Radius authentication on BYOD locking out users at password change.

  • 2
  • Question
  • Updated 4 years ago
  • Answered
We are using RADIUS against our AD to authenticate our BYOD users. It works very well with one caveat...

We're having trouble with devices that have the wrong AD password locking our user accounts in these two scenarios:
-When a user changes his password and does not change it on the BYOD device.
-When a user attempts to connect with a wrong password and does not correct the password when the connection fails.

In both cases there is a device constantly trying to authenticate with his username and a wrong password. For the most part, the user knows which device is causing the problem and can fix it, but there are ongoing instances of the user having no knowledge of what device is causing the problem.
I've tried running Account Lockout Examiner but the workstation that cause the lockout just shows up as the AP that runs radius.

Two questions: 1. Has anyone else run in to this problem? If so, how have you tracked down the offending device?
2. Is there a way to get the radius server to stop requesting the authentication to AD?

I'm assuming it can be tracked down through snmp, but I'm not very familiar with configuring snmp.

Photo of Dan Ware

Dan Ware

  • 14 Posts
  • 2 Reply Likes

Posted 4 years ago

  • 2
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
My thoughts on options are:

  1. Consider using device certificates instead of username/password based credentials with an enrollment process to sidestep the issue with a better scheme, look at Aerohive's ID Manager and CloudPath's XpressConnect, the latter being more full featured but significantly more expensive.
  2. Consider disabling the lockout policy which is in itself a DoS security vulnerability and instead just ensure that complex passwords are mandated.
  3. Look to see if you can configure/implement hysteresis of the desired nature in FreeRADIUS with a SQL database and some scripting, you definitely cannot do this in NPS without writing your own extension. (This would only be effective through manual intervention as you would have to block authentication attempts.)
The best way to track down offending devices is not via SNMP, rather though analysing the logs at the RADIUS server. You'll get the username, device MAC address and frequency.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Less haste, more speed: I meant Client Management and not ID Manager here.
Photo of Mohanantass


  • 45 Posts
  • 0 Reply Likes
dear Nick, 

I have similiar prblem with one of our customer here, if i use id manager ? will this help me solve this issue ? what can i do with the ID manager, can you give me some idea using ID manager to tackle this issue. 
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
The idea is that if you authenticate client devices with a certificate rather than a username and password, this issue is sidestepped. The question then becomes how do I on-board these devices.

Take a look at: http://www.aerohive.com/products/cloud-services-platform/client-management