

lockout.ini File

The lockout.ini configuration file enables and configures account lockout settings. Account lockout lets you disable an account after a configurable number of failed login attempts within a configurable period. For example, if a user enters an incorrect password three times within two minutes, Steel-Belted Radius Carrier can lock out the user's account temporarily. During the lockout period, the user cannot log in, even with the correct password. Attempts to authenticate against a locked-out account cause Steel-Belted Radius Carrier to respond with an Access-Reject message immediately.

The lockout.ini file contains one configuration section called [Settings] (Table 44), which has settings similar to the following:

[Settings]
Enable = 0
Rejects = 3
Within = 120
Lockout = 600

Table 44: lockout.ini [Settings] Syntax

Parameter   Function

Enable      • If set to 0, lockout is disabled.
            • If set to 1, lockout is enabled.
            Default value is 0.

Lockout     Specifies the lockout period in seconds.
            Default value is 600 seconds (10 minutes).

Rejects     Specifies the number of rejected attempts prior to lockout.
            Default value is 3.

Within      Specifies the period in seconds during which the specified number of rejects causes a lockout.
            Default value is 120 seconds (two minutes).


[ClientExclusionList] Section

You can add a ClientExclusionList section to the lockout.ini file. Use this section to list clients that are exempt from the lockout functionality. Enter one client name per line. For example:

[ClientExclusionList]
exampleclient1
exampleclient2

[UserExclusionList] Section

You can add a UserExclusionList section to the lockout.ini file. Use this section to prevent certain reserved user names, such as anonymous, from being locked out. Enter one user name per line. For example:

[UserExclusionList]
anonymous


NOTE: If you enable the lockout facility in Steel-Belted Radius Carrier and you use a tunneled authentication method (TTLS or PEAP) with a prefetch-capable method (native user, SQL, or LDAP) and an enabled EAP protocol (MS-CHAP v2, MD5-Challenge, LEAP, TLS), then you must enable Handle via Auto-EAP First in that prefetch-capable method to prevent the outer username (anonymous) from being added to the lockout list.

Otherwise, when Steel-Belted Radius Carrier receives an authentication request that uses an unconfigured EAP method, Steel-Belted Radius Carrier rejects the user (because the EAP method is not configured) and adds the outer username (anonymous) to its lockout list. This results in all users with an outer authentication name of anonymous being rejected until the lockout period expires.
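The following is an added example, not code from Steel-Belted Radius Carrier or its documentation. It parses a constructed lockout.ini with the [Settings], [ClientExclusionList] and [UserExclusionList] sections described above and replays a constructed attempt log through a sliding-window model of the policy: Rejects failures within Within seconds lock the user for Lockout seconds, a locked user is rejected immediately even with the correct password, and excluded clients and users (including the anonymous outer identity from the note) are never locked. The `parse_lockout_ini` and `LockoutTracker` names, the per-user bookkeeping, and the inclusive window boundary are assumptions made for the illustration; the product's internal implementation is not described on this page.

```python
import configparser
from collections import defaultdict, deque

# Constructed sample configuration using the documented section and parameter names.
SAMPLE_LOCKOUT_INI = """\
[Settings]
Enable = 1
Rejects = 3
Within = 120
Lockout = 600

[ClientExclusionList]
exampleclient1

[UserExclusionList]
anonymous
"""


def parse_lockout_ini(text):
    """Parse lockout.ini text into a policy dict (hypothetical helper).

    The exclusion sections hold bare names with no '=' value, so the parser is
    created with allow_no_value=True. Fallbacks are the documented defaults.
    """
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.optionxform = str  # keep the case of user and client names
    cp.read_string(text)

    def names(section):
        return set(cp[section].keys()) if cp.has_section(section) else set()

    return {
        "enable": cp.getint("Settings", "Enable", fallback=0) == 1,
        "rejects": cp.getint("Settings", "Rejects", fallback=3),
        "within": cp.getint("Settings", "Within", fallback=120),
        "lockout": cp.getint("Settings", "Lockout", fallback=600),
        "client_exclusions": names("ClientExclusionList"),
        "user_exclusions": names("UserExclusionList"),
    }


class LockoutTracker:
    """Sliding-window model of the documented lockout behaviour (an assumption
    made for illustration, not the product's own bookkeeping)."""

    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    REJECT_LOCKED = "Access-Reject (locked out)"

    def __init__(self, policy):
        self.policy = policy
        self.recent_rejects = defaultdict(deque)  # user -> timestamps of counted rejects
        self.locked_until = {}                    # user -> time the lockout expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return True
        self.locked_until.pop(user, None)  # expired, or never locked
        return False

    def authenticate(self, user, client, password_ok, now):
        """Return the response the server would send for one attempt at time `now`."""
        p = self.policy
        if p["enable"] and self.is_locked(user, now):
            return self.REJECT_LOCKED  # rejected immediately, even with the right password
        if password_ok:
            return self.ACCEPT
        exempt = (not p["enable"] or user in p["user_exclusions"]
                  or client in p["client_exclusions"])
        if exempt:
            return self.REJECT  # a plain reject that is never counted toward lockout
        window = self.recent_rejects[user]
        window.append(now)
        while now - window[0] > p["within"]:  # drop rejects older than Within seconds
            window.popleft()
        if len(window) >= p["rejects"]:
            self.locked_until[user] = now + p["lockout"]
            window.clear()
        return self.REJECT


def replay(policy, attempts):
    """Run (time, user, client, password_ok) tuples through one tracker; times are per user."""
    tracker = LockoutTracker(policy)
    return [tracker.authenticate(u, c, ok, t) for t, u, c, ok in attempts]


# Constructed attempt log for the demonstration.
SAMPLE_ATTEMPTS = [
    (0,   "alice",     "nas1",           False),
    (30,  "alice",     "nas1",           False),
    (60,  "alice",     "nas1",           False),  # third reject within 120 s: lockout until 660
    (100, "alice",     "nas1",           True),   # correct password, still locked
    (700, "alice",     "nas1",           True),   # lockout expired at 660
    (0,   "carol",     "nas1",           False),
    (50,  "carol",     "nas1",           False),
    (130, "carol",     "nas1",           False),  # first reject aged out of the window: no lockout
    (0,   "anonymous", "nas1",           False),
    (1,   "anonymous", "nas1",           False),
    (2,   "anonymous", "nas1",           False),  # excluded user, never locked
    (0,   "bob",       "exampleclient1", False),
    (1,   "bob",       "exampleclient1", False),
    (2,   "bob",       "exampleclient1", False),  # excluded client, never locked
    (3,   "bob",       "exampleclient1", True),
]

if __name__ == "__main__":
    policy = parse_lockout_ini(SAMPLE_LOCKOUT_INI)
    for attempt, outcome in zip(SAMPLE_ATTEMPTS, replay(policy, SAMPLE_ATTEMPTS)):
        print(attempt, "->", outcome)
```

Running the block prints one response per attempt; the carol entries show why the window matters (three rejects, but not three within 120 seconds), and the anonymous entries show the effect the note above relies on when anonymous is listed in [UserExclusionList].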


