uwe
Occasional Contributor I

Count endpoint failed MAC Authentication to block the endpoint

Greetings,

One of our clients asked us to trace failed MAC authentication events and block an endpoint for a certain time, send a notification of the failed attempt and put this particular endpoint on a blacklist, regardless of whether it is a wireless or wired endpoint.

 

To be more precise: an endpoint is allowed to fail authentication within 15 minutes. If the endpoint authenticates at i.e. the 3rd attempt, the counter should reset and start any failed authentication attempts from zero. The client wishes a notification via SNMP trap and e-mail each time an endpoint is blocked after 4 failed attempts.

 

Any idea how to satisfy the client is more than welcome.

 

Thanks

 

Re: Count endpoint failed MAC Authentication to block the endpoint

I've done something similar with Endpoint attributes to add timestamps and blacklist/whitelist values. You can also use something like the "Unique Device Count" attribute that is created for Guests to create an incremental value of failed authentications.

 

Create an Enforcement Profile that increases the failed number of authentications.

 

Create an Enforcement Profile that includes an Entity Update for "Blacklisted = True", which is assigned under the condition the authentication fails x number of times.

 

Create an Enforcement Profile that has a time entry for Blacklist time or Reset time, and use it as needed.

 

You will need a combination of role mapping, enforcement policy, and enforcement profiles to make this happen.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: Count endpoint failed MAC Authentication to block the endpoint

The notification can be done easily as long as a Messaging server is configured. That email can be generated via SMTP, and again I believe that would be an enforcement profile, but I've not tested that.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
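
The counting rule discussed in this thread, modelled as an added example that is not part of any post and is not ClearPass configuration: it replays authentication events offline so the reset and block behaviour can be checked before it is built into enforcement profiles. Assumptions: the threshold is 4 failures inside a 15-minute window, the block lasts one hour (the thread only says "a certain time"), and the event tuples and MAC addresses are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # window from the question
MAX_FAILURES = 4                 # threshold from the question
BLOCK_FOR = timedelta(hours=1)   # assumption: block duration is not stated in the thread

def evaluate(events, window=WINDOW, max_failures=MAX_FAILURES, block_for=BLOCK_FOR):
    """Replay (timestamp, mac, 'accept'|'reject') events; return (decisions, notifications)."""
    failures = defaultdict(deque)    # mac -> timestamps of recent failures
    blocked_until = {}               # mac -> end of blacklist period
    decisions, notifications = [], []
    for ts, mac, result in sorted(events):
        mac = mac.lower().replace("-", ":")          # normalise MAC notation
        if mac in blocked_until:
            if ts < blocked_until[mac]:              # still blacklisted: deny even valid auth
                decisions.append((ts, mac, "denied-blacklisted"))
                continue
            del blocked_until[mac]                   # block expired
        if result == "accept":
            failures[mac].clear()                    # success resets the counter to zero
            decisions.append((ts, mac, "allowed"))
            continue
        recent = failures[mac]
        recent.append(ts)
        while ts - recent[0] > window:               # drop failures older than the window
            recent.popleft()
        if len(recent) >= max_failures:
            blocked_until[mac] = ts + block_for
            recent.clear()
            # One notification record per block; delivery (SNMP trap, e-mail) is out of scope.
            notifications.append({"mac": mac, "blocked_at": ts, "until": ts + block_for,
                                  "channels": ("snmp-trap", "email")})
            decisions.append((ts, mac, "blocked"))
        else:
            decisions.append((ts, mac, "failed"))
    return decisions, notifications

# Constructed sample events (minutes after T0), not taken from any real log.
T0 = datetime(2024, 1, 1, 9, 0)
A, B = "AA-BB-CC-00-00-01", "aa:bb:cc:00:00:02"
SAMPLE_EVENTS = [(T0 + timedelta(minutes=m), mac, r) for m, mac, r in [
    (0, A, "reject"), (2, A, "reject"), (4, A, "accept"),    # success on 3rd attempt resets
    (5, A, "reject"), (6, A, "reject"), (7, A, "reject"), (8, A, "reject"),  # 4 failures: block
    (10, A, "accept"), (69, A, "accept"),                    # during block, then after expiry
    (0, B, "reject"), (5, B, "reject"), (10, B, "reject"), (21, B, "reject"),  # spread out
]]

if __name__ == "__main__":
    for ts, mac, decision in evaluate(SAMPLE_EVENTS)[0]:
        print(ts.time(), mac, decision)
```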
uwe
Occasional Contributor I

Re: Count endpoint failed MAC Authentication to block the endpoint

Thanks a lot for the hints. I'll test them and get back with a response.

Regards

 
