Change FreeRADIUS Default Port Number
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Jan 23 15:33:46 CET 2015
> On 23 Jan 2015, at 21:20, Winfield, Alister <Alister.Winfield at bskyb.com> wrote:
>
> Real life suggests 100:1 bad login to good login attempts. Mostly because
> the bad cases just try again and again and again and vendors haven't heard
> of backing off on failure.
>
> If it's normal and not actively malicious clients, try caching the rejects
> for a short period to avoid bothering to go through the full logic on
> every request.
Yes, the best solution for that is probably a holding pen, that's the strategy
other ISPs have adopted to prevent spurious re-authentication attempts.
Just send back a different set of tunnel end-points and reduce the Session-Timeout.
Works rather well for throttling re-authentication attempts. That or you build a
system that can handle the load, which is actually fairly easy with modern
hardware and an LDAP or REDIS backend.
Other options are using the caching module to send back a canned reject for n
minutes.
-Arran
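
The "canned reject for n minutes" idea from the thread, as an added Python example (not FreeRADIUS code or configuration, and not from either poster). The class name, the choice of cache key (user, calling station and a keyed digest of a PAP password), and the simulated traffic are assumptions made for illustration.

```python
import hashlib, hmac, os, time

class RejectCache:
    """Negative cache: replay a recent reject instead of re-running the full auth logic."""
    def __init__(self, ttl=300.0, max_entries=100_000, clock=time.monotonic):
        self.ttl, self.max_entries, self.clock = ttl, max_entries, clock
        self._secret = os.urandom(32)  # per-process key, so cached digests are useless elsewhere
        self._expiry = {}              # digest -> expiry time, kept in insertion order

    def _key(self, user, station, password):
        # Keying on the credential too means a corrected password is never
        # blocked by the cache, and one client cannot lock out another.
        msg = "\x00".join((user, station, password)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def check(self, user, station, password, backend):
        """Return (accepted, backend_was_called)."""
        key, now = self._key(user, station, password), self.clock()
        expiry = self._expiry.get(key)
        if expiry is not None:
            if now < expiry:
                return False, False    # canned reject, backend untouched
            del self._expiry[key]      # entry expired: fall through to the full logic
        if backend(user, password):
            return True, True
        if len(self._expiry) >= self.max_entries:
            del self._expiry[next(iter(self._expiry))]  # bound memory: evict oldest entry
        self._expiry[key] = now + self.ttl  # fixed window, not extended by retries
        return False, True

def simulate(retries=100, ttl=300.0, interval=10.0):
    """Constructed traffic: one client retries a stale password, then sends the right one."""
    now, calls = [0.0], []
    def backend(user, password):       # stand-in for the LDAP/Redis lookup
        calls.append(user)
        return password == "correct-horse"  # constructed credential
    cache = RejectCache(ttl=ttl, clock=lambda: now[0])
    for _ in range(retries):
        cache.check("cpe-0042", "00:11:22:33:44:55", "stale-password", backend)
        now[0] += interval
    accepted, _ = cache.check("cpe-0042", "00:11:22:33:44:55", "correct-horse", backend)
    return len(calls), accepted

if __name__ == "__main__":
    print(simulate())
```

With a 300 second window and a retry every 10 seconds, 100 bad attempts reach the backend only 4 times, and the corrected password is evaluated immediately.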