Hopefully an easily-answered query.
My Radiator installation authenticates using a customised LDAP module (see
posts to this list passim). This module is designed to fire off a single
authentication attempt.
However, the administrators of the LDAP server that I connect to (for complex
reasons, I don't 'own' the database I authenticate against) are seeing
multiple authentication attempts in rapid succession.
This presents problems, because if a dialup user accidentally presents the
wrong password, the LDAP server is hit multiple times with that password, and
the underlying NDS user object that is being authenticated against registers
this as multiple bad attempts at access, and invokes a security lockout
(intended to defend against brute force cracking attempts).
In effect, one mistake locks the user out for a couple of hours until the
security lock expires, even if they subsequently correct their error.
As I mentioned, my module makes only one authentication attempt per
invocation, but:
1) Could the core Radiator code be calling it more than once for the same
login attempt?
or (as seems more likely)
2) Is the user's PC getting impatient waiting for the authentication response,
and re-trying whilst Radiator is still coping with the previous request?
(Put another way, is a single RADIUS request from the RAS triggering multiple
LDAP responses from Radiator, or is Radiator issuing one LDAP per request as
desired, but being repeatedly requested to do this via RADIUS traffic from
the RAS?)
Any suggestions as to how I can ensure only one LDAP authentication request
per dialup login? It's causing us big problems here.... 8(
Thanks,
M.
--
Mark O'Leary, Manchester Computing, UK
PGP Key and Further Details:
http://lucy.mcc.ac.uk/mark/mark.html
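
The second possibility raised above, the same RADIUS request being retransmitted while the backend is still busy, can be absorbed by a duplicate-request cache in front of the authenticator. The sketch below is an added example, not part of the original post and not Radiator's code; `DedupCache`, the packet dictionaries, the plaintext `password` field and `fake_ldap_bind` are constructed for illustration. It keys on client IP, source port, Identifier and Request Authenticator, the fields RFC 2865 names for spotting duplicates.

```python
import time

class DedupCache:
    """Suppress RADIUS retransmissions so each login causes one backend bind."""
    PENDING = object()   # marker: first copy of the request is still being processed

    def __init__(self, backend, ttl=30.0, clock=time.monotonic):
        self.backend = backend   # callable(username, password) -> bool
        self.ttl = ttl           # seconds to remember a request
        self.clock = clock
        self.seen = {}           # key -> (expiry, reply or PENDING)

    def _key(self, pkt):
        # Same client IP, source port and Identifier means a retransmission;
        # the Request Authenticator guards against Identifier reuse.
        return (pkt["src_ip"], pkt["src_port"], pkt["id"], pkt["authenticator"])

    def handle(self, pkt):
        now = self.clock()
        self.seen = {k: v for k, v in self.seen.items() if v[0] > now}
        key = self._key(pkt)
        if key in self.seen:
            reply = self.seen[key][1]
            # Still in progress: drop silently. Finished: resend the same reply.
            return None if reply is self.PENDING else reply
        self.seen[key] = (now + self.ttl, self.PENDING)
        ok = self.backend(pkt["user"], pkt["password"])   # the only bind attempt
        reply = "Access-Accept" if ok else "Access-Reject"
        self.seen[key] = (now + self.ttl, reply)
        return reply

def run_demo():
    binds = []
    def fake_ldap_bind(user, password):   # stands in for the LDAP module
        binds.append(user)
        return password == "correct-horse"
    cache = DedupCache(fake_ldap_bind)
    # Constructed packets: one mistyped login sent three times by the RAS,
    # then a fresh login (new Identifier and Authenticator) with the right password.
    wrong = {"src_ip": "192.0.2.10", "src_port": 1645, "id": 7,
             "authenticator": b"\x01" * 16, "user": "alice", "password": "typo"}
    retry = dict(wrong, id=8, authenticator=b"\x02" * 16, password="correct-horse")
    replies = [cache.handle(p) for p in (wrong, wrong, wrong, retry)]
    return replies, len(binds)
```

In the demo the mistyped password reaches the backend once rather than three times, so the directory records a single failed attempt for that login.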