[RADIATOR] Question regarding rate limiting bad credentials

S.Schwarz at lumc.nl
Fri Feb 17 16:52:33 UTC 2017


I was wondering whether it's possible for Radiator to limit/throttle the amount of authentication requests handled by a handler (in this case AuthBy LSA) when an authentication fails.
To elaborate on the idea behind this:

Our AD account lockout policy is 10 bad logins within 30 minutes.
If a user has multiple devices that connect to our WiFi (802.1x) using radius authentication and their password expires/needs to be changed, this will need to be changed on all devices.
However sometimes the user will not always have access to all devices, for example the device is left at work while the user resets their password at home.
Or a user has 5-6 devices, and once the password has been changed on 1 device the account might already be locked by the time the last device is edited (some devices seem to ignore bad credentials and keep retrying).

In order to "battle" this account lockout discussion we always seem to have with end users, I figure... "what if" we can prevent the radius server from sending authentication requests for a certain amount of time, if for example 3 bad authentications have occurred in x time. If that's the case, then the bad authentication requests won't even be sent to the domain controllers, resulting in fewer locked out accounts.

Is something like this possible? Any other helpful ideas are also welcome. I'm pretty sure we won't change our AD lockout / password policy (increase bad password count or disable expiring passwords).

Kind regards,

Stephan Schwarz
Senior Security Administrator | Leiden University Medical Center

Tel.: +31 (0)71-526-1822
Email: s.schwarz at lumc.nl
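The gating logic the question describes, as an added Python sketch that is not part of the original post and not Radiator's own code (Radiator hooks are written in Perl, so this would be a model to port, not a drop-in). It assumes a per-user sliding window of failures and a local hold that is shorter than the 30-minute AD lockout window; class and function names are invented for illustration.

```python
import time
from collections import defaultdict, deque

def _key(user):
    # DOMAIN\user, user@realm and case variants all share one counter (constructed rule).
    return user.rsplit("\\", 1)[-1].split("@", 1)[0].lower()

class FailureThrottle:
    """Gate in front of a backend authenticator (here: an AD domain controller).
    After `max_failures` failed logins for one user within `window` seconds, that
    user's requests are rejected locally for `hold` seconds and never reach AD."""
    def __init__(self, max_failures=3, window=600, hold=900, clock=time.monotonic):
        self.max_failures, self.window, self.hold, self.clock = max_failures, window, hold, clock
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.held_until = {}                # user -> time at which the local hold ends
    def should_forward(self, user):
        # True if the request may go to the backend, False if it is held locally.
        k, now = _key(user), self.clock()
        if now < self.held_until.get(k, float("-inf")):
            return False
        if self.held_until.pop(k, None) is not None:  # hold just expired
            self.failures.pop(k, None)                # start from a clean window
        return True
    def record_result(self, user, success):
        # Feed the backend's verdict back; a success clears the user's history.
        k, now = _key(user), self.clock()
        if success:
            self.failures.pop(k, None)
            self.held_until.pop(k, None)
            return
        q = self.failures[k]
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self.held_until[k] = now + self.hold

def simulate(events, **kwargs):
    """Replay constructed (time, user, backend_accepts) tuples; returns 'ok'/'fail'/'held' per event."""
    now = [0.0]
    throttle = FailureThrottle(clock=lambda: now[0], **kwargs)
    outcomes = []
    for when, user, accepted in events:
        now[0] = when
        if throttle.should_forward(user):
            throttle.record_result(user, accepted)
            outcomes.append("ok" if accepted else "fail")
        else:
            outcomes.append("held")  # rejected here, domain controller never consulted
    return outcomes
```

With the defaults, a user's 4th bad login inside 10 minutes is answered locally instead of becoming the 4th strike toward the 10-in-30-minutes AD policy, while other users are unaffected.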
