[RADIATOR] Question regarding to rate limiting bad credentials

Hugh Irvine hugh at open.com.au
Sat Feb 18 00:42:38 UTC 2017


Hello Stephan -

I have written a couple of “rate-limiting” hooks that you will find in “goodies/hooks.txt”.

You may be able to modify one or the other to do what you describe.

regards

Hugh


> On 18 Feb 2017, at 03:52, <S.Schwarz at lumc.nl> wrote:
> 
> Hi,
> 
> I was wondering whether it's possible for Radiator to limit/throttle the number of authentication requests handled by a handler (in this case AuthBy LSA) when an authentication fails.
> To elaborate on the idea behind this:
> 
> Our AD account lockout policy is 10 bad logins within 30 minutes.
> If a user has multiple devices that connect to our WiFi (802.1x) using radius authentication and their password expires/needs to be changed, this will need to be changed on all devices.
> However, sometimes the user will not have access to all devices; for example, the device is left at work while the user resets their password at home.
> Or a user has like 5-6 devices, and once the password has been changed on 1 device the account might already be locked by the time the last device is edited (some devices seem to ignore bad credentials and keep retrying).
> 
> In order to "battle" this account lockout discussion we always seem to have with end users, I figure... "what if" we can prevent the radius server from sending authentication requests for a certain amount of time if, for example, 3 bad authentications have occurred in x time. If that's the case, then the bad authentication requests won't even be sent to the domain controllers, resulting in fewer locked-out accounts.
> 
> Is something like this possible? Any other helpful ideas are also welcome. I'm pretty sure we won't change our AD lockout / password policy (increase bad password count or disable expiring passwords).
> 
> 
> Kind regards,
> 
> Stephan Schwarz
> Senior Security Administrator | Leiden University Medical Center
> 
> 
> Tel.: +31 (0)71-526-1822
> Email: s.schwarz at lumc.nl
> 
> 


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
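The throttle Stephan describes, as an added illustration of the decision logic only: this is constructed example code, not the hooks from goodies/hooks.txt and not Radiator's hook API. It assumes the RADIUS side learns each forwarded attempt's verdict and can issue a local Access-Reject; the user name, timings and the 3-failures / 15-minute cooldown values are made up.

```python
from collections import defaultdict, deque


class FailureThrottle:
    """Per-user throttle for failed authentications (constructed example).
    After `max_failures` failures within `window` seconds, attempts for that
    user are rejected locally for `cooldown` seconds instead of being sent
    to the domain controller, so they never count toward the AD lockout."""

    def __init__(self, max_failures=3, window=1800, cooldown=900):
        self.max_failures = max_failures
        self.window = window
        self.cooldown = cooldown
        self.failures = defaultdict(deque)  # user -> recent failure timestamps
        self.blocked_until = {}             # user -> end of local-reject period

    def should_forward(self, user, now):
        """True if the attempt may go to the DC, False to reject locally."""
        return self.blocked_until.get(user, 0) <= now

    def record_result(self, user, now, success):
        """Update state with the DC's verdict for a forwarded attempt."""
        recent = self.failures[user]
        if success:
            # A good password ends any throttling for this user.
            recent.clear()
            self.blocked_until.pop(user, None)
            return
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.blocked_until[user] = now + self.cooldown
            recent.clear()  # start a fresh count after the cooldown


def forwarded_failures(attempt_times, throttle, user="alice"):
    """Replay a device retrying a stale password at the given times; every
    forwarded attempt fails at the DC. Returns how many failures the DC saw."""
    seen = 0
    for t in attempt_times:
        if throttle is not None and not throttle.should_forward(user, t):
            continue  # Access-Reject issued by RADIUS, DC never consulted
        seen += 1
        if throttle is not None:
            throttle.record_result(user, t, success=False)
    return seen


# Constructed replay: one device retrying every 60 s for 30 minutes.
RETRIES = list(range(0, 1800, 60))
```

In this replay the DC sees 30 failures unthrottled but only 6 with the throttle, below the 10-in-30-minutes lockout threshold; the cooldown has to be sized against the AD window, since each cooldown that expires lets another burst of `max_failures` through.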
