How to block certain usernames hitting Freeradius server
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Aug 18 12:33:23 CEST 2017
> On 18 Aug 2017, at 18:24, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Aug 18, 2017, at 12:07 PM, Burn Zero <burnzerog at gmail.com> wrote:
>> We have set up Freeradius latest version to help users authenticate,
>> authorize to 802.x WIFI. While analyzing logs, we found that certain
>> user names (with random alphabets) that are trying to authenticate
>> every certain minutes. Those are just invalid usernames some people
>> have configured in their phone/tablet/system. They won't even get
>> authentication success since those are anyways invalid usernames.
>
> Yes, people try that...
>
>> What I am trying to achieve is to prevent these usernames from hitting
>> Freeradius servers (do username, group check in Active Directory) so
>> that when those invalid usernames come to Freeradius it would be
>> filtered and no longer go inside tunnels and then for username check
>> in Active Directory.
>
> Are those usernames visible in the initial Access-Request?
>
> If so, you can do the following:
>
> - add a cache (e.g. rlm_redis) for rejected users
The redis cache driver is only available in v4.0.x, but you can do caching manually with the redis xlat in v3.0.x, or just use rlm_cache with the memcached driver in v3.0.x.
-Arran
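
The rlm_cache with memcached approach mentioned above could be wired up roughly as follows on v3.0.x. This is an added example, not configuration posted in the thread or shipped by the project; the instance name `reject_cache`, the 10-minute TTL and the memcached address are assumptions.

```unlang
# Added example for FreeRADIUS v3.0.x: remember rejected User-Names in
# memcached and refuse them early. Names, TTL and server are assumptions.

# --- mods-available/reject_cache (symlink into mods-enabled/) ---
cache reject_cache {
	driver = "rlm_cache_memcached"
	memcached {
		options = "--SERVER=localhost"
	}
	# One entry per User-Name seen in the initial Access-Request.
	key = "%{User-Name}"
	ttl = 600
	add_stats = no
	# Stored with the entry; only the entry's existence is used below.
	update {
		&control:Tmp-String-0 := "rejected"
	}
}

# --- sites-available/default ---
authorize {
	# Lookup only: returns "ok" if the name is cached, "notfound" if not.
	update control {
		&Cache-Status-Only := 'yes'
	}
	reject_cache
	if (ok) {
		# Recently rejected: stop before EAP, the tunnel and the AD check.
		reject
	}
	# ... rest of the existing authorize section (filter_username, eap, ...)
}

post-auth {
	Post-Auth-Type REJECT {
		# Make sure this call inserts an entry rather than only checking.
		update control {
			&Cache-Status-Only := 'no'
		}
		# Remember the rejected name for "ttl" seconds.
		reject_cache
		# ... existing reject handling (attr_filter.access_reject, ...)
	}
}
```

This only helps when the unwanted name is the outer User-Name, which is the question asked in the quoted reply. If clients share an anonymous outer identity, keying on it would reject every client that uses it, and any cached name stays blocked until the TTL expires even if the account is later created.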