I'm looking for some feedback on the following perceived issue.
Assumptions:
1) A PEAP implementation where PEAP authentication is configured to use a static NT user/pass combination as credentials.
2) The ACS has an unknown user policy to check the NT Domain.
3) Your NT Domain security policy locks accounts after 5 failed attempted logins.
Question:
Given that PEAP does not enforce client-side verification and that any XP SP1 (perhaps the Cisco ACU, depending on configuration) client can attempt a PEAP login, if a client maliciously attacks by entering wrong passwords, they could create a Denial of Service attack (legitimate users will be locked out) against the NT Domain.
Thoughts?
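
One way to spot the condition described in the post from authentication records, given here as an added example that is not part of the original post. The record layout, the MAC addresses and the 30-minute counter-reset window are constructed assumptions; the threshold of 5 is the one the post states.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                  # from the post: lock after 5 failed logins
RESET_WINDOW = timedelta(minutes=30)   # assumption: failure-counter reset interval

def constructed_sample():
    """Constructed records: (timestamp, username, client MAC, result)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    unknown, alice_pc, carol_pc = ("02:00:00:00:00:99", "02:00:00:00:00:01",
                                   "02:00:00:00:00:03")
    ev = [(t0, "alice", alice_pc, "PASS")]
    for i in range(5):   # one client failing against two different accounts
        ev.append((t0 + timedelta(minutes=10, seconds=10 * i), "alice", unknown, "FAIL"))
        ev.append((t0 + timedelta(minutes=11, seconds=10 * i), "bob", unknown, "FAIL"))
    ev += [(t0 + timedelta(minutes=20), "carol", carol_pc, "FAIL"),   # ordinary typos
           (t0 + timedelta(minutes=20, seconds=30), "carol", carol_pc, "FAIL"),
           (t0 + timedelta(minutes=21), "carol", carol_pc, "PASS")]
    return ev

def find_lockouts(events, threshold=LOCKOUT_THRESHOLD, window=RESET_WINDOW):
    """Return {user: {"locked_at": ts, "sources": {mac: failures}}} for accounts
    whose failures inside the window reach the lockout threshold."""
    pending = defaultdict(list)        # user -> [(ts, mac)] counting toward lockout
    locked = {}
    for ts, user, mac, result in sorted(events):
        if user in locked:
            continue
        if result == "PASS":
            pending[user].clear()      # a successful logon resets the count
            continue
        pending[user] = [(t, m) for t, m in pending[user] if ts - t <= window]
        pending[user].append((ts, mac))
        if len(pending[user]) >= threshold:
            sources = defaultdict(int)
            for _, m in pending[user]:
                sources[m] += 1
            locked[user] = {"locked_at": ts, "sources": dict(sources)}
    return locked

def suspicious_sources(locked, min_accounts=2):
    """Client MACs whose failures contributed to lockouts of several accounts."""
    hit = defaultdict(set)
    for user, info in locked.items():
        for mac in info["sources"]:
            hit[mac].add(user)
    return {m: sorted(u) for m, u in hit.items() if len(u) >= min_accounts}

if __name__ == "__main__":
    locked = find_lockouts(constructed_sample())
    print(locked, suspicious_sources(locked))
```

A single client address contributing to lockouts on several accounts separates the scenario in the post from ordinary mistyped passwords, which appear as a few failures from the user's usual client followed by a success.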