Incremental Reject delay
Herwin Weststrate
herwin at quarantainenet.nl
Wed Nov 4 12:53:44 CET 2015
On 04-11-15 12:46, Krzysztof Grobelak wrote:
> Hello List,
>
> Apologies if this was asked here before.
>
> I would like to configure FreeRADIUS to send Access-Reject with values that increment with each failed attempt.
>
> I noticed in the mailing list some discussion about a "FreeRADIUS-Response-Delay-Usec". Is there an attribute that would allow for a full-second delay?
>
> Something like "FreeRADIUS-Response-Delay" maybe?
>
> I could then query the database for the last delay and increment it accordingly
> like such:
>
> update reply {
>     Tmp-String-0 := "%{sql:SELECT delay+delay FROM failed_login_delay WHERE username='%{User-Name}'}"
>     FreeRADIUS-Response-Delay := &Tmp-String-0
> }
>
> I hope this does make sense...
>
> Obviously I'm aware of the reject_delay setting in radiusd.conf but I would like to be able to increment the delay dynamically.
> Or is there some other obvious way to do this?
Your gut feeling was pretty correct: since 3.0.10 you can use
FreeRADIUS-Response-Delay and FreeRADIUS-Response-Delay-USec to override
the default delay from radiusd.conf. Keep in mind that there is a
maximum of 10 seconds; larger values will be set to 10.
--
Herwin Weststrate
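
Added example, not part of the original messages and not FreeRADIUS code: a sketch of the per-user bookkeeping behind the failed_login_delay table from the question, doubling the stored delay on each reject and clamping it to the 10-second maximum mentioned in the reply. SQLite stands in for the real database; the functions open_db, record_failure and record_success and the BASE_DELAY seed are assumptions made for this example.

```python
import sqlite3

MAX_DELAY = 10  # maximum stated in the reply: larger values are set to 10
BASE_DELAY = 1  # assumed seed; doubling a stored 0 would stay 0 forever


def open_db():
    """In-memory SQLite stand-in for the database queried via %{sql:...}."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE failed_login_delay ("
        "username TEXT PRIMARY KEY, delay INTEGER NOT NULL)"
    )
    return db


def record_failure(db, username):
    """Double the user's delay (capped) and return the reply attribute to set."""
    cur = db.execute(
        "UPDATE failed_login_delay SET delay = MIN(delay * 2, ?) "
        "WHERE username = ?",
        (MAX_DELAY, username),
    )
    if cur.rowcount == 0:
        # First failure for this user: start from the seed value.
        db.execute(
            "INSERT INTO failed_login_delay (username, delay) VALUES (?, ?)",
            (username, BASE_DELAY),
        )
    (delay,) = db.execute(
        "SELECT delay FROM failed_login_delay WHERE username = ?", (username,)
    ).fetchone()
    return {"FreeRADIUS-Response-Delay": delay}


def record_success(db, username):
    """Forget the penalty once the user authenticates successfully."""
    db.execute("DELETE FROM failed_login_delay WHERE username = ?", (username,))


if __name__ == "__main__":
    db = open_db()
    for attempt in range(1, 7):  # constructed sequence of failed logins
        print(attempt, record_failure(db, "alice"))
```

Values are bound as query parameters here; in the server the sql module escapes %{User-Name} before it reaches the query.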