Firewall Wizards mailing list archives

NDS grace login problem


From: "Chris Hughes" <chughes1 () idt net>
Date: Tue, 14 Dec 1999 13:21:03 -0800

I am working on a VPN project involving NDS authentication.  The two
solutions I ended up with were the Cisco Secure VPN solution and the Lucent
Managed Firewall aka 'the Brick'.  Both solutions take advantage of Steel
Belted Radius to handle NDS authentication.

The problem I am left with is an NDS grace login scenario.  While Steel
Belted Radius can recognize that a grace login scenario is taking place, the
only ability to deal with it is to display a pop-up window to the user
once the grace login period has expired.

Even though SBR keeps a log file that records the existence of a grace login
scenario as well as the number of grace logins remaining, it only lets you
open the message once authentication is denied.  Alternatively, SBR affords
the ability to authenticate even if the NDS auth fails.

My dilemma is that upon full implementation, my VPN will be handling 10K
users or more.  I don't want to pop up a message for them to call helpdesk
for expired passwords.

Has anyone run into this?  Is there a good solution that doesn't involve
writing a script to parse the SBR log file?

Any help would be greatly appreciated.

Thanks,

Chris Hughes
Senior Network Consultant
Enterprise Networking Systems
8840 Stanford Blvd
Suite 2100
Columbia, MD  21045

(410)953-0200 - Business
(410)953-0203 - Fax
(240)460-7283 - Mobile




