Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
CPPM: Lock user account after six failed login attempts

  • 1.  CPPM: Lock user account after six failed login attempts

    Posted Apr 29, 2020 05:57 PM

    Hello community,

     

    How can I configure it so that a user is locked out after 6 FAILED login attempts, using a Comware 7 switch?

    Maybe with enforcement policy?

    We have ClearPass Policy Manager 6.8

     

    Regards.



  • 2.  RE: CPPM: Lock user account after six failed login attempts

    Posted Apr 29, 2020 06:13 PM

    You could modify the InsightDB auth source and add a filter for "Failed login count since midnight". This would essentially just be a copy of "Successful Login count since Midnight"

     

    You could try this:

    SELECT COUNT(*) AS login_count FROM auth WHERE error_code != 0 AND username = '%{Authentication:Username}' AND auth.auth_status != 'MAB' AND timestamp BETWEEN date_trunc('day', NOW()) AND date_trunc('day', NOW() + INTERVAL '1 day');


  • 3.  RE: CPPM: Lock user account after six failed login attempts

    Posted Apr 29, 2020 06:22 PM

    Hi zemerick1, thanks for your reply,

    Is there a way to do it through an enforcement policy?

    What I'm trying to do is block the switch port, so that the user can make a maximum of 6 failed authentication attempts.

    Regards.



  • 4.  RE: CPPM: Lock user account after six failed login attempts

    Posted Apr 29, 2020 06:29 PM

    Take a look at the wired enforcement solution guide. It has a Comware section on how to setup enforcement policy through CPPM.

     

    https://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161

     

    Combine that with your Insight query, which you have to tweak for your use case, and you should be good to go.



  • 5.  RE: CPPM: Lock user account after six failed login attempts

    Posted Apr 29, 2020 06:44 PM

    Generally speaking, can ClearPass block authentication attempts for a period of time after a certain number of failed authentications?

     

    Regards.



  • 6.  RE: CPPM: Lock user account after six failed login attempts

    Posted Apr 29, 2020 06:57 PM

    Not directly. I mean once you make a decision on failed attempts, those attempts won't be 'reset'. They will be stored in the database. Everything would be based around the query.

     

    Given that, if you adjust your Insight filter query correctly, such as looking for failed attempts in the last hour, let's say, then that would effectively be a timeout period. After 1 hour, when the user attempts to login again and that query is run, it is only going to show failed attempts in the last hour.

     

    For instance, a user fails 5 times in the last hour. They are blacklisted/bounced from the switch. After an hour has elapsed, those 5 attempts won't be returned in the query.

     

    I hope that makes sense.

    *EDIT*

    I didn't answer your question directly. CPPM doesn't ever "block" authentication attempts, since the attempts come from the NAD, not the user directly.
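The two filter variants discussed in this thread, written out as an added example (not code posted by either participant): the since-midnight count from reply #2, and the rolling one-hour window from reply #6 that makes the lockout expire on its own. It assumes only what the thread shows about the Insight `auth` table (the `username`, `error_code`, `auth_status` and `timestamp` columns) and the `%{Authentication:Username}` attribute, which ClearPass substitutes before the query is sent to the Insight database. The output alias `failed_login_count` is an assumed name; map it to an attribute in the Insight authentication source and reference that attribute in the enforcement policy condition.

```sql
-- Added example, not from the thread. Assumes the Insight "auth" table columns
-- used in reply #2; any other column or attribute name here is an assumption.

-- Variant 1: failed (error_code != 0) non-MAB attempts since midnight, mirroring
-- the stock "Successful Login count since Midnight" filter with the error_code
-- test inverted. The count only falls back to zero when the calendar day rolls over.
SELECT COUNT(*) AS failed_login_count
FROM auth
WHERE error_code != 0
  AND username = '%{Authentication:Username}'
  AND auth_status != 'MAB'
  AND timestamp >= date_trunc('day', NOW())
  AND timestamp <  date_trunc('day', NOW()) + INTERVAL '1 day';

-- Variant 2: rolling one-hour window, the "timeout" approach from reply #6.
-- Nothing is reset in the database; each failure simply ages out of the window
-- one hour after it was recorded, so a locked-out user is admitted again once
-- fewer than the threshold remain inside the last hour.
SELECT COUNT(*) AS failed_login_count
FROM auth
WHERE error_code != 0
  AND username = '%{Authentication:Username}'
  AND auth_status != 'MAB'
  AND timestamp >= NOW() - INTERVAL '1 hour';
```

Pick one variant per Insight authentication source, since the alias is what the enforcement policy sees: a condition such as `failed_login_count >= 6` (the alias and the attribute mapping are assumptions, not ClearPass-defined names) then selects the deny or port-bounce enforcement profile from the wired enforcement guide linked in reply #4. Two points to verify in your own deployment before trusting the exact threshold: the count is taken while the current request is being evaluated, so the attempt in flight is not yet part of it, and the Insight database is populated from the policy server asynchronously, so the figure may lag the most recent attempts by some interval. Both mean "lock after 6" in practice may trigger on the sixth, seventh or a later attempt; test with a known-bad password and watch Access Tracker to confirm where it lands.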