops actually work just fine, because many of them are using machine authentication.  The main issue seems to be from iPhones, which are saving the username/password and then re-attempting too many times when the user changes password.

One solution is to use LDAP instead of AD within ACS, but the downside is the password can be guessed thousands of times in a row and is open to dictionary attacks. We do enforce complex password policies so the likelihood of an account being compromised is slim, but I'd rather eliminate the chance entirely.

New Member

Re: PEAP with ACS 5.4 - How to Prevent Active Directory Account

Yes, that's correct.

Interesting to hear about the iPhone issue. I'm sorry I don't have a solution to your issue, but will be interested to hear if anyone else can come up with a suggestion. Unless there is some type of setting that could be pushed out using a profile of some type, I can't think how to get around this issue...sorry.

All the best.

Nigel.


Sent from Cisco Technical Support iPad App

Bronze

FYI Apple finally fixed this

FYI Apple finally fixed this behavior with iOS 8

New Member

This is 100% controlled by AD

This is 100% controlled by AD and there is nothing you can do in ACS to resolve it. ACS is acting no different than any other AD server, such as a file server, in authenticating a user.

Moreover, you would not want to even if you could, since this would effectively negate a large part of the protection against attempts to brute-force a user's password.
