Using counters or Password-Retry attribute (RFC2869)

Martin.Ward at uk.neceur.com
Thu Nov 3 15:14:04 CET 2005


Hi all,

I am having another go at trying to implement a "maximum login attempts"
using FreeRadius.

From what I can glean from the documentation and files I (currently) have
two choices:

1. Use the Password-Retry attribute as per RFC2869. This attribute is used
in Access-Reject packets (according to my O'Reilly book) and as I
understand it is simply a number that is set in the Radius server which
states how many times a user is allowed to attempt to login before they are
locked out. The lock-out function is done by the FreeRadius client and
clearly this client must understand and utilise the Password-Retry
attribute for it to have any effect.

I have no idea if my Radius client uses this attribute or not since I can't
find a sensible place to store the attribute, at least I've tried it in
various places and none of them work but this may simply be due to the fact
that the client just ignores this attribute.

2. Use the counter module. While this might not be the way the module was
intended to be used, I have been thinking I could have it count the number of
password failure attempts and, when that value reaches a limit, say 3, the
FreeRadius system rejects logins for that ID from then onwards.

Investigating this option shows that I am missing a number of things:

a. The counter should only be incremented when a password attempt fails.
b. Ideally the counter should reset when the user logs in correctly, but it
would be acceptable for the counter to be reset once a week or once a day
or something like that. I know I can reset the counter at a given time
('reset' attribute of the counter module) but resetting it at a successful
login would be best.

So I guess I am asking three questions.
1. Where should I put the Password-Retry attribute in the FreeRadius config
files so that I can prove or disprove that the Radius client is using this
attribute.
2a. How do I use the counter module to increment a counter only on
Access-Reject?
2b. Can I reset the counter value on Access-Accept?

Thanks fellows,

|\/|artin
--
Senior Network Consultant, NEC (Europe) Ltd.
Acton extension: 3379
NEC*Net: 800-44-21-3379
Direct: +44 20 8752 3379
Fax: +44 20 8752 3389
Mobile: +44 7721 869 356
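Added example (not from the original post, and not FreeRADIUS code): a small server-side model of the "maximum login attempts" policy the post describes, together with the wire encoding of the RFC 2869 Password-Retry attribute (type 75, integer) in an Access-Reject. The counter increments only on a failed password, resets on a successful login, and also resets after a time window; the limit of 3, the one-day window, the shared secret and the Request Authenticator are constructed values. Building and parsing the reply packet yourself is one way to answer question 1: capture the Access-Reject on the wire and check whether attribute 75 is present and whether the NAS changes its behaviour.

```python
"""Added example, not part of the original post or of FreeRADIUS.

Models a per-user failed-login counter with lockout, and encodes the
RFC 2869 Password-Retry attribute (type 75) into a RADIUS Access-Reject
built per RFC 2865 section 3 so the attribute can be checked on the wire.
"""

import hashlib
import struct
import time

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
PASSWORD_RETRY = 75   # RFC 2869 section 5.10: integer, MAY appear in Access-Reject


class FailedLoginCounter:
    """Counts failed authentications per user.

    This is the behaviour the post wants from rlm_counter: increment only on
    a password failure, reset on a successful login, and additionally reset
    after a time window (assumed here: one day)."""

    def __init__(self, limit=3, reset_after=86400, clock=time.time):
        self.limit = limit
        self.reset_after = reset_after
        self.clock = clock            # injectable for testing the time-based reset
        self._state = {}              # user -> (failures, first_failure_time)

    def _failures(self, user):
        failures, first = self._state.get(user, (0, 0.0))
        if failures and self.clock() - first >= self.reset_after:
            del self._state[user]     # window expired: forget old failures
            return 0
        return failures

    def is_locked(self, user):
        return self._failures(user) >= self.limit

    def record(self, user, password_ok):
        """Apply one authentication; return (reply code, attempts remaining)."""
        if self.is_locked(user):
            return ACCESS_REJECT, 0   # locked out: even a correct password is rejected
        if password_ok:
            self._state.pop(user, None)
            return ACCESS_ACCEPT, self.limit
        failures = self._failures(user) + 1
        first = self._state.get(user, (0, self.clock()))[1]
        self._state[user] = (failures, first)
        return ACCESS_REJECT, max(self.limit - failures, 0)


def build_reply(code, ident, request_auth, secret, attrs):
    """Encode a RADIUS reply; attrs is a list of (type, value bytes).

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_reply(packet, request_auth, secret):
    """Recompute the Response Authenticator of a captured reply."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[4:20] == expected


def parse_attrs(packet):
    """Walk the TLV attribute list after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def password_retry_in(packet):
    """Return the Password-Retry value carried in a reply, or None if absent."""
    attrs = parse_attrs(packet)
    if PASSWORD_RETRY not in attrs:
        return None
    return struct.unpack("!I", attrs[PASSWORD_RETRY])[0]


def simulate(secret=b"testing123"):
    """Three wrong passwords, then the right one: returns (code, Password-Retry seen on wire)."""
    counter = FailedLoginCounter(limit=3)
    request_auth = bytes(range(16))   # constructed; a real NAS sends 16 random bytes
    results = []
    for ident, ok in enumerate([False, False, False, True]):
        code, remaining = counter.record("bob", ok)
        attrs = [(PASSWORD_RETRY, struct.pack("!I", remaining))] if code == ACCESS_REJECT else []
        pkt = build_reply(code, ident, request_auth, secret, attrs)
        assert verify_reply(pkt, request_auth, secret)
        results.append((code, password_retry_in(pkt)))
    return results


if __name__ == "__main__":
    print(simulate())
```

Note that the fourth attempt in `simulate()` uses the correct password and is still rejected, because the lockout is enforced server-side regardless of whether the NAS honours Password-Retry; the attribute only informs the client how many tries remain.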