Question

FdoRuiz-6670 asked (edited by CandyLuo-MSFT)

Remote access client account lockout does not work

Hi everyone,

We are using Windows NPS as a RADIUS server for the corporate wireless network. Only the AD groups defined in the NPS policy (i.e. DOMAIN\WIFIGRP) are allowed to authenticate. We configured the MaxDenials and ResetTime registry entries using values that are roughly half of what is defined in AD's account lockout policy.

The problem is, when we deliberately enter wrong passwords for a member of DOMAIN\WIFIGRP, NPS's remote lockout policy does not seem to 'intercept' those requests and AD's badPwdCount gets incremented instead, which is precisely what we are trying to avoid.

Any ideas?

Thanks in advance.

Tags: windows-server, windows-active-directory

CandyLuo-MSFT answered (edited)

Yes, we use PEAP with MSCHAP-v2. 'Enable fast reconnect' is ticked. In the EAP MSCHAP-v2 properties we have 2 authentication attempts and 'allow client to change password after it has expired'.

You might set Number of authentication retries to 0 and then try again to check the result.


Hey @CandyLuo-MSFT,

We set Number of authentication retries to 0 in both our Connection request policy and Network Policy and now we see the denials in the registry.
We didn't think that particular setting was able to override the remote access lockout settings.

Thank you so much!

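To verify the outcome described in the comment above, here is an added PowerShell check (my own code, not from the thread or from Microsoft) that reads the NPS remote access account lockout settings, compares MaxDenials with the AD domain lockout threshold, and lists the accounts NPS is currently counting denials for. It assumes the documented registry location, where the reset interval is stored under the value name 'ResetTime (mins)' and each tracked account is a subkey named 'DOMAIN:username'; the Get-Nps*/Reset-Nps* function names are mine, and the AD comparison needs the RSAT ActiveDirectory module.

```powershell
# Added example, not code from the thread: audit NPS remote access account lockout.
# Run as an administrator on the NPS server (tested logic assumes Windows PowerShell 3+).
$LockoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

function Get-NpsAccountLockoutConfig {
    # The reset interval's value name is 'ResetTime (mins)' (with the space),
    # although it is usually referred to as ResetTime. 0 for MaxDenials = disabled.
    $cfg = Get-ItemProperty -Path $LockoutKey -ErrorAction Stop
    [pscustomobject]@{
        MaxDenials    = [int]$cfg.MaxDenials
        ResetTimeMins = [int]$cfg.'ResetTime (mins)'
    }
}

function Get-NpsLockedOutAccounts {
    # Each account with an active denial counter is a subkey named 'DOMAIN:username'.
    # No subkeys while bad passwords are being sent means NPS is not intercepting
    # the failures at all (the symptom described in the question above).
    Get-ChildItem -Path $LockoutKey -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName
}

function Reset-NpsAccountLockout {
    # Clears one account's counter before ResetTime expires by deleting its subkey.
    # Supports -WhatIf so the deletion can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'DOMAIN:jdoe'
    $path = "$LockoutKey\$Account"
    if ($PSCmdlet.ShouldProcess($path, 'Remove NPS lockout counter')) {
        Remove-Item -LiteralPath $path -ErrorAction Stop
    }
}

$nps    = Get-NpsAccountLockoutConfig
$ad     = Get-ADDefaultDomainPasswordPolicy
$window = $ad.LockoutObservationWindow.TotalMinutes
'NPS MaxDenials={0}  ResetTime={1} min' -f $nps.MaxDenials, $nps.ResetTimeMins
'AD  LockoutThreshold={0}  ObservationWindow={1} min' -f $ad.LockoutThreshold, $window

# The question's intent is for NPS to lock first, so MaxDenials must stay below
# the AD threshold; warn when the configuration cannot achieve that.
if ($nps.MaxDenials -eq 0) {
    Write-Warning 'MaxDenials is 0: remote access account lockout is disabled on this NPS.'
} elseif ($ad.LockoutThreshold -gt 0 -and $nps.MaxDenials -ge $ad.LockoutThreshold) {
    Write-Warning 'MaxDenials is not below the AD threshold, so AD will lock the account first.'
}

'Accounts with active NPS denial counters:'
Get-NpsLockedOutAccounts
```

Run it once before and once after sending a few deliberate bad passwords for a test account: the account should appear in the subkey list while AD's badPwdCount for it stays unchanged.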

I am pleased to know that the information is helpful to you. You could accept the useful reply as the answer; it will encourage the person who helped you.

Appreciate your understanding. :)

If there is anything else we can do for you, please feel free to post in the forum.


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

CandyLuo-MSFT answered

Hi,

Before we go further, I would like to confirm the following questions:

1. Which device is acting as RADIUS client?

2. Which authentication method did you use? PEAP-MSCHAP-v2?

3. What's the OS version of your RADIUS server? Server 2008 R2, Server 2016 or Server 2019?

Best Regards,
Candy

FdoRuiz-6670 answered (CandyLuo-MSFT converted comment to answer)

Hi @CandyLuo-MSFT,

Thanks for your prompt reply.

1. Which device is acting as RADIUS client?

The device is an Aruba virtual controller. In the device's RADIUS server settings we have Timeout: 5 sec and retry count: 3.
In the NPS server we set the client type as 'RADIUS Standard'.

2. Which authentication method did you use? PEAP-MSCHAP-v2?

Yes, we use PEAP with MSCHAP-v2. 'Enable fast reconnect' is ticked. In the EAP MSCHAP-v2 properties we have 2 authentication attempts and 'allow client to change password after it has expired'.

3. What's the OS version of your RADIUS server? Server 2008 R2, Server 2016 or Server 2019?

Windows Server 2012 R2
