419 Views | 0 Helpful | 1 Reply

PEAP - NT Domain Denial Of Service Attack

jonmell
Level 1

I'm looking for some feedback on the following perceived issue.

Assumptions:

1) A PEAP implementation where PEAP authentication is configured to use a static NT user/pass combination as credentials.

2) The ACS has an unknown user policy to check the NT Domain

3) Your NT Domain security policy locks accounts after 5 failed login attempts

Question:

Given that PEAP does not enforce client-side verification and that any XP SP1 client (and perhaps the Cisco ACU, depending on configuration) can attempt a PEAP login, a client that maliciously enters wrong passwords could create a Denial of Service attack against the NT Domain (legitimate users will be locked out).

Thoughts?
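The lockout scenario in the question is easy to see in authentication logs if someone looks for it: one source producing failures across many accounts, or a single account accumulating failures just under the lockout threshold. The following detection script is an added example, not code from this thread or from Cisco. It assumes a simplified, constructed log line format (`timestamp nas_ip username PASS|FAIL`) rather than the real ACS "Failed Attempts" CSV layout, and assumes the 5-attempt lockout threshold and a 10-minute window as stated in the question; only the parser would need adapting for real ACS exports.

```python
"""Detect account-lockout denial-of-service patterns in RADIUS/ACS failed-auth logs.

Added example, not Cisco's code. Assumes a constructed, simplified log format:
    <ISO timestamp> <nas_ip> <username> <PASS|FAIL>
Real Cisco Secure ACS "Failed Attempts" reports are CSV; only parse_line()
would need to change to use them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5          # assumed NT domain policy from the question
WINDOW = timedelta(minutes=10)  # assumed observation window

# Constructed sample log lines (not real ACS output).
SAMPLE_LOG = """\
2004-03-01T09:00:01 10.0.0.5 alice FAIL
2004-03-01T09:00:05 10.0.0.5 alice FAIL
2004-03-01T09:00:09 10.0.0.5 alice FAIL
2004-03-01T09:00:12 10.0.0.5 alice FAIL
2004-03-01T09:00:15 10.0.0.5 bob FAIL
2004-03-01T09:00:18 10.0.0.5 carol FAIL
2004-03-01T09:00:21 10.0.0.5 dave FAIL
2004-03-01T09:01:00 10.0.0.7 bob PASS
2004-03-01T09:30:00 10.0.0.7 alice PASS
"""


def parse_line(line):
    """Split one log line into (timestamp, nas_ip, username, result)."""
    ts, nas, user, result = line.split()
    return datetime.fromisoformat(ts), nas, user, result


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def failures_per_user(events, window=WINDOW):
    """Peak number of failures per user inside any sliding window of `window`."""
    by_user = defaultdict(list)
    for ts, _nas, user, result in events:
        if result == "FAIL":
            by_user[user].append(ts)
    peaks = {}
    for user, times in by_user.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            # advance the window start until all events fit within `window`
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[user] = best
    return peaks


def users_near_lockout(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Accounts that reached threshold-1 failures in a window: about to be locked out."""
    peaks = failures_per_user(events, window)
    return sorted(u for u, n in peaks.items() if n >= threshold - 1)


def spraying_sources(events, min_users=3, window=WINDOW):
    """NAS/client IPs whose failures hit many distinct accounts in one window.

    Failures spread across accounts from one source is the lockout-DoS signature;
    a legitimate user mistyping a password touches one account.
    """
    by_nas = defaultdict(list)
    for ts, nas, user, result in events:
        if result == "FAIL":
            by_nas[nas].append((ts, user))
    flagged = {}
    for nas, items in by_nas.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({u for _, u in items[start:end + 1]})
            best = max(best, distinct)
        if best >= min_users:
            flagged[nas] = best
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("accounts near lockout:", users_near_lockout(events))
    print("sources failing across many accounts:", spraying_sources(events))
```

On the constructed sample, `alice` reaches four failures within seconds (one short of the assumed threshold) and `10.0.0.5` is flagged for failing against four different accounts, which is the pattern an operator would want paged on before the domain controller starts locking accounts.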

1 Reply

thomas.chen
Level 6

PEAP does not provide credential caching. Any logins to Windows NT file systems will be separate and subsequent to PEAP login.

PEAP supports silent session resume (upon RADIUS session timeout) when only the first phase of PEAP is executed. In the second phase, the previous authentication state is reused. Hence, users will not be required to re-authenticate until the PEAP session timeout expires. The duration of the PEAP session timeout is configurable from the Cisco Secure ACS graphical user interface (GUI).

You can find more information in this URL:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_qanda_item09186a008010018c
