Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Apply different Enforcement profile after several failed authentications?

  • 1.  Apply different Enforcement profile after several failed authentications?

    Posted Aug 13, 2019 09:15 AM

    Hi

     

    Is it possible in any way to count failed authentications for a device and after a specified number of events within a given timeframe apply different roles and Enforcement profiles?

     



  • 2.  RE: Apply different Enforcement profile after several failed authentications?

    Posted Aug 13, 2019 01:28 PM

    Hello, you could use Insight for this: enable Insight on that server and add Insight as an Authorization source. Then create a custom SQL source to look for failed authentications for the last 1 hour, for so and so count, to map a different enforcement profile for that device or user.

     

     


     



  • 3.  RE: Apply different Enforcement profile after several failed authentications?

    Posted Aug 15, 2019 09:21 AM

    Thank you for the information.

    Do you have an example of the syntax of the query?

     

     



  • 4.  RE: Apply different Enforcement profile after several failed authentications?
    Best Answer

    Posted Aug 15, 2019 01:53 PM

    Hello Jonas,

     

    You could do something like this. In the query below, I am looking for a user name that failed authentication 5 times in the last one hour; you could adjust the query accordingly for your convenience:

     

    SELECT auth_username AS username
    FROM auth
    WHERE auth_status = 'Failed'
      AND timestamp > now() - interval '1 hour'
    GROUP BY auth_username
    HAVING COUNT(*) > 5;

     

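Added example (not part of the original posts, and not ClearPass code): the query from the best answer run against constructed rows in SQLite, to show which accounts it selects at the threshold and window boundaries. The table copies only the column names used in the thread; the bound cutoff parameter stands in for `now() - interval '1 hour'`, and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta

# SQLite rendering of the thread's query. The cutoff and threshold are bound
# parameters; the caller computes the cutoff instead of using now() - interval.
QUERY = """
SELECT auth_username AS username, COUNT(*) AS failures
FROM auth
WHERE auth_status = 'Failed' AND timestamp > ?
GROUP BY auth_username
HAVING COUNT(*) > ?
ORDER BY auth_username
"""

NOW = datetime(2019, 8, 15, 13, 53, 0)  # fixed clock so results are repeatable


def build_sample_db(now=NOW):
    """Constructed sample rows, not real Insight data."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE auth (auth_username TEXT, auth_status TEXT, timestamp TEXT)"
    )
    rows = []

    def add(user, status, first_minute_ago, count):
        # One row per minute, starting first_minute_ago and going further back.
        for i in range(count):
            ts = now - timedelta(minutes=first_minute_ago + i)
            rows.append((user, status, ts.isoformat(sep=" ")))

    add("alice", "Failed", 1, 6)    # 6 failures inside the window
    add("bob", "Failed", 1, 5)      # exactly 5 failures inside the window
    add("carol", "Failed", 90, 8)   # 8 failures, all older than one hour
    add("dave", "Failed", 1, 4)     # 4 failures ...
    add("dave", "Success", 10, 3)   # ... plus successes, which are ignored
    add("erin", "Failed", 57, 6)    # straddles the cutoff: only 3 are inside
    db.executemany("INSERT INTO auth VALUES (?, ?, ?)", rows)
    return db


def users_over_threshold(db, now=NOW, window=timedelta(hours=1), threshold=5):
    """Return (username, failures) for users with MORE than `threshold` failures."""
    cutoff = (now - window).isoformat(sep=" ")
    return db.execute(QUERY, (cutoff, threshold)).fetchall()


if __name__ == "__main__":
    for user, failures in users_over_threshold(build_sample_db()):
        print(f"{user}: {failures} failed authentications in the last hour")
```

With `HAVING COUNT(*) > 5`, an account is selected on its sixth failure inside the window; failures older than the cutoff and successful authentications do not count toward it.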