Avoid locked Active Directory Account when using PAP/krb5 against active directory

Thomas Glanzmann thomas at glanzmann.de
Fri Jul 27 17:22:24 CEST 2012

I have a Citrix Netscaler which authenticates users against Active
Directory with PAP. First against Active Directory using krb5 and second
against smsotp using a PAP Access challenge. If someone knows a username,
he can enter the right username with the wrong password multiple times
and so lock the account in Active Directory. Now I'm looking for
solutions to avoid that.

Is there a FreeRadius module which counts the login failures of
another FreeRadius module (krb5) within a given time range and stops
prompting the underlying FreeRadius module (krb5) if a user has
authenticated itself for example 3 times within one hour? If not,
what practical solutions do you have in mind?
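The mechanism asked about above, sketched as an added example that is not part of the original post and is not a FreeRADIUS module: a per-user sliding-window counter that stops forwarding attempts to the backend once the limit is reached, so the directory never sees enough bad passwords to lock the account. `FailureGate`, `backend` and `demo` are hypothetical names, and the sketch assumes the limit is set below the directory's own lockout threshold.

```python
import time
from collections import defaultdict, deque


class FailureGate:
    """Stop forwarding attempts to the backend after too many recent failures."""

    def __init__(self, max_failures=3, window=3600, clock=time.monotonic):
        self.max_failures = max_failures      # e.g. 3 failures ...
        self.window = window                  # ... within one hour (seconds)
        self.clock = clock                    # injectable for testing
        self._failures = defaultdict(deque)   # username -> failure timestamps

    def _recent(self, user):
        # Drop failures that have aged out of the window.
        q = self._failures[user]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def authenticate(self, user, password, backend):
        user = user.lower()                   # treat usernames case-insensitively
        q = self._recent(user)
        if len(q) >= self.max_failures:
            return "throttled"                # backend is NOT contacted
        if backend(user, password):
            self._failures.pop(user, None)    # success clears the history
            return "accept"
        q.append(self.clock())
        return "reject"


def demo():
    now = [0.0]                               # constructed fake clock
    calls = []

    def backend(user, password):              # constructed stand-in for krb5
        calls.append(user)
        return password == "correct"

    gate = FailureGate(clock=lambda: now[0])
    results = [gate.authenticate("Alice", "wrong", backend) for _ in range(5)]
    now[0] = 3601                             # window has expired
    results.append(gate.authenticate("alice", "correct", backend))
    return results, len(calls)


if __name__ == "__main__":
    print(demo())
```

While the gate is closed the legitimate user is also refused at this entry point, but the directory account itself stays unlocked for everything else that uses it.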


