Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Count endpoint failed MAC Authentication to block the endpoint

  • 1.  Count endpoint failed MAC Authentication to block the endpoint

    Posted Nov 08, 2017 08:17 PM

    Greetings,

    One of our clients asked us to trace failed MAC authentication events, block an endpoint for a certain time, send a notification of the failed attempt and put this particular endpoint on a blacklist, regardless of whether it is a wireless or wired endpoint.

    To be more precise: an endpoint is allowed to fail authentication within 15 minutes. If the endpoint authenticates at, e.g., the 3rd attempt, the counter should reset and start counting any failed authentication attempts from zero. The client wishes a notification via SNMP trap and e-mail each time an endpoint is blocked after 4 failed attempts.

     

    Any idea how to satisfy the client is more than welcome.

     

    Thanks

     



  • 2.  RE: Count endpoint failed MAC Authentication to block the endpoint

    MVP
    Posted Nov 09, 2017 12:46 PM

    I've done something similar with Endpoint attributes to add timestamps and blacklist/whitelist values. You can also use something like the "Unique Device Count" attribute that is created for Guests to create an incremental value of failed authentications.

     

    Create an Enforcement Profile that increases the failed number of authentications.

     

    Create an Enforcement Profile that includes an Entity Update for "Blacklisted = True", which is assigned under the condition the authentication fails x number of times.

     

    Create an Enforcement Profile that has a time entry for Blacklist time or Reset time, and use it as needed.

     

    You will need a combination of role mapping, enforcement policy, and enforcement profiles to make this happen.
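
The counter, reset and blacklist behaviour discussed in posts 1 and 2, modelled as an added Python example; it is not part of the thread and is not ClearPass configuration. The block duration, the `notify` callback (standing in for the SNMP trap and e-mail) and all names are assumptions, and the events are constructed.

```python
from dataclasses import dataclass, field

WINDOW = 15 * 60         # seconds in which failures are counted (post 1)
MAX_FAILURES = 4         # block on the 4th failure (post 1)
BLOCK_SECONDS = 30 * 60  # assumption: the thread only says "a certain time"

@dataclass
class EndpointState:
    failures: list = field(default_factory=list)  # timestamps of counted failures
    blocked_until: float = 0.0                    # 0 means not blacklisted

class MacAuthTracker:
    def __init__(self, notify):
        self.endpoints = {}
        self.notify = notify  # stand-in for the SNMP trap and e-mail actions

    def record(self, mac, ts, success):
        """Process one MAC auth event; return 'allow', 'reject' or 'blocked'."""
        mac = mac.lower()
        st = self.endpoints.setdefault(mac, EndpointState())
        if ts < st.blocked_until:
            return "blocked"          # still blacklisted, even with a valid MAC
        if success:
            st.failures.clear()       # a successful auth resets the counter
            return "allow"
        # Keep only failures inside the 15-minute window, then count this one.
        st.failures = [t for t in st.failures if ts - t < WINDOW] + [ts]
        if len(st.failures) < MAX_FAILURES:
            return "reject"
        st.blocked_until = ts + BLOCK_SECONDS
        st.failures.clear()           # start from zero once the block expires
        self.notify(mac, ts, st.blocked_until)
        return "blocked"

def replay(events):
    """Run (ts, mac, success) events; return per-event results and alerts."""
    alerts = []
    tracker = MacAuthTracker(lambda *a: alerts.append(a))
    return [tracker.record(mac, ts, ok) for ts, mac, ok in events], alerts

# Constructed sample events (seconds, MAC, auth succeeded), not real logs.
MAC = "AA:BB:CC:00:00:01"
SAMPLE = [(0, MAC, False), (60, MAC, False), (120, MAC, True),   # reset on 3rd try
          (180, MAC, False), (240, MAC, False), (300, MAC, False),
          (360, MAC, False),                                     # 4th failure
          (400, MAC, True), (2160, MAC, True)]                   # during / after block

if __name__ == "__main__":
    print(replay(SAMPLE))
```

In this model, attempts made while the endpoint is blocked are not counted and do not extend the block; whether they should is a policy decision the thread leaves open.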



  • 3.  RE: Count endpoint failed MAC Authentication to block the endpoint

    MVP
    Posted Nov 09, 2017 12:48 PM

    The notification can be done easily as long as a Messaging server is configured; that email can be generated via SMTP, and again I believe that would be an enforcement profile, but I've not tested that.



  • 4.  RE: Count endpoint failed MAC Authentication to block the endpoint

    Posted Nov 11, 2017 11:12 AM

    Thanks a lot for the hints. I'll test them and get back with a response.

    Regards