On Aug 18, 2017, at 12:07 PM, Burn Zero <burnzerog@gmail.com> wrote:
We have setup Freeradius latest version to help users authenticate, authorize to 802.x WIFI. While analyzing logs, we found that certain user names ( with random alphabets ) that are trying to authenticate every certain minutes. Those are just invalid usernames some people have configured in their phone/tablet/system. They won't even get authentication success since those are anyways invalid usernames.
Yes, people try that...
What I am trying to achieve is to prevent these usernames from hitting Freeradius servers ( do username, group check in Active Directory) so that when those invalid usernames comes to Freeradius it would be filtered and no longer go inside tunnels and then for username check in Active directory.
Are those usernames visible in the initial Access-Request? If so, you can do the following: - add a cache (e.g. rlm_redis) for rejected users - add users to the cache in the inner-tunnel - check for the cache entry in the "default" virtual server, in the "authorize" section - if the user is found in the cache, reject them. This is a standard way of creating a "negative cache" for bad users. Alan DeKok.