Hello Mark -

On Fri, 20 Oct 2000, Mark O'Leary wrote:
> Hopefully an easily-answered query.
> 
> My Radiator installation authenticates using a customised LDAP module (see 
> posts to this list passim). This module is designed to fire off a single 
> authentication attempt.
> 
> However, the administrators of the LDAP server that I connect to (for complex 
> reasons, I don't 'own' the database I authenticate against) are seeing 
> multiple authentication attempts in rapid succession. 
> 
> This presents problems, because if a dialup user accidentally presents the 
> wrong password, the LDAP server is hit multiple times with that password, and 
> the underlying NDS user object that is being authenticated against registers 
> this as multiple bad attempts at access, and invokes a security lockout 
> (intended to defend against brute force cracking attempts). 
> 
> In effect, one mistake locks the user out for a couple of hours until the 
> security lock expires, even if they subsequently correct their error.
> 
> As I mentioned my module makes only one authentication attempt per 
> invocation, but:
> 
> 1) Could the core Radiator code be calling it more than once for the same 
> login attempt?
> 
> or (as seems more likely)
> 
> 2) is the user's PC getting impatient waiting for the authentication response, 
> and re-trying whilst Radiator is still coping with the previous request?
> 
> (put another way, is a single radius request from the RAS triggering multiple 
> LDAP responses from Radiator, or is Radiator issuing one LDAP per request as 
> desired, but being repeatedly requested to do this via radius traffic from 
> the RAS?)
> 
> Any suggestions as to how I can ensure only one LDAP authentication request 
> per dialup login? It's causing us big problems here.... 8(
> 

I will need to see a copy of your configuration file (no secrets) together with
a trace 4 debug showing what is happening.

thanks

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
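
The second possibility raised in the question (the RAS re-sending the same RADIUS request while the first LDAP attempt is still pending) can be told apart from a new login by the duplicate-detection key RFC 2865 describes: source address, source port and Identifier, here combined with the Request Authenticator. The sketch below is an added example, not part of the original thread and not Radiator's code; the class and function names, the 30-second window and the packet bytes are assumptions constructed for illustration.

```python
import struct

ACCESS_REQUEST = 1  # RADIUS packet code (RFC 2865)

def parse_header(datagram):
    """Return (code, identifier, request_authenticator) of a RADIUS datagram."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= len(datagram):
        raise ValueError("bad RADIUS length field")
    return code, ident, datagram[4:20]

class DuplicateDetector:
    """Tells a NAS retransmission apart from a genuinely new login attempt."""
    def __init__(self, window=30.0):      # window in seconds: an assumption
        self.window = window
        self.seen = {}                    # key -> time first seen

    def classify(self, src_ip, src_port, datagram, now):
        code, ident, authenticator = parse_header(datagram)
        if code != ACCESS_REQUEST:
            return "other"
        # Forget entries older than the window so reused identifiers are not
        # mistaken for duplicates.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}
        key = (src_ip, src_port, ident, authenticator)
        if key in self.seen:
            return "retransmit"           # same request: do not bind again
        self.seen[key] = now
        return "new"                      # one back-end bind for this request

def access_request(ident, authenticator):
    """Build a constructed, attribute-less Access-Request header for the demo."""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20) + authenticator

def count_binds(events):
    """events: (time, src_ip, src_port, datagram). Returns back-end bind count."""
    detector = DuplicateDetector()
    return sum(detector.classify(ip, port, pkt, t) == "new"
               for t, ip, port, pkt in events)

# Constructed traffic: one wrong-password login retransmitted twice by the NAS,
# then the user's corrected attempt with a fresh identifier and authenticator.
FIRST, SECOND = bytes(range(16)), bytes(range(16, 32))
SAMPLE = [(0.0, "192.0.2.10", 1645, access_request(7, FIRST)),
          (3.0, "192.0.2.10", 1645, access_request(7, FIRST)),
          (6.0, "192.0.2.10", 1645, access_request(7, FIRST)),
          (20.0, "192.0.2.10", 1645, access_request(8, SECOND))]

if __name__ == "__main__":
    print(count_binds(SAMPLE), "binds for", len(SAMPLE), "datagrams")
```

With this key, the three identical datagrams count as one failed attempt against the directory's lockout counter instead of three.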
