Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AD Account Lockout-Large MultiCampus Environment

  • 1.  AD Account Lockout-Large MultiCampus Environment

    Posted Oct 07, 2016 10:52 AM

    Good Morning-


    We are having issues with users who have incorrect credentials entered on a mobile device locking out their AD accounts.

    We researched Airheads and ...

    We deployed the following in our near-production environment successfully. However, when we deployed in production the solution simply did not work (no indication of badPwdCount) and we began to see failed machine authentications.


    Solution: http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access byod/13473/1/Preventing%20AD%20account%20lockout.pdf


    These two environments have differences.

    Our near-production environment contains 2 CPPM appliances v6.5.7,

    a single DC and instant replication. No issues upon deploying the above solution. Still in place and working great.


    Our production environment contains 9 CPPM appliances v6.5.7 and many domain controllers, an F5 handling the balancing, and roughly 70000+ users daily. Replication is handled by our AD teams and can take upwards of 30-45 minutes. We deployed the solution and began to observe widespread failed machine auths with error 216 "user not found", and when we attempted to enter incorrect creds on a device and observe the query results, we never saw the badPwdCount incrementing at all.


    We really like this solution because if a user reaches 4 bad pw attempts CPPM prevents the device from locking AD. We already advise tech support and end users to then remove creds from the device and log into a PC, verifying creds. So end users are already conditioned to perform these steps, which reset the badPwdCount.

    We suspect (sans data) the complexities of many DCs and lag times in replication, but are curious what others in a very large multicampus environment do in regards to this situation. We are looking at a WLAN controller blacklist option or a single server handling the auth reqs. However, the CPPM option is a great solution.

    Thoughts?

    Thanks
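    The mechanism the linked PDF describes, as an added illustration that is not part of this thread, of ClearPass, or of the PDF itself: before forwarding a credential to AD, read the account's badPwdCount and reject the request once it reaches the guard value (4 here, as in the post), so the attempt that would trigger lockout never reaches a domain controller. The example is plain Python over a constructed in-memory "directory" so it runs offline; the DC names, the user names and the counts are all made up. It also models one relevant AD behaviour: badPwdCount is a non-replicated attribute, so each DC holds its own value and only the PDC emulator, which is notified of every bad-password event, holds the authoritative count. A guard that queries whichever DC a load balancer hands it can therefore read 0 while another DC is already at the threshold.

```python
from dataclasses import dataclass
from typing import Optional

# The thread's cut-off: reject at 4 so the attempt that would lock the account
# (at AD's own lockout threshold, assumed to be higher) is never forwarded.
GUARD_THRESHOLD = 4


def make_directory():
    """Constructed snapshot of three DCs (hypothetical names).

    badPwdCount is not replicated: every DC keeps its own copy, and the PDC
    emulator ("pdc" here) holds the authoritative value because each DC
    forwards bad-password events to it."""
    return {
        "dc01": {"alice": {"badPwdCount": 1}, "bob": {"badPwdCount": 0}},
        "dc02": {"alice": {"badPwdCount": 4}, "bob": {"badPwdCount": 0}},
        "pdc":  {"alice": {"badPwdCount": 4}, "bob": {"badPwdCount": 2}},
    }


def record_bad_password(directory, dc, user):
    """Simulate a failed bind handled by one DC: that DC increments its local
    count and notifies the PDC emulator, which increments too. Other DCs are
    untouched, which is exactly why a lookup against them can miss the rise."""
    for name in (dc, "pdc"):
        entry = directory[name].get(user)
        if entry is not None:
            entry["badPwdCount"] += 1


def lookup_bad_pwd_count(directory, dc, user):
    """Stand-in for an LDAP read of badPwdCount from a single DC.
    Returns None when the account does not exist on that DC."""
    entry = directory.get(dc, {}).get(user)
    return None if entry is None else entry.get("badPwdCount", 0)


@dataclass
class Decision:
    action: str            # "forward", "reject" or "skip"
    count: Optional[int]   # the badPwdCount the decision was based on
    reason: str


def guard_auth(user, dcs, directory, pdc="pdc", threshold=GUARD_THRESHOLD):
    """Decide whether a credential may be forwarded to AD.

    The PDC emulator is consulted first; if it is unavailable or unknown
    (pdc=None) the highest value seen across the listed DCs is used instead.
    An account that no queried DC knows about yields "skip": the guard steps
    aside and normal authentication proceeds, so a failed lookup can never by
    itself turn into a rejected request."""
    count = lookup_bad_pwd_count(directory, pdc, user) if pdc is not None else None
    if count is None:
        seen = [c for c in (lookup_bad_pwd_count(directory, d, user) for d in dcs)
                if c is not None]
        if not seen:
            return Decision("skip", None,
                            "account not found on any queried DC; guard does not apply")
        count = max(seen)
    if count >= threshold:
        return Decision("reject", count,
                        f"badPwdCount {count} >= {threshold}; request not forwarded to AD")
    return Decision("forward", count, f"badPwdCount {count} is below the guard threshold")


if __name__ == "__main__":
    d = make_directory()
    # Two bad attempts for bob land on dc01 only: dc01 and the PDC move, dc02 does not.
    record_bad_password(d, "dc01", "bob")
    record_bad_password(d, "dc01", "bob")
    print("via PDC:      ", guard_auth("bob", ["dc01", "dc02"], d))
    print("dc02 only:    ", guard_auth("bob", ["dc02"], d, pdc=None))
    print("unknown user: ", guard_auth("carol", ["dc01", "dc02"], d))
```

Run as a script it prints three decisions: a reject based on the PDC's count of 4, a forward based on dc02's stale 0 when the PDC is not consulted, and a skip for an account that no DC returns. The design choices worth keeping in a real deployment are the two non-reject outcomes: reading the count from the PDC emulator (or the maximum across DCs) rather than from whichever DC answers the load-balanced query, and letting a lookup miss fall through rather than fail the request.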




  • 2.  RE: AD Account Lockout-Large MultiCampus Environment

    Posted Oct 06, 2022 12:48 PM
    Hiya,

    Did you ever find a good solution to this? We use the badPwdCount on our campus and it was working fine when we only had 4 DCs, but now we have 6 our account lockouts have gone through the roof.

    thanks

    ------------------------------
    matt
    ------------------------------



  • 3.  RE: AD Account Lockout-Large MultiCampus Environment

    EMPLOYEE
    Posted Oct 11, 2022 05:39 AM
    This is a very old discussion.

    The solution to password lockouts is to move away from passwords and switch to EAP-TLS certificate authentication. You should not deploy PEAP-MSCHAPv2, as per Microsoft recommendations, as MSCHAPv2 is broken, and if you use it on devices that you don't fully control you should consider your password leaked. Moving to EAP-TLS will solve your lockout problem at the same time.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------