Avoid locked Active Directory Account when using PAP/krb5 against active directory
Hello, I have Citrix Netscaler which authenticates user against active directory with PAP. First against Active Directory using krb5 and second against smsotp using a PAP Access challenge. If someone knows a username he can type in multiple times the right username with the wrong password and can so lock the account in active directory. Now I'm looking for solutions to avoid that. Is there a FreeRadius Module which accounts the login failures of another FreeRadius Module (krb5) within a given time range and stops prompting the underlying FreeRadius Module (krb5) if a user has authenticated itself for example 3 times within one hour, if not whatever practical solutions do you have in mind? Cheers, Thomas
On 27/07/12 16:22, Thomas Glanzmann wrote:
Hello, I have Citrix Netscaler which authenticates user against active directory with PAP. First against Active Directory using krb5 and second against smsotp using a PAP Access challenge. If someone knows a username he can type in multiple times the right username with the wrong password and can so lock the account in active directory. Now I'm looking for solutions to avoid that.
Is there a FreeRadius Module which accounts the login failures of another FreeRadius Module (krb5) within a given time range and stops prompting the underlying FreeRadius Module (krb5) if a user has authenticated itself for example 3 times within one hour, if not whatever practical solutions do you have in mind?
I don't think there is a built-in module. However, you could emulate this with SQL and post-auth / authorize queries. For example: authorize { update control { Tmp-Integer-0 = "%{sql:select count(*) from fails where username='%{User-Name}' and now()-failtime < '1 hour'}" } if (control:Tmp-Integer-0 > 10) { update reply { Reply-Message := "10+ auth fails per hour" } reject } ... } post-auth { Post-Auth-Type Reject { update control { Tmp-String-0 := "%{sql:insert into fails (username,time) values ('%{User-Name}', now())}" } } } Customise as appropriate for your SQL schema / site config.
Hello everyone, today I wrote a new version of sms otp in perl utilizing rlm_perl. If I would have realized earlier how powerful rlm_perl is I would have gone with that solution in the first place. You can find the code here: http://thomas.glanzmann.de/smsotpd.2012-07-28.tar.bz2 This code allows to do active directory authentication followed by sms one time password authentication using pap access challenge without using rlm_smsotpd or another daemon. It also has the ability to block calls to kerberos if a user has mistyped his or her password three times. Cheers, Thomas
participants (2)
-
Phil Mayers -
Thomas Glanzmann