On Wed, Dec 02, 2015 at 01:50:32PM +0000, Trent Hurt wrote:
> Does anyone know which radius servers actually work with the
> password history n-2 feature in Active Directory?

It's not the RADIUS server per se, but the backend authentication
mechanism that it is using.

For example, often with FreeRADIUS (which we use here) you will be
using ntlm_auth and Samba for doing AD authentication for users
(because the easiest EAP method in Windows is PEAP/EAP-MSCHAPv2).
So as this is using NTLM it will lock accounts out with
badPwdCount, and also will not lock accounts out if they are
n-1/n-2.

So we see lockout issues months after the password has been
changed because a device with an old password has been trying
unsuccessfully to connect but not hitting lockout.

We tested NTLM, LDAP and Kerberos and all triggered the same
lockout (if not up to n-2) behaviour. As did IMAP and Exchange CAS
web logins.

I can't think of any other options available for auth - but this
isn't really something that is RADIUS server related. It's the
backend auth that the RADIUS server is doing against AD that matters.

If you're using (PEAP/TTLS)/EAP-MSCHAPv2 then you'll be NTLM of
some variety. If TTLS/PAP then probably NTLM or LDAP. RADIUS
server shouldn't matter. Only exception I can think of is EAP-TLS
then it won't hit AD at all as it's certificate based so will
never lock an account out.

Matthew



-- 
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
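The failure mode Matthew describes (a device still holding an old password, quietly failing MSCHAPv2 against AD for months and then tripping lockout) is easiest to catch on the RADIUS side before the badPwdCount threshold is reached. The script below is an added example, not code from the thread, from FreeRADIUS or from Samba: it parses the "Auth:" lines that FreeRADIUS writes to radius.log (the exact line shape is an assumption here, and the sample lines are constructed, not real captures) and reports which (user, calling-station MAC) pairs keep failing while the same user succeeds from another device, which is exactly the stale-credential pattern.

```python
"""Spot devices that keep failing AD-backed MSCHAPv2 auth through FreeRADIUS.

Added example; not from the original thread. The log line shape below
follows the FreeRADIUS radius.log "Auth:" format as an assumption; the
sample lines are constructed, not real captures.
"""
import re
from collections import defaultdict

# Constructed sample radius.log lines (assumed format, not real data).
# Bob changed his password and re-authenticates fine from device ...-03,
# but device ...-02 still has the old password and keeps failing.
SAMPLE_LOG = """\
Wed Dec  2 08:01:10 2015 : Auth: (101) Login OK: [alice] (from client wlc-1 port 13 cli 00-11-22-aa-bb-01 via TLS tunnel)
Wed Dec  2 08:02:30 2015 : Auth: (102) Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [bob] (from client wlc-1 port 13 cli 00-11-22-aa-bb-02 via TLS tunnel)
Wed Dec  2 08:04:31 2015 : Auth: (103) Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [bob] (from client wlc-1 port 13 cli 00-11-22-aa-bb-02 via TLS tunnel)
Wed Dec  2 08:05:12 2015 : Auth: (104) Login OK: [bob] (from client wlc-1 port 13 cli 00-11-22-aa-bb-03 via TLS tunnel)
Wed Dec  2 08:06:32 2015 : Auth: (105) Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [bob] (from client wlc-1 port 13 cli 00-11-22-aa-bb-02 via TLS tunnel)
Wed Dec  2 08:07:00 2015 : Auth: (106) Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [alice] (from client wlc-1 port 13 cli 00-11-22-aa-bb-01 via TLS tunnel)
Wed Dec  2 08:08:00 2015 : Auth: (107) Login OK: [alice] (from client wlc-1 port 13 cli 00-11-22-aa-bb-01 via TLS tunnel)
"""

# Captures result, the [user] field and the Calling-Station-Id after "cli".
LINE_RE = re.compile(
    r"Auth: \(\d+\) Login (?P<result>OK|incorrect)\b.*?\[(?P<user>[^\]]+)\]"
    r".*?cli (?P<mac>[0-9A-Fa-f-]{17})"
)


def parse_auth_lines(text):
    """Yield (user, mac, ok) for every Auth: line that matches the pattern."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), m.group("mac"), m.group("result") == "OK"


def stale_credential_devices(text, threshold=3):
    """Return {(user, mac): consecutive_failures} for devices whose failure
    streak for a user reaches `threshold`.

    A success from the same device resets its own streak; a success from a
    different device does not, because that is the situation in the thread:
    the user's new password works on one device while another device still
    retries the old one. `threshold` should sit below the AD lockout
    threshold so the device is found before badPwdCount locks the account.
    """
    streak = defaultdict(int)
    for user, mac, ok in parse_auth_lines(text):
        key = (user, mac)
        streak[key] = 0 if ok else streak[key] + 1
    return {k: v for k, v in streak.items() if v >= threshold}


if __name__ == "__main__":
    for (user, mac), n in stale_credential_devices(SAMPLE_LOG).items():
        print(f"{user}: device {mac} has {n} consecutive MSCHAP failures")
```

Run it against a real radius.log by reading the file into `stale_credential_devices`; the per-device streak is the useful signal, since badPwdCount on the DC only tells you which account is being hit, not which device is doing it.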

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.