addition to policy.conf

alan buxey A.L.M.Buxey at
Tue Jun 5 10:39:23 CEST 2012


> If I wanted to do a DoS attack, I would simply submit valid-looking (but
> non-existent) realms, or indeed invalid usernames at valid realms, which
> would force the proxying all the way through to the end server for that
> realm.

well, HOPEFULLY you wouldnt be able to do that as any sane site will have a maximum
number of EAP attempts within a threshold time after which your requests are blocked
locally by the NAS - I believe that Cisco, for example, has 3 attempts and you're
blocked for 60s by default.

from looking at logs, however, a LOT of sites dont have such mitigation turned on
and we see continous attempts with a duff username - even though we send REJECT back
(duff clients or NAS - however, with mitigation on the NAS these requests arent
a problem)

the biggest problem comes from remote RADIUS servers that dont respond.......

> In that case though, I would be inclined to write a validation regexp which
> fully matches the ABNF in RFC 2486.

as said..and Stefan points out - this isnt as useful as then sites/systems that are
okay with, e.g. underscores or some 'illegal character' couldnt just comment that bit out.

after all, this is an OPTION. its there for people to use IF THEY WANT, noones
forcing you to use it - just like all the other options in the policy.conf
would just be very very useful to have there by default  :-)


More information about the Freeradius-Devel mailing list