[RADIATOR] Question regarding to rate limiting bad credentials

Hugh Irvine hugh at open.com.au
Sat Feb 18 00:42:38 UTC 2017

Hello Stephan -

I have written a couple of “rate-limiting” hooks that you will find in “goodies/hooks.txt”.

You may be able to modify one or the other to do what you describe.



> On 18 Feb 2017, at 03:52, <S.Schwarz at lumc.nl> <S.Schwarz at lumc.nl> wrote:
> Hi,
> I was wondering whether it's possible for Radiator to limit/throttle the amount of authentication requests handled by a handler (in this case AuthBy LSA) when an authentication fails.
> To elaborate the idea behind this..
> Our AD account lockout policy is 10 bad logins within 30 minutes.
> If a user has multiple devices that connect to our WiFi (802.1x) using radius authentication and their password expires/needs to be changed, this will need to be changed on all devices.
> However sometimes the user will not always have access to all devices, for example the device is left at work while the user resets their password at home.
> Or a user has like 5-6 devices, and once the password has been changed on 1 device the account might already be locked by the time the last device will be edited (some devices seem to ignore bad credentials and keep retrying).
> In order to "battle" this account lockout discussion we always seem to have with end users, I figure... "what if" we can prevent the radius server from sending authentication requests for a certain amount of time, if for example 3 bad authentications have occurred in x time. If that's the case, then the bad authentication requests won't even be sent to the domain controllers resulting in fewer locked out accounts.
> Is something like this possible? Any other helpful ideas are also welcome. I'm pretty sure we won't change our AD lockout / password policy (increase bad password count or disable expiring passwords).
> Kind regards,
> Stephan Schwarz
> Senior Security Administrator | Leiden University Medical Center
> Tel.: +31 (0)71-526-1822
> Email: s.schwarz at lumc.nl


Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
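
The throttle described in the question, as an added sketch that is not part of either message and is not the contents of goodies/hooks.txt: a per-user gate that stops forwarding after 3 rejects, plus a constructed simulation that checks the result against the 10-in-30-minutes AD policy. All names, the 5-minute window, the hold times and the user "alice" are assumptions; wiring into Radiator hooks is not shown.

```python
# Hypothetical names and constructed values throughout; not Radiator API.
from collections import defaultdict, deque

class BadAuthThrottle:
    """Per-user gate: stop forwarding to the backend after repeated rejects."""

    def __init__(self, max_failures=3, window=300, hold=900):
        self.max_failures = max_failures    # rejects tolerated inside `window`
        self.window = window                # seconds (the "x time" in the question)
        self.hold = hold                    # seconds to answer locally once tripped
        self.failures = defaultdict(deque)  # user -> times of forwarded rejects
        self.blocked_until = {}             # user -> time the hold ends

    def should_forward(self, user, now):
        """Call before authentication; False means reject without asking AD."""
        until = self.blocked_until.get(user)
        if until is not None:
            if now < until:
                return False
            del self.blocked_until[user]    # hold is over, start counting afresh
            self.failures[user].clear()
        return True

    def record_result(self, user, accepted, now):
        """Call after the backend has answered a forwarded request."""
        if accepted:
            self.failures.pop(user, None)
            return
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                     # drop rejects older than the window
        if len(q) >= self.max_failures:
            self.blocked_until[user] = now + self.hold

def worst_ad_count(throttle, devices=5, retry=60, duration=7200, ad_window=1800):
    """Constructed scenario: `devices` stale devices each retry a bad password
    every `retry` seconds. Returns the most rejects AD sees in any ad_window
    (boundary counted inclusively, to stay on the safe side)."""
    forwarded = []
    for now in range(0, duration, retry):
        for _ in range(devices):
            if throttle.should_forward("alice", now):
                throttle.record_result("alice", False, now)
                forwarded.append(now)
    return max(sum(1 for u in forwarded if 0 <= u - t <= ad_window)
               for t in forwarded)
```

In this scenario a 900-second hold keeps AD at 9 rejects per 30 minutes, while a 600-second hold lets 12 through, so the hold has to be sized against the lockout window and not only the trip threshold. While a hold is active, a request carrying the new, correct password is also answered locally.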
