Lockout by IP number?

Thu Sep 28 02:23:01 UTC 2023

On Sep 27, 2023, at 8:06 PM, Ann Cantelow <cantelow at csd.net> wrote:
> I am looking to implement a lockout for excessive login tries. I have been following advice offered at https://wiki.freeradius.org/guide/lockout , and thank you very much for that. Is there a variable like '%{User-Name}' for IP number?

  Run the server in debug mode, and you'll see what attributes are available.  If something isn't in the debug output, you can't write policies based on it.

  Using the correct terminology helps, too.  There aren't "variables" in the server.  There are attributes which come in RADIUS packets.  So the problem isn't finding the magic "variable" which does what you want.  The problem is running the server in debug mode to see what it gets.

> I would like to do a lockout based on IP number as well as User-Name. I see the IP is listed in the radius log, but I haven't been able to find an attribute that I figure will give this information. I've looked in the dictionary files, but maybe I've somehow missed it.

  Or, read the debug output?

  There are ~10K attributes in the dictionaries.  There are ~20 attributes in a packet.  Which one is easier to read?

> My radius version is 2.1.12 on RHEL6, and client nastype is cisco. Radius upgrade to version 3 is planned.

  v2 was marked end of life close to a decade ago.  While it's a vote of confidence to see that v2 works fine for a decade, I suggest it's time to upgrade.

> Radius log example lines showing ip numbers:

  Debug output.   Really.  Anything else is just wasting your time.

  Alan DeKok.