06-11-2012 11:08 AM
We are running two Aruba 6000 M3 controllers running AOS 18.104.22.168. We have a third Aruba 6000 M3 acting as a master and a backup LMS to the other two.
We use 802.1x authentication on our wireless. We use our AD accounts to log on to the wireless. We have a pretty aggressive password change policy - every 35 days. Because of this and because of the one-to-many relationship that many people now have with their mobile devices (wireless devices), account lockouts happen frequently. An account is locked out after 5 failed attempts. Because a lockout could impact not only the wireless network access, but access to email and clinical systems (we are a hospital), we are looking at moving email and wireless authentications to a certificate based model using a MDM. However, until that is deployed, I was looking at the max authentication failures as a stop-gap mechanism.
So, our current lockout counter is set to a max of 5 before the account is locked out. The counter is reset automatically after 35 minutes. The account, once locked out, is automatically unlocked after 48 hours. I was thinking of setting the max authentication failures on the dot1x aaa profile to 2 or 3 with an authentication blacklist timer set to 40 minutes (to get past the lockout counter reset time). This means that after 2 or 3 failures on the wireless network, the device is blacklisted for 40 minutes. After 40 minutes, the user is automatically un-blacklisted. Or, they could be manually un-blacklisted. The thought process is that anyone who happens to just be mistyping a password would hopefully not be impacted too much by this. But, in the event of a device continuously trying to get on the wireless network unbeknownst to a user, it wouldn't lockout the account.
I was wondering if there are any caveats to this? I can think of one which is the blacklist is by controller only. We have two controllers. So, that is why I would consider setting the max auth failure threshold to 2. This is a bit aggressive, but that way, even if they roam to another AP that is on a different controller and get blacklisted there, that is only 4 failed attempts and they haven't yet hit the 5 for a lockout event. Are there any other caveats or things to consider?
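A worked model of the threshold arithmetic in the post, added here as an illustration and not code from the thread or from Aruba: two controllers each keep their own blacklist, the AD counter resets after 35 quiet minutes and locks at 5 failures, and a device holding a stale password retries once a minute, roaming to whichever controller still forwards its request. The device behaviour, the MAC address, and the "reset counter after a quiet period" semantics of the AD lockout counter are assumptions.

```python
from dataclasses import dataclass, field

AD_LOCKOUT_THRESHOLD = 5   # AD locks the account after this many failures (from the post)
AD_COUNTER_RESET_MIN = 35  # AD failure counter resets after this many quiet minutes (from the post)

@dataclass
class Controller:
    """One controller with its own, non-shared 802.1X client blacklist."""
    max_auth_failures: int
    blacklist_min: int
    failures: dict = field(default_factory=dict)           # mac -> failures since last reset
    blacklisted_until: dict = field(default_factory=dict)  # mac -> minute the blacklist expires

    def forward_failed_auth(self, mac, now):
        """True if a failed attempt reaches RADIUS/AD (and counts against the account),
        False if the controller drops it because the MAC is blacklisted."""
        if self.blacklisted_until.get(mac, -1) > now:
            return False
        self.failures[mac] = self.failures.get(mac, 0) + 1
        if self.failures[mac] >= self.max_auth_failures:
            # Threshold reached: blacklist the client and start counting again.
            self.blacklisted_until[mac] = now + self.blacklist_min
            self.failures[mac] = 0
        return True

@dataclass
class ADAccount:
    bad_count: int = 0
    last_failure: int = -10**9  # sentinel: no failure seen yet
    locked: bool = False

    def record_failure(self, now):
        # Assumption: the counter resets once no failure has been seen for the reset window.
        if now - self.last_failure >= AD_COUNTER_RESET_MIN:
            self.bad_count = 0
        self.bad_count += 1
        self.last_failure = now
        if self.bad_count >= AD_LOCKOUT_THRESHOLD:
            self.locked = True

def simulate(max_auth_failures, blacklist_min=40, n_controllers=2, minutes=240):
    """Worst case: the device retries every minute and roams to any controller that
    still accepts it. Returns (account_locked, minute_of_lockout_or_None)."""
    controllers = [Controller(max_auth_failures, blacklist_min) for _ in range(n_controllers)]
    account, mac = ADAccount(), "00:11:22:33:44:55"  # constructed MAC address
    for t in range(minutes):
        # any() stops at the first controller that forwards, i.e. one attempt per minute.
        if any(c.forward_failed_auth(mac, t) for c in controllers):
            account.record_failure(t)
            if account.locked:
                return True, t
    return False, None
```

With two controllers, a threshold of 2 and a 40 minute blacklist the account never locks, a threshold of 3 locks it on the fifth attempt, and a blacklist shorter than the 35 minute counter reset lets the retries accumulate across cycles.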
06-11-2012 05:13 PM
I think that is the best that you can do.
You are right... if you used ClearPass Onboard, it would give each device a unique credential and that would keep you away from your current issue.
Aruba Customer Engineering