Hello Steve,
On Sat, 9 Aug 2003 01:22 am, Smith, Mike (Toronto) wrote:
> Hello,
>
> I am using Radiator to authenticate dialin users against our AD. However,
> when a user enters a bad password, the bad password count in the AD
> (attribute is called "badpwdcount" in AD) increases by 2. If the
> SearchAttribute is defined, the bad password count increases by 3. It is
> not caused by duplicate requests from the dialin client because I set the
> DupInterval to 20 seconds. I believe Radiator is making only one request
> to the AD, but somehow the bad password count increases by 2 or 3. I've
> attached the output of the 'radpwtst' test program and the radius server as
> well as my config file. In this test run, I purposely used a wrong
> password and the bad password count increased by 2.
>
> Any Ideas?

I can't explain that yet. How are you getting the badpwdcount after the bad
logins? Are you quite sure there are not multiple authentication requests
happening, perhaps due to retransmissions etc?

> Thanks in advance,
>
> Mike Smith
>
>
>
> Radpwtst output
> ---------------------------------------------------------------------
>
> C:\Radius>perl radpwtst -s 127.0.0.1 -secret test -user lupu -password test
> sending Access-Request...
> Rejected: Request Denied
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
>
>
>
> Radiusd output
> -------------------------------------------------------------
>
> C:\Radius>perl radiusd -config_file c:\radiator\radius.cfg
>
> Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4109 ....
> Code: Access-Request
> Identifier: 132
> Authentic: 1234567890123456
> Attributes:
> 	User-Name = "lupu"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 203.63.154.1
> 	NAS-Port = 1234
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	NAS-Port-Type = Async
> 	User-Password = "<159><234><28><161><247>~<222><178>z<199><246>h<138><6>8<128>"
>
> Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> Wed Aug 6 21:07:57 2003: DEBUG: Deleting session for lupu, 203.63.154.1, 1234
> Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
> Wed Aug 6 21:07:57 2003: DEBUG: BindString converted to LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> Wed Aug 6 21:07:57 2003: DEBUG: AuthUser converted to lupu
> Wed Aug 6 21:07:57 2003: DEBUG: Connecting to namespace: LDAP:
> Wed Aug 6 21:07:57 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
> Wed Aug 6 21:07:57 2003: DEBUG: Could not get user object: Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password"
> in METHOD/PROPERTYGET "OpenDSObject"
> Wed Aug 6 21:07:57 2003: INFO: Access rejected for lupu: Could not find user
>
> Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4109 ....
> Code: Access-Reject
> Identifier: 132
> Authentic: 1234567890123456
> Attributes:
> 	Reply-Message = "Request Denied"
>
> Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4109 ....
> Code: Accounting-Request
> Identifier: 133
> Authentic: <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> Attributes:
> 	User-Name = "lupu"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 203.63.154.1
> 	NAS-Port = 1234
> 	NAS-Port-Type = Async
> 	Acct-Session-Id = "00001234"
> 	Acct-Status-Type = Start
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	Acct-Delay-Time = 0
>
> Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> Wed Aug 6 21:07:57 2003: DEBUG: Adding session for lupu, 203.63.154.1, 1234
> Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
> Wed Aug 6 21:07:57 2003: DEBUG: Accounting accepted
>
> Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4109 ....
> Code: Accounting-Response
> Identifier: 133
> Authentic: <23><234>1<25><243>LQ<5>l<188>-`<145><214><26>3
> Attributes:
>
> Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4109 ....
> Code: Accounting-Request
> Identifier: 134
> Authentic: <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> Attributes:
> 	User-Name = "lupu"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 203.63.154.1
> 	NAS-Port = 1234
> 	NAS-Port-Type = Async
> 	Acct-Session-Id = "00001234"
> 	Acct-Status-Type = Stop
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	Acct-Delay-Time = 0
> 	Acct-Session-Time = 1000
> 	Acct-Input-Octets = 20000
> 	Acct-Output-Octets = 30000
>
> Wed Aug 6 21:07:57 2003: DEBUG: Handling request with Handler 'Client-Identifier=TestAD'
> Wed Aug 6 21:07:57 2003: DEBUG: Deleting session for lupu, 203.63.154.1, 1234
> Wed Aug 6 21:07:57 2003: DEBUG: Handling with ASDI
> Wed Aug 6 21:07:57 2003: DEBUG: Accounting accepted
>
> Wed Aug 6 21:07:57 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4109 ....
> Code: Accounting-Response
> Identifier: 134
> Authentic: <247><153>-<222>[<188><176><151><184><192>1<15>l<128><190>2
> Attributes:
>
>
> Config file
> ---------------------------------------------------------------------
>
> Foreground
> LogStdout
> LogDir c:/Radiator
> DbDir c:/Radiator
>
>
> Trace 4
>
>
> #
> # Baystack Switches
> #
>
> # test switch
> <Client 10.34.0.15>
> 	Secret test
> 	DupInterval 20
> 	Identifier BayStackSwitch
> </Client>
>
>
> #
> # Shiva Lanrovers
> #
>
> # shivas
> <Client 10.36.1.34>
> 	Secret test
> 	DupInterval 20
> 	Identifier ShivaLanRover
> </Client>
>
> <Client 127.0.0.1>
> 	Secret test
> 	DupInterval 20
> 	Identifier TestAD
> </Client>
>
> <Client DEFAULT>
> 	Secret mypass
> 	DupInterval 20
> </Client>
>
>
> <Handler Client-Identifier=BayStackSwitch>
>
> 	<AuthBy ADSI>
> 		Identifier ADSI
>
> 		SearchAttribute sAMAccountName
> 		BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> 		AuthUser %0
>
> 		DefaultReply Service-Type=Administrative-User
> 		GroupRequired CN=net admin
> 	</AuthBy>
>
> </Handler>
>
> <Handler Client-Identifier=ShivaLanRover>
>
> 	<AuthBy ADSI>
> 		Identifier ADSI
>
> 		SearchAttribute sAMAccountName
> 		BindString LDAP://toradtest/cn=Users,dc=torzentest,dc=ca
> 		AuthUser %0
>
> 		DefaultReply Service-Type=Framed-User
> 		GroupRequired CN=dialin
> 	</AuthBy>
>
> </Handler>
>
> <Handler Client-Identifier=TestAD>
>
> 	<AuthBy ADSI>
> 		Identifier ADSI
>
> 		# SearchAttribute sAMAccountName
> 		BindString LDAP://toradtest/cn=%0,cn=Users,dc=torzentest,dc=ca
> 		AuthUser %0
>
> 		DefaultReply Service-Type=Framed-User
> 	</AuthBy>
>
> </Handler>

-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus,
Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP
etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
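One way to answer the retransmission question from the server side is to read the Trace 4 log and count, per received Access-Request, how many times that identifier arrived and how many OpenDSObject binds were run while handling it. This is an added example, not Radiator code or anything from the thread; the sample log is constructed from the trace quoted above plus an invented second arrival of identifier 132.

```python
import re
from collections import Counter
# Constructed sample: the failed login traced above, then a made-up retransmission.
SAMPLE_LOG = """\
*** Received from 127.0.0.1 port 4109 ....
Code: Access-Request
Identifier: 132
Attributes:
        User-Name = "lupu"

Wed Aug 6 21:07:57 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
*** Sending to 127.0.0.1 port 4109 ....
Code: Access-Reject
Identifier: 132
*** Received from 127.0.0.1 port 4109 ....
Code: Access-Request
Identifier: 132
Attributes:
        User-Name = "lupu"

Wed Aug 6 21:08:02 2003: DEBUG: Running OpenDSObject on LDAP://toradtest/cn=lupu,cn=Users,dc=torzentest,dc=ca
*** Sending to 127.0.0.1 port 4109 ....
"""

PACKET_RE = re.compile(r"\*\*\* (Received|Sending) ")
FIELD_RE = re.compile(r'^\s*(Code|Identifier|User-Name)\s*[:=]\s*"?([^"\s]+)')
BIND_RE = re.compile(r"Running OpenDSObject on ")

def analyse(log_text):
    """Map each received Access-Request (identifier, user) to
    (times it arrived, OpenDSObject binds run while handling it)."""
    seen, binds = Counter(), Counter()
    current = packet = None
    for line in log_text.splitlines():
        if m := PACKET_RE.search(line):      # a packet dump starts: whatever was
            packet, current = {"dir": m.group(1)}, None   # being handled is done
            continue
        if packet is not None:               # inside a dump: collect its fields
            if f := FIELD_RE.match(line):
                packet[f.group(1)] = f.group(2)
            elif not line.strip():           # blank line closes the dump
                if packet["dir"] == "Received" and packet.get("Code") == "Access-Request":
                    current = (packet.get("Identifier"), packet.get("User-Name"))
                    seen[current] += 1
                packet = None
            continue
        if current is not None and BIND_RE.search(line):
            binds[current] += 1
    return {k: (seen[k], binds[k]) for k in seen}
```

An identifier that arrives more than once, or a single arrival with more than one bind, gives the extra badpwdcount increments a server-side explanation; the search step that SearchAttribute adds is not counted here.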
