Avoid locked Active Directory Account when using PAP/krb5 against active directory
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jul 27 17:58:34 CEST 2012
On 27/07/12 16:22, Thomas Glanzmann wrote:
> Hello,
> I have a Citrix Netscaler which authenticates users against Active
> Directory with PAP: first against Active Directory using krb5, and second
> against smsotp using a PAP Access-Challenge. If someone knows a username,
> he can type in the right username with the wrong password multiple times
> and so lock the account in Active Directory. Now I'm looking for
> solutions to avoid that.
>
> Is there a FreeRADIUS module which accounts the login failures of
> another FreeRADIUS module (krb5) within a given time range and stops
> prompting the underlying FreeRADIUS module (krb5) if a user has
> authenticated itself for example 3 times within one hour? If not,
> whatever practical solutions do you have in mind?
I don't think there is a built-in module. However, you could emulate
this with SQL and post-auth / authorize queries. For example:
authorize {
    # Count this user's failures in the last hour before krb5 ever sees the
    # password; column name "failtime" must match the insert in post-auth.
    update control {
        Tmp-Integer-0 = "%{sql:select count(*) from fails where username='%{User-Name}' and now()-failtime < '1 hour'}"
    }
    if (control:Tmp-Integer-0 > 10) {
        update reply {
            Reply-Message := "10+ auth fails per hour"
        }
        reject
    }
    ...
}
post-auth {
    # Runs only when the request was rejected: record one failure.
    Post-Auth-Type Reject {
        update control {
            Tmp-String-0 := "%{sql:insert into fails (username,failtime) values ('%{User-Name}', now())}"
        }
    }
}
Customise as appropriate for your SQL schema / site config.
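To see what the authorize / post-auth pair above actually does over a sequence of attempts, here is an added example that models the two queries in Python against an in-memory SQLite table. It is not FreeRADIUS code and not part of Phil's reply: the `fails` table schema, the `failtime` column name, the SQLite date handling (the post's `now()-failtime < '1 hour'` is written for MySQL/PostgreSQL) and the `simulate` driver are all assumptions made here. The threshold is the reply's `> 10`, so the eleventh failure in an hour is still passed to krb5 and the twelfth attempt is stopped before it.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed schema for the "fails" table the thread's queries refer to
# (constructed for this example; the post does not give one).
SCHEMA = """
CREATE TABLE IF NOT EXISTS fails (
    username TEXT NOT NULL,
    failtime TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS fails_user_time ON fails (username, failtime);
"""

WINDOW = timedelta(hours=1)
THRESHOLD = 10  # the reply rejects when count > 10


def open_db():
    """Fresh in-memory database with the assumed schema applied."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def recent_failures(conn, username, now):
    """The authorize-time query: failures for this user within the last hour.
    ISO-8601 timestamps compare correctly as strings, so no date math in SQL."""
    since = (now - WINDOW).isoformat()
    row = conn.execute(
        "SELECT COUNT(*) FROM fails WHERE username = ? AND failtime >= ?",
        (username, since),
    ).fetchone()
    return row[0]


def record_failure(conn, username, now):
    """The Post-Auth-Type Reject query: log one failed attempt."""
    conn.execute(
        "INSERT INTO fails (username, failtime) VALUES (?, ?)",
        (username, now.isoformat()),
    )


def authorize(conn, username, now):
    """True if the request may go on to krb5, False if the throttle rejects it
    (equivalent to the reply's `if (control:Tmp-Integer-0 > 10) { reject }`)."""
    return recent_failures(conn, username, now) <= THRESHOLD


def simulate(conn, username, attempts, start):
    """Drive the flow: attempts is a list of (offset_seconds, password_ok).
    Returns one outcome per attempt: 'throttled' (rejected before krb5, so the
    AD bad-password counter is untouched), 'reject' (krb5 saw a wrong password,
    failure recorded) or 'accept'."""
    outcomes = []
    for offset, ok in attempts:
        now = start + timedelta(seconds=offset)
        if not authorize(conn, username, now):
            outcomes.append("throttled")
        elif ok:
            outcomes.append("accept")
        else:
            record_failure(conn, username, now)
            outcomes.append("reject")
    return outcomes


if __name__ == "__main__":
    # Constructed scenario: 12 wrong passwords in quick succession, then a
    # wrong and a right one just over an hour later.
    db = open_db()
    t0 = datetime(2012, 7, 27, 16, 22)
    plan = [(i, False) for i in range(12)] + [(3700, False), (3701, True)]
    for offset, result in zip([p[0] for p in plan], simulate(db, "alice", plan, t0)):
        print(f"t+{offset:4d}s  {result}")
```

Two things the simulation makes visible. First, the throttle moves the denial from Active Directory to RADIUS: once the threshold is hit the legitimate user is also rejected until enough failures age out of the window, so the 10-per-hour value should sit comfortably below the AD lockout threshold but high enough for ordinary typos. Second, a successful login does not clear the counter; if that is wanted, a matching delete in the normal post-auth path is needed, which the original snippet does not include.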