The lockout.ini configuration file enables and configures account lockout settings. Account lockout lets you disable an account after a configurable number of failed login attempts within a configurable period. For example, if a user enters an incorrect password three times within two minutes, Steel-Belted Radius Carrier can lock out the user’s account temporarily. During the lockout period, the user cannot log in, even with the correct password. Attempts to authenticate against a locked out account cause Steel-Belted Radius Carrier to respond with an Access-Reject message immediately.
The lockout.ini file contains one configuration section called [Settings] (Table 53), which has settings similar to the following:
Table 53: lockout.ini [Setting] Syntax
Default value is 0.
Specifies the lockout period in seconds.
Default value is 600 seconds (10 minutes).
Specifies the number of rejected attempts before lockout.
Default value is 3.
Specifies the period in seconds during which a specified number of rejects causes a lockout.
Default value is 120 seconds (two minutes).
You can add a ClientExclusionList section to the lockout.ini file. Use this section to list clients that are excepted from the lockout functionality. Enter one client name per line. For example,
[ClientExclusionList] exampleclient1 exampleclient2
You can add a UserExclusionList section to the lockout.ini file. Use this section to prevent certain reserved usernames, such as anonymous, from being locked out. Enter one username per line. For example:
If you enable the lockout facility in Steel-Belted Radius Carrier and you use a tunneled authentication method (TTLS or PEAP) with a prefetch-capable method (native user, SQL, or LDAP) and an enabled EAP protocol (MS-CHAP v2, MD5-Challenge, TLS), then you must enable Handle via Auto-EAP First in that prefetch-capable method to prevent the outer username (anonymous) from being added to the lockout list.
Otherwise, when Steel-Belted Radius Carrier receives an authentication request that uses an unconfigured EAP method, Steel-Belted Radius Carrier rejects the user (because the EAP method is not configured) and add the outer username (anonymous) to its lockout list. This results in all users with an outer authentication name of anonymous being rejected until the lockout period expires.
When running a Session State Register cluster, the account lockout configuration (lockout.ini) and state information (number of times each user has supplied a wrong password in a given time period) is maintained locally on each server in the cluster, not in the high-availability database. Consequently, a user who is locked out on one SBR Carrier server can request access from a different SBR Carrier server participating in the same Session State Register cluster.