Account redirection lets you flag an account for special processing after a configurable number of failed login attempts within a configurable time period. The redirect.ini initialization file specifies the settings used for account redirection when users forget or mis-enter their passwords.
The [Settings] section of redirect.ini (Table 54) enables and configures account redirection settings.
Table 54: redirect.ini [Settings] Syntax
Parameter: Function
Enable: Default value is 0. Note: Account redirection and account lockout are incompatible. Do not enable account redirection if account lockout is enabled.
Lockout: The number of seconds in the account redirection lockout period. For example, a lockout period of 86,400 seconds locks a user out for one day if account redirection processing fails to authenticate the user. Default value is 600 seconds (10 minutes).
Profile: The name of the global profile that supplies the values and attributes used for the user after account redirection is triggered. Default value is Redirect.
Redirect: The number of seconds during which a user is in redirect state. If the redirection period elapses without another user authentication request, the user is returned to normal state. Default value is 120 seconds.
Rejects: The number of rejected attempts before redirection. Default value is 3.
Within: The period in seconds during which a specified number of rejects causes account redirection. Default value is 180 seconds (3 minutes).
For example, the following [Settings] section of redirect.ini specifies that, if a user fails authentication three times within 180 seconds, the user account is placed into redirect state. If the user does not submit another authentication request within 120 seconds of entering redirect state, the user account is restored to normal state.
[Settings]
Enable = 0
Rejects = 3
Within = 180
Redirect = 120
Profile = RedirectProfile
Lockout = 86400
If the user submits another authentication request within 120 seconds of entering redirect state, the user is accepted without authentication or authorization processing, the user’s account is placed into accept-pending state, and the RADIUS accept message for the user contains the values and attributes specified in the global RedirectProfile profile. (These values or attributes can be used by an external customer process to direct the user to a secure webpage that asks for alternative authentication information or billing information; the external process might then mail the user an access password if the user satisfies the external process requirements.)
When a user is in accept-pending state, the user’s next authentication request determines whether Steel-Belted Radius Carrier accepts or locks out the user:
If the next authentication is successful, the user account is returned to normal state.
If the next authentication fails to accept the user, the user account is locked out for 86,400 seconds (one day). During this lockout period, authentication requests for this user are rejected automatically, even if the user enters the correct password.
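The state transitions described above can be modelled as a small state machine, which is useful for checking how a given set of redirect.ini values behaves before deploying it. This is an added example, not Steel-Belted Radius Carrier code: the Settings and Account classes are hypothetical, and the model assumes that timers are evaluated when the next request arrives, that a successful login clears the reject count, and that an expired lockout returns the account to normal state.

```python
from dataclasses import dataclass, field

@dataclass
class Settings:              # values from the example [Settings] section
    rejects: int = 3
    within: int = 180
    redirect: int = 120
    profile: str = "RedirectProfile"
    lockout: int = 86400

@dataclass
class Account:               # hypothetical model of one user account
    cfg: Settings
    state: str = "normal"
    since: float = 0.0       # time the current state was entered
    fails: list = field(default_factory=list)

    def _enter(self, state, now):
        self.state, self.since, self.fails = state, now, []

    def request(self, now, password_ok):
        """Return (reply, profile_or_None) for one authentication request."""
        cfg = self.cfg
        # Assumption: timers expire lazily, when the next request arrives.
        if self.state == "redirect" and now - self.since > cfg.redirect:
            self._enter("normal", now)
        if self.state == "lockout" and now - self.since >= cfg.lockout:
            self._enter("normal", now)   # assumption: lockout ends in normal state

        if self.state == "lockout":
            return ("reject", None)      # rejected even with the correct password
        if self.state == "redirect":
            self._enter("accept-pending", now)
            return ("accept", cfg.profile)   # no credential check in this state
        if self.state == "accept-pending":
            self._enter("normal" if password_ok else "lockout", now)
            return ("accept" if password_ok else "reject", None)
        # normal state: count rejects inside the sliding Within window
        if password_ok:
            self.fails.clear()           # assumption: success clears the count
            return ("accept", None)
        self.fails = [t for t in self.fails if now - t <= cfg.within] + [now]
        if len(self.fails) >= cfg.rejects:
            self._enter("redirect", now)
        return ("reject", None)
```

In this model the request that arrives in redirect state is accepted whatever password is supplied, matching the "accepted without authentication or authorization processing" behaviour described above.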
The [ClientExclusionList] section of redirect.ini identifies the RADIUS clients that are excluded from account redirection processing. Each entry in the [ClientExclusionList] section of redirect.ini consists of the name of a RADIUS client device, as configured in the Steel-Belted Radius Carrier database.