Hello Mike,

On Mon, 11 Aug 2003 10:53 pm, Smith, Mike (Toronto) wrote:
> I'm using an LDAP browser to view user attributes in the Active Directory.

Which browser?

> Every user has an attribute 'badpwdcount' which increases by 1 for every
> failed login. As far as I know, the 'radpwtst' utility only sends one
> request, and just to be sure only one request is made I set the DupInterval
> on radiator to 20 seconds. If radpwtst retries authentication, radiator
> should ignore it. The radpwtst program does not run for more than 20
> seconds. My question is this: Does the radius server retry authentication
> when the AD rejects it because of a bad password?

No.

> If it does, can I change
> its behaviour so it only tries once?
>
> Thanks.
>
> -----Original Message-----
> From: Mike McCauley [mailto:[EMAIL PROTECTED]
> Sent: Sunday, August 10, 2003 3:38 AM
> To: Smith, Mike (Toronto); '[EMAIL PROTECTED]'
> Subject: Re: (RADIATOR) Bad password count on Win2k Active Directory
>
> Hello Steve,
>
> On Sat, 9 Aug 2003 01:22 am, Smith, Mike (Toronto) wrote:
> > Hello,
> >
> > I am using Radiator to authenticate dialin users against our AD.
> > However, when a user enters a bad password, the bad password count in
> > the AD (attribute is called "badpwdcount" in AD) increases by 2. If
> > the SearchAttribute is defined, the bad password count increases by 3.
> > It is not caused by duplicate requests from the dialin client because
> > I set the DupInterval to 20 seconds. I believe Radiator is making
> > only one request to the AD, but somehow the bad password count
> > increases by 2 or 3. I've attached the output of the 'radpwtst' test
> > program and the radius server as well as my config file. In this test
> > run, I purposely used a wrong password and the bad password count
> > increased by 2.
> >
> > Any Ideas?
>
> I can't explain that yet.
> How are you getting the badpwdcount after the bad logins?
> Are you quite sure there are not multiple authentication requests happening,
> perhaps due to retransmissions etc?
>
> > Thanks in advance,
> >
> > Mike Smith
> >
> >
> > Radpwtst output
> > ---------------------------------------------------------------------
> >
> > C:\Radius>perl radpwtst -s 127.0.0.1 -secret test -user lupu -password test
> > sending Access-Request...
> > Rejected: Request Denied
> > sending Accounting-Request Start...
> > OK
> > sending Accounting-Request Stop...
> > OK
> >
> >
> > Radiusd output
> > -------------------------------------------------------------
> >
> > C:\Radius>perl radiusd -config_file c:\radiator\radius.cfg
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 4109 ....
> > Code: Access-Request
> > Identifier: 132
> > Authentic: 1234567890123456
> > Attributes:
> > User-Name = "lupu"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > NAS-Port-Type = Async
> > User-Password = "<159><234><28><161><247>~<222><178>z<199><246>h<138><6>8<128>"
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> > Wed Aug 6 21:07:57 2003: DEBUG: Deleting session for lupu, 203.63.154.1, 1234
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
> > Wed Aug 6 21:07:57 2003: DEBUG: BindString converted to LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> > Wed Aug 6 21:07:57 2003: DEBUG: AuthUser converted to lupu
> > Wed Aug 6 21:07:57 2003: DEBUG: Connecting to namespace: LDAP:
> > Wed Aug 6 21:07:57 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> > Wed Aug 6 21:07:57 2003: DEBUG: Could not get user object: Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password"
> > in METHOD/PROPERTYGET "OpenDSObject"
> > Wed Aug 6 21:07:57 2003: INFO: Access rejected for lupu: Could not find user
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 4109 ....
> > Code: Access-Reject
> > Identifier: 132
> > Authentic: 1234567890123456
> > Attributes:
> > Reply-Message = "Request Denied"
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 4109 ....
> > Code: Accounting-Request
> > Identifier: 133
> > Authentic: <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> > Attributes:
> > User-Name = "lupu"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > NAS-Port-Type = Async
> > Acct-Session-Id = "00001234"
> > Acct-Status-Type = Start
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > Acct-Delay-Time = 0
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> > Wed Aug 6 21:07:57 2003: DEBUG: Adding session for lupu, 203.63.154.1, 1234
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
> > Wed Aug 6 21:07:57 2003: DEBUG: Accounting accepted
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 4109 ....
> > Code: Accounting-Response
> > Identifier: 133
> > Authentic: <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> > Attributes:
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 4109 ....
> > Code: Accounting-Request
> > Identifier: 134
> > Authentic: <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> > Attributes:
> > User-Name = "lupu"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > NAS-Port-Type = Async
> > Acct-Session-Id = "00001234"
> > Acct-Status-Type = Stop
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > Acct-Delay-Time = 0
> > Acct-Session-Time = 1000
> > Acct-Input-Octets = 20000
> > Acct-Output-Octets = 30000
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> > Wed Aug 6 21:07:57 2003: DEBUG: Deleting session for lupu, 203.63.154.1, 1234
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
> > Wed Aug 6 21:07:57 2003: DEBUG: Accounting accepted
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 4109 ....
> > Code: Accounting-Response
> > Identifier: 134
> > Authentic: <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> > Attributes:
> >
> >
> > Config file
> > ---------------------------------------------------------------------
> >
> > Foreground
> > LogStdout
> > LogDir c:/Radiator
> > DbDir c:/Radiator
> >
> > Trace 4
> >
> > #
> > # Baystack Switches
> > #
> >
> > # test switch
> > <Client 10.34.0.15>
> >     Secret test
> >     DupInterval 20
> >     Identifier BayStackSwitch
> > </Client>
> >
> > #
> > # Shiva Lanrovers
> > #
> >
> > # shivas
> > <Client 10.36.1.34>
> >     Secret test
> >     DupInterval 20
> >     Identifier ShivaLanRover
> > </Client>
> >
> > <Client 127.0.0.1>
> >     Secret test
> >     DupInterval 20
> >     Identifier TestAD
> > </Client>
> >
> > <Client DEFAULT>
> >     Secret mypass
> >     DupInterval 20
> > </Client>
> >
> > <Handler Client-Identifier=BayStackSwitch>
> >     <AuthBy ADSI>
> >         Identifier ADSI
> >         SearchAttribute sAMAccountName
> >         BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> >         AuthUser %0
> >         DefaultReply Service-Type=Administrative-User
> >         GroupRequired CN=net admin
> >     </AuthBy>
> > </Handler>
> >
> > <Handler Client-Identifier=ShivaLanRover>
> >     <AuthBy ADSI>
> >         Identifier ADSI
> >         SearchAttribute sAMAccountName
> >         BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> >         AuthUser %0
> >         DefaultReply Service-Type=Framed-User
> >         GroupRequired CN=dialin
> >     </AuthBy>
> > </Handler>
> >
> > <Handler Client-Identifier=TestAD>
> >     <AuthBy ADSI>
> >         Identifier ADSI
> >         # SearchAttribute sAMAccountName
> >         BindString LDAP://toradtest/cn=%0,cn=Users,dc=torzentest,dc=ca
> >         AuthUser %0
> >         DefaultReply Service-Type=Framed-User
> >     </AuthBy>
> > </Handler>

-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.