Enabling Lock Out with Radius Based Authentication

It’s standard best practice to use RADIUS with wireless to provide a stronger method of authentication, however, sometimes this isn’t always the case.

When using the Network Access Policy role in Windows Server to provide RADIUS services, many people miss the fact that although wireless users may be authenticating against Active Directory (which is great), the standard lock-out policies do not get applied (not so great).

Radius Based Authentication Solution

What you need to do is enable Remote Access Account Lockout on the Network Policy Server by setting the appropriate values in the registry...


Create a new value, if it doesn’t already exist, called MaxDenials and set the value to however many failed attempts should be allowed before lockout occurs.

You may also need to created ResetTime (mins) which determines the amount of time until account lockout reset. This value must be set in hexadecimal and the default is 0xb40, or 48 hours.

Once the changes are applied it’ll be important to know how to manually reset those accounts that get locked. To do that, you’ll have to delete the registry key that corresponds with the user’s account name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name

Learn More

Need more information? Details can be found at: http://technet.microsoft.com/en-us/library/dd197529(v=ws.10).aspx

Free Resources to Protect Your Business

Checklist: "14 Non-Technical Things You Can Do Today to Protect Your Business from Cyber Crime"

We've made it simple, safe and free for you to get a report of risk across your entire digital ecosystem.

Share this Blog