hi there
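Here is my version of a user lockout via MySQL for FreeRADIUS: failed logins are recorded in a table, and a username with more than 5 recorded failures in the last 15 minutes is rejected.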
Create a table like:
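-- Failed-authentication log for the lockout policy: one row per rejected request.
-- The policy counts rows per username over the last 15 minutes and purges rows
-- older than 30 minutes, so both lookups are indexed here. Without the indexes
-- every authentication request scans the whole table, and the table grows
-- fastest exactly when the server is being hit with bad logins.
-- Note: IF NOT EXISTS leaves an already-created table untouched; add the two
-- keys to an existing table with ALTER TABLE ... ADD KEY instead.
CREATE TABLE IF NOT EXISTS `failed` (
    `stationid` text NOT NULL,  -- Calling-Station-Id of the rejected request
    `nasip`     text NOT NULL,  -- NAS-IP-Address the request arrived through
    `username`  text NOT NULL,  -- User-Name as sent in the request
    -- The policy only INSERTs and DELETEs rows, so ON UPDATE does not fire there;
    -- any other writer that UPDATEs a row would reset its failure time.
    `authdate`  timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    -- text columns can only be indexed with a prefix length; 64 characters is
    -- enough to narrow the per-username count, the full value is still compared.
    KEY `failed_username_authdate_idx` (`username`(64), `authdate`),
    -- Serves the age-based purge (DELETE ... WHERE authdate <= ...).
    KEY `failed_authdate_idx` (`authdate`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;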
vi /etc/freeradius/policy.conf
# lockout_check: reject a request when the username already has too many
# recent failures recorded in the `failed` table.
#
# The count covers rows for this User-Name whose authdate falls within the
# last 15 minutes; the request is rejected when the count is greater than 5,
# i.e. once six or more failures are on record.
#
# NOTE(review): the check is keyed on username only. stationid and nasip are
# stored but not used here, so failures from any client count against the
# account and can keep a legitimate user locked out. Consider scoping the
# check, or alerting on the stored stationid/nasip values.
#
# NOTE(review): attribute values are expanded into the SQL text. This relies
# on the sql module escaping expanded attributes (its safe_characters
# setting) -- confirm that is in effect for the instance named "sql".
lockout_check {
    update control {
        # Number of failures recorded for this user in the last 15 minutes.
        Tmp-Integer-0 := "%{sql:SELECT COUNT(*) FROM failed where username='%{User-Name}' AND authdate>=DATE_SUB(NOW(), INTERVAL 15 MINUTE)}"
    }
    if (control:Tmp-Integer-0 > 5) {
        reject
    }
}

# lockout_incr: record one failed attempt and purge old rows.
#
# The two expansions are run for their side effects; their results are
# stored in Tmp-Integer-0 / Tmp-Integer-1 and are not read again in this
# policy (presumably the affected-row counts -- confirm).
lockout_incr {
    update control {
        # Log who failed, from which station, through which NAS.
        Tmp-Integer-0 := "%{sql:INSERT INTO failed (stationid,nasip,username,authdate) VALUES ('%{Calling-Station-Id}','%{NAS-IP-Address}','%{User-Name}', NOW())}"
        # Housekeeping: drop rows older than 30 minutes. This only runs when
        # a failure is recorded, so the table is trimmed on the next failure.
        Tmp-Integer-1 := "%{sql:DELETE FROM failed WHERE authdate<=DATE_SUB(NOW(), INTERVAL 30 MINUTE)}"
    }
}
vi /etc/freeradius/sites-enabled/default
authorize {
    # Run the lockout check (policy.conf) first in this snippet, so a
    # locked-out username is rejected before the remaining authorize
    # entries are processed.
    lockout_check
    # "....." stands for the rest of the existing authorize section.
    .....
}
post-auth {
    # Record every rejected request in the `failed` table.
    # NOTE(review): a reject issued by lockout_check is expected to reach
    # this section as well, so attempts made while locked out (even with the
    # correct password) would add rows and extend the lockout -- confirm
    # this rolling behaviour is intended.
    Post-Auth-Type REJECT {
        lockout_incr
    }
    # "....." stands for the rest of the existing post-auth section.
    .....
}
Have fun!