(RADIATOR) Bad password count on Win2k Active Directory

Smith, Mike (Toronto) Mike.Smith at WatsonWyatt.com
Tue Aug 12 07:27:01 CDT 2003


I'm using Softerra LDAP Browser 2.5.2 to look at the AD attributes.
The AD is Windows 2000 w/ SP3.

Mike

-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au] 
Sent: Monday, August 11, 2003 7:34 PM
To: Smith, Mike (Toronto); 'radiator at open.com.au'
Subject: Re: (RADIATOR) Bad password count on Win2k Active Directory


Hello Mike,

On Mon, 11 Aug 2003 10:53 pm, Smith, Mike (Toronto) wrote:
> I'm using an LDAP browser to view user attributes in the Active 
> Directory.

Which browser?

> Every user has an attribute 'badpwdcount' which increases by 1 for 
> every failed login.  As far as I know, the 'radpwtst' utility only 
> sends one request, and just to be sure only one request is made I set 
> the DupInterval on radiator to 20 seconds.  If radpwtst retries 
> authentication, radiator should ignore it.  The radpwtst program does 
> not run for more than 20 seconds.  My question is this:  Does the 
> radius server retry authentication when the AD rejects it because of a bad password?

No.

> If it does, can I change
> its behaviour so it only tries once?
>
> Thanks.
>
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Sunday, August 10, 2003 3:38 AM
> To: Smith, Mike (Toronto); 'radiator at open.com.au'
> Subject: Re: (RADIATOR) Bad password count on Win2k Active Directory
>
>
> Hello Steve,
>
> On Sat, 9 Aug 2003 01:22 am, Smith, Mike (Toronto) wrote:
> > Hello,
> >
> > I am using Radiator to authenticate dialin users against our AD. 
> > However, when a user enters a bad password, the bad password count 
> > in the AD (attribute is called "badpwdcount" in AD) increases by 2.  
> > If the SearchAttribute is defined, the bad password count increases 
> > by 3. It is not caused by duplicate requests from the dialin client 
> > because I set the DupInterval to 20 seconds.  I believe Radiator is 
> > making only one request to the AD, but somehow the bad password 
> > count increases by 2 or 3.  I've attached the output of the 
> > 'radpwtst' test program and the radius server as well as my config 
> > file.  In this test run, I purposely used a wrong password and the 
> > bad password count increased by 2.
> >
> > Any Ideas?
>
> I can't explain that yet.
> How are you getting the badpwdcount after the bad logins?
> Are you quite sure there are not multiple authentication requests happening, 
> perhaps due to retransmissions etc?
>
> > Thanks in advance,
> >
> > Mike Smith
> >
> >
> >
> >
> > Radpwtst output
> > ---------------------------------------------------------------------
> >
> > C:\Radius>perl radpwtst -s 127.0.0.1 -secret test -user lupu -password test
> > sending Access-Request...
> > Rejected: Request Denied
> > sending Accounting-Request Start...
> > OK
> > sending Accounting-Request Stop...
> > OK
> >
> >
> >
> >
> > Radiusd output
> > -------------------------------------------------------------
> >
> > C:\Radius>perl radiusd -config_file c:\radiator\radius.cfg
> >
> > Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 4109 ....
> > Code:       Access-Request
> > Identifier: 132
> > Authentic:  1234567890123456
> > Attributes:
> >         User-Name = "lupu"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         NAS-Port-Type = Async
> >         User-Password = 
> > "<159><234><28><161><247>~<222><178>z<199><246>h<138><6>8<128>"
> >
> > Wed Aug  6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> > Wed Aug  6 21:07:57 2003: DEBUG:  Deleting session for lupu, 203.63.154.1, 1234
> > Wed Aug  6 21:07:57 2003: DEBUG: Handling with ASDI
> > Wed Aug  6 21:07:57 2003: DEBUG: BindString converted to LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> > Wed Aug  6 21:07:57 2003: DEBUG: AuthUser converted to lupu
> > Wed Aug  6 21:07:57 2003: DEBUG: Connecting to namespace: LDAP:
> > Wed Aug  6 21:07:57 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> > Wed Aug  6 21:07:57 2003: DEBUG: Could not get user object:
> > Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password"
> >     in METHOD/PROPERTYGET "OpenDSObject"
> > Wed Aug  6 21:07:57 2003: INFO: Access rejected for lupu: Could not find user
> >
> > Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 4109 ....
> > Code:       Access-Reject
> > Identifier: 132
> > Authentic:  1234567890123456
> > Attributes:
> >         Reply-Message = "Request Denied"
> >
> > Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 4109 ....
> > Code:       Accounting-Request
> > Identifier: 133
> > Authentic:  <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> > Attributes:
> >         User-Name = "lupu"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         NAS-Port-Type = Async
> >         Acct-Session-Id = "00001234"
> >         Acct-Status-Type = Start
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         Acct-Delay-Time = 0
> >
> > Wed Aug  6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> > Wed Aug  6 21:07:57 2003: DEBUG:  Adding session for lupu, 203.63.154.1, 1234
> > Wed Aug  6 21:07:57 2003: DEBUG: Handling with ASDI
> > Wed Aug  6 21:07:57 2003: DEBUG: Accounting accepted
> >
> > Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 4109 ....
> > Code:       Accounting-Response
> > Identifier: 133
> > Authentic:  <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> > Attributes:
> >
> > Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 4109 ....
> > Code:       Accounting-Request
> > Identifier: 134
> > Authentic:  <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> > Attributes:
> >         User-Name = "lupu"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 203.63.154.1
> >         NAS-Port = 1234
> >         NAS-Port-Type = Async
> >         Acct-Session-Id = "00001234"
> >         Acct-Status-Type = Stop
> >         Called-Station-Id = "123456789"
> >         Calling-Station-Id = "987654321"
> >         Acct-Delay-Time = 0
> >         Acct-Session-Time = 1000
> >         Acct-Input-Octets = 20000
> >         Acct-Output-Octets = 30000
> >
> > Wed Aug  6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> > Wed Aug  6 21:07:57 2003: DEBUG:  Deleting session for lupu, 203.63.154.1, 1234
> > Wed Aug  6 21:07:57 2003: DEBUG: Handling with ASDI
> > Wed Aug  6 21:07:57 2003: DEBUG: Accounting accepted
> >
> > Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 4109 ....
> > Code:       Accounting-Response
> > Identifier: 134
> > Authentic:  <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> > Attributes:
> >
> >
> > Config file
> > ---------------------------------------------------------------------
> >
> > Foreground
> > LogStdout
> > LogDir		c:/Radiator
> > DbDir		c:/Radiator
> >
> >
> > Trace 		4
> >
> >
> > #
> > #  Baystack Switches
> > #
> >
> > # test switch
> > <Client 10.34.0.15>
> > 	Secret	test
> > 	DupInterval 20
> > 	Identifier BayStackSwitch
> > </Client>
> >
> >
> > #
> > #  Shiva Lanrovers
> > #
> >
> > # shivas
> > <Client 10.36.1.34>
> > 	Secret  test
> > 	DupInterval 20
> > 	Identifier ShivaLanRover
> > </Client>
> >
> > <Client 127.0.0.1>
> > 	Secret  test
> > 	DupInterval 20
> > 	Identifier TestAD
> > </Client>
> >
> > <Client DEFAULT>
> > 	Secret	mypass
> > 	DupInterval 20
> > </Client>
> >
> >
> > <Handler Client-Identifier=BayStackSwitch>
> >
> > 	<AuthBy ADSI>
> > 		Identifier ADSI
> >
> > 		SearchAttribute   sAMAccountName
> > 		BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> > 		AuthUser %0
> >
> > 		DefaultReply Service-Type=Administrative-User
> > 		GroupRequired  CN=net admin
> > 	</AuthBy>
> >
> > </Handler>
> >
> > <Handler Client-Identifier=ShivaLanRover>
> >
> > 	<AuthBy ADSI>
> > 		Identifier ADSI
> >
> > 		SearchAttribute   sAMAccountName
> > 		BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> > 		AuthUser %0
> >
> > 		DefaultReply Service-Type=Framed-User
> > 		GroupRequired  CN=dialin
> > 	</AuthBy>
> >
> > </Handler>
> >
> > <Handler Client-Identifier=TestAD>
> >
> > 	<AuthBy ADSI>
> > 		Identifier ADSI
> >
> > #		SearchAttribute   sAMAccountName
> > 		BindString LDAP://toradtest/cn=%0,cn=Users,dc=torzentest,dc=ca
> > 		AuthUser %0
> >
> > 		DefaultReply Service-Type=Framed-User
> > 	</AuthBy>
> >
> > </Handler>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
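Added example (editor's, not Radiator code and not anything posted in the thread): a small Python parser for the Trace 4 output quoted above that answers Mike McCauley's question ("are there multiple authentication requests happening?") from the log itself. It groups the trace by received Access-Request, counts the OpenDSObject binds issued while each one was handled (each failed bind is one logon attempt that the DC records in badPwdCount), and flags any Access-Request with the same client address, port and Identifier repeated within DupInterval, which is what a retransmission looks like. The sample log is constructed: the first request is the one from the thread; the retransmission (Identifier 132 again five seconds later) and a third request handled with two binds (Identifier 140) are made up to show what each explanation would look like in a trace. The field names and the "one bind equals one attempt" rule are mine.

```python
"""Count LDAP binds per RADIUS Access-Request in a Radiator Trace 4 log.

Added example, not Radiator's own code. A bind is a "Running OpenDSObject"
line; a retransmission is the same client/Identifier seen again within
DupInterval seconds.
"""
import re
from datetime import datetime

# "Wed Aug  6 21:07:57 2003: DEBUG: message" (note the double space before 6)
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (\w+): ?(.*)$")
RECV_RE = re.compile(r"^\*\*\* Received from (\S+) port (\d+)")
SEND_RE = re.compile(r"^\*\*\* Sending to (\S+) port (\d+)")
CODE_RE = re.compile(r"^Code:\s+(\S+)")
ID_RE = re.compile(r"^Identifier:\s+(\d+)")
BIND_RE = re.compile(r"Running OpenDSObject on (\S+)")
DUP_INTERVAL = 20  # seconds, the DupInterval used in the config on the page


def parse_trace(lines, dup_interval=DUP_INTERVAL):
    """Return one dict per received Access-Request, in log order."""
    requests, state = [], {"current": None, "dump": None}

    def close_dump():  # called whenever a packet dump ends
        d, state["dump"] = state["dump"], None
        if not d or "code" not in d:
            return
        if d.get("dir") == "recv" and d["code"] == "Access-Request":
            key = (d.get("client"), d.get("ident"))
            dup = any(r["key"] == key and (d["ts"] - r["ts"]).total_seconds() <= dup_interval
                      for r in requests)
            state["current"] = {"ts": d["ts"], "client": key[0], "ident": key[1], "key": key,
                                "binds": 0, "reply": None, "retransmit": dup}
            requests.append(state["current"])
        elif d.get("dir") == "send" and state["current"] and d["code"].startswith("Access-"):
            state["current"]["reply"] = d["code"]

    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:  # timestamped line: ends any open packet dump
            close_dump()
            ts, msg = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(3)
            if msg.startswith("Packet dump"):
                state["dump"] = {"ts": ts}
            elif BIND_RE.search(msg) and state["current"]:
                state["current"]["binds"] += 1  # one logon attempt against AD
            continue
        d = state["dump"]
        if d is None:
            continue  # continuation line outside a dump, e.g. the Win32::OLE error text
        for rx, direction in ((RECV_RE, "recv"), (SEND_RE, "send")):
            r = rx.match(line)
            if r:
                d.update(dir=direction, client=f"{r.group(1)}:{r.group(2)}")
        if (c := CODE_RE.match(line)):
            d["code"] = c.group(1)
        if (i := ID_RE.match(line)):
            d["ident"] = i.group(1)
    close_dump()
    return requests


def suspicious(requests):
    """Requests that could explain a badPwdCount jump of more than one."""
    return [r for r in requests if r["binds"] != 1 or r["retransmit"]]


# Constructed sample: request 132 is the one from the thread; the repeat of 132
# and request 140 (two binds) are made up to show a retransmission and a double bind.
SAMPLE_LOG = """\
Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4109 ....
Code:       Access-Request
Identifier: 132
Attributes:
        User-Name = "lupu"

Wed Aug  6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
Wed Aug  6 21:07:57 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
Wed Aug  6 21:07:57 2003: DEBUG: Could not get user object:
Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password"
Wed Aug  6 21:07:57 2003: INFO: Access rejected for lupu: Could not find user
Wed Aug  6 21:07:57 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4109 ....
Code:       Access-Reject
Identifier: 132

Wed Aug  6 21:08:02 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4109 ....
Code:       Access-Request
Identifier: 132

Wed Aug  6 21:08:30 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4109 ....
Code:       Access-Request
Identifier: 140

Wed Aug  6 21:08:30 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
Wed Aug  6 21:08:30 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
Wed Aug  6 21:08:30 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
Wed Aug  6 21:08:30 2003: INFO: Access rejected for lupu: Could not find user
Wed Aug  6 21:08:30 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4109 ....
Code:       Access-Reject
Identifier: 140
"""

if __name__ == "__main__":
    for r in parse_trace(SAMPLE_LOG.splitlines()):
        flag = " RETRANSMIT" if r["retransmit"] else ""
        print(f"{r['ts']:%H:%M:%S} id={r['ident']} binds={r['binds']} reply={r['reply']}{flag}")
```

Run it against a real `radiusd` log captured at Trace 4 and every request in `suspicious()` is a candidate cause; a trace like the one in the thread, with exactly one bind and no repeat of the Identifier, means the extra increments are not coming from Radiator issuing more RADIUS-driven binds than it logs. One caveat when reading the count back with an LDAP browser: badPwdCount is a non-replicated, per-domain-controller attribute in Active Directory, so the browser must be bound to the same DC named in BindString (toradtest here); a count read from another DC reflects that DC's own failed attempts, not the ones Radiator's bind produced.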