On 27/07/12 16:22, Thomas Glanzmann wrote:
Hello, I have Citrix Netscaler which authenticates user against active directory with PAP. First against Active Directory using krb5 and second against smsotp using a PAP Access challenge. If someone knows a username he can type in multiple times the right username with the wrong password and can so lock the account in active directory. Now I'm looking for solutions to avoid that.
Is there a FreeRadius Module which accounts the login failures of another FreeRadius Module (krb5) within a given time range and stops prompting the underlying FreeRadius Module (krb5) if a user has authenticated itself for example 3 times within one hour, if not whatever practical solutions do you have in mind?
I don't think there is a built-in module. However, you could emulate this with SQL and post-auth / authorize queries. For example: authorize { update control { Tmp-Integer-0 = "%{sql:select count(*) from fails where username='%{User-Name}' and now()-failtime < '1 hour'}" } if (control:Tmp-Integer-0 > 10) { update reply { Reply-Message := "10+ auth fails per hour" } reject } ... } post-auth { Post-Auth-Type Reject { update control { Tmp-String-0 := "%{sql:insert into fails (username,time) values ('%{User-Name}', now())}" } } } Customise as appropriate for your SQL schema / site config.