#1
21-Oct-2004, 02:31 PM
Mike.Zajac@ps.net (NNTP User)
Miscellaneous Radius errors

Having miscellaneous authentication errors using RADIUS. I've been able
to narrow the focus down to possible lockouts caused by users that don't
have rights to the DAS or DAP. It seems that when a user without rights
tries to authenticate, users trying to log in directly afterward get denied
access as well. The following is a snapshot of the failed login:

318) [(ip) 199.171.61.11:43445], Received 87 Bytes (Access-Request (1))
[2004-10-20 09:32:18 AM] [(total=318) (p=316) (d=0) (r=1) (acc=0) (rej=0)]
[2004-10-20 09:32:18 AM] <3> Done GetNextMessage [(ip) 199.171.61.11:43445]: time:12525806
[2004-10-20 09:32:18 AM] -------- START : (Access-Request (1)) [(ip) 199.171.61.11:43445]: time:-263912100---
[2004-10-20 09:32:18 AM] CACHE: CacheDomainListExist (radius_bm2.servers.ptc.usa.tree), using cache
[2004-10-20 09:32:18 AM] AuthRequestHandler(), Calling RequestHandler.
[2004-10-20 09:32:18 AM] CACHE: CacheReadSecretForNASAddress (radius_bm2.servers.ptc.usa.tree), using cache
[2004-10-20 09:32:18 AM] CACHE: CacheGetEnableCNLogin (radius_bm2.servers.ptc.usa.tree), using cache
[2004-10-20 09:32:18 AM] CacheGetDNForName(melotij), Using cache
[2004-10-20 09:32:18 AM] (->)CacheGetDNForName:NWDSReadObjectInfo (melotij), succeeded, time:11
[2004-10-20 09:32:18 AM] userName: user
[2004-10-20 09:32:18 AM] userDN: user.Users.SH.USA.tree
[2004-10-20 09:32:18 AM] (->)NDSVerifyAttr:NWDSRead (user.Users.SH.USA.tree,RADIUS:Dial Access Group) succeeded, time:5
[2004-10-20 09:32:18 AM] User "user.Users.SH.USA.tree", does not have "RADIUS:Dial Access Group" defined, trying parent "Users.SH.USA.tree"
[2004-10-20 09:32:18 AM] (->)NWDSCompare:(Users.SH.USA.Breed) succeeded, time:5
[2004-10-20 09:32:18 AM] User "user.Users.SH.USA.tree"is not member of Dial Access System, checking rights to object "radius_bm2.servers.ptc.usa.tree"
[2004-10-20 09:32:18 AM] (->)NWDSRead(user.Users.SH.USA.tree,RADIUS Enable Attr) failed, no such attribute (-603), time:5
[2004-10-20 09:32:18 AM] (->)User "user.Users.SH.USA.tree", Looking in (Users.SH.USA.tree) for (RADIUS:Enable Dial Access)
[2004-10-20 09:32:18 AM] (->)NWDSRead(Users.SH.USA.tree,RADIUS Enable Attr) failed, no such attribute (-603), time:4
[2004-10-20 09:32:18 AM] (->)User user.Users.SH.USA.tree is not enabled for RADIUS Login
[2004-10-20 09:32:18 AM] ->Sending Access-Reject (3) [(ip) 199.171.61.11 (43445)] count=23
[2004-10-20 09:32:18 AM] ->Inserting into RespQ , code(3) id(113).
[2004-10-20 09:32:18 AM] -------- END : (Access-Request (1)) [(ip) 199.171.61.11:43445]: time:-263912002---
[2004-10-20 09:32:34 AM] (->)Cacher: NWDSReadObjectInfo (radius_bm2.servers.ptc.usa.tree), succeeded, time:4
[2004-10-20 09:33:34 AM] (->)Cacher: NWDSReadObjectInfo (radius_bm2.servers.ptc.usa.tree), succeeded, time:5
[2004-10-20 09:33:38 AM] 319) [(ip) 199.171.61.3:47414], Received 86 Bytes (Access-Request (1))
[2004-10-20 09:33:38 AM] [(total=319) (p=317) (d=0) (r=1) (acc=0) (rej=0)]
[2004-10-20 09:33:38 AM] <6> Done GetNextMessage [(ip) 199.171.61.3:47414]: time:11945565

Is there some sort of default intruder detection that is triggered after 3
failed logins? How do you reset or change these parameters?



Also, I've noticed a 603 within this log that seems to indicate there
isn't a password policy defined. There are also other failures that I've
noticed within the log:

Cacher: Rebuilding cache, mod time different,
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead (radius_bm2.servers.ptc.usa.tree,RADIUS:DAS Version) succeeded, time:7
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead (radius_bm2.servers.ptc.usa.tree,RADIUS:Password Policy) failed, no such attribute (-603), time:3
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead (radius_bm2.servers.ptc.usa.tree,RADIUS:Common Name Resolution) succeeded, time:3
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead (radius_bm2.servers.ptc.usa.tree,RADIUS:Concurrent Limit) failed, no such attribute (-603), time:3
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead (radius_bm2.servers.ptc.usa.tree,RADIUS:Interim Accting Timeout) failed, no such attribute (-603), time:3
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead (radius_bm2.servers.ptc.usa.tree,RADIUS:Aged Interval) failed, no such attribute (-603), time:3
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead (radius_bm2.servers.ptc.usa.tree,RADIUS:Maximum History Record) failed, no such attribute (-603), time:3
[2004-10-15 07:39:31 PM] CACHE: Use Netware Password for "radius_bm2.servers.ptc.usa.tree": Enabled
[2004-10-15 07:39:31 PM] CACHE: CN Login for "radius_bm2.servers.ptc.usa.tree": Enabled
[2004-10-15 07:39:31 PM] CACHE: Concurrent Limit for "radius_bm2.servers.ptc.usa.tree": 0x80000000
[2004-10-15 07:39:31 PM] CACHE: Interim Timeout for "radius_bm2.servers.ptc.usa.tree": 10 minutes
[2004-10-15 07:39:31 PM] CACHE: Interval For Aging for "radius_bm2.servers.ptc.usa.tree": 7 days
[2004-10-15 07:39:31 PM] CACHE: Max History Record for "radius_bm2.servers.ptc.usa.tree": 30

How do I change these settings so that there are no 603s at load? I
assume this will resolve the 603 with password policy too. What is Interim
Timeout? Is this intruder lockout??
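As an added example (not part of the post above, and not Novell code), the script below triages the kind of debug log quoted in the post: it pairs each Access-Request with the response the service sends, collects the reasons logged before an Access-Reject, and lists which attributes the service tried to read from the DAS object and got -603 (no such attribute) for, i.e. which settings were never defined and fell back to defaults. The line shapes it matches are inferred from the excerpt, the sample log is constructed from it, and the 3-failure threshold in rejects_by_user is an assumption standing in for whatever intruder-lockout limit, if any, is configured; nothing in the log says what that limit is.

```python
"""Triage helper for the Novell RADIUS debug log format quoted in the post.

Added example; not part of the original post and not Novell code. Log line
shapes are inferred from the excerpt, not taken from any documented format.
"""
import re
from collections import defaultdict
from datetime import datetime

TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [AP]M)\] (.*)$")
REQ_RE = re.compile(r"^(\d+)\) \[\(ip\) ([\d.]+):(\d+)\], Received (\d+) Bytes \(Access-Request \(1\)\)")
RESP_RE = re.compile(r"^->Sending (Access-\w+) \((\d+)\) \[\(ip\) ([\d.]+) \((\d+)\)\]")
# eDirectory -603 = "no such attribute": the object simply has no value for it.
MISSING_RE = re.compile(r"NWDSRead\s*\(([^,]+),([^)]+)\) failed, no such attribute \(-603\)")
REASON_RES = [
    re.compile(r'does not have "[^"]+" defined'),
    re.compile(r"is not member of Dial Access System"),
    re.compile(r"is not enabled for RADIUS Login"),
]

DAS_DN = "radius_bm2.servers.ptc.usa.tree"

# Constructed sample: the post's two excerpts condensed to one entry per line
# (load-time cache rebuild first, then rejected request 318 and request 319,
# for which the excerpt shows no response).
SAMPLE_LOG = """\
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead (radius_bm2.servers.ptc.usa.tree,RADIUS:DAS Version) succeeded, time:7
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead (radius_bm2.servers.ptc.usa.tree,RADIUS:Password Policy) failed, no such attribute (-603), time:3
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead (radius_bm2.servers.ptc.usa.tree,RADIUS:Concurrent Limit) failed, no such attribute (-603), time:3
[2004-10-15 07:39:31 PM] CACHE: Concurrent Limit for "radius_bm2.servers.ptc.usa.tree": 0x80000000
[2004-10-20 09:32:18 AM] 318) [(ip) 199.171.61.11:43445], Received 87 Bytes (Access-Request (1))
[2004-10-20 09:32:18 AM] userName: user
[2004-10-20 09:32:18 AM] userDN: user.Users.SH.USA.tree
[2004-10-20 09:32:18 AM] User "user.Users.SH.USA.tree", does not have "RADIUS:Dial Access Group" defined, trying parent "Users.SH.USA.tree"
[2004-10-20 09:32:18 AM] User "user.Users.SH.USA.tree"is not member of Dial Access System, checking rights to object "radius_bm2.servers.ptc.usa.tree"
[2004-10-20 09:32:18 AM] (->)NWDSRead(user.Users.SH.USA.tree,RADIUS Enable Attr) failed, no such attribute (-603), time:5
[2004-10-20 09:32:18 AM] (->)User user.Users.SH.USA.tree is not enabled for RADIUS Login
[2004-10-20 09:32:18 AM] ->Sending Access-Reject (3) [(ip) 199.171.61.11 (43445)] count=23
[2004-10-20 09:33:38 AM] 319) [(ip) 199.171.61.3:47414], Received 86 Bytes (Access-Request (1))
"""


def parse_log(text):
    """Return (transactions, missing): one dict per Access-Request, plus a map
    of object DN -> set of attributes that read back as -603."""
    transactions, current = [], None
    missing = defaultdict(set)
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %I:%M:%S %p")
        body = m.group(2)
        req = REQ_RE.match(body)
        if req:  # a new request opens a transaction; later lines belong to it
            current = {"id": int(req.group(1)), "nas_ip": req.group(2), "time": ts,
                       "user": None, "dn": None, "reasons": [], "response": None}
            transactions.append(current)
            continue
        miss = MISSING_RE.search(body)
        if miss:
            missing[miss.group(1).strip()].add(miss.group(2).strip())
        if current is None:
            continue
        if body.startswith("userName: "):
            current["user"] = body[len("userName: "):].strip()
        elif body.startswith("userDN: "):
            current["dn"] = body[len("userDN: "):].strip()
        for r in REASON_RES:
            rm = r.search(body)
            if rm:
                current["reasons"].append(rm.group(0))
        resp = RESP_RE.match(body)
        if resp:  # the response closes the transaction
            current["response"] = resp.group(1)
            current = None
    return transactions, missing


def outcome_report(transactions):
    """One row per request: id, NAS address, user, outcome, logged reasons."""
    return [(t["id"], t["nas_ip"], t["user"] or "?",
             t["response"] or "no response logged",
             "; ".join(t["reasons"]) or "-") for t in transactions]


def rejects_by_user(transactions, threshold=3):
    """Count Access-Rejects per userDN; flag users at/above `threshold`.
    The threshold is an assumed stand-in for a configured intruder limit."""
    counts = defaultdict(int)
    for t in transactions:
        if t["response"] == "Access-Reject" and t["dn"]:
            counts[t["dn"]] += 1
    return {dn: (n, n >= threshold) for dn, n in counts.items()}


def das_unset_attributes(missing, das_dn=DAS_DN):
    """Attributes read from the DAS object that came back -603 (unset)."""
    return sorted(missing.get(das_dn, ()))


if __name__ == "__main__":
    txs, missing = parse_log(SAMPLE_LOG)
    for row in outcome_report(txs):
        print(row)
    print("unset on DAS:", das_unset_attributes(missing))
    print("rejects per user:", dict(rejects_by_user(txs)))
```

Run against a full debug log, the report makes it easy to see whether the users rejected after a no-rights user are refused for the same logged reason (not enabled for RADIUS login) or for something else; a reject with no reason line at all points away from the DAS/DAP rights checks this excerpt shows.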
© 2007 Novell, Inc. All Rights Reserved.