Cisco Bug: CSCvv50134 - ISE implement feature to auto block clients after multiple incorrect password attempts

Last Modified

Aug 31, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.4(0.910)

Description (partial)

Symptom:
Currently, ISE has a suppression feature (Administration > System > Settings > Protocols > RADIUS), which prevents logging of repeated authentication failures and thus guards against system load and rogue clients.

It has an option to reject clients automatically after a custom threshold frequency of failures, but this was intended for reducing 'load' and doesn't work if the failures are due to a wrong password (as explained here: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_new_chapter_0101001.html?bookSearch=true#ID911).

Customers looking to prevent brute-force password attacks in their network want the ability for their RADIUS server to reject these clients automatically after multiple 'wrong password' attempts.

Conditions:
The device is configured for RADIUS authentication.