(RADIATOR) Bad password count on Win2k Active Directory

Mike McCauley mikem at open.com.au
Sun Aug 10 02:37:49 CDT 2003


Hello Steve,


On Sat, 9 Aug 2003 01:22 am, Smith, Mike (Toronto) wrote:
> Hello,
>
> I am using Radiator to authenticate dialin users against our AD.  However,
> when a user enters a bad password, the bad password count in the AD
> (attribute is called "badpwdcount" in AD) increases by 2.  If the
> SearchAttribute is defined, the bad password count increases by 3.  It is
> not caused by duplicate requests from the dialin client because I set the
> DupInterval to 20 seconds.  I believe Radiator is making only one request
> to the AD, but somehow the bad password count increases by 2 or 3.  I've
> attached the output of the 'radpwtst' test program and the radius server as
> well as my config file.  In this test run, I purposely used a wrong
> password and the bad password count increased by 2.
>
> Any Ideas?

I can't explain that yet.
How are you getting the badpwdcount after the bad logins?
Are you quite sure there are not multiple authentication requests happening, 
perhaps due to retransmissions etc?


>
> Thanks in advance,
>
> Mike Smith
>
>
>
>
> Radpwtst output
> ---------------------------------------------------------------------
>
> C:\Radius>perl radpwtst -s 127.0.0.1 -secret test -user lupu -password test
> sending Access-Request...
> Rejected: Request Denied
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
>
>
>
>
> Radiusd output
> -------------------------------------------------------------
>
> C:\Radius>perl radiusd -config_file c:\radiator\radius.cfg
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4109 ....
> Code:       Access-Request
> Identifier: 132
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "lupu"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =
> "<159><234><28><161><247>~<222><178>z<199><246>h<138><6>8<128>"
>
> Wed Aug  6 21:07:57 2003: DEBUG: Handling request with Handler
> 'Client-Identifier=TestAD'
> Wed Aug  6 21:07:57 2003: DEBUG:  Deleting session for lupu, 203.63.154.1,
> 1234
> Wed Aug  6 21:07:57 2003: DEBUG: Handling with ASDI
> Wed Aug  6 21:07:57 2003: DEBUG: BindString converted to
> LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> Wed Aug  6 21:07:57 2003: DEBUG: AuthUser converted to lupu
> Wed Aug  6 21:07:57 2003: DEBUG: Connecting to namespace: LDAP:
> Wed Aug  6 21:07:57 2003: DEBUG: Running OpenDSObject on
> LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> Wed Aug  6 21:07:57 2003: DEBUG: Could not get user object:
> Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or
> bad password"
>     in METHOD/PROPERTYGET "OpenDSObject"
> Wed Aug  6 21:07:57 2003: INFO: Access rejected for lupu: Could not find
> user
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4109 ....
> Code:       Access-Reject
> Identifier: 132
> Authentic:  1234567890123456
> Attributes:
>         Reply-Message = "Request Denied"
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4109 ....
> Code:       Accounting-Request
> Identifier: 133
> Authentic:  <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> Attributes:
>         User-Name = "lupu"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Start
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>
> Wed Aug  6 21:07:57 2003: DEBUG: Handling request with Handler
> 'Client-Identifier=TestAD'
> Wed Aug  6 21:07:57 2003: DEBUG:  Adding session for lupu, 203.63.154.1,
> 1234
> Wed Aug  6 21:07:57 2003: DEBUG: Handling with ASDI
> Wed Aug  6 21:07:57 2003: DEBUG: Accounting accepted
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4109 ....
> Code:       Accounting-Response
> Identifier: 133
> Authentic:  <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> Attributes:
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4109 ....
> Code:       Accounting-Request
> Identifier: 134
> Authentic:  <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> Attributes:
>         User-Name = "lupu"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Stop
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>         Acct-Session-Time = 1000
>         Acct-Input-Octets = 20000
>         Acct-Output-Octets = 30000
>
> Wed Aug  6 21:07:57 2003: DEBUG: Handling request with Handler
> 'Client-Identifier=TestAD'
> Wed Aug  6 21:07:57 2003: DEBUG:  Deleting session for lupu, 203.63.154.1,
> 1234
> Wed Aug  6 21:07:57 2003: DEBUG: Handling with ASDI
> Wed Aug  6 21:07:57 2003: DEBUG: Accounting accepted
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4109 ....
> Code:       Accounting-Response
> Identifier: 134
> Authentic:  <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> Attributes:
>
>
> Config file
> ---------------------------------------------------------------------
>
> Foreground
> LogStdout
> LogDir		c:/Radiator
> DbDir		c:/Radiator
>
>
> Trace 		4
>
>
> #
> #  Baystack Switches
> #
>
> # test switch
> <Client 10.34.0.15>
> 	Secret	test
> 	DupInterval 20
> 	Identifier BayStackSwitch
> </Client>
>
>
> #
> #  Shiva Lanrovers
> #
>
> # shivas
> <Client 10.36.1.34>
> 	Secret  test
> 	DupInterval 20
> 	Identifier ShivaLanRover
> </Client>
>
> <Client 127.0.0.1>
> 	Secret  test
> 	DupInterval 20
> 	Identifier TestAD
> </Client>
>
> <Client DEFAULT>
> 	Secret	mypass
> 	DupInterval 20
> </Client>
>
>
> <Handler Client-Identifier=BayStackSwitch>
>
> 	<AuthBy ADSI>
> 		Identifier ADSI
>
> 		SearchAttribute   sAMAccountName
> 		BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> 		AuthUser %0
>
> 		DefaultReply Service-Type=Administrative-User
> 		GroupRequired  CN=net admin
> 	</AuthBy>
>
> </Handler>
>
> <Handler Client-Identifier=ShivaLanRover>
>
> 	<AuthBy ADSI>
> 		Identifier ADSI
>
> 		SearchAttribute   sAMAccountName
> 		BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> 		AuthUser %0
>
> 		DefaultReply Service-Type=Framed-User
> 		GroupRequired  CN=dialin
> 	</AuthBy>
>
> </Handler>
>
> <Handler Client-Identifier=TestAD>
>
> 	<AuthBy ADSI>
> 		Identifier ADSI
>
> #		SearchAttribute   sAMAccountName
> 		BindString LDAP://toradtest/cn=%0,cn=Users,dc=torzentest,dc=ca
> 		AuthUser %0
>
> 		DefaultReply Service-Type=Framed-User
> 	</AuthBy>
>
> </Handler>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
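Mike's reply asks whether more than one authentication request is actually reaching the server. The following is an added example, not code from this thread or from Radiator: it reads Trace 4 packet dumps of the form quoted above and counts, per user, how many Access-Requests arrived versus how many were distinct, treating a repeat of the same client, Identifier and Request Authenticator as a NAS retransmission rather than a new attempt. The log text is constructed to mirror the dump format, with only the lines the parser needs.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the Trace 4 packet dumps quoted above: an
# Access-Request, its retransmission, the reply, an Accounting-Request, a second attempt.
SAMPLE_LOG = """\
*** Received from 127.0.0.1 port 4109 ....
Code:       Access-Request
Identifier: 132
Authentic:  1234567890123456
        User-Name = "lupu"
*** Received from 127.0.0.1 port 4109 ....
Code:       Access-Request
Identifier: 132
Authentic:  1234567890123456
        User-Name = "lupu"
*** Sending to 127.0.0.1 port 4109 ....
Code:       Access-Reject
Identifier: 132
*** Received from 127.0.0.1 port 4109 ....
Code:       Accounting-Request
Identifier: 133
Authentic:  <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
        User-Name = "lupu"
*** Received from 127.0.0.1 port 4109 ....
Code:       Access-Request
Identifier: 135
Authentic:  9876543210abcdef
        User-Name = "lupu"
"""

def parse_received_packets(log_text):
    """One dict per '*** Received from' dump; '*** Sending to' dumps are skipped."""
    packets = []
    for chunk in re.split(r"^\*\*\* ", log_text, flags=re.M):
        if not chunk.startswith("Received from "):
            continue
        fields = dict(re.findall(r"^(Code|Identifier|Authentic):\s+(.*?)\s*$", chunk, re.M))
        user = re.search(r'^\s*User-Name = "([^"]*)"', chunk, re.M)
        packets.append({"client": " ".join(chunk.split()[2:5]),  # "ip port N"
                        "user": user.group(1) if user else "?",
                        **{k.lower(): v for k, v in fields.items()}})
    return packets
def count_auth_attempts(log_text):
    """Per user: Access-Requests received, distinct, and retransmits (repeated client+Identifier+Authenticator)."""
    seen, received = defaultdict(set), defaultdict(int)
    for p in (q for q in parse_received_packets(log_text) if q.get("code") == "Access-Request"):
        received[p["user"]] += 1
        seen[p["user"]].add((p["client"], p.get("identifier"), p.get("authentic")))
    return {u: {"received": received[u], "distinct": len(seen[u]),
                "retransmits": received[u] - len(seen[u])} for u in received}
```

Run it over a real radiusd log captured at Trace 4; if "distinct" is higher than the number of logins you typed, something between the client and the server is sending extra requests.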
