(RADIATOR) Bad password count on Win2k Active Directory
Mike McCauley
mikem at open.com.au
Mon Aug 11 18:33:50 CDT 2003
Hello Mike,
On Mon, 11 Aug 2003 10:53 pm, Smith, Mike (Toronto) wrote:
> I'm using an LDAP browser to view user attributes in the Active Directory.
Which browser?
> Every user has an attribute 'badpwdcount' which increases by 1 for every
> failed login. As far as I know, the 'radpwtst' utility only sends one
> request, and just to be sure only one request is made I set the DupInterval
> on radiator to 20 seconds. If radpwtst retries authentication, radiator
> should ignore it. The radpwtst program does not run for more than 20
> seconds. My question is this: Does the radius server retry authentication
> when the AD rejects it because of a bad password?
No.
> If it does, can I change
> its behaviour so it only tries once?
>
> Thanks.
>
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Sunday, August 10, 2003 3:38 AM
> To: Smith, Mike (Toronto); 'radiator at open.com.au'
> Subject: Re: (RADIATOR) Bad password count on Win2k Active Directory
>
>
> Hello Steve,
>
> On Sat, 9 Aug 2003 01:22 am, Smith, Mike (Toronto) wrote:
> > Hello,
> >
> > I am using Radiator to authenticate dialin users against our AD.
> > However, when a user enters a bad password, the bad password count in
> > the AD (attribute is called "badpwdcount" in AD) increases by 2. If
> > the SearchAttribute is defined, the bad password count increases by 3.
> > It is not caused by duplicate requests from the dialin client because
> > I set the DupInterval to 20 seconds. I believe Radiator is making
> > only one request to the AD, but somehow the bad password count
> > increases by 2 or 3. I've attached the output of the 'radpwtst' test
> > program and the radius server as well as my config file. In this test
> > run, I purposely used a wrong password and the bad password count
> > increased by 2.
> >
> > Any ideas?
>
> I can't explain that yet.
> How are you getting the badpwdcount after the bad logins?
> Are you quite sure there are not multiple authentication requests
> happening, perhaps due to retransmissions etc?
>
> > Thanks in advance,
> >
> > Mike Smith
> >
> >
> >
> >
> > Radpwtst output
> > ---------------------------------------------------------------------
> >
> > C:\Radius>perl radpwtst -s 127.0.0.1 -secret test -user lupu -password
> > test sending Access-Request...
> > Rejected: Request Denied
> > sending Accounting-Request Start...
> > OK
> > sending Accounting-Request Stop...
> > OK
> >
> >
> >
> >
> > Radiusd output
> > -------------------------------------------------------------
> >
> > C:\Radius>perl radiusd -config_file c:\radiator\radius.cfg
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 4109 ....
> > Code: Access-Request
> > Identifier: 132
> > Authentic: 1234567890123456
> > Attributes:
> > User-Name = "lupu"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > NAS-Port-Type = Async
> > User-Password = "<159><234><28><161><247>~<222><178>z<199><246>h<138><6>8<128>"
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> > Wed Aug 6 21:07:57 2003: DEBUG: Deleting session for lupu, 203.63.154.1, 1234
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
> > Wed Aug 6 21:07:57 2003: DEBUG: BindString converted to LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> > Wed Aug 6 21:07:57 2003: DEBUG: AuthUser converted to lupu
> > Wed Aug 6 21:07:57 2003: DEBUG: Connecting to namespace: LDAP:
> > Wed Aug 6 21:07:57 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> > Wed Aug 6 21:07:57 2003: DEBUG: Could not get user object: Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password"
> > in METHOD/PROPERTYGET "OpenDSObject"
> > Wed Aug 6 21:07:57 2003: INFO: Access rejected for lupu: Could not find user
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 4109 ....
> > Code: Access-Reject
> > Identifier: 132
> > Authentic: 1234567890123456
> > Attributes:
> > Reply-Message = "Request Denied"
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 4109 ....
> > Code: Accounting-Request
> > Identifier: 133
> > Authentic: <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> > Attributes:
> > User-Name = "lupu"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > NAS-Port-Type = Async
> > Acct-Session-Id = "00001234"
> > Acct-Status-Type = Start
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > Acct-Delay-Time = 0
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> > Wed Aug 6 21:07:57 2003: DEBUG: Adding session for lupu, 203.63.154.1, 1234
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
> > Wed Aug 6 21:07:57 2003: DEBUG: Accounting accepted
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 4109 ....
> > Code: Accounting-Response
> > Identifier: 133
> > Authentic: <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> > Attributes:
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 4109 ....
> > Code: Accounting-Request
> > Identifier: 134
> > Authentic: <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> > Attributes:
> > User-Name = "lupu"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > NAS-Port-Type = Async
> > Acct-Session-Id = "00001234"
> > Acct-Status-Type = Stop
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > Acct-Delay-Time = 0
> > Acct-Session-Time = 1000
> > Acct-Input-Octets = 20000
> > Acct-Output-Octets = 30000
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> > Wed Aug 6 21:07:57 2003: DEBUG: Deleting session for lupu, 203.63.154.1, 1234
> > Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
> > Wed Aug 6 21:07:57 2003: DEBUG: Accounting accepted
> >
> > Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 4109 ....
> > Code: Accounting-Response
> > Identifier: 134
> > Authentic: <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> > Attributes:
> >
> >
> > Config file
> > ---------------------------------------------------------------------
> >
> > Foreground
> > LogStdout
> > LogDir c:/Radiator
> > DbDir c:/Radiator
> >
> >
> > Trace 4
> >
> >
> > #
> > # Baystack Switches
> > #
> >
> > # test switch
> > <Client 10.34.0.15>
> > Secret test
> > DupInterval 20
> > Identifier BayStackSwitch
> > </Client>
> >
> >
> > #
> > # Shiva Lanrovers
> > #
> >
> > # shivas
> > <Client 10.36.1.34>
> > Secret test
> > DupInterval 20
> > Identifier ShivaLanRover
> > </Client>
> >
> > <Client 127.0.0.1>
> > Secret test
> > DupInterval 20
> > Identifier TestAD
> > </Client>
> >
> > <Client DEFAULT>
> > Secret mypass
> > DupInterval 20
> > </Client>
> >
> >
> > <Handler Client-Identifier=BayStackSwitch>
> >
> > <AuthBy ADSI>
> > Identifier ADSI
> >
> > SearchAttribute sAMAccountName
> > BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> > AuthUser %0
> >
> > DefaultReply Service-Type=Administrative-User
> > GroupRequired CN=net admin
> > </AuthBy>
> >
> > </Handler>
> >
> > <Handler Client-Identifier=ShivaLanRover>
> >
> > <AuthBy ADSI>
> > Identifier ADSI
> >
> > SearchAttribute sAMAccountName
> > BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> > AuthUser %0
> >
> > DefaultReply Service-Type=Framed-User
> > GroupRequired CN=dialin
> > </AuthBy>
> >
> > </Handler>
> >
> > <Handler Client-Identifier=TestAD>
> >
> > <AuthBy ADSI>
> > Identifier ADSI
> >
> > # SearchAttribute sAMAccountName
> > BindString LDAP://toradtest/cn=%0,cn=Users,dc=torzentest,dc=ca
> >
> > AuthUser %0
> >
> > DefaultReply Service-Type=Framed-User
> > </AuthBy>
> >
> > </Handler>
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
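The diagnostic the thread circles around is whether Radiator really makes only one AD bind per bad-password Access-Request, or whether retransmits or repeated OpenDSObject calls explain a badpwdcount that rises by 2 or 3. As an added example (not part of the thread or of Radiator itself), the script below walks Trace 4 output and counts, per RADIUS Identifier, the Access-Requests received and the OpenDSObject bind attempts made while handling them, so the numbers can be compared with the observed badpwdcount delta; the sample log is a constructed, abridged copy of the output quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the Trace 4 output quoted in the
# thread (one Access-Request, one ADSI bind attempt, one Access-Reject).
SAMPLE_LOG = """\
*** Received from 127.0.0.1 port 4109 ....
Code: Access-Request
Identifier: 132
Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
Wed Aug 6 21:07:57 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
Wed Aug 6 21:07:57 2003: INFO: Access rejected for lupu: Could not find user
*** Sending to 127.0.0.1 port 4109 ....
Code: Access-Reject
Identifier: 132
"""
CODE = re.compile(r"^Code: (\S+)")
IDENT = re.compile(r"^Identifier: (\d+)")

def summarize(log_text):
    """Per Identifier: Access-Requests received and ADSI binds run; plus rejects."""
    requests = defaultdict(int)  # identifier -> Access-Requests received
    binds = defaultdict(int)     # identifier -> OpenDSObject calls
    rejects = 0
    direction = code = None      # packet dump currently being read
    current = None               # identifier of the request being handled
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("*** Received"):
            direction, code = "rx", None
        elif line.startswith("*** Sending"):
            direction, code = "tx", None
        elif m := CODE.match(line):
            code = m.group(1)
        elif m := IDENT.match(line):
            # Only an Access-Request drives an AD bind; accounting does not.
            if direction == "rx":
                current = int(m.group(1)) if code == "Access-Request" else None
                if current is not None:
                    requests[current] += 1
        elif "DEBUG: Running OpenDSObject on " in line and current is not None:
            binds[current] += 1
        elif "INFO: Access rejected for " in line:
            rejects += 1
    return {"requests": dict(requests), "binds": dict(binds), "rejects": rejects}

def retransmitted(summary):
    """Identifiers seen more than once: retransmits DupInterval should absorb."""
    return sorted(i for i, n in summary["requests"].items() if n > 1)
```

If the bind count per Identifier is 1 while badpwdcount rises by 2, the extra increment is happening on the AD side of the single bind rather than in Radiator.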