Hello Stephan - I have written a couple of “rate-limiting” hooks that you will find in “goodies/hooks.txt”.
You may be able to modify one or the other to do what you describe.

regards

Hugh

> On 18 Feb 2017, at 03:52, <[email protected]> <[email protected]> wrote:
>
> Hi,
>
> I was wondering whether it's possible for Radiator to limit/throttle the
> amount of authentication requests handled by a handler (in this case AuthBy
> LSA) when an authentication fails.
> To elaborate the idea behind this..
>
> Our AD account lockout policy is 10 bad logins within 30 minutes.
> If a user has multiple devices that connect to our WiFi (802.1x) using radius
> authentication and their password expires/needs to be changed, this will need
> to be changed on all devices.
> However sometimes the user will not always have access to all devices, for
> example the device is left at work while the user resets their password at
> home.
> Or a user has like 5-6 devices, and once the password has been changed on 1
> device the account might already be locked by the time the last device will
> be edited (some devices seem to ignore bad credentials and keep retrying).
>
> In order to "battle" this account lockout discussion we always seem to have
> with end users, I figure... "what if" we can prevent the radius server from
> sending authentication requests for a certain amount of time, if for example
> 3 bad authentications have occurred in x time. If that's the case, then the
> bad authentication requests won't even be sent to the domain controllers
> resulting in fewer locked out accounts.
>
> Is something like this possible? Any other helpful ideas are also welcome.
> I'm pretty sure we won't change our AD lockout / password policy (increase
> bad password count or disable expiring passwords).
>
>
> Kind regards,
>
> Stephan Schwarz
> Senior Security Administrator | Leiden University Medical Center
>
>
> Tel.: +31 (0)71-526-1822
> Email: [email protected]
>
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://lists.open.com.au/mailman/listinfo/radiator

--

Hugh Irvine
[email protected]

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
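The throttling idea discussed in this thread, as an added example (not code from either poster and not the hooks in goodies/hooks.txt): a standalone Python model of "stop forwarding to AD after N bad logins". The (user, device) key, all class and function names, and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

class FailureThrottle:
    """Stop forwarding requests for a key after repeated bad logins."""

    def __init__(self, max_failures=3, window=1800, hold=1800):
        self.max_failures = max_failures    # bad logins tolerated per window
        self.window = window                # seconds over which they are counted
        self.hold = hold                    # seconds to reject locally once tripped
        self.failures = defaultdict(deque)  # key -> times of forwarded failures
        self.held_until = {}                # key -> time the hold expires

    def allow(self, key, now):
        """True if a request for key may be forwarded to the backend (AD)."""
        until = self.held_until.get(key)
        if until is not None and now < until:
            return False
        if until is not None:               # hold expired: start counting afresh
            del self.held_until[key]
            self.failures.pop(key, None)
        return True

    def record(self, key, ok, now):
        """Feed back the backend's verdict for a request that was forwarded."""
        if ok:
            self.failures.pop(key, None)    # good credentials clear the count
            return
        q = self.failures[key]
        q.append(now)
        while q and q[0] <= now - self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.held_until[key] = now + self.hold

def replay(throttle, events, password_ok):
    """Return {user: bad logins that reached the backend}; key is (user, device)."""
    reached = defaultdict(int)
    for now, key in events:
        if not throttle.allow(key, now):
            continue                        # rejected locally, AD never sees it
        ok = password_ok(key)
        throttle.record(key, ok, now)
        if not ok:
            reached[key[0]] += 1
    return dict(reached)

# Constructed sample: a laptop with the old password retries every 60 s for
# 30 minutes; a phone with the new password logs in once at t=300.
EVENTS = sorted([(t, ("alice", "laptop")) for t in range(0, 1800, 60)]
                + [(300, ("alice", "phone"))])

def password_ok(key):                       # hypothetical stand-in for the AD check
    return key[1] == "phone"
```

Per-device keys multiply the budget: six stale devices at three failures each still exceed a lockout limit of 10, so size max_failures against the number of devices or key on the user name alone.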
