Incremental Reject delay

Krzysztof Grobelak kgrobelak at airspeed.ie
Wed Nov 4 13:48:07 CET 2015


´╗┐On 04/11/15 11:53, Herwin Weststrate wrote:
> On 04-11-15 12:46, Krzysztof Grobelak wrote:
>> Hello List,
>>
>> Apologies if this was asked here before.
>>
>> I would like to configure freeRadius to send Access-Reject with values that increment with each failed attempt.
>>
>> I noticed in the mailing list some discussion about  an "FreeRADIUS-Response-Delay-Usec" is there an attribute that would allow for full seconds delay?
>>
>> Something like "FreeRADIUS-Response-Delay" maybe?
>>
>> I could then query the database for the last delay and increment it accordingly
>> like such:
>>
>> update reply {
>>     Tmp-String-0 := "%{sql:SELECT delay+delay FROM failed_login_delay WHERE username=&User-Name}"
>>      FreeRADIUS-Response-Delay := &Tmp-String-0
>> }
>>
>> I hope this does makes sense...
>>
>> Obviously i'm aware of the reject_delay setting in radiusd.conf but I would like to be able to increment the delay dynamically.
>> Or is there some other obvious way to do this?
Hello Herwin,
> Your gut feeling was pretty correct, since 3.0.10 you can use
> FreeRADIUS-Response-Delay and FreeRADIUS-Response-Delay-USec to override
Great, need to upgrade the system though.
> the default delay from radiusd.conf. Keep in mind that there is a
> maximum of 10 seconds, larger values will be set to 10.
>
Is this value hard code you know or is there other factor limiting it?
If its hard coded i can probably modify it myself in the code before building.

Thanks for the response and advice!

Regards,
Krzysztof




Airspeed Telecom


More information about the Freeradius-Users mailing list