[cisco-voip] authentication failed alerts

Charles Goldsmith wokka at justfamily.org
Tue Aug 8 12:26:00 EDT 2017


Based on what the AD gurus told me, it's the way Cisco authenticates from
CUCM/CUC, so it would have to be a Cisco change.

Anyone in the know at Cisco that can let us know for sure?

Thanks!


On Tue, Aug 8, 2017 at 11:08 AM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

> That’s a very interesting scenario. I’ve always wondered about that. I
> wonder if there’s a way that AD admins can track authentications from CUCM
> cluster and apply the lock out rules accordingly?
>
>
>
> ---
>
> Lelio Fulgenzi, B.A.
>
> Senior Analyst, Network Infrastructure
>
> Computing and Communications Services (CCS)
>
> University of Guelph
>
>
>
> 519-824-4120 Ext 56354
>
> lelio at uoguelph.ca
>
> www.uoguelph.ca/ccs
>
> Room 037, Animal Science and Nutrition Building
>
> Guelph, Ontario, N1G 2W1
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf
> Of *Charles Goldsmith
> *Sent:* Tuesday, August 08, 2017 11:55 AM
> *To:* voip puck
> *Subject:* [cisco-voip] authentication failed alerts
>
>
>
> So, a question out to the community about how you deal with this issue.
> If an organization is using Webex Messenger for IM and end-users are
> connecting Jabber to it, along with phone services and voicemail locally,
> Jabber is set up with accounts to authenticate to AD locally.  SSO is not in
> the mix.
>
>
>
> When a user's AD password comes up on their expiration and it's changed,
> they usually forget to update Jabber on their laptop, phone and tablets,
> generating a lot of authentication alerts.  Those can be filtered down by
> adjusting the thresholds.
>
>
>
> I'm not an AD guy, but talking with some, when asking about why this
> activity is not locking out the AD accounts, I was told that CUCM/CUC uses
> a read-only connection to AD, so it will not lock out the accounts.
>
>
>
> Because of that problem, we can't simply disable the alerts, we need to
> monitor them in case of brute force via MRA.
>
>
>
> Any thoughts on a better way to handle this specific scenario?
>
>
>
> I may wind up writing a script to consolidate the email authentication
> reports into something to give a report on thresholds per user, like
> John.Doe had 30 authentication attempts in the last hour, Jane.Smith had
> 15, and Mark.Jones had 650.
>
>
>
> Thanks!
>
>
>