Enabling Account Lock-Out RADIUS based Authentication

It’s standard best practice to use RADIUS with wireless to provide a stronger method of authentication, however, sometimes this isn’t always the case.

When using the Network Access Policy role in Windows Server to provide RADIUS services, many people miss the fact that although wireless users may be authenticating against Active Directory (which is great), the standard lock-out policies do not get applied (not so great).

Radius Based Authentication Solution

What you need to do is enable Remote Access Account Lockout on the Network Policy Server by setting the appropriate values in the registry…

HKEY_LOCAL_MACHINESystemCurrentControlSetServicesRemoteAccessParametersAccountLockout

Create a new value, if it doesn’t already exist, called MaxDenials and set the value to however many failed attempts should be allowed before lockout occurs.

You may also need to created ResetTime (mins) which determines the amount of time until account lockout reset. This value must be set in hexadecimal and the default is 0xb40, or 48 hours.

Once the changes are applied it’ll be important to know how to manually reset those accounts that get locked. To do that, you’ll have to delete the registry key that corresponds with the user’s account name:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRemoteAccessParametersAccountLockoutdomain name:user name

Now RADIUS based authentication will provide more protection.

Learn More

Need more information? Details can be found at: http://technet.microsoft.com/en-us/library/dd197529(v=ws.10).aspx

Searching for more cyber security help? Intrust IT is an IT support services and cyber security partner that gets you and gets back to you. Breaches, hacks, cybercrime and whatever’s next: We make sure your business is protected so you can sleep at night. Just looking for security consulting? We can help you assess your cyber threats. Learn more about our Cincinnati cyber security solutions online or schedule an appointment.