On 18 Aug 2017, at 18:24, Alan DeKok <aland@deployingradius.com> wrote:
On Aug 18, 2017, at 12:07 PM, Burn Zero <burnzerog@gmail.com> wrote:
We have setup Freeradius latest version to help users authenticate, authorize to 802.x WIFI. While analyzing logs, we found that certain user names ( with random alphabets ) that are trying to authenticate every certain minutes. Those are just invalid usernames some people have configured in their phone/tablet/system. They won't even get authentication success since those are anyways invalid usernames.
Yes, people try that...
What I am trying to achieve is to prevent these usernames from hitting Freeradius servers ( do username, group check in Active Directory) so that when those invalid usernames comes to Freeradius it would be filtered and no longer go inside tunnels and then for username check in Active directory.
Are those usernames visible in the initial Access-Request?
If so, you can do the following:
- add a cache (e.g. rlm_redis) for rejected users
The redis cache driver is only available in v4.0.x, but you can do caching manually with the redis xlat in v3.0.x, or just use rlm_cache with the memcached driver in v3.0.x. -Arran