
Enabling Account Lock-Out RADIUS based Authentication

Enabling Lockout with RADIUS Based Authentication

It is standard best practice to authenticate wireless users with RADIUS rather than a shared pre-shared key, because it ties each connection to an individual account. That individual account is only as well protected as the lockout policy behind it, however, and that is where many deployments fall short.

When the Network Policy and Access Services role in Windows Server provides RADIUS through Network Policy Server (NPS), many people miss the fact that although wireless users are authenticating against Active Directory accounts (which is great), the NPS remote access lockout is a separate mechanism from the domain account lockout policy and is disabled by default (not so great). An attacker who can reach the SSID can therefore keep guessing passwords against the RADIUS server with nothing on the NPS side stopping them.

RADIUS Based Authentication Solution

What you need to do is enable Remote Access Account Lockout on each Network Policy Server by setting the appropriate values under the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

Create a new DWORD value, if it doesn't already exist, called MaxDenials and set it to the number of failed attempts to allow before lockout occurs. A value of 0 leaves the feature disabled.

You may also need to create a DWORD value named ResetTime (mins) (the value name includes the space and the parentheses), which sets how many minutes pass before the failed-attempt counter for an account is cleared. Regedit displays DWORDs in hexadecimal by default, so the default of 0xb40 is 2880 minutes, or 48 hours; enter it as 2880 if you switch the editor to decimal.

Two caveats are worth knowing before you turn this on. First, the counter is keyed only by the user name and is stored locally, so if you run more than one NPS for redundancy each server counts denials independently. Second, as with any lockout, an attacker who knows valid user names can lock legitimate users out of the wireless network on purpose, so pick a MaxDenials value that stops guessing without making that too easy, and keep the reset window short enough that a locked-out user is not stranded for two days.

Once the changes are applied it will be important to know how to manually reset the accounts that get locked, since NPS will keep rejecting them until the reset time expires. To do that, delete the registry subkey under AccountLockout that corresponds to the user's account name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name
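The whole procedure above, as an added PowerShell example that is not part of the original post: it writes the two values, lists which accounts NPS currently has locked, and clears a single user's lockout. Only the registry path and value names come from the post; the threshold of 5, the 30 minute reset window and the CONTOSO\jdoe account are assumed sample values, and the script must be run in an elevated session on the NPS server itself.

```powershell
# Added example (not from the original post). Configures NPS remote access
# account lockout and resets a locked user. Run elevated on the NPS server.
$LockoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

function Set-NpsAccountLockout {
    param(
        # 0 disables the feature; anything above 0 is the number of denials allowed.
        [Parameter(Mandatory)][ValidateRange(0, [int]::MaxValue)][int]$MaxDenials,
        # Minutes until the failed-attempt counter is cleared (documented default 2880 = 48 h).
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$ResetMinutes
    )
    if (-not (Test-Path -LiteralPath $LockoutKey)) {
        New-Item -Path $LockoutKey -Force | Out-Null
    }
    # Both values are REG_DWORD. PowerShell stores the number; regedit only
    # displays it in hex, so 0xb40 there is the same 2880 written here.
    Set-ItemProperty -LiteralPath $LockoutKey -Name 'MaxDenials' -Value $MaxDenials -Type DWord
    Set-ItemProperty -LiteralPath $LockoutKey -Name 'ResetTime (mins)' -Value $ResetMinutes -Type DWord
    # Echo what was written so the change can be verified.
    Get-ItemProperty -LiteralPath $LockoutKey | Select-Object MaxDenials, 'ResetTime (mins)'
}

function Get-NpsLockedAccount {
    # Each account NPS is tracking appears as a subkey named "DOMAIN:username".
    Get-ChildItem -LiteralPath $LockoutKey -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -like '*:*' }
}

function Reset-NpsLockedAccount {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$User
    )
    # Braces keep PowerShell from reading "$Domain:" as a drive qualifier.
    $userKey = "$LockoutKey\${Domain}:${User}"
    if (Test-Path -LiteralPath $userKey) {
        Remove-Item -LiteralPath $userKey -Recurse
        Write-Output "Cleared NPS lockout for ${Domain}\${User}"
    } else {
        Write-Output "${Domain}\${User} has no NPS lockout entry"
    }
}

# Usage (sample values): five denials, 30 minute reset window.
Set-NpsAccountLockout -MaxDenials 5 -ResetMinutes 30
Get-NpsLockedAccount
Reset-NpsLockedAccount -Domain 'CONTOSO' -User 'jdoe'
```

Run Get-NpsLockedAccount on every NPS server you operate, not just one, because each server keeps its own copy of the counter. If NPS does not appear to honour the new values immediately, restarting the Network Policy Server service (service name IAS) is a reasonable precaution, though the post itself does not state that a restart is required.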

Learn More

Need more information? Details can be found at: http://technet.microsoft.com/en-us/library/dd197529(v=ws.10).aspx
