Radius module for Config Server

[DJM]

Hi guys,

Just wonder if you guys have had any experience with this??

Our customer has a security requirement to disable a user after 3 failed attempts at logging in with a given username.  Genesys informed us the best way to do this would be to use a Radius server..

I have had a bit of a play with this, and started looking at LDAP authentication also.. I have downloaded and tried winradius (they run windows here).. Bit of a toy, but works ok, I can see in the winradius logs when a user logs into CME, and either gets authenticated or not.

The next would be to lock a user after he has say 3 or so trys at logging in.

I noticed there is an option in the radiusclient.conf file in the Confserv directory:

# maximum login tries a user has
login_tries 4

Unfortunately this doesn't seem to work.. I presume it perhaps is getting passed to my radius server, but it doesn't know what to do with it..

Any advice or experience you can give me on this??

Also, what other security issues do you have with Genesys?? have you had to go through security audits for you customers? (unencrypted username/passwords in transit seems to brought up a bit)

Cheers
DJM

[Steve]

We too have problems with passwords in Genesys. Things like forcing passwords to expire after x days, ensuring that the password is 8 characters or more and that it contains upper and lowercase letters.

All of these, and your max retries issue need to be configured in the radius server. Exactly how you do this will depend on the Radius Server, so in that respect I can't help.

Unencypted passwords are not an issue in Genesys v7.2, as all passwords are encypted between the client and Config Server.

Steve

[JTL]

We've configured LDAP authentication, using the company's existing LDAP server which authenticates for the user domain.

As a result, obviously we bypass any problems relating to length of password, upper/lower case etc, because the user never sets a Genesys password - so we can use the Windows policies to properly govern the passwords.

This does not, however, help with respect to multiple password attempts per se - unless the LDAP server will simply ignore any requests > the allowed failure number. I can't say I've tried that, as it wasn't a policy requirement, but I've no reason to think it can't be configured to do so - assuming that the LDAP server treats login requests from the Genesys LDAP string in the same way that it treats logins from (say) the domain login box.

[DJM]

Hi guys,

Thanks for your feedback, great to hear what other people are doing out there.

I think LDAP is probably the best way to go for us, but will be more work, as we'll have to involve other parties ourside of our team, which generally means more pain!

Cheers