(RADIATOR) Bad password count on Win2k Active Directory
Smith, Mike (Toronto)
Mike.Smith at WatsonWyatt.com
Fri Aug 8 10:22:33 CDT 2003
Hello,
I am using Radiator to authenticate dialin users against our AD. However,
when a user enters a bad password, the bad password count in the AD
(attribute is called "badpwdcount" in AD) increases by 2. If the
SearchAttribute is defined, the bad password count increases by 3. It is
not caused by duplicate requests from the dialin client because I set the
DupInterval to 20 seconds. I believe Radiator is making only one request to
the AD, but somehow the bad password count increases by 2 or 3. I've
attached the output of the 'radpwtst' test program and the radius server as
well as my config file. In this test run, I purposely used a wrong password
and the bad password count increased by 2.
Any Ideas?
Thanks in advance,
Mike Smith
Radpwtst output
---------------------------------------------------------------------
C:\Radius>perl radpwtst -s 127.0.0.1 -secret test -user lupu -password test
sending Access-Request...
Rejected: Request Denied
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK
Radiusd output
-------------------------------------------------------------
C:\Radius>perl radiusd -config_file c:\radiator\radius.cfg
Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4109 ....
Code: Access-Request
Identifier: 132
Authentic: 1234567890123456
Attributes:
User-Name = "lupu"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<159><234><28><161><247>~<222><178>z<199><246>h<138><6>8<128>"
Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
Wed Aug 6 21:07:57 2003: DEBUG: Deleting session for lupu, 203.63.154.1, 1234
Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
Wed Aug 6 21:07:57 2003: DEBUG: BindString converted to LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
Wed Aug 6 21:07:57 2003: DEBUG: AuthUser converted to lupu
Wed Aug 6 21:07:57 2003: DEBUG: Connecting to namespace: LDAP:
Wed Aug 6 21:07:57 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
Wed Aug 6 21:07:57 2003: DEBUG: Could not get user object: Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password"
in METHOD/PROPERTYGET "OpenDSObject"
Wed Aug 6 21:07:57 2003: INFO: Access rejected for lupu: Could not find user
Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4109 ....
Code: Access-Reject
Identifier: 132
Authentic: 1234567890123456
Attributes:
Reply-Message = "Request Denied"
Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4109 ....
Code: Accounting-Request
Identifier: 133
Authentic: <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
Attributes:
User-Name = "lupu"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
Wed Aug 6 21:07:57 2003: DEBUG: Adding session for lupu, 203.63.154.1, 1234
Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
Wed Aug 6 21:07:57 2003: DEBUG: Accounting accepted
Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4109 ....
Code: Accounting-Response
Identifier: 133
Authentic: <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
Attributes:
Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4109 ....
Code: Accounting-Request
Identifier: 134
Authentic: <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
Attributes:
User-Name = "lupu"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
Wed Aug 6 21:07:57 2003: DEBUG: Deleting session for lupu, 203.63.154.1, 1234
Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
Wed Aug 6 21:07:57 2003: DEBUG: Accounting accepted
Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4109 ....
Code: Accounting-Response
Identifier: 134
Authentic: <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
Attributes:
Config file
---------------------------------------------------------------------
Foreground
LogStdout
LogDir c:/Radiator
DbDir c:/Radiator
Trace 4
#
# Baystack Switches
#
# test switch
<Client 10.34.0.15>
Secret test
DupInterval 20
Identifier BayStackSwitch
</Client>
#
# Shiva Lanrovers
#
# shivas
<Client 10.36.1.34>
Secret test
DupInterval 20
Identifier ShivaLanRover
</Client>
<Client 127.0.0.1>
Secret test
DupInterval 20
Identifier TestAD
</Client>
<Client DEFAULT>
Secret mypass
DupInterval 20
</Client>
<Handler Client-Identifier=BayStackSwitch>
<AuthBy ADSI>
Identifier ADSI
SearchAttribute sAMAccountName
BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
AuthUser %0
DefaultReply Service-Type=Administrative-User
GroupRequired CN=net admin
</AuthBy>
</Handler>
<Handler Client-Identifier=ShivaLanRover>
<AuthBy ADSI>
Identifier ADSI
SearchAttribute sAMAccountName
BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
AuthUser %0
DefaultReply Service-Type=Framed-User
GroupRequired CN=dialin
</AuthBy>
</Handler>
<Handler Client-Identifier=TestAD>
<AuthBy ADSI>
Identifier ADSI
# SearchAttribute sAMAccountName
BindString LDAP://toradtest/cn=%0,cn=Users,dc=torzentest,dc=ca
AuthUser %0
DefaultReply Service-Type=Framed-User
</AuthBy>
</Handler>
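
An added example, not part of the original post and not Radiator code: one way to check from a Trace 4 log how many directory binds each received packet triggered, so the count can be compared with the change seen in badpwdcount. The sample trace is constructed (abridged from the format shown above), and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the Trace 4 output format in the post.
SAMPLE_TRACE = '''\
*** Received from 127.0.0.1 port 4109 ....
Code: Access-Request
Identifier: 132
User-Name = "lupu"
Wed Aug 6 21:07:57 2003: DEBUG: Running OpenDSObject on
LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
Wed Aug 6 21:07:57 2003: DEBUG: Could not get user object:
Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or
bad password"
*** Sending to 127.0.0.1 port 4109 ....
Code: Access-Reject
*** Received from 127.0.0.1 port 4109 ....
Code: Accounting-Request
Identifier: 133
User-Name = "lupu"
'''

# Header fields of a packet dump: `Code: X`, `Identifier: N`, `User-Name = "u"`.
FIELD = re.compile(r'^(Code|Identifier|User-Name)\s*[:=]\s*"?([^"]*)"?$')


def binds_per_request(trace):
    """One record per received packet: header fields plus bind/failure counts."""
    records, cur, in_request = [], None, False
    for line in (raw.strip() for raw in trace.splitlines()):
        if line.startswith("*** Received from"):
            cur = {"binds": 0, "failures": 0}
            records.append(cur)
            in_request = True
        elif line.startswith("*** Sending to"):
            in_request = False  # fields that follow describe the reply packet
        elif cur is not None:
            cur["binds"] += "Running OpenDSObject" in line
            cur["failures"] += "0x8007052e" in line  # logon failure, as logged
            m = FIELD.match(line)
            if m and in_request:
                cur.setdefault(m.group(1), m.group(2))
    return records


def excess_binds(trace):
    """Access-Requests whose trace shows more than one directory bind."""
    return [r for r in binds_per_request(trace)
            if r.get("Code") == "Access-Request" and r["binds"] > 1]
```

An empty result from `excess_binds` means the log shows a single OpenDSObject call per Access-Request, so any extra badpwdcount increments are not visible at this trace level.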