Hello Stephan -

I have written a couple of “rate-limiting” hooks that you will find in 
“goodies/hooks.txt”.

You may be able to modify one or the other to do what you describe.

regards

Hugh


> On 18 Feb 2017, at 03:52, <s.schw...@lumc.nl> <s.schw...@lumc.nl> wrote:
> 
> Hi,
> 
> I was wondering whether it's possible for Radiator to limit/throttle the 
> amount of authentication requests handled by a handler (in this case AuthBy 
> LSA) when an authentication fails.
> To elaborate the idea behind this..
> 
> Our AD account lockout policy is 10 bad logins within 30 minutes.
> If a user has multiple devices that connect to our WiFi (802.1x) using radius 
> authentication and their password expires/needs to be changed, this will need 
> to be changed on all devices.
> However sometimes the user will not always have access to all devices, for 
> example the device is left at work while the user resets their password at 
> home.
> Or a user has like 5-6 devices, and once the password has been changed on 1 
> device the account might already be locked by the time the last device will 
> be edited (some devices seem to ignore bad credentials and keep retrying).
> 
> In order to "battle" this account lockout discussion we always seem to have 
> with end users, I figure... "what if" we can prevent the radius server from 
> sending authentication requests for a certain amount of time, if for example 
> 3 bad authentications have occurred in x time. If that's the case, then the 
> bad authentication requests won't even be sent to the domain controllers 
> resulting in fewer locked out accounts.
> 
> Is something like this possible? Any other helpful ideas are also welcome. 
> I'm pretty sure we won't change our AD lockout / password policy (increase 
> bad password count or disable expiring passwords).
> 
> 
> Kind regards,
> 
> Stephan Schwarz
> Senior Security Administrator | Leiden University Medical Center
> 
> 
> Tel.: +31 (0)71-526-1822
> Email: s.schw...@lumc.nl
> 
> 
> _______________________________________________
> radiator mailing list
> radiator@lists.open.com.au
> http://lists.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
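
The throttle asked about in the quoted question, modelled as an added example: it is not from this thread, not the contents of goodies/hooks.txt and not Radiator code (a Radiator hook would be Perl). The class name, the 600/900 second settings, the 60 second retry interval and the sample user are assumptions.

```python
import time
from collections import defaultdict, deque

class FailureThrottle:
    """Answer locally instead of asking the backend after repeated rejects."""

    def __init__(self, max_failures=3, window=600, hold=900):
        self.max_failures = max_failures  # "3 bad authentications"
        self.window = window              # "... in x time", in seconds
        self.hold = hold                  # seconds to keep requests away from AD
        self._failures = defaultdict(deque)
        self._held_until = {}

    def allow(self, key, now=None):
        """True if this request may be forwarded to the backend."""
        now = time.time() if now is None else now
        until = self._held_until.get(key)
        if until is not None:
            if now < until:
                return False              # still held: reject without asking AD
            del self._held_until[key]     # hold expired: start counting afresh
            self._failures.pop(key, None)
        return True

    def record(self, key, accepted, now=None):
        """Feed the backend's verdict back in after a forwarded request."""
        now = time.time() if now is None else now
        if accepted:
            self._failures.pop(key, None)  # a good login clears the count
            return
        q = self._failures[key]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                    # forget rejects older than the window
        if len(q) >= self.max_failures:
            self._held_until[key] = now + self.hold


def simulate(throttle, key, retry_every, duration):
    """Constructed scenario: a device with a stale password retries at a
    fixed interval. Returns how many rejects actually reached the backend."""
    rejects = 0
    for now in range(0, duration, retry_every):
        if throttle.allow(key, now):
            throttle.record(key, False, now)
            rejects += 1
    return rejects
```

With these settings a device retrying every minute for 30 minutes gets 6 rejects through to the backend instead of 30. Keying on the user name alone also holds off a device that already has the new password; adding a device identifier to the key spares it, but the count is then per device rather than per account.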
