Hello Mark -
On Fri, 20 Oct 2000, Mark O'Leary wrote:
> Hopefully an easily-answered query.
>
> My Radiator installation authenticates using a customised LDAP module (see
> posts to this list passim). This module is designed to fire off a single
> authentication attempt.
>
> However, the administrators of the LDAP server that I connect to (for complex
> reasons, I don't 'own' the database I authenticate against) are seeing
> multiple authentication attempts in rapid succession.
>
> This presents problems, because if a dialup user accidentally presents the
> wrong password, the LDAP server is hit multiple times with that password, and
> the underlying NDS user object that is being authenticated against registers
> this as multiple bad attempts at access, and invokes a security lockout
> (intended to defend against brute force cracking attempts).
>
> In effect, one mistake locks the user out for a couple of hours until the
> security lock expires, even if they subsequently correct their error.
>
> As I mentioned my module makes only one authentication attempt per
> invocation, but:
>
> 1) Could the core Radiator code be calling it more than once for the same
> login attempt?
>
> or (as seems more likely)
>
> 2) is the user's PC getting impatient waiting for the authentication response,
> and re-trying whilst Radiator is still coping with the previous request?
>
> (put another way, is a single radius request from the RAS triggering multiple
> LDAP responses from Radiator, or is Radiator issuing one LDAP per request as
> desired, but being repeatedly requested to do this via radius traffic from
> the RAS?)
>
> Any suggestions as to how I can ensure only one LDAP authentication request
> per dialup login? It's causing us big problems here.... 8(
>
I will need to see a copy of your configuration file (no secrets) together with
a trace 4 debug showing what is happening.
thanks
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
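
An added example, not part of the original thread and not Radiator's own code: a sketch of the second hypothesis in the question, where the RAS retransmits an unanswered Access-Request and each copy reaches the LDAP backend. RFC 2865 identifies a retransmission by the same client source IP, source UDP port and Identifier within a short time; the record fields, the 30-second window and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass

DUP_WINDOW = 30.0  # seconds; assumed value, tune to the RAS retry timer


@dataclass(frozen=True)
class AccessRequest:
    ts: float            # arrival time in seconds
    nas_ip: str          # source IP of the RAS
    src_port: int        # source UDP port of the RAS
    identifier: int      # RADIUS Identifier octet (0-255)
    authenticator: str   # Request Authenticator, hex
    user: str


def split_retransmissions(requests, window=DUP_WINDOW):
    """Return (forwarded, duplicates); only 'forwarded' should reach LDAP."""
    seen = {}  # (nas_ip, src_port, identifier) -> (first ts, authenticator)
    forwarded, duplicates = [], []
    for req in sorted(requests, key=lambda r: r.ts):
        key = (req.nas_ip, req.src_port, req.identifier)
        prev = seen.get(key)
        if prev and req.ts - prev[0] <= window and prev[1] == req.authenticator:
            duplicates.append(req)  # retry of a request already being handled
            continue
        seen[key] = (req.ts, req.authenticator)
        forwarded.append(req)
    return forwarded, duplicates


def binds_per_user(requests):
    """Count how many backend authentication attempts each user would incur."""
    counts = {}
    for req in requests:
        counts[req.user] = counts.get(req.user, 0) + 1
    return counts


# Constructed sample: alice mistypes once, the RAS retries twice while the
# first request is pending, then she logs in again with a fresh request.
SAMPLE = [
    AccessRequest(0.0, "192.0.2.10", 1645, 17, "a1" * 16, "alice"),
    AccessRequest(1.0, "192.0.2.10", 1645, 19, "c3" * 16, "bob"),
    AccessRequest(3.0, "192.0.2.10", 1645, 17, "a1" * 16, "alice"),
    AccessRequest(6.0, "192.0.2.10", 1645, 17, "a1" * 16, "alice"),
    AccessRequest(40.0, "192.0.2.10", 1645, 18, "b2" * 16, "alice"),
]

if __name__ == "__main__":
    fwd, dup = split_retransmissions(SAMPLE)
    print("without dedup:", binds_per_user(SAMPLE))
    print("with dedup:   ", binds_per_user(fwd), "dropped", len(dup))
```

Comparing the two counts against the bad-attempt counter on the directory side shows whether the lockout is driven by retransmitted requests or by repeated binds for a single request.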