[RADIATOR] AuthBy FAILUREPOLICY always results in IGNORE
Heikki Vatiainen
hvn at open.com.au
Thu Feb 6 12:39:52 UTC 2020
On 05/02/2020 14.24, Ralf Wenk wrote:
> The handler statements are
>
> <Handler Client-Identifier=IZ, Realm=VPN>
> AcctLogFileName %L/vpn/AcctLog-%Y-%m
> RewriteUsername s/@.+//o
> UsernameCharset a-z0-9
> <AuthBy FAILUREPOLICY>
> Identifier Fail_Policy
> ConsecutiveFailures 5
> ConsecutiveLockTime 300
> CumulativeFailures 200
> CumulativeLockTime 14400
> CumulativeWindow 43200
> </AuthBy>
> AuthBy SQL_VPN
> AuthLog AuthLogFile-VPN
> AuthLog AuthLogSyslog-VPN
> AuthLog AuthLogSQL-VPN
> AuthBy SQL_Acct_Log_VPN
> Identifier VPN
> </Handler>
>
> and the Radiator version is 4.24-10.
>
> I think the cause is behind the "No failure policy history exists ..."
> message.
Quite likely so. This means that there's no history yet for the user. If
there should be, then it's likely that nothing has created and
updated the history for the user.
> Did I make a wrong assumption or is there a configuration mistake in
> the FAILUREPOLICY I do not see?
There's one thing that seems to be missing: note that in the
failurepolicy.cfg goodies file there's a PostAuthHook defined. This hook
checks the result and then maintains the history.
If you try the goodies configuration sample with, for example, SQLite,
watching the SQL updates gives a good look at how it works. When the
information is kept in-memory, functionality is similar.
> By the way, "3.114.8. CumulativeLockTime" of the manual shows
> "ConsecutiveLockTime" as the configuration statement not the
> "CumulativeLockTime" one.
Thanks for the note. I'll see that it gets fixed.
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
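
Added illustration of the reply above (not Radiator code and not part of the original message): a simplified Python model of a lockout policy whose check only reads per-user history, while a separate post-authentication step writes it. The class and function names are hypothetical, only the thresholds come from the quoted configuration, and the exact lock semantics are an assumption.

```python
from dataclasses import dataclass, field

# Thresholds taken from the <AuthBy FAILUREPOLICY> clause quoted in the thread.
CONSECUTIVE_FAILURES, CONSECUTIVE_LOCK_TIME = 5, 300
CUMULATIVE_FAILURES, CUMULATIVE_LOCK_TIME, CUMULATIVE_WINDOW = 200, 14400, 43200

@dataclass
class History:
    consecutive: int = 0
    failures: list = field(default_factory=list)  # failure timestamps in window
    locked_until: float = 0.0

class PolicyModel:
    """Hypothetical model: check() only reads history, post_auth() writes it."""
    def __init__(self):
        self.history = {}

    def check(self, user, now):
        h = self.history.get(user)
        if h is None or now >= h.locked_until:
            return "IGNORE"   # nothing to enforce; the next AuthBy decides
        return "REJECT"       # user is inside a lock period

    def post_auth(self, user, accepted, now):
        h = self.history.setdefault(user, History())
        if accepted:
            h.consecutive = 0
            return
        h.consecutive += 1
        h.failures = [t for t in h.failures if now - t < CUMULATIVE_WINDOW] + [now]
        if h.consecutive >= CONSECUTIVE_FAILURES:
            h.locked_until = max(h.locked_until, now + CONSECUTIVE_LOCK_TIME)
        if len(h.failures) >= CUMULATIVE_FAILURES:
            h.locked_until = max(h.locked_until, now + CUMULATIVE_LOCK_TIME)

def simulate(attempts, with_hook, user="alice"):
    """Return the policy verdict for each (time, password_ok) attempt."""
    policy, verdicts = PolicyModel(), []
    for now, password_ok in attempts:
        verdict = policy.check(user, now)
        verdicts.append(verdict)
        if verdict == "IGNORE" and with_hook:  # assumed: hook runs after real auth
            policy.post_auth(user, password_ok, now)
    return verdicts

# Constructed sample: six wrong passwords 10 s apart, then two correct ones.
ATTEMPTS = [(t, False) for t in range(0, 60, 10)] + [(60, True), (400, True)]

if __name__ == "__main__":
    print("hook configured:", simulate(ATTEMPTS, with_hook=True))
    print("hook missing:   ", simulate(ATTEMPTS, with_hook=False))
```

With the history-writing step left out, every verdict stays IGNORE no matter how many failures occur, which matches the symptom in the subject line.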