Cisco Bug: CSCvv50134 - ISE implement feature to auto block clients after multiple incorrect password attempts
Aug 31, 2020
- Cisco Identity Services Engine
Known Affected Releases
Symptom: Currently ISE has a suppression feature (Administration > System > Settings > Protocols > Radius), which prevents logging of repeated authentication failures, and thereby guards against system load and rogue clients. It has the option to reject clients automatically after a custom threshold frequency of failures, but this was intended for reducing 'load' and doesn't work if the failures are due to a wrong password (as explained here: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_new_chapter_0101001.html?bookSearch=true#ID911). Customers looking to prevent brute-force password attacks in their network want the ability for their RADIUS server to reject these clients automatically after multiple 'wrong password' attempts.
Conditions: The device is configured for RADIUS authentication.