Avoid locked Active Directory Account when using PAP/krb5 against active directory

Phil Mayers p.mayers at imperial.ac.uk
Fri Jul 27 17:58:34 CEST 2012


On 27/07/12 16:22, Thomas Glanzmann wrote:
> Hello,
> I have a Citrix Netscaler which authenticates users against Active
> Directory with PAP. First against Active Directory using krb5 and second
> against smsotp using a PAP Access-Challenge. If someone knows a username
> he can type in the right username with the wrong password multiple times
> and so lock the account in Active Directory. Now I'm looking for
> solutions to avoid that.
>
> Is there a FreeRadius module which accounts the login failures of
> another FreeRadius module (krb5) within a given time range and stops
> prompting the underlying FreeRadius module (krb5) if a user has
> authenticated itself for example 3 times within one hour? If not,
> what practical solutions do you have in mind?

I don't think there is a built-in module. However, you could emulate 
this with SQL and post-auth / authorize queries. For example:

authorize {
   # Count this user's failures inside the last hour. The "fails" table
   # is written by the Post-Auth-Type Reject section below, so the column
   # names here and there must match (username, failtime).
   update control {
     Tmp-Integer-0 = "%{sql:select count(*) from fails where username='%{User-Name}' and now()-failtime < '1 hour'}"
   }
   # Reject here, before the krb5 module runs, so AD never sees the
   # attempt and the account's bad-password counter is not touched.
   if (control:Tmp-Integer-0 > 10) {
     update reply {
       Reply-Message := "10+ auth fails per hour"
     }
     reject
   }
   ...
}


post-auth {
   # Record every rejected attempt. The insert returns nothing useful,
   # so its result is just parked in a temporary attribute.
   Post-Auth-Type Reject {
     update control {
       Tmp-String-0 := "%{sql:insert into fails (username,failtime) values ('%{User-Name}', now())}"
     }
   }
}

Customise as appropriate for your SQL schema / site config.
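As an added stand-alone illustration (not code from the list post), the same two queries modelled in Python against an in-memory sqlite3 `fails(username, failtime)` table, with the 1-hour window and the `> 10` threshold from the unlang above; the index, the purge query, and the sample username are assumptions, not part of the post.

```python
import sqlite3

WINDOW_SECONDS = 3600   # the "1 hour" window in the authorize query
MAX_FAILS = 10          # the "control:Tmp-Integer-0 > 10" threshold


def open_db():
    """In-memory stand-in for the site's SQL backend (schema is assumed, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fails (username TEXT NOT NULL, failtime INTEGER NOT NULL)")
    # Index assumed: the authorize lookup runs on every request, so it must stay cheap.
    conn.execute("CREATE INDEX fails_user_time ON fails (username, failtime)")
    return conn


def record_failure(conn, username, now):
    """Mirror of the Post-Auth-Type Reject insert: one row per rejected attempt."""
    conn.execute("INSERT INTO fails (username, failtime) VALUES (?, ?)", (username, now))


def recent_failures(conn, username, now):
    """Mirror of the authorize select: this user's failures inside the window."""
    row = conn.execute(
        "SELECT count(*) FROM fails WHERE username = ? AND ? - failtime < ?",
        (username, now, WINDOW_SECONDS),
    ).fetchone()
    return row[0]


def should_reject(conn, username, now):
    """True when the unlang 'if' would reject before krb5 ever sees the request."""
    return recent_failures(conn, username, now) > MAX_FAILS


def purge_old(conn, now):
    """Housekeeping the post does not show: drop rows that can no longer be counted."""
    cur = conn.execute("DELETE FROM fails WHERE ? - failtime >= ?", (now, WINDOW_SECONDS))
    return cur.rowcount


def simulate_burst(attempts, spacing=10):
    """Constructed scenario: `attempts` wrong-password tries for one user, `spacing` s apart.

    Returns the connection and the timestamp of the next request."""
    conn = open_db()
    t0 = 1_000_000          # constructed epoch-style start time
    user = "alice"          # constructed username
    for i in range(attempts):
        record_failure(conn, user, t0 + i * spacing)
    return conn, t0 + attempts * spacing
```

Note that the threshold is strictly greater than 10, so the eleventh failure inside the window is the first one rejected at the RADIUS layer, and a burst that has aged past the window counts as zero again.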

