Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Lock AD account with Onboard process

  • 1.  Lock AD account with Onboard process

    Posted Aug 09, 2018 02:59 AM

    Hi to all,

    we have a customer using dual SSID onboarding with AD accounts. The SSID for onboarding is unencrypted and only broadcast in the upper part of the company building. For security reasons the AD locks a user account after 5 failed login attempts. This leads to the following situation: an external person knowing a username could lock this specific user account from outside, or could just start a brute force on a combination of username and password and could lock a huge amount of user accounts.

    As far as I know it is not possible to limit the login attempts with ClearPass. Also there is no easy way to put a captcha on the onboarding website.

    Has someone any idea to mitigate this issue?

    Regards,

    Marian



  • 2.  RE: Lock AD account with Onboard process
    Best Answer

    Posted Aug 09, 2018 04:58 AM

    In the Active Directory authentication source, add a filter for the AD attribute 'Bad-Pwd-Count < 4'.

    This means if a bad password has been entered 4 times (1 less than lockout) then the query won't be sent to AD.

    The attempted authentication will constantly fail but won't lock the AD account.



  • 3.  RE: Lock AD account with Onboard process

    Posted Aug 17, 2018 08:05 AM

    This worked out perfectly. Thank you very much.



  • 4.  RE: Lock AD account with Onboard process

    Posted Aug 09, 2018 05:14 AM

    In the Active Directory authentication source add a filter for the AD queries similar to 'Bad-Pwd-Count < 4'.

    This will stop ClearPass querying AD when an account has already entered 4 (or 1 less than your lockout limit) invalid passwords.

    Users will still not be able to authenticate but it won't lock the AD account.
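    An added example (not from this thread and not ClearPass code) that models the mechanism behind answers 2 and 4: the AD auth source only returns the user when its lockout counter is below the cutoff, so no bind is ever attempted that could push the counter to the lockout threshold. The LDAP form `(badPwdCount<=3)` is assumed to be the equivalent of the post's 'Bad-Pwd-Count < 4' (LDAP filters have no strict `<`); `AdUser`, `ad_bind` and `nac_authenticate` are hypothetical simulations, and the account, password and 5-failure policy are constructed.

```python
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5  # constructed AD policy, as in the thread: lock after 5 failures


@dataclass
class AdUser:
    """Minimal stand-in for an AD user object (constructed, not a real directory)."""
    sam_account_name: str
    password: str
    bad_pwd_count: int = 0
    locked_out: bool = False


def ldap_filter(lockout_threshold: int) -> str:
    """Hypothetical LDAP filter for the auth source: 'Bad-Pwd-Count < cutoff'
    written as '<=' because LDAP filters only offer <= and >=."""
    cutoff = lockout_threshold - 1           # answer 2: one less than the lockout limit
    return f"(&(sAMAccountName=%{{Authentication:Username}})(badPwdCount<={cutoff - 1}))"


def ad_bind(user: AdUser, password: str, lockout_threshold: int) -> bool:
    """Simulated domain controller: a failed bind increments badPwdCount and the
    account locks once the counter reaches the threshold."""
    if user.locked_out:
        return False
    if password == user.password:
        user.bad_pwd_count = 0               # success resets the counter
        return True
    user.bad_pwd_count += 1
    if user.bad_pwd_count >= lockout_threshold:
        user.locked_out = True
    return False


def nac_authenticate(user: AdUser, password: str, lockout_threshold: int, use_filter: bool) -> bool:
    """Simulated NAC auth source. With the filter in place the user lookup matches
    nothing once badPwdCount reaches the cutoff, so AD is never asked to bind."""
    cutoff = lockout_threshold - 1
    if use_filter and not user.bad_pwd_count < cutoff:
        return False                         # filtered out: no AD query, no increment
    return ad_bind(user, password, lockout_threshold)


def simulate(wrong_attempts: int, use_filter: bool, lockout_threshold: int = LOCKOUT_THRESHOLD):
    """Run a burst of bad passwords against a constructed account and report its state."""
    user = AdUser("alice", "correct-horse-battery")
    for _ in range(wrong_attempts):
        nac_authenticate(user, "wrong-password", lockout_threshold, use_filter)
    still_ok = nac_authenticate(user, user.password, lockout_threshold, use_filter)
    return user.bad_pwd_count, user.locked_out, still_ok
```

    As the answers say, the filtered user is still refused until AD itself resets badPwdCount after its lockout observation window (not modelled here); the difference is that the account is never actually locked.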



  • 5.  RE: Lock AD account with Onboard process

    EMPLOYEE
    Posted Aug 09, 2018 06:58 AM

    I second Dave27's suggestion.

    You may refer the below article and see if it helps to prevent AD account lockout from ClearPass.

     

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-prevent-AD-account-being-Locked-out-by-5-failed/ta-p/234571



  • 6.  RE: Lock AD account with Onboard process

    EMPLOYEE
    Posted Aug 09, 2018 07:49 AM
    Use your SAML IdP for all end user authorization to ClearPass.


  • 7.  RE: Lock AD account with Onboard process

    Posted Aug 17, 2018 08:06 AM

    Just out of personal interest, how can you limit the logins when using the SAML IdP?



  • 8.  RE: Lock AD account with Onboard process

    Posted Oct 17, 2019 08:00 PM

    Could you expand upon the SAML information please? Thank you.