AAA, NAC, Guest Access & BYOD

How to disable a guest account automatically after certain number of wrong password attempts

Requirement:

You might have a situation where you want a guest account to be disabled automatically once a user makes a certain number of invalid password attempts in a row. This prevents the password from being guessed by brute force. This article shows how to disable the guest account after a set number of successive wrong attempts.



Solution:

We make use of Insight to compute the number of bad password attempts since the user's last successful login. Once that number reaches the configured maximum, a post-authentication enforcement is used to disable the corresponding guest account.



Configuration:

Insight must be enabled for this to work, so make sure that Insight is enabled on at least one node.

We also need an Insight filter that performs the bad-password count, added as a custom filter. Open the Insight authentication source and click "Add More Filters" to add a new filter.

The query that performs the required computation is below.

SELECT COUNT(*) + 1 AS login_failed_count
FROM auth
WHERE error_code = 216
  AND username = '%{Authentication:Username}'
  AND timestamp > (
        SELECT GREATEST(
            (SELECT timestamp FROM auth
             WHERE error_code = 0
               AND username = '%{Authentication:Username}'
             ORDER BY timestamp DESC LIMIT 1),
            date_trunc('year', NOW())
        )
      )

Add a new filter name and paste in the query above, mapping the attribute name to an alias of your choice. The alias name is what you will reference in your rules.
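As an added illustration (not part of the original article), the PostgreSQL session below rebuilds a minimal copy of the Insight auth table with constructed rows and runs the article's filter query with the %{Authentication:Username} macro replaced by a literal username. The table layout, the usernames and the meaning of the error codes (0 = success, 216 = wrong password, as the article's query implies) are assumptions made for the example; it shows that failures before the last successful login are not counted, and how the query behaves when the account has never logged in successfully this year.

```sql
-- Added example, not code from the original article.
-- Assumptions: PostgreSQL syntax (date_trunc/GREATEST as in the article's
-- query); error_code 0 = success, 216 = wrong password; a minimal auth table.

CREATE TEMP TABLE auth (
    username    text,
    error_code  integer,
    "timestamp" timestamp
);

-- Constructed sample data. guest1: one failure BEFORE the last success
-- (must not be counted), one success, then two failures after it.
-- guest2: never logged in successfully, one failure this year.
-- Note: the offsets are relative to NOW(); if run in the first hour of
-- 1 January some rows would fall into the previous year and be ignored.
INSERT INTO auth VALUES
    ('guest1', 216, NOW() - interval '50 minutes'),
    ('guest1',   0, NOW() - interval '40 minutes'),
    ('guest1', 216, NOW() - interval '20 minutes'),
    ('guest1', 216, NOW() - interval '10 minutes'),
    ('guest2', 216, NOW() - interval '30 minutes');

-- The article's filter query for guest1: only the 2 failures after the
-- last success are counted, plus the +1, so login_failed_count = 3.
SELECT COUNT(*) + 1 AS login_failed_count
FROM auth
WHERE error_code = 216
  AND username = 'guest1'
  AND "timestamp" > (
        SELECT GREATEST(
            (SELECT "timestamp" FROM auth
             WHERE error_code = 0 AND username = 'guest1'
             ORDER BY "timestamp" DESC LIMIT 1),
            date_trunc('year', NOW())
        )
      );

-- Same query for guest2: the inner subquery returns NULL (no success),
-- GREATEST() ignores the NULL and falls back to 1 January, so the one
-- failure since then is counted: login_failed_count = 2.
SELECT COUNT(*) + 1 AS login_failed_count
FROM auth
WHERE error_code = 216
  AND username = 'guest2'
  AND "timestamp" > (
        SELECT GREATEST(
            (SELECT "timestamp" FROM auth
             WHERE error_code = 0 AND username = 'guest2'
             ORDER BY "timestamp" DESC LIMIT 1),
            date_trunc('year', NOW())
        )
      );
```

The script runs as-is in psql against any PostgreSQL database; in Insight the same query runs with the macro substituted at authentication time. Two things worth keeping in mind when you set the threshold in your rules: the count always includes the +1 the article describes, and because the lower bound is date_trunc('year', NOW()), failures recorded in a previous calendar year are never counted, so the counter effectively resets on 1 January for accounts that have not logged in successfully since.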

We also need an enforcement profile that disables the account once the user hits the threshold. This is an enforcement profile of type Post Authentication.

In the service that handles the guest authentication, add Insight as an authorization source.

The rules can be configured as below.

Once the configuration is done as per the screenshots above, the guest user account will be disabled after 5 wrong password attempts. Please note that on the first login attempt, regardless of whether the authentication succeeds or fails, you may see the login failed count as 1; that is because of the +1 in the query and should be ignored.

Verification:

You can verify that the configuration above is working by testing with a guest account and making 5 login attempts with a wrong password.

Create a guest account that can be used for testing.

Try logging in with that account 5 times with an incorrect password. Each time you log in with an incorrect password you will see the "Login Failed Count" increment by 1. Once it reaches 5, the enforcement we configured disables the guest user account.

Once the enforcement has been applied, go back to the guest user accounts and verify that the account is disabled.

Version history: revision 2 of 2, last updated 03-01-2017 03:02 AM.