[RADIATOR] Account Locking for Yubikey Authentication

Heikki Vatiainen hvn at open.com.au
Thu Jan 9 10:35:42 CST 2014


On 01/08/2014 07:38 PM, Heinz, Dave wrote:
> Security team for my company would like us to be able to lock an account
> (tacacs in this case) in the event the user fails X times in Y minutes. 
> 
> We use Yubikey for 2-factor authentication with the Radiator TACACS server. 
> 
> Is there a way for it to flag an account and “disable” the account
> meeting the failed criteria? Would this have to be a “feature” request
> for the next version? 

Currently the Yubikey SQL DB holds information that is only directly
related to Yubikey use. Any logic to lock the account would need to be
implemented separately e.g., by a PostAuthHook or a specific module that
does locking policy.

If implemented by a hook, the information could go into the current
Yubikey table. Required number of columns could be added to the table to
hold the bad login count, timestamps and any other information the
implementation needs. The hook then updates and maintains this
information based on the AuthBy result and current time. However, this
may not be enough depending on the requirements. More about this later.

A more generic approach could be to create a module that implements
locking. It could be then used with the other AuthBys too, for example
AuthBy FILE when stacked with a suitable AuthByPolicy.

If you want to implement this yourself, I'd ask for a clear
specification how the locking needs to be done. For example:

Does your security team require that the account stays locked or should
the lock be automatically cleared after a certain time has passed? Would
a successful login clear failed attempts or is it strict, e.g., 5 bad
logins within the last 10 minutes no matter if there were good logins too?
Also, if the bad logins continue during the lock down period, are they
counted too?

If this should be a Radiator feature, we would most likely make it a
generic SQL based module. Any comments related to this would be appreciated.

Thanks,
Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
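The locking policy sketched above (bad-login count plus timestamps kept in an SQL table, updated from the AuthBy result and the current time, with the three open questions about auto-expiry, clear-on-success and counting during lock-down as knobs), as an added stand-alone example. This is not Radiator code and does not use Radiator's PostAuthHook API: it is a Python model with an in-memory SQLite store; the table and column names, the `LockPolicy` fields and the `evaluate()` entry point are all assumptions made for the example, and the attempt sequences are constructed, not taken from any real log.

```python
"""Sliding-window account lockout modelled on top of an SQL table (added example)."""
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple

OK, BAD_CREDENTIALS, LOCKED = "ok", "bad credentials", "account locked"


@dataclass(frozen=True)
class LockPolicy:
    """Assumed policy knobs mirroring the questions in the post above."""
    max_failures: int = 5          # X bad logins ...
    window_secs: int = 600         # ... within Y (here 10 minutes, in seconds)
    lock_secs: Optional[int] = 900  # None: stays locked until an admin clears it
    clear_on_success: bool = True  # False: strict mode, good logins do not forgive
    count_during_lock: bool = True  # keep failures seen while locked for the next window


class LockoutStore:
    """Failure timestamps and lock rows in SQL (schema is an assumption)."""

    def __init__(self, policy: LockPolicy, conn: Optional[sqlite3.Connection] = None):
        self.policy = policy
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE IF NOT EXISTS auth_failures (
                username TEXT NOT NULL, ts INTEGER NOT NULL);
            CREATE INDEX IF NOT EXISTS auth_failures_user ON auth_failures (username, ts);
            CREATE TABLE IF NOT EXISTS account_locks (
                username TEXT PRIMARY KEY, locked_at INTEGER NOT NULL, locked_until INTEGER);
        """)

    def is_locked(self, user: str, now: int) -> bool:
        row = self.conn.execute(
            "SELECT locked_until FROM account_locks WHERE username = ?", (user,)).fetchone()
        if row is None:
            return False
        if row[0] is not None and row[0] <= now:
            # Timed lock expired: drop only the lock row. Failures recorded during
            # the lock (when the policy keeps them) stay and count towards the next lock.
            self.conn.execute("DELETE FROM account_locks WHERE username = ?", (user,))
            return False
        return True

    def unlock(self, user: str) -> None:
        """Administrative clear: removes the lock and the failure history."""
        self.conn.execute("DELETE FROM account_locks WHERE username = ?", (user,))
        self.conn.execute("DELETE FROM auth_failures WHERE username = ?", (user,))

    def _add_failure(self, user: str, now: int) -> None:
        self.conn.execute("INSERT INTO auth_failures (username, ts) VALUES (?, ?)", (user, now))
        # Prune rows that fell out of the window so the table does not grow unbounded.
        self.conn.execute("DELETE FROM auth_failures WHERE username = ? AND ts <= ?",
                          (user, now - self.policy.window_secs))

    def _failures_in_window(self, user: str, now: int) -> int:
        return self.conn.execute(
            "SELECT COUNT(*) FROM auth_failures WHERE username = ? AND ts > ?",
            (user, now - self.policy.window_secs)).fetchone()[0]

    def evaluate(self, user: str, backend_accepted: bool, now: int) -> Tuple[bool, str]:
        """Post-authentication decision: combine the backend's verdict with lock state."""
        if self.is_locked(user, now):
            if not backend_accepted and self.policy.count_during_lock:
                self._add_failure(user, now)
            return False, LOCKED  # locked accounts are rejected even on a good OTP
        if backend_accepted:
            if self.policy.clear_on_success:
                self.conn.execute("DELETE FROM auth_failures WHERE username = ?", (user,))
            return True, OK
        self._add_failure(user, now)
        if self._failures_in_window(user, now) >= self.policy.max_failures:
            until = None if self.policy.lock_secs is None else now + self.policy.lock_secs
            self.conn.execute(
                "INSERT OR REPLACE INTO account_locks (username, locked_at, locked_until) "
                "VALUES (?, ?, ?)", (user, now, until))
            # The failures that triggered this lock have been consumed.
            self.conn.execute("DELETE FROM auth_failures WHERE username = ?", (user,))
            return False, LOCKED
        return False, BAD_CREDENTIALS


def run_scenario(policy: LockPolicy, attempts: List[Tuple[int, str, bool]]) -> List[str]:
    """Replay constructed (time, user, backend_accepted) attempts; return the reasons."""
    store = LockoutStore(policy)
    return [store.evaluate(user, accepted, t)[1] for t, user, accepted in attempts]


# Constructed attempt sequence: two failures forgiven by a success, then three
# failures that lock the account, attempts during the lock, and activity after expiry.
SAMPLE_ATTEMPTS = [(0, "dave", False), (10, "dave", False), (20, "dave", True),
                   (30, "dave", False), (40, "dave", False), (50, "dave", False),
                   (60, "dave", True), (100, "dave", False), (350, "dave", True),
                   (360, "dave", False)]
```

With a policy of 3 failures in 600 seconds and a 300 second lock, the sample yields `bad, bad, ok, bad, bad, locked, locked, locked, ok, bad`; flipping `count_during_lock` makes the failure at t=100 carry over, so the account re-locks after two further failures instead of three, and `lock_secs=None` keeps it locked until `unlock()`. Two points a real hook has to get right: the lock check belongs before the AuthBy as well as after it, so a locked account does not get its OTP validated (and its Yubikey counter advanced) on every attempt, and the reject reason returned to the client should not distinguish "locked" from "bad credentials", or the lock state becomes an oracle for which usernames exist.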