On 01/08/2014 07:38 PM, Heinz, Dave wrote: > Security team for my company would like us to be able to lock an account > (tacacs in this case) in the event the user fails X times in Y minutes. > > We use Yubikey for 2-factor authentication with the Radiator TACACS server. > > Is there a way for it to flag an account and “disable” the account > meeting the failed criteria? Would this have to be a “feature” request > for the next version?
Currently the Yubikey SQL DB holds information that is only directly related to Yubikey use. Any logic to lock the account would need to be implemented separately e.g., by a PostAuthHook or a specific module that does locking policy. If implemented by a hook, the information could go into the current Yubikey table. Required number of columns could be added to the table to hold the bad login count, timestamps and any other information the implementation needs. The hook then updates and maintains this information based on the AuthBy result and current time. However, this may not be enough depeding on the requirements. More about this later. A more generic approach could be to create a module that implements locking. It could be then used with the other AuthBys too, for example AuthBy FILE when stacked with a suitable AuthByPolicy. If you want to implement this yourself, I'd ask for a clear specification how the locking needs to be done. For example: Does your security team require that the account stays locked or should the lock be automatically cleared after a certain time has passed? Would a successful login clear failed attempts or is it strict, e.g., 5 bad logins within last 10 minutes no matter if there were good logins too. Also, if the bad logins continue during the lock down period, are they counted too? If this should be Radiator feature, we would most likely make it a generic SQL based module. Any comments related to this would be appreciated. Thanks, Heikki -- Heikki Vatiainen <h...@open.com.au> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. _______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator