delayed Access Reject response
Using freeradius-1.1.7 on Linux Fedora 7. Authentication backend is "unix". Clients so far are Cisco and pam_radius_auth If authentication is correct, the reply from server is sent back to the client quick enough. If the password is incorrect, the Access Reject reply is delayed until the user enters the password the second time. It's like the server waits for the next auth attempt to send back the Reject. What could be the cause? -- Florin Andrei http://florin.myip.org/
On 10/30/07, Florin Andrei <florin@andrei.myip.org> wrote:
Using freeradius-1.1.7 on Linux Fedora 7. Authentication backend is "unix". Clients so far are Cisco and pam_radius_auth
If authentication is correct, the reply from server is sent back to the client quick enough.
If the password is incorrect, the Access Reject reply is delayed until the user enters the password the second time. It's like the server waits for the next auth attempt to send back the Reject.
What could be the cause?
Look at "reject_delay" in radiusd.conf. May be that will answer your question. BR, Khalid
manIP wrote:
On 10/30/07, *Florin Andrei* <florin@andrei.myip.org <mailto:florin@andrei.myip.org>> wrote:
If the password is incorrect, the Access Reject reply is delayed until the user enters the password the second time. It's like the server waits for the next auth attempt to send back the Reject.
Look at "reject_delay" in radiusd.conf. May be that will answer your question.
It was set to 1, but the actual delay is clearly bigger than that. In fact, it doesn't seem to be constant, it seems to wait until a new request was sent, and then it unleashes the reject. I set reject_delay to 0 and now there's no delay, but I'm not sure I like it that way, due to possible brute-force attacks. -- Florin Andrei http://florin.myip.org/
Hi,
It was set to 1, but the actual delay is clearly bigger than that. In fact, it doesn't seem to be constant, it seems to wait until a new request was sent, and then it unleashes the reject.
I set reject_delay to 0 and now there's no delay, but I'm not sure I like it that way, due to possible brute-force attacks.
correct. that is why reject_delay exists. and yes, a value of 1 wont directly map to a count of 1 as there is also the cleanup_delay which occurs. alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Florin Andrei -
manIP