Trigger EDIR-Intruder Lockout in FR3

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Sep 8 11:48:44 CEST 2015


> On 8 Sep 2015, at 04:09, Anja Ruckdaeschel <Anja.Ruckdaeschel at rz.uni-regensburg.de> wrote:
> 
> Hi there,
> 
> I wonder what is the designated way in FR 3.0.9 to trigger an eDirectory-Intruder Lockout
> with edir_autz=yes in addition?
> 
> I want to use
> a, universal password retrieval
> b, grace login consumption, account expire check, password expire check, login time restrictions check, attribute checks, etc.
> c, intruder lockout trigger (I do a named ldap bind with the login-user with a password which is bad, if mschap rejects)

I guess something like this:

post-auth {
	Post-Auth-Type REJECT {
		update request {
			User-Password := 'junk'
		}
		ldap.authorize
	}
}

> 
> in one radius config for PEAP/MSCHAPv2 with eDIR.
> 
> So far, I only manage to get a and b OR a and c running.
> 
> Perhaps you can give me a hint?
> 
> Thank you for your time.
> 
> Ciao Anja

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
