Incremental Reject delay

Krzysztof Grobelak kgrobelak at airspeed.ie
Wed Nov 4 14:59:21 CET 2015


On 04/11/15 13:37, Alan DeKok wrote:
> On Nov 4, 2015, at 7:48 AM, Krzysztof Grobelak <kgrobelak at airspeed.ie> wrote:
>>> the default delay from radiusd.conf. Keep in mind that there is a
>>> maximum of 10 seconds, larger values will be set to 10.
>>>
>> Is this value hard-coded, do you know, or is there another factor limiting it?
>> If it's hard-coded I can probably modify it myself in the code before building.
>   It's hard-coded.  And it's there for a reason.  Changing it is likely to cause other problems.
>
>   We don't just put things in the server at random.  They exist for a reason.  And the reason is best summarized as 20+ years of experience with RADIUS.
>
>   Alan DeKok.
>
Hello Alan,

Of course I don't want to argue with experience, especially 20+ times more experience than I have :)
That's why I asked.

So then, instead of delaying the reject, would it maybe be a more optimal solution to simply blacklist the user for a certain amount of time?
Create a database entry for the user after the first failed attempt and then after 3 failed attempts blacklist for a period of time.
The setup would not be much more complex than the one for incremental reject delay and it would save me the need to upgrade.
I'm on version 3.0.7 right now.

Does this sound reasonable?

Thanks for the help!

Regards,
Krzysztof





Airspeed Telecom
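
The blacklist logic proposed in the message above, as an added sketch that is not part of the original post and is not FreeRADIUS configuration or code. The table name, function names and the 600-second lockout are assumptions; the message only specifies a database entry on the first failure and a blacklist after 3 failed attempts.

```python
import sqlite3

MAX_FAILURES = 3       # from the message: blacklist after 3 failed attempts
LOCKOUT_SECONDS = 600  # assumed; the message only says "a period of time"

def open_store(path=":memory:"):
    """Create the (hypothetical) per-user failure table."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS auth_failures (
                      username     TEXT PRIMARY KEY,
                      failures     INTEGER NOT NULL DEFAULT 0,
                      locked_until REAL    NOT NULL DEFAULT 0)""")
    return db

def is_blacklisted(db, username, now):
    row = db.execute("SELECT locked_until FROM auth_failures WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and now < row[0]

def record_result(db, username, accepted, now):
    """Update the counter after a credential check; True if the user is now locked."""
    if accepted:
        # A successful login clears the user's entry.
        db.execute("DELETE FROM auth_failures WHERE username = ?", (username,))
        db.commit()
        return False
    # The entry is created on the first failed attempt, then incremented.
    db.execute("INSERT OR IGNORE INTO auth_failures (username) VALUES (?)", (username,))
    db.execute("UPDATE auth_failures SET failures = failures + 1 WHERE username = ?",
               (username,))
    failures = db.execute("SELECT failures FROM auth_failures WHERE username = ?",
                          (username,)).fetchone()[0]
    locked = failures >= MAX_FAILURES
    if locked:
        # Start the lockout and reset the counter so counting restarts after expiry.
        db.execute("UPDATE auth_failures SET failures = 0, locked_until = ? "
                   "WHERE username = ?", (now + LOCKOUT_SECONDS, username))
    db.commit()
    return locked

def handle_request(db, username, password_ok, now):
    """password_ok stands in for the real credential check."""
    if is_blacklisted(db, username, now):
        # Reject without evaluating credentials while the lockout is active.
        return "reject (blacklisted)"
    record_result(db, username, password_ok, now)
    return "accept" if password_ok else "reject"
```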

