On Wed, May 22, 2013 at 03:09:20PM +0000, Pascal Beauregard wrote:
> Hi,
>
> We would like to block requests to our Active Directory if a wireless
> user has been rejected 3 times in the last 30 minutes.
>
> We have Cisco Wireless Controllers, Radiator and AD. In a university
> environment a lot of our users have multiple wireless devices all
> authenticating through Radiator and AD. We have a password expiration
> delay of 6 months in AD. When the password expires for a user, the
> wireless devices of that user try to authenticate to the wireless
> network over and over until the AD account is locked. The account is
> locked for 30 minutes.
>
> So if Radiator can do that, we would like to block authentication
> requests after 3 unsuccessful requests in the last 30 minutes before
> doing the AuthByNTLM.
>
> I presume we are not the only organization that faces this issue.
No :-) We have a similar setup, and I believe it was solved in the configuration of the Cisco controllers. The values were fiddled in both the AD and the WLC so that the controller blocks the account (temporarily) before the AD locks the account.

If you prefer to do this in Radiator you might want to do the check in a PostAuthHook. If you have one Radiator only, you can keep the number of bad logins in a Perl hash inside Radiator itself, but if you have more Radiators you need a shared cache or database. We use memcached for this purpose (in another context not related to AD).

I wrote a few tips on this (and other things) last year: http://www.open.com.au/pipermail/radiator/2012-December/018755.html

Cheers,
Anders
--
Anders Bandholm, UNI-C, Aarhus
[email protected] (+45) 8937-6645 Fax: (+45) 8937-6677
PGP: id=0x0DD38396; fp=9FDE 3B13 6CA3 BD03 7BF1 7062 E694 D295 0DD3 8396
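The counting logic the reply describes (per-user failures in a sliding 30-minute window, refusing the request locally once 3 are seen so AD never reaches its own lockout threshold), as an added example that is neither Radiator's code nor Anders' hook. The in-memory dict stands in for the single-server Perl hash; the injectable clock and the rule that a successful login clears the counter are assumptions made here.

```python
"""Sliding-window failure throttle for the expired-password retry storm
described in the thread: block a user after 3 failures in 30 minutes
before the request is forwarded to AuthBy NTLM / Active Directory.

Added example, not part of Radiator. With several Radiator servers the
dict below would be replaced by a shared store such as memcached."""
from collections import deque
import time


class FailureThrottle:
    def __init__(self, max_failures=3, window_seconds=30 * 60, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock            # assumption: injectable for deterministic tests
        self._failures = {}           # user -> deque of failure timestamps (seconds)

    def _prune(self, user, now):
        """Drop failures older than the window; return the live deque or None."""
        q = self._failures.get(user)
        if q is None:
            return None
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self._failures[user]  # nothing left to remember for this user
            return None
        return q

    def is_blocked(self, user):
        """Ask this before AuthBy NTLM: True means reject locally, do not contact AD."""
        q = self._prune(user, self.clock())
        return q is not None and len(q) >= self.max_failures

    def record_failure(self, user):
        """Call from the post-auth path whenever AD rejected the user."""
        now = self.clock()
        self._failures.setdefault(user, deque()).append(now)
        self._prune(user, now)

    def record_success(self, user):
        """Assumption: a successful login clears the user's failure history."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    th = FailureThrottle()
    for _ in range(3):                # constructed: three rejected attempts
        th.record_failure("expired-user")
    print("blocked:", th.is_blocked("expired-user"))  # True
```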
