Having miscellaneous authentication errors using RADIUS. I've been able
to narrow the focus down to possible lockouts caused by users that don't
have rights to the DAS or DAP. It seems that when a user without rights
tries to authenticate, users trying to log in directly afterward get denied
access as well. The following is a snapshot of the failed login:

318) [(ip) 199.171.61.11:43445], Received 87 Bytes (Access-Request (1))
[2004-10-20 09:32:18 AM] [(total=318) (p=316) (d=0) (r=1) (acc=0)
(rej=0)]
[2004-10-20 09:32:18 AM] <3> Done GetNextMessage [(ip)
199.171.61.11:43445]: time:12525806
[2004-10-20 09:32:18 AM] -------- START : (Access-Request (1)) [(ip)
199.171.61.11:43445]: time:-263912100---
[2004-10-20 09:32:18 AM] CACHE: CacheDomainListExist
(radius_bm2.servers.ptc.usa.tree), using cache
[2004-10-20 09:32:18 AM] AuthRequestHandler(), Calling RequestHandler.
[2004-10-20 09:32:18 AM] CACHE: CacheReadSecretForNASAddress
(radius_bm2.servers.ptc.usa.tree), using cache
[2004-10-20 09:32:18 AM] CACHE: CacheGetEnableCNLogin
(radius_bm2.servers.ptc.usa.tree), using cache
[2004-10-20 09:32:18 AM] CacheGetDNForName(melotij), Using cache
[2004-10-20 09:32:18 AM] (->)CacheGetDNForName:NWDSReadObjectInfo
(melotij), succeeded, time:11
[2004-10-20 09:32:18 AM] userName: user
[2004-10-20 09:32:18 AM] userDN: user.Users.SH.USA.tree
[2004-10-20 09:32:18 AM] (->)NDSVerifyAttr:NWDSRead
(user.Users.SH.USA.tree,RADIUS:Dial Access Group) succeeded, time:5
[2004-10-20 09:32:18 AM] User "user.Users.SH.USA.tree", does not
have "RADIUS:Dial Access Group" defined, trying parent "Users.SH.USA.tree"
[2004-10-20 09:32:18 AM] (->)NWDSCompare:(Users.SH.USA.Breed) succeeded,
time:5
[2004-10-20 09:32:18 AM] User "user.Users.SH.USA.tree"is not member of
Dial Access System, checking rights to
object "radius_bm2.servers.ptc.usa.tree"
[2004-10-20 09:32:18 AM] (->)NWDSRead(user.Users.SH.USA.tree,RADIUS
Enable Attr) failed, no such attribute (-603), time:5
[2004-10-20 09:32:18 AM] (->)User "user.Users.SH.USA.tree", Looking in
(Users.SH.USA.tree) for (RADIUS:Enable Dial Access)
[2004-10-20 09:32:18 AM] (->)NWDSRead(Users.SH.USA.tree,RADIUS Enable
Attr) failed, no such attribute (-603), time:4
[2004-10-20 09:32:18 AM] (->)User user.Users.SH.USA.tree is not enabled
for RADIUS Login
[2004-10-20 09:32:18 AM] ->Sending Access-Reject (3) [(ip) 199.171.61.11
(43445)] count=23
[2004-10-20 09:32:18 AM] ->Inserting into RespQ , code(3) id(113).
[2004-10-20 09:32:18 AM] -------- END : (Access-Request (1)) [(ip)
199.171.61.11:43445]: time:-263912002---
[2004-10-20 09:32:34 AM] (->)Cacher: NWDSReadObjectInfo
(radius_bm2.servers.ptc.usa.tree), succeeded, time:4
[2004-10-20 09:33:34 AM] (->)Cacher: NWDSReadObjectInfo
(radius_bm2.servers.ptc.usa.tree), succeeded, time:5
[2004-10-20 09:33:38 AM] 319) [(ip) 199.171.61.3:47414], Received 86 Bytes
(Access-Request (1))
[2004-10-20 09:33:38 AM] [(total=319) (p=317) (d=0) (r=1) (acc=0)
(rej=0)]
[2004-10-20 09:33:38 AM] <6> Done GetNextMessage [(ip)
199.171.61.3:47414]: time:11945565

Is there some sort of default intruder detection that is triggered after 3
failed logins? How do you reset or change these parameters?



Also, I've noticed a 603 within this log that seems to indicate there
isn't a password policy defined. There are also other failures that I've
noticed within the log:

Cacher: Rebuilding cache, mod time different,
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead
(radius_bm2.servers.ptc.usa.tree,RADIUS:DAS Version) succeeded, time:7
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead
(radius_bm2.servers.ptc.usa.tree,RADIUS:Password Policy) failed, no such
attribute (-603), time:3
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead
(radius_bm2.servers.ptc.usa.tree,RADIUS:Common Name Resolution) succeeded,
time:3
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead
(radius_bm2.servers.ptc.usa.tree,RADIUS:Concurrent Limit) failed, no such
attribute (-603), time:3
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead
(radius_bm2.servers.ptc.usa.tree,RADIUS:Interim Accting Timeout) failed,
no such attribute (-603), time:3
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead
(radius_bm2.servers.ptc.usa.tree,RADIUS:Aged Interval) failed, no such
attribute (-603), time:3
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead
(radius_bm2.servers.ptc.usa.tree,RADIUS:Maximum History Record) failed, no
such attribute (-603), time:3
[2004-10-15 07:39:31 PM] CACHE: Use Netware Password
for "radius_bm2.servers.ptc.usa.tree": Enabled
[2004-10-15 07:39:31 PM] CACHE: CN Login
for "radius_bm2.servers.ptc.usa.tree": Enabled
[2004-10-15 07:39:31 PM] CACHE: Concurrent Limit
for "radius_bm2.servers.ptc.usa.tree": 0x80000000
[2004-10-15 07:39:31 PM] CACHE: Interim Timeout
for "radius_bm2.servers.ptc.usa.tree": 10 minutes
[2004-10-15 07:39:31 PM] CACHE: Interval For Aging
for "radius_bm2.servers.ptc.usa.tree": 7 days
[2004-10-15 07:39:31 PM] CACHE: Max History Record
for "radius_bm2.servers.ptc.usa.tree": 30

How do I change these settings so that there are no 603s at load? I
assume this will resolve the 603 with password policy too. What is Interim
Timeout? Is this intruder lockout?
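
A triage script for the debug log format shown in the post, as an added example that is not part of the original post or of the RADIUS product: it rejoins the hard-wrapped lines, groups them into START..END transactions, and reports for each request the client address, user DN, Access-Accept/Reject outcome, logged reason and any attributes that read back as -603, keeping -603 reads outside a request (such as the cache rebuild) in a separate list. The function names `unwrap` and `summarize` are hypothetical, and the sample is an excerpt of the log above.

```python
import re
# Excerpt of the debug log from the post above, hard-wrapped the way it was posted.
SAMPLE = """\
[2004-10-15 07:39:31 PM] (->)NDSReadData:NWDSRead
(radius_bm2.servers.ptc.usa.tree,RADIUS:Password Policy) failed, no such
attribute (-603), time:3
[2004-10-20 09:32:18 AM] -------- START : (Access-Request (1)) [(ip)
199.171.61.11:43445]: time:-263912100---
[2004-10-20 09:32:18 AM] userDN: user.Users.SH.USA.tree
[2004-10-20 09:32:18 AM] (->)NWDSRead(user.Users.SH.USA.tree,RADIUS
Enable Attr) failed, no such attribute (-603), time:5
[2004-10-20 09:32:18 AM] (->)User user.Users.SH.USA.tree is not enabled
for RADIUS Login
[2004-10-20 09:32:18 AM] ->Sending Access-Reject (3) [(ip) 199.171.61.11
(43445)] count=23
[2004-10-20 09:32:18 AM] -------- END : (Access-Request (1)) [(ip)
199.171.61.11:43445]: time:-263912002---
"""
STAMP = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [AP]M)\] ?(.*)$")

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if m := STAMP.match(line):
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return records

def summarize(text):
    """Return (requests, outside): one dict per START..END block, plus -603 reads seen outside any block."""
    done, outside, cur = [], [], None
    for _ts, msg in unwrap(text):
        if "START :" in msg:
            cur = {"client": (re.findall(r"\d+(?:\.\d+){3}", msg) or [None])[0],
                   "user": None, "result": None, "reason": None, "missing": []}
        elif "(-603)" in msg:  # attribute read failed: record which attribute
            attr = re.search(r",([^,)]+)\) failed", msg)
            (cur["missing"] if cur else outside).append(attr.group(1) if attr else msg)
        elif cur and msg.startswith("userDN:"):
            cur["user"] = msg.split(":", 1)[1].strip()
        elif cur and "is not enabled for RADIUS Login" in msg:
            cur["reason"] = "not enabled for RADIUS login"
        elif cur and "Sending Access-" in msg:
            cur["result"] = re.search(r"Access-(\w+)", msg).group(1)
        elif cur and "END :" in msg:
            done.append(cur)
            cur = None
    return done, outside
```

Run over a full log, the per-request list makes it possible to check whether a reject for one user DN is followed by rejects for other DNs from the same client, and whether those carry the same logged reason.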