Incremental Reject delay

Herwin Weststrate herwin at
Wed Nov 4 12:53:44 CET 2015

On 04-11-15 12:46, Krzysztof Grobelak wrote:
> Hello List,
> Apologies if this was asked here before.
> I would like to configure freeRadius to send Access-Reject with values that increment with each failed attempt.
> I noticed in the mailing list some discussion about  an "FreeRADIUS-Response-Delay-Usec" is there an attribute that would allow for full seconds delay?
> Something like "FreeRADIUS-Response-Delay" maybe?
> I could then query the database for the last delay and increment it accordingly
> like such:
> update reply {
>     Tmp-String-0 := "%{sql:SELECT delay+delay FROM failed_login_delay WHERE username=&User-Name}"
>      FreeRADIUS-Response-Delay := &Tmp-String-0
> }
> I hope this does makes sense...
> Obviously i'm aware of the reject_delay setting in radiusd.conf but I would like to be able to increment the delay dynamically.
> Or is there some other obvious way to do this?

Your gut feeling was pretty correct, since 3.0.10 you can use
FreeRADIUS-Response-Delay and FreeRADIUS-Response-Delay-USec to override
the default delay from radiusd.conf. Keep in mind that there is a
maximum of 10 seconds, larger values will be set to 10.

Herwin Weststrate

More information about the Freeradius-Users mailing list