10-07-2016 07:51 AM
We are having issues with users who have incorrect credentials entered on a mobile device locking out their AD accounts.
We researched Airheads and ...
We deployed the following in our near-production environment successfully. However, when we deployed it in production the solution simply did not work (no indication of badPwdCount) and we began to see failed machine authentications.
Solution: http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access byod/13473/1/Preventing%20AD%20account%20lockout.pdf
These two environments have differences.
Our near-production environment contains 2 CPPM appliances, v6.5.7.
A single DC and instant replication. No issues upon deploying the above solution. Still in place and working great.
Our production environment contains 9 CPPM appliances, v6.5.7, many domain controllers, an F5 handling the balancing, and roughly 70,000+ users daily. Replication is handled by our AD teams and can take upwards of 30-45 minutes. We deployed the solution and began to observe widespread failed machine auths with error 216 (user not found), and when we attempted to enter incorrect creds on a device and observe the query results, we never saw badPwdCount incrementing at all.
We really like this solution because if a user reaches 4 bad password attempts CPPM prevents the device from locking the AD account. We already advise tech support and end users to then remove creds from the device and log into a PC, verifying creds. So end users are already conditioned to perform these steps, which reset the badPwdCount.
We suspect (sans data) the complexities of many DCs and lag times in replication, but are curious what others in a very large multi-campus environment do in regard to this situation. We are looking at a WLAN controller blacklist option or a single server handling the auth requests. However, the CPPM option is a great solution.
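The following is an added, constructed example; it is not code from the post above or from the linked Aruba document. It models the "read badPwdCount, stop forwarding at 4" guard that the post describes and runs it against a small in-memory domain with three DCs behind a round-robin load balancer. The model assumes the behaviour documented for Active Directory, not anything stated in the post: badPwdCount is kept per DC and is not replicated, a non-PDC DC that rejects a password chains the attempt to the PDC emulator (so the PDC's count reflects the domain total), and lockout is decided from that count and replicated. All names, thresholds and traffic are made up; `FakeDC.query_bad_pwd_count` stands in for the real LDAP read of the attribute.

```python
# Constructed model of a ClearPass-style "check badPwdCount before forwarding
# the auth to AD" guard in a multi-DC domain.  Not the post's or Aruba's code.
# Assumed AD behaviour (from AD documentation, not from the post):
#   - badPwdCount is per DC and never replicated;
#   - a non-PDC DC chains a failed logon to the PDC emulator, whose count
#     therefore reflects the domain-wide total;
#   - lockout is decided from the PDC's count and replicated to all DCs.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOCKOUT_THRESHOLD = 5   # assumed AD lockout policy: 5 bad passwords
GUARD_THRESHOLD = 4     # the post's CPPM setting: stop forwarding at 4


@dataclass
class FakeDC:
    """One domain controller.  In a real deployment query_bad_pwd_count is an
    LDAP search for the user's badPwdCount attribute against this DC."""
    name: str
    is_pdc: bool
    passwords: Dict[str, str]                       # constructed user DB
    bad_pwd_count: Dict[str, int] = field(default_factory=dict)

    def query_bad_pwd_count(self, user: str) -> Optional[int]:
        if user not in self.passwords:
            return None                             # no object, no attribute
        return self.bad_pwd_count.get(user, 0)


@dataclass
class FakeDomain:
    dcs: List[FakeDC]
    locked: set = field(default_factory=set)        # lockout, replicated

    @property
    def pdc(self) -> FakeDC:
        return next(dc for dc in self.dcs if dc.is_pdc)

    def authenticate(self, dc: FakeDC, user: str, pwd: str) -> bool:
        """Logon against `dc`.  A bad password bumps this DC's own count and,
        on a non-PDC DC, is chained to the PDC, which decides lockout."""
        if user in self.locked:
            return False
        if dc.passwords.get(user) == pwd:
            return True
        dc.bad_pwd_count[user] = dc.bad_pwd_count.get(user, 0) + 1
        if not dc.is_pdc:
            p = self.pdc
            p.bad_pwd_count[user] = p.bad_pwd_count.get(user, 0) + 1
        if self.pdc.bad_pwd_count.get(user, 0) >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return False


def guard_allows(user: str, sources: List[FakeDC]) -> bool:
    """The CPPM-style check: read badPwdCount from every configured LDAP
    source and refuse to forward once the highest value reaches the
    threshold.  With a single non-PDC source only that DC's share of the
    failures is visible.  An unreadable attribute falls through to AD here;
    that is this model's choice, not necessarily the Aruba policy's."""
    counts = [c for c in (dc.query_bad_pwd_count(user) for dc in sources)
              if c is not None]
    if not counts:
        return True
    return max(counts) < GUARD_THRESHOLD


# Three ways to pick the guard's LDAP source(s).
def single_non_pdc_source(dom: FakeDomain) -> List[FakeDC]:
    return [dom.dcs[1]]          # one ordinary DC, as a load balancer might hand out

def pdc_source(dom: FakeDomain) -> List[FakeDC]:
    return [dom.pdc]             # the DC that sees every failure

def all_dc_sources(dom: FakeDomain) -> List[FakeDC]:
    return list(dom.dcs)         # query all, take the maximum


def run_scenario(pick_sources, attempts: int = 8) -> dict:
    """A phone retrying a stale password `attempts` times, with the load
    balancer rotating each attempt over three DCs (dc0 is the PDC).
    Returns how many attempts reached AD and whether the account locked."""
    pw = {"alice": "correct-horse"}                 # constructed account
    dcs = [FakeDC("dc0", True, dict(pw)),
           FakeDC("dc1", False, dict(pw)),
           FakeDC("dc2", False, dict(pw))]
    dom = FakeDomain(dcs)
    sources = pick_sources(dom)
    forwarded = 0
    for i in range(attempts):
        if not guard_allows("alice", sources):
            continue                                # CPPM rejects locally
        forwarded += 1
        dom.authenticate(dcs[i % len(dcs)], "alice", "stale-password")
    return {"forwarded": forwarded,
            "locked": "alice" in dom.locked,
            "pdc_count": dom.pdc.bad_pwd_count.get("alice", 0)}


if __name__ == "__main__":
    for label, pick in [("single non-PDC DC", single_non_pdc_source),
                        ("PDC emulator", pdc_source),
                        ("all DCs, max", all_dc_sources)]:
        print(f"{label:18s} -> {run_scenario(pick)}")
```

With the guard reading one ordinary DC, that DC's badPwdCount climbs only on every third attempt, the guard never trips, and the account locks on the PDC after the fifth forwarded attempt; reading the PDC emulator (or every DC and taking the maximum) stops forwarding at the fifth attempt with the count parked at 4, so no lockout occurs. The symptom the post reports, a count that never seems to increment while lockouts still happen, is what the first configuration produces in this model.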