New Member

PEAP - NT Domain Denial Of Service Attack

I'm looking for some feedback on the following perceived issue.

Assumptions:

1) A PEAP implementation where PEAP authentication is configured to use a static NT user/pass combination as credentials.

2) The ACS has an unknown user policy to check the NT Domain

3) Your NT Domain security policy locks accounts after 5 failed attempted logins

Question:

Given that PEAP does not enforce client-side verification and that any XP SP1 client (perhaps the Cisco ACU, depending on configuration) can attempt a PEAP login, a client that maliciously enters wrong passwords could create a Denial of Service attack against the NT Domain (legitimate users will be locked out).

Thoughts?
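The lockout risk described above is visible on the RADIUS/ACS side before the domain acts on it: failed PEAP attempts arrive at the authentication server first. The following is an added example (not code from the original thread or from Cisco) that reads a constructed, simplified failed-attempts log and flags two things a defender would want: accounts whose failure count within a sliding window reaches the domain lockout threshold, and a single calling station failing against several distinct accounts, which is the pattern that distinguishes deliberate lockout abuse from one misconfigured client. The CSV layout, field names and sample values are assumptions for the example, not the real ACS log schema.

```python
"""Flag lockout-style abuse in a failed-authentication log.

Added example, not part of the original thread. The log format is a
constructed CSV (timestamp,username,calling_station_id,result); the
field layout is an assumption, not the real Cisco Secure ACS schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # matches the NT domain policy in the question
WINDOW = timedelta(minutes=10)   # observation window (assumption)

# Constructed sample log. One station hammers two accounts to the
# threshold; a third user fails once and then succeeds (benign typo).
SAMPLE_LOG = """\
2004-03-01 09:00:01,jsmith,00-0C-F1-11-22-33,Fail
2004-03-01 09:00:03,jsmith,00-0C-F1-11-22-33,Fail
2004-03-01 09:00:05,jsmith,00-0C-F1-11-22-33,Fail
2004-03-01 09:00:07,jsmith,00-0C-F1-11-22-33,Fail
2004-03-01 09:00:09,jsmith,00-0C-F1-11-22-33,Fail
2004-03-01 09:00:11,mjones,00-0C-F1-11-22-33,Fail
2004-03-01 09:00:13,mjones,00-0C-F1-11-22-33,Fail
2004-03-01 09:00:15,mjones,00-0C-F1-11-22-33,Fail
2004-03-01 09:00:17,mjones,00-0C-F1-11-22-33,Fail
2004-03-01 09:00:19,mjones,00-0C-F1-11-22-33,Fail
2004-03-01 09:05:00,akumar,00-0C-F1-AA-BB-CC,Fail
2004-03-01 09:05:30,akumar,00-0C-F1-AA-BB-CC,Pass
"""


def parse_log(text):
    """Parse the constructed CSV into (timestamp, user, station, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, station, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       user, station, result))
    return events


def users_at_lockout_risk(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {user: peak_failures} for users whose failures inside any
    sliding window of length `window` reach the lockout threshold."""
    failures = defaultdict(list)
    for ts, user, _station, result in events:
        if result == "Fail":
            failures[user].append(ts)

    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def stations_hitting_many_users(events, min_users=2):
    """Return {calling_station_id: [users]} for stations that produced
    failures against at least `min_users` distinct accounts. A genuine
    client with a stale password fails as one user; an abuser cycles
    through many."""
    per_station = defaultdict(set)
    for _ts, user, station, result in events:
        if result == "Fail":
            per_station[station].add(user)
    return {s: sorted(u) for s, u in per_station.items() if len(u) >= min_users}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("accounts at lockout threshold:", users_at_lockout_risk(evts))
    print("stations failing against multiple accounts:",
          stations_hitting_many_users(evts))
```

Run against a real export, the second function is the more useful alert: it fires on the abuse pattern well before every targeted account has reached the threshold, and the calling-station identifier gives the operator something concrete to block or trace at the access point.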

1 REPLY
Silver

Re: PEAP - NT Domain Denial Of Service Attack

PEAP does not provide credential caching. Any logins to Windows NT file systems will be separate and subsequent to PEAP login.

PEAP supports silent session resume (upon RADIUS session timeout) when only the first phase of PEAP is executed. In the second phase, the previous authentication state is reused. Hence, users will not be required to re-authenticate until the PEAP session timeout expires. The duration of the PEAP session timeout is configurable from the Cisco Secure ACS graphical user interface (GUI).

You can find more information in this URL:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_qanda_item09186a008010018c
