I was wondering whether it's possible for Radiator to limit/throttle the amount 
of authentication requests handled by a handler (in this case AuthBy LSA) when 
an authentication fails.
To elaborate on the idea behind this:

Our AD account lockout policy is 10 bad logins within 30 minutes.
If a user has multiple devices that connect to our WiFi (802.1x) using radius 
authentication and their password expires/needs to be changed, this will need 
to be changed on all devices.
However sometimes the user will not always have access to all devices, for 
example the device is left at work while the user resets their password at home.
Or a user has like 5-6 devices, and once the password has been changed on 1 
device the account might already be locked by the time the last device is 
edited (some devices seem to ignore bad credentials and keep retrying).

In order to "battle" this account lockout discussion we always seem to have 
with end users, I figure... "what if" we can prevent the radius server from 
sending authentication requests for a certain amount of time, if for example 3 
bad authentications have occurred in x time. If that's the case, then the bad 
authentication requests won't even be sent to the domain controllers, resulting 
in fewer locked out accounts.

Is something like this possible? Any other helpful ideas are also welcome. I'm 
pretty sure we won't change our AD lockout / password policy (increase bad 
password count or disable expiring passwords).

Kind regards,

Stephan Schwarz
Senior Security Administrator | Leiden University Medical Center

Tel.: +31 (0)71-526-1822
Email: s.schw...@lumc.nl

radiator mailing list
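The throttle proposed in the post above, sketched as an added example: this is not Radiator code and does not claim Radiator ships such a feature; Radiator is Perl with its own hook mechanism, so this is a language-neutral sketch in Python of the decision logic, with `FailureThrottle`, `authenticate` and the `check_password` stand-in for the AD lookup all being names invented here.

```python
import time
from collections import defaultdict, deque

class FailureThrottle:
    """Per-user failure throttle in front of the AD lookup (hypothetical example,
    not Radiator code): after max_failures bad logins for one user inside
    window_seconds, that user's requests are rejected locally for hold_seconds."""

    def __init__(self, max_failures=3, window_seconds=600,
                 hold_seconds=1800, clock=time.time):
        self.max_failures = max_failures    # keep well below AD's threshold (10)
        self.window_seconds = window_seconds
        self.hold_seconds = hold_seconds    # >= AD observation window (30 min)
        self.clock = clock                  # injectable for deterministic tests
        self._failures = defaultdict(deque)  # user -> recent failure timestamps
        self._hold_until = {}               # user -> time the hold expires

    def should_forward(self, user, now=None):
        """True if the request may go to AD, False if it is rejected locally."""
        now = self.clock() if now is None else now
        hold = self._hold_until.get(user)
        if hold is None:
            return True
        if now < hold:
            return False
        del self._hold_until[user]          # hold expired: start with a clean slate
        self._failures.pop(user, None)
        return True

    def record_result(self, user, success, now=None):
        """Feed back the outcome of a request that was forwarded to AD."""
        now = self.clock() if now is None else now
        if success:                         # a good password clears the history
            self._failures.pop(user, None)
            self._hold_until.pop(user, None)
            return
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window_seconds:  # drop stale failures
            q.popleft()
        if len(q) >= self.max_failures:
            self._hold_until[user] = now + self.hold_seconds

def authenticate(throttle, check_password, user, password, now):
    """Run one request through the throttle; check_password stands in for AD."""
    if not throttle.should_forward(user, now):
        return "reject-local"               # the domain controller never sees it
    ok = check_password(user, password)
    throttle.record_result(user, ok, now)
    return "accept" if ok else "reject"
```

The hold also turns away a correct password from a freshly updated device until it expires, which is the price of keeping the bad attempts away from the domain controllers. Keeping max_failures below the AD lockout threshold and hold_seconds at least as long as the AD observation window means AD's own bad-password counter has reset by the time forwarding resumes.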