Occasional Contributor II

Lock AD account with Onboard process

Hi to all,

 

we have a customer using dual SSID onboarding with AD accounts. The SSID for onboarding is unencrypted and only broadcast in the upper part of the company building. For security reasons the AD locks a user account after 5 failed login attempts. This leads to the following situation: an external person knowing a username could lock this specific user account from outside, or could just start a brute force on a combination of username and password and could lock a huge amount of user accounts.

 

As far as I know it is not possible to limit the login attempts with ClearPass. Also there is no easy way to put a captcha on the onboarding website.

 

Has someone any idea to mitigate this issue?

 

Regards,

 

Marian

Occasional Contributor II

Re: Lock AD account with Onboard process

In the Active Directory authentication source, add a filter for the AD attribute 'Bad-Pwd-Count < 4'.

This means if a bad password has been entered 4 times (1 less than lockout) then the query won't be sent to AD.

The attempted authentication will constantly fail but won't lock the AD account.

Occasional Contributor II

Re: Lock AD account with Onboard process

In the Active Directory authentication source add a filter for the AD queries similar to 'Bad-Pwd-Count < 4'.

This will stop ClearPass querying AD when an account has already entered 4 (or 1 less than your lockout limit) invalid passwords.

Users will still not be able to authenticate but it won't lock the AD account.
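To make the suggested filter concrete, here is an added example (not code from the thread, ClearPass or Active Directory) that models the flow the two replies above describe: ClearPass reads the account's badPwdCount first and only sends the bind to AD if the count is below lockout minus one. The `Directory`, `Account` and `gate_and_authenticate` names are illustrative, the account data is constructed, and the exact LDAP filter string (the sAMAccountName clause and the `%{Authentication:Username}` macro) is an assumption about how the ClearPass authentication filter is written, so compare it against your own authentication source before using it.

```python
"""Model of a 'Bad-Pwd-Count < 4' pre-authentication gate in front of AD.

Added example; names and data are constructed, not taken from ClearPass or AD.
"""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5  # AD lockoutThreshold quoted in the thread (5 failures)


def build_auth_filter(lockout_threshold: int,
                      username_macro: str = "%{Authentication:Username}") -> str:
    """Return an LDAP filter expressing 'Bad-Pwd-Count < lockout-1'.

    LDAP filters (RFC 4515) have no strict '<' operator, only '<=' and '>=',
    so 'badPwdCount < 4' must be written as 'badPwdCount<=3'.
    The sAMAccountName clause and macro name are assumptions (see lead-in).
    """
    max_allowed = lockout_threshold - 2  # < (threshold-1)  ==  <= (threshold-2)
    return f"(&(sAMAccountName={username_macro})(badPwdCount<={max_allowed}))"


@dataclass
class Account:
    password: str
    bad_pwd_count: int = 0
    locked: bool = False


class Directory:
    """Constructed stand-in for one domain controller's view of its accounts."""

    def __init__(self, accounts: dict, lockout_threshold: int = LOCKOUT_THRESHOLD):
        self.accounts = accounts
        self.lockout_threshold = lockout_threshold

    def bad_pwd_count(self, user: str) -> int:
        return self.accounts[user].bad_pwd_count

    def bind(self, user: str, password: str) -> bool:
        """Simulate an AD bind: a failure bumps badPwdCount and locks at threshold."""
        acct = self.accounts[user]
        if acct.locked:
            return False
        if password == acct.password:
            acct.bad_pwd_count = 0
            return True
        acct.bad_pwd_count += 1
        if acct.bad_pwd_count >= self.lockout_threshold:
            acct.locked = True
        return False

    def expire_observation_window(self, user: str) -> None:
        """AD resets badPwdCount once lockoutObservationWindow has passed."""
        self.accounts[user].bad_pwd_count = 0


def gate_and_authenticate(directory: Directory, user: str, password: str,
                          lockout_threshold: int = LOCKOUT_THRESHOLD) -> str:
    """ClearPass-style flow: check the filter attribute, then bind only if it passes."""
    if user not in directory.accounts:
        return "no-such-user"
    if directory.bad_pwd_count(user) >= lockout_threshold - 1:
        # Filter did not match: AD never sees this attempt, count unchanged.
        return "rejected-by-filter"
    return "accepted" if directory.bind(user, password) else "rejected-by-ad"


def brute_force(directory: Directory, user: str, attempts: int, gated: bool = True) -> list:
    """Run a constructed password-guessing loop with or without the gate."""
    results = []
    for i in range(attempts):
        guess = f"wrong-{i}"
        if gated:
            results.append(gate_and_authenticate(directory, user, guess))
        else:
            results.append("accepted" if directory.bind(user, guess) else "rejected-by-ad")
    return results


if __name__ == "__main__":
    print(build_auth_filter(LOCKOUT_THRESHOLD))
    d = Directory({"alice": Account(password="correct horse")})
    print(brute_force(d, "alice", 10, gated=True))
    print("badPwdCount:", d.bad_pwd_count("alice"), "locked:", d.accounts["alice"].locked)
    print(gate_and_authenticate(d, "alice", "correct horse"))  # still rejected
    d.expire_observation_window("alice")
    print(gate_and_authenticate(d, "alice", "correct horse"))  # accepted
```

Two caveats worth keeping in mind when applying this for real: the gate does what the replies say (the account stops at badPwdCount 4 and never locks), but the legitimate user is also refused until AD resets the counter at the end of its observation window, so this trades a lockout for a temporary denial. Also, badPwdCount is maintained per domain controller and is not replicated, so the value ClearPass reads should come from the same DC it sends the bind to, otherwise the count it sees can lag behind the one that actually triggers the lockout.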

Aruba Employee

Re: Lock AD account with Onboard process

I second Dave27's suggestion.

You may refer to the article below and see if it helps to prevent AD account lockout from ClearPass.

 

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-prevent-AD-account-being-Locked-out-by-5-failed/ta-p/234571


Thank you,
Saravanan Rajagopal

Guru Elite

Re: Lock AD account with Onboard process

Use your SAML IdP for all end user authorization to ClearPass.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Lock AD account with Onboard process

This worked out perfectly. Thank you very much.

Occasional Contributor II

Re: Lock AD account with Onboard process

Just out of personal interest, how can you limit the logins when using the SAML IdP?
