That’s a very interesting scenario. I’ve always wondered about that. I wonder 
if there’s a way that AD admins can track authentications from CUCM cluster and 
apply the lock out rules accordingly?

---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56354
le...@uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of 
Charles Goldsmith
Sent: Tuesday, August 08, 2017 11:55 AM
To: voip puck
Subject: [cisco-voip] authentication failed alerts

So, a question out to the community about how you deal with this issue.  If an 
organization is using Webex Messenger for IM and end-users are connecting 
Jabber to it, along with phone services and voicemail locally, jabber is setup 
with accounts to authenticate to AD locally.  SSO is not in the mix.

When a user's AD password comes up on their expiration and it's changed, they 
usually forget to update jabber on their laptop, phone and tablets, generating 
a lot of authentication alerts.  Those can be filtered down by adjusting the 
thresholds.

I'm not an AD guy, but talking with some, when asking about why this activity 
is not locking out the AD accounts, I was told that CUCM/CUC uses a read-only 
connection to AD, so it will not lock out the accounts.

Because of that problem, we can't simply disable the alerts, we need to monitor 
them in case of brute force via MRA.

Any thoughts on a better way to handle this specific scenario?

I may wind up writing a script to consolidate the email authentication reports 
into something to give a report on thresholds per user, like John.Doe had 30 
authenticaiton attempts in the last hour, Jane.Smith had 15, and Mark.Jones had 
650.

Thanks!

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Reply via email to