account lock for email registration

A: I was trying to set up a login portal using the email registration method. The registration process was very smooth; I could get the activation email and was able to log in after that. So that was really good.

Then I went on to test the password reset function: I typed http://mbox.ransnet.com to log out and clicked login again; the landing page came back, and then I clicked on "Forgot your Password?". But after I put in my email and clicked on the Submit button, I got the message "Please try reset a few minutes later".

Then I waited for a few minutes and repeated the reset steps again; now I am getting the "Account is locked" message and couldn't proceed further.

So what's going on here? Is the reset function working?

Q: The email self-registration method opens up 10 minutes of free access for registration or password reset, so that users can check their emails to retrieve their password. This can potentially be abused by hackers who just want to leverage this temporary free access by continually submitting false emails or resetting passwords (assuming each submission gets 10 minutes of free access), hoping that they never need to sign up with real information to get prolonged free access.

To mitigate such risks, mbox has implemented multiple security measures. For example, you cannot reset the password immediately after registration, you can't keep submitting false emails from the same device within a short period of time, and you are limited to a few registrations on the same device per day, etc., because a legitimate user will not behave like that, and so they won't experience such lockouts.

However, as a testing engineer, you want to test all the features, such as registration and password reset, during implementation, and sometimes you need to test registrations with many emails, etc. You may experience such lockouts too, and it will be very inconvenient for your tests.

So you have to be aware that immediately after registration, you need to wait more than 15 minutes to test password reset, and after trying with many emails, your device will be locked out. Then either you need to use a different device to test, or you need to reset the RADIUS database to clear the lockout sessions so that you can continue testing (otherwise you need to wait till the next day to try again).

There are two ways to reset your RADIUS database (make sure you only do this during initial testing while there's no existing RADIUS data, because the reset will wipe it out).

1. reset via CLI

    Randy-TEST> enable
    Enter enable password:
    Randy-TEST# configure
    Randy-TEST(config)# security radius-server
    Randy-TEST(config-radius)# data-reset
    This will erase all your existing RADIUS data. do you want to continue "y" or "n": y
    restoring default radius...
    Info: mysql is stopped.
    Info: mysql is running.
    Randy-TEST(config-radius)#

2. reset via mbox portal (this is recommended only if you have an initial config backup from before your test)

Log in to the mbox portal, go to ADMIN --> Settings --> Config Backup, and click to restore your old backup config.
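To make the lockout behaviour above predictable when planning tests, here is an added Python model of the per-device rules the answer describes (not mbox's own code). The 10-minute free-access window and the 15-minute wait before a reset are taken from the answer; the burst limit (MAX_BURST) and daily limit (MAX_PER_DAY) are assumed values, and the device ids and emails are constructed.

```python
# Per-device lockout model; times are minutes from an arbitrary origin.
FREE_ACCESS = 10      # page: each submission opens 10 minutes of free access
RESET_COOLDOWN = 15   # page: wait more than 15 minutes after registering before a reset
DAY = 24 * 60
MAX_BURST = 2         # assumed: submissions allowed per device per free-access window
MAX_PER_DAY = 5       # assumed: "only a few registrations on the same device per day"
LOCKED = "Account is locked"
TRY_LATER = "Please try reset a few minutes later"

class SelfRegistrationPolicy:
    def __init__(self):
        self.devices = {}  # device id -> {"submissions": [...], "registered": {...}, "locked": bool}

    def _check_device(self, device, now):
        st = self.devices.setdefault(device, {"submissions": [], "registered": {}, "locked": False})
        if st["locked"]:
            return st, LOCKED
        st["submissions"].append(now)  # rejected attempts count too, as the questioner saw
        recent = sum(1 for t in st["submissions"] if now - t < FREE_ACCESS)
        today = sum(1 for t in st["submissions"] if now - t < DAY)
        if recent > MAX_BURST or today > MAX_PER_DAY:
            st["locked"] = True  # in this model only data_reset() clears the lock
            return st, LOCKED
        return st, None

    def register(self, device, email, now):
        st, err = self._check_device(device, now)
        if err:
            return err
        st["registered"][email] = now
        return "Activation email sent"

    def reset_password(self, device, email, now):
        st, err = self._check_device(device, now)
        if err:
            return err
        registered_at = st["registered"].get(email)
        if registered_at is not None and now - registered_at < RESET_COOLDOWN:
            return TRY_LATER
        return "Reset email sent"

    def data_reset(self):  # counterpart of "data-reset" under security radius-server
        self.devices.clear()

def reported_scenario():
    """The questioner's sequence: register, reset after 1 min, reset again after 4 min."""
    policy = SelfRegistrationPolicy()
    return [policy.register("laptop", "tester@example.com", 0),
            policy.reset_password("laptop", "tester@example.com", 1),
            policy.reset_password("laptop", "tester@example.com", 4)]
```

Running reported_scenario() reproduces the two messages from the question, while a reset 20 minutes after registration on the same device succeeds.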