Enabling Account Lock-Out RADIUS based Authentication

Enabling Lock Out with Radius Based Authentication

It’s standard best practice to use RADIUS with wireless to provide a stronger method of authentication, however, sometimes this isn’t always the case.

When using the Network Access Policy role in Windows Server to provide RADIUS services, many people miss the fact that although wireless users may be authenticating against Active Directory (which is great), the standard lock-out policies do not get applied (not so great).

Radius Based Authentication Solution

What you need to do is enable Remote Access Account Lockout on the Network Policy Server by setting the appropriate values in the registry...

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

Create a new value, if it doesn’t already exist, called MaxDenials and set the value to however many failed attempts should be allowed before lockout occurs.

You may also need to created ResetTime (mins) which determines the amount of time until account lockout reset. This value must be set in hexadecimal and the default is 0xb40, or 48 hours.

Once the changes are applied it’ll be important to know how to manually reset those accounts that get locked. To do that, you’ll have to delete the registry key that corresponds with the user’s account name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name

Now RADIUS based authentication will provide more protection.

Learn More

Need more information? Details can be found at: http://technet.microsoft.com/en-us/library/dd197529(v=ws.10).aspx

Searching for more cyber security help? Intrust IT is an IT support services and cyber security partner that gets you and gets back to you. Breaches, hacks, cybercrime and whatever's next: We make sure your business is protected so you can sleep at night. Just looking for security consulting? We can help you assess your cyber threats. Learn more about our Cincinnati cyber security solutions online or schedule an appointment.

Intrust Man

Intrust Man

Intrust Man may be small, but he is mighty smart. You can trust this clever cartoon hero to provide news you can use.

Get This Free Resource to Protect Your Business

Checklist: "14 Non-Technical Things You Can Do Today to Protect Your Business from Cyber Crime"

Share this Blog