How to block certain usernames hitting Freeradius server
Alan DeKok
aland at deployingradius.com
Fri Aug 18 12:24:00 CEST 2017
On Aug 18, 2017, at 12:07 PM, Burn Zero <burnzerog at gmail.com> wrote:
> We have set up the latest FreeRADIUS version to help users authenticate
> and authorize to 802.1X Wi-Fi. While analyzing logs, we found certain
> usernames (with random letters) that are trying to authenticate
> every few minutes. Those are just invalid usernames that some people
> have configured in their phone/tablet/system. They won't get an
> authentication success anyway, since those are invalid usernames.
Yes, people try that...
> What I am trying to achieve is to prevent these usernames from hitting
> the FreeRADIUS servers (which do the username and group check in Active
> Directory), so that when those invalid usernames come to FreeRADIUS they
> are filtered and no longer go inside the tunnels and then on to the
> username check in Active Directory.
Are those usernames visible in the initial Access-Request?
If so, you can do the following:
- add a cache (e.g. rlm_redis) for rejected users
- add users to the cache in the inner-tunnel
- check for the cache entry in the "default" virtual server, in the "authorize" section
- if the user is found in the cache, reject them.
This is a standard way of creating a "negative cache" for bad users.
Alan DeKok.
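One way to wire up the four steps above in FreeRADIUS 3.0.x unlang, as an added example that is not part of the original post and not the project's shipped configuration. It uses rlm_cache with the in-memory rbtree driver instead of rlm_redis so it runs on a single server with no external dependency; the module instance name `reject_cache`, the use of `Tmp-String-0` as the lookup key, the 600 second TTL and the anonymous-identity regex are all choices made here, not anything from the thread. The key is the OUTER User-Name (the one visible in the initial Access-Request), which is what the "default" virtual server can see before the TLS tunnel is opened.

```unlang
#
#  mods-available/reject_cache  (constructed example, enable with a symlink
#  in mods-enabled/).  Negative cache of outer identities that were rejected
#  inside the tunnel.
#
cache reject_cache {
	#  rbtree keeps the entries in this server's memory.  To share the
	#  cache between several RADIUS servers, switch the driver to the
	#  redis driver for rlm_cache (assumption: available in your build).
	driver = "rlm_cache_rbtree"

	#  Both virtual servers copy the OUTER User-Name into Tmp-String-0
	#  before calling this module, so the same key works in both places.
	key = "%{Tmp-String-0}"

	#  How long a rejected outer identity stays blocked, in seconds.
	#  Keep this short: see the note below the example.
	ttl = 600

	#  Attributes stored with the entry; merged back into the request on
	#  a hit (not needed for the check itself, but useful in the logs).
	update {
		&control:Tmp-String-1 := "negative-cache"
	}
}

#
#  sites-available/inner-tunnel, post-auth section.  Step 2: add the user
#  to the cache when the inner authentication is rejected.
#
post-auth {
	Post-Auth-Type REJECT {
		#  Only cache real outer identities.  A shared anonymous outer
		#  identity (anonymous@realm) must never be blocked, or every
		#  user behind it is locked out by one bad inner login.
		if (&outer.request:User-Name && (&outer.request:User-Name !~ /^anonymous(@.*)?$/i)) {
			update request {
				&Tmp-String-0 := "%{outer.request:User-Name}"
			}
			#  On a miss this inserts the entry; on a hit it just
			#  merges the stored attributes, which is harmless here.
			reject_cache
		}
	}
}

#
#  sites-available/default, authorize section.  Steps 3 and 4: check the
#  cache before "eap" and before any Active Directory lookup, and reject
#  cached identities without ever opening the tunnel.
#
authorize {
	if (&User-Name) {
		update request {
			&Tmp-String-0 := "%{User-Name}"
		}
		#  Status-Only: look the key up but never insert from here.
		#  rlm_cache returns "ok" when the entry exists, "notfound"
		#  otherwise.
		update control {
			&Cache-Status-Only := yes
		}
		reject_cache
		if (ok) {
			update reply {
				&Reply-Message := "Rejected by negative cache"
			}
			reject
		}
	}

	#  ... the rest of the normal authorize section (eap, ldap, ntlm_auth
	#  checks against Active Directory, and so on) follows unchanged.
}
```

Two caveats before deploying this. First, a legitimate user who mistypes a password once is also rejected in the inner tunnel and lands in the cache for the full TTL, so either keep the TTL short or only insert after repeated rejects. Second, anyone who can send an Access-Request carrying a victim's outer identity can get that identity cached and blocked for the TTL, so a negative cache with a long TTL is a cheap lockout lever; the short TTL above limits the damage to what a few minutes of retries would cost anyway.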