(RADIATOR) Bad password count on Win2k Active Directory

Smith, Mike (Toronto) Mike.Smith at WatsonWyatt.com
Mon Aug 11 07:53:52 CDT 2003


I'm using an LDAP browser to view user attributes in the Active Directory.
Every user has an attribute 'badpwdcount' which increases by 1 for every
failed login.  As far as I know, the 'radpwtst' utility only sends one
request, and just to be sure only one request is made I set the DupInterval
on radiator to 20 seconds.  If radpwtst retries authentication, radiator
should ignore it.  The radpwtst program does not run for more than 20
seconds.  My question is this:  Does the radius server retry authentication
when the AD rejects it because of a bad password?  If it does, can I change
its behaviour so it only tries once?

Thanks.



-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au] 
Sent: Sunday, August 10, 2003 3:38 AM
To: Smith, Mike (Toronto); 'radiator at open.com.au'
Subject: Re: (RADIATOR) Bad password count on Win2k Active Directory


Hello Steve,


On Sat, 9 Aug 2003 01:22 am, Smith, Mike (Toronto) wrote:
> Hello,
>
> I am using Radiator to authenticate dialin users against our AD.  
> However, when a user enters a bad password, the bad password count in 
> the AD (attribute is called "badpwdcount" in AD) increases by 2.  If 
> the SearchAttribute is defined, the bad password count increases by 3.  
> It is not caused by duplicate requests from the dialin client because 
> I set the DupInterval to 20 seconds.  I believe Radiator is making 
> only one request to the AD, but somehow the bad password count 
> increases by 2 or 3.  I've attached the output of the 'radpwtst' test 
> program and the radius server as well as my config file.  In this test 
> run, I purposely used a wrong password and the bad password count 
> increased by 2.
>
> Any Ideas?

I can't explain that yet.
How are you getting the badpwdcount after the bad logins?
Are you quite sure there are not multiple authentication requests happening,
perhaps due to retransmissions etc?


>
> Thanks in advance,
>
> Mike Smith
>
>
>
>
> Radpwtst output
> ---------------------------------------------------------------------
>
> C:\Radius>perl radpwtst -s 127.0.0.1 -secret test -user lupu -password test
> sending Access-Request...
> Rejected: Request Denied
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
>
>
>
>
> Radiusd output
> -------------------------------------------------------------
>
> C:\Radius>perl radiusd -config_file c:\radiator\radius.cfg
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4109 ....
> Code:       Access-Request
> Identifier: 132
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "lupu"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password = 
> "<159><234><28><161><247>~<222><178>z<199><246>h<138><6>8<128>"
>
> Wed Aug  6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> Wed Aug  6 21:07:57 2003: DEBUG:  Deleting session for lupu, 203.63.154.1, 1234
> Wed Aug  6 21:07:57 2003: DEBUG: Handling with ASDI
> Wed Aug  6 21:07:57 2003: DEBUG: BindString converted to
> LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> Wed Aug  6 21:07:57 2003: DEBUG: AuthUser converted to lupu
> Wed Aug  6 21:07:57 2003: DEBUG: Connecting to namespace: LDAP:
> Wed Aug  6 21:07:57 2003: DEBUG: Running OpenDSObject on
> LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> Wed Aug  6 21:07:57 2003: DEBUG: Could not get user object:
> Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or
> bad password"
>     in METHOD/PROPERTYGET "OpenDSObject"
> Wed Aug  6 21:07:57 2003: INFO: Access rejected for lupu: Could not find
> user
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4109 ....
> Code:       Access-Reject
> Identifier: 132
> Authentic:  1234567890123456
> Attributes:
>         Reply-Message = "Request Denied"
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4109 ....
> Code:       Accounting-Request
> Identifier: 133
> Authentic:  <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> Attributes:
>         User-Name = "lupu"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Start
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>
> Wed Aug  6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> Wed Aug  6 21:07:57 2003: DEBUG:  Adding session for lupu, 203.63.154.1, 1234
> Wed Aug  6 21:07:57 2003: DEBUG: Handling with ASDI
> Wed Aug  6 21:07:57 2003: DEBUG: Accounting accepted
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4109 ....
> Code:       Accounting-Response
> Identifier: 133
> Authentic:  <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> Attributes:
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4109 ....
> Code:       Accounting-Request
> Identifier: 134
> Authentic:  
> <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> Attributes:
>         User-Name = "lupu"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         NAS-Port-Type = Async
>         Acct-Session-Id = "00001234"
>         Acct-Status-Type = Stop
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         Acct-Delay-Time = 0
>         Acct-Session-Time = 1000
>         Acct-Input-Octets = 20000
>         Acct-Output-Octets = 30000
>
> Wed Aug  6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> Wed Aug  6 21:07:57 2003: DEBUG:  Deleting session for lupu, 203.63.154.1, 1234
> Wed Aug  6 21:07:57 2003: DEBUG: Handling with ASDI
> Wed Aug  6 21:07:57 2003: DEBUG: Accounting accepted
>
> Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4109 ....
> Code:       Accounting-Response
> Identifier: 134
> Authentic:  
> <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> Attributes:
>
>
> Config file
> ---------------------------------------------------------------------
>
> Foreground
> LogStdout
> LogDir		c:/Radiator
> DbDir		c:/Radiator
>
>
> Trace 		4
>
>
> #
> #  Baystack Switches
> #
>
> # test switch
> <Client 10.34.0.15>
> 	Secret	test
> 	DupInterval 20
> 	Identifier BayStackSwitch
> </Client>
>
>
> #
> #  Shiva Lanrovers
> #
>
> # shivas
> <Client 10.36.1.34>
> 	Secret  test
> 	DupInterval 20
> 	Identifier ShivaLanRover
> </Client>
>
> <Client 127.0.0.1>
> 	Secret  test
> 	DupInterval 20
> 	Identifier TestAD
> </Client>
>
> <Client DEFAULT>
> 	Secret	mypass
> 	DupInterval 20
> </Client>
>
>
> <Handler Client-Identifier=BayStackSwitch>
>
> 	<AuthBy ADSI>
> 		Identifier ADSI
>
> 		SearchAttribute   sAMAccountName
> 		BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> 		AuthUser %0
>
> 		DefaultReply Service-Type=Administrative-User
> 		GroupRequired  CN=net admin
> 	</AuthBy>
>
> </Handler>
>
> <Handler Client-Identifier=ShivaLanRover>
>
> 	<AuthBy ADSI>
> 		Identifier ADSI
>
> 		SearchAttribute   sAMAccountName
> 		BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> 		AuthUser %0
>
> 		DefaultReply Service-Type=Framed-User
> 		GroupRequired  CN=dialin
> 	</AuthBy>
>
> </Handler>
>
> <Handler Client-Identifier=TestAD>
>
> 	<AuthBy ADSI>
> 		Identifier ADSI
>
> #		SearchAttribute   sAMAccountName
> 		BindString LDAP://toradtest/cn=%0,cn=Users,dc=torzentest,dc=ca
> 		AuthUser %0
>
> 		DefaultReply Service-Type=Framed-User
> 	</AuthBy>
>
> </Handler>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


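Both messages above turn on the same question: did Radiator see one Access-Request and bind to the directory once for it, or did a retransmission or a second bind slip in? The following Python script is an added example, not part of the thread and not Radiator code. It parses Radiator Trace 4 output of the kind quoted above, groups packets by (client, RADIUS Identifier), counts how many copies of each Access-Request arrived and how many "Running OpenDSObject" bind attempts each copy triggered, and flags identifiers that arrived more than once within DupInterval. The embedded log is constructed: the first case is abridged from the trace in the thread (one request, one bind, one reject for Identifier 132), the second case (Identifier 140 from 10.36.1.34 arriving twice, three seconds apart) is made up to show what a retransmission that DupInterval failed to suppress would look like. One caveat when comparing against the directory: badPwdCount is kept per domain controller and is not replicated, so read it from the DC named in the BindString (here toradtest), not from whichever DC the LDAP browser happens to connect to.

```python
"""Count Access-Requests and ADSI bind attempts in a Radiator Trace 4 log.

Added example for the thread above (not Radiator code). It answers
"one request, or several?" and "one bind per request, or several?" by
correlating packet dumps with the AuthBy ADSI 'Running OpenDSObject' lines.
"""
import re

# Constructed sample: Identifier 132 abridged from the thread's own trace,
# Identifier 140 invented to show a NAS retransmission three seconds apart.
SAMPLE_LOG = """\
Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4109 ....
Code:       Access-Request
Identifier: 132
Wed Aug  6 21:07:57 2003: DEBUG: Handling with ASDI
Wed Aug  6 21:07:57 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
Wed Aug  6 21:07:57 2003: DEBUG: Could not get user object: Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password"
Wed Aug  6 21:07:57 2003: INFO: Access rejected for lupu: Could not find user
Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4109 ....
Code:       Access-Reject
Identifier: 132
Wed Aug  6 21:08:30 2003: DEBUG: Packet dump:
*** Received from 10.36.1.34 port 1645 ....
Code:       Access-Request
Identifier: 140
Wed Aug  6 21:08:30 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
Wed Aug  6 21:08:30 2003: DEBUG: Packet dump:
*** Sending to 10.36.1.34 port 1645 ....
Code:       Access-Reject
Identifier: 140
Wed Aug  6 21:08:33 2003: DEBUG: Packet dump:
*** Received from 10.36.1.34 port 1645 ....
Code:       Access-Request
Identifier: 140
Wed Aug  6 21:08:33 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
Wed Aug  6 21:08:33 2003: DEBUG: Packet dump:
*** Sending to 10.36.1.34 port 1645 ....
Code:       Access-Reject
Identifier: 140
"""

PACKET_RE = re.compile(r'^\*\*\* (Received from|Sending to) (\S+) port (\d+)')
CODE_RE = re.compile(r'^Code:\s+(\S+)')
ID_RE = re.compile(r'^Identifier:\s+(\d+)')
TIME_RE = re.compile(r'^\w{3} \w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \d{4}: ')
BIND_RE = re.compile(r'Running OpenDSObject on (\S+)')


def parse_trace(text):
    """Return packets in log order; each received Access-Request carries the
    list of directory bind targets attempted while it was being handled."""
    packets, current, now = [], None, 0
    for line in text.splitlines():
        t = TIME_RE.match(line)
        if t:  # seconds of day from the Radiator timestamp prefix
            h, m, s = (int(x) for x in t.groups())
            now = h * 3600 + m * 60 + s
        p = PACKET_RE.match(line)
        if p:
            current = {'dir': 'rx' if p.group(1).startswith('Received') else 'tx',
                       'client': p.group(2), 'time': now,
                       'code': None, 'id': None, 'binds': []}
            packets.append(current)
            continue
        c = CODE_RE.match(line)
        if c and current:
            current['code'] = c.group(1)
            continue
        i = ID_RE.match(line)
        if i and current:
            current['id'] = int(i.group(1))
            continue
        b = BIND_RE.search(line)
        if b:  # attribute the bind to the most recent received Access-Request
            for pkt in reversed(packets):
                if pkt['dir'] == 'rx' and pkt['code'] == 'Access-Request':
                    pkt['binds'].append(b.group(1))
                    break
    return packets


def summarize(text):
    """Per (client, Identifier): copies received, binds per copy, replies sent."""
    summary = {}
    for pkt in parse_trace(text):
        if pkt['code'] not in ('Access-Request', 'Access-Accept', 'Access-Reject'):
            continue  # accounting traffic never touches the password counter
        e = summary.setdefault((pkt['client'], pkt['id']),
                               {'received': 0, 'binds': [], 'replies': [], 'times': []})
        if pkt['dir'] == 'rx':
            e['received'] += 1
            e['binds'].append(len(pkt['binds']))
            e['times'].append(pkt['time'])
        else:
            e['replies'].append(pkt['code'])
    return summary


def retransmissions(summary, dup_interval=20):
    """Identifiers received more than once within dup_interval seconds, i.e.
    retries the server handled instead of discarding as duplicates."""
    out = {}
    for key, e in summary.items():
        gap = max(e['times']) - min(e['times'])
        if e['received'] > 1 and gap <= dup_interval:
            out[key] = gap
    return out


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    for (client, ident), e in sorted(s.items()):
        print(f"{client} id={ident}: received={e['received']} "
              f"binds_per_copy={e['binds']} replies={e['replies']}")
    for key, gap in retransmissions(s).items():
        print(f"retransmission: {key} copies {gap}s apart, inside DupInterval")
```

Run it against a real Trace 4 log (python3 script.py < radiator.log after swapping SAMPLE_LOG for sys.stdin.read()) and compare the per-identifier bind count with the change in badPwdCount on the DC named in the BindString. For the trace quoted in the thread the script reports one copy of Identifier 132 and one OpenDSObject call, so whatever is incrementing the counter beyond one is not visible at the RADIUS layer in that trace.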