Firepower FTD/ASA: Block Anyconnect brute force attack
Situation:
An attacker attempts to connect to AnyConnect; AnyConnect sends the authentication to ISE, and ISE sends the authentication to AD. The ISE logs show many failed RADIUS requests with non-existent usernames. AD is overwhelmed and can't process more legitimate AD authentication requests. During this attack, ISE is normally not the one that gets overwhelmed.
The AnyConnect user's public IP is in the RADIUS attribute Calling-Station-ID.
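One way to find the source IPs behind this pattern, as an added example that is not from the original post: it counts failed RADIUS authentications per Calling-Station-ID and flags addresses that fail with many different usernames. The key=value record layout, the `result` field, the thresholds and the sample records are assumptions constructed for illustration, not real ISE output.

```python
import re
from collections import defaultdict

# Constructed sample records (assumed key=value layout, not real ISE output).
SAMPLE = (
    # One source trying many different, non-existent usernames.
    [f"result=FAILED UserName={u} Calling-Station-ID=203.0.113.10"
     for u in ("admin", "test", "vpn", "guest", "root", "backup")]
    # A legitimate user who mistyped a password twice, then logged in.
    + ["result=FAILED UserName=jsmith Calling-Station-ID=198.51.100.7"] * 2
    + ["result=PASSED UserName=jsmith Calling-Station-ID=198.51.100.7"]
    # A client retrying one stale credential: many failures, one username.
    + ["result=FAILED UserName=svc-scan Calling-Station-ID=192.0.2.55"] * 5
    # A record without Calling-Station-ID cannot be attributed and is skipped.
    + ["result=FAILED UserName=nobody"]
)

FIELD_RE = re.compile(r"([\w-]+)=(\S+)")


def brute_force_sources(lines, min_failures=5, min_usernames=3):
    """Return {ip: (failed_count, distinct_usernames)} for suspicious sources.

    A source is flagged only when it has many failures AND many distinct
    usernames, so a single user retrying a bad password is not flagged.
    """
    failures = defaultdict(int)
    usernames = defaultdict(set)
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        ip = fields.get("Calling-Station-ID")
        if ip is None or fields.get("result") != "FAILED":
            continue
        failures[ip] += 1
        usernames[ip].add(fields.get("UserName", ""))
    return {
        ip: (count, len(usernames[ip]))
        for ip, count in failures.items()
        if count >= min_failures and len(usernames[ip]) >= min_usernames
    }


if __name__ == "__main__":
    for ip, (count, users) in brute_force_sources(SAMPLE).items():
        print(f"{ip}: {count} failed attempts across {users} usernames")
```

The flagged addresses are candidates for the block list; review them before blocking, since many users can share one public IP behind NAT.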
Issue:
Cisco Enhancement request:
Solution:
Appendix 1
1. Add a FlexConfig Object as below; replace with the real IP and interface name.
2. Configure the FlexConfig Policy and apply the FlexConfig Object.