Change FreeRADIUS Default Port Number

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Jan 23 15:33:46 CET 2015


> On 23 Jan 2015, at 21:20, Winfield, Alister <Alister.Winfield at bskyb.com> wrote:
> 
> Real life suggests 100:1 bad login to good login attempts. Mostly because
> the bad cases just try again and again and again and vendors haven't heard
> of backing off on failure.
> 
> If it's normal and not actively malicious clients, try caching the rejects
> for a short period to avoid bothering to go through the full logic on
> every request.

Yes, the best solution for that is probably a holding pen, that's the strategy
other ISPs have adopted to prevent spurious re-authentication attempts.

Just send back a different set of tunnel end-points and reduce the Session-Timeout.

Works rather well for throttling re-authentication attempts. That or you build a 
system that can handle the load, which is actually fairly easy with modern 
hardware and an LDAP or REDIS backend.

Other options are using the caching module to send back a canned reject for n 
minutes.

-Arran
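
The reject caching suggested in this thread, as an added Python sketch that is not part of the original message and is not FreeRADIUS code or configuration. The names `RejectCache`, `authenticate` and `demo`, the 300-second TTL and the sample credentials are assumptions; it assumes a PAP-style request where the submitted password is visible, and keys on the exact credentials so a corrected password still reaches the backend.

```python
import hashlib
import hmac
import os
import time
from collections import OrderedDict


class RejectCache:
    """Remember recent rejects so repeats skip the full authentication logic."""
    def __init__(self, backend, ttl=300.0, max_entries=100_000, clock=time.monotonic):
        self.backend = backend          # callable(user, password) -> bool, the expensive path
        self.ttl = ttl                  # seconds a reject stays cached ("n minutes")
        self.max_entries = max_entries  # bound memory under a flood of distinct keys
        self.clock = clock
        self._key = os.urandom(32)      # per-process HMAC key; passwords are never stored
        self._rejects = OrderedDict()   # digest -> expiry time, oldest insert first

    def _digest(self, user, station, password):
        msg = "\x00".join((user, station, password)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def authenticate(self, user, station, password):
        # Returns (accepted, served_from_cache).
        now = self.clock()
        k = self._digest(user, station, password)
        expiry = self._rejects.get(k)
        if expiry is not None:
            if now < expiry:
                return False, True      # canned reject, backend not consulted
            del self._rejects[k]        # entry aged out, fall through to the backend
        if self.backend(user, password):
            return True, False          # accepts are never cached
        self._rejects[k] = now + self.ttl
        while len(self._rejects) > self.max_entries:
            self._rejects.popitem(last=False)   # evict the oldest reject
        return False, False


def demo():
    calls = []
    def backend(user, password):        # constructed stand-in for an LDAP/SQL lookup
        calls.append(user)
        return password == "correct-horse"
    t = [0.0]                           # fake clock so the run is deterministic
    cache = RejectCache(backend, ttl=300.0, clock=lambda: t[0])
    who = ("cpe-0042", "00:11:22:33:44:55")     # constructed client identity
    retries = [cache.authenticate(*who, "stale") for _ in range(100)]
    fixed = cache.authenticate(*who, "correct-horse")
    t[0] = 301.0                        # past the TTL: the reject is re-evaluated
    later = cache.authenticate(*who, "stale")
    return len(calls), retries[0], retries[99], fixed, later
```

In `demo()`, 100 identical bad attempts cost one backend lookup; the corrected password and the post-expiry retry each cost one more.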


More information about the Freeradius-Users mailing list