View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
0001630 | PacketFence | security | public | 2013-02-12 09:55 | 2013-09-03 05:35
Reporter | bemosior
Assigned To | ludovic
Priority | normal | Severity | feature | Reproducibility | N/A
Status | assigned | Resolution | open
Platform | | OS | | OS Version |
Product Version |
Target Version | +1 | Fixed in Version |
Summary | 0001630: Username Registration Blacklist
Description | We see value in the addition of a username blacklist feature in order to prevent certain AD/LDAP registrations from occurring. Use Case: An individual may no longer register his/her own devices on the network (due to violations), but he/she may still use public lab machines. Disabling the AD/LDAP account is not an option, as the individual must still be able to access other services using AD/LDAP for authentication. Workflow (my understanding of it, at least): User attempts internet access and is redirected to the registration page. User enters username. PF compares username against blacklist, failing the process on match (with a user-facing error). In this case, no LDAP query is made/executed.
Tags | No tags attached.
fixed in git revision |
fixed in mtn revision |
Attached Files |
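
A sketch of the workflow in the description, added here as an example: it is not PacketFence code (PacketFence itself is written in Perl), and `canonical_username`, `load_blacklist`, `RegistrationGate` and the sample usernames are hypothetical. It goes one step past the request by comparing canonical forms, since AD accepts several spellings of one account (`jdoe`, `JDoe`, `CAMPUS\jdoe`, `jdoe@campus.example`) and a plain string match against the list would only catch one of them; the stand-in for the LDAP bind is never called on a match.

```python
import unicodedata

BLOCKED_MESSAGE = "This account is not permitted to register devices."

def canonical_username(raw):
    """Reduce common AD/LDAP logon forms to one bare, case-folded name.

    Assumption: a single directory, with the UPN prefix equal to the account
    name, so DOMAIN\\user, user@realm and USER all mean the same account.
    """
    name = unicodedata.normalize("NFKC", raw).strip()
    if "\\" in name:                 # DOMAIN\user
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                  # user@realm
        name = name.split("@", 1)[0]
    return name.strip().casefold()

def load_blacklist(lines):
    """Parse an admin-maintained list: one username per line, '#' comments."""
    entries = (line.split("#", 1)[0] for line in lines)
    return {canonical_username(e) for e in entries if e.strip()}

class RegistrationGate:
    """Checks the blacklist first; only non-blocked names reach the directory."""

    def __init__(self, blacklist, authenticate):
        self._blocked = blacklist
        self._authenticate = authenticate   # hypothetical callable(user, password) -> bool

    def register(self, username, password):
        if canonical_username(username) in self._blocked:
            return (False, BLOCKED_MESSAGE)  # no LDAP bind is attempted
        if self._authenticate(username, password):
            return (True, "registered")
        return (False, "Invalid username or password.")

if __name__ == "__main__":
    # Constructed sample data: one blocked user, a stand-in for the LDAP bind.
    ldap_calls = []
    def fake_ldap(user, password):
        ldap_calls.append(user)
        return password == "correct"
    gate = RegistrationGate(load_blacklist(["# violations", "jdoe"]), fake_ldap)
    for attempt in ["jdoe", "JDoe ", "CAMPUS\\jdoe", "jdoe@campus.example", "asmith"]:
        print(attempt, gate.register(attempt, "correct"))
    print("names sent to LDAP:", ldap_calls)
```

Stripping the domain part blocks the name in every realm; with more than one directory behind the portal, the list would have to be kept per source.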
Notes
(0003298) bemosior (reporter) 2013-02-12 09:57
I am assuming this blacklist is maintained independently by the local PF administrators and is simply a list of disallowed usernames.
(0003299) ludovic (administrator) 2013-02-13 19:27
Would be easy to do in PF v4 with a per-source blacklist of IDs.
(0003435) dranix (reporter) 2013-09-03 05:35
I have made a script where wireless devices (MAC) are banned upon attempting to brute-force password guess (LocalDB or LDAP account). The script runs in the background and listens to the /usr/local/pf/log/packetfence.log and keeps track of failed attempts. After 10 failed attempts, the MAC is placed in the iptables and all packets will be dropped from accessing the inline interface. Would the developers be interested in the script?
Issue History
Date Modified | Username | Field | Change
2013-02-12 09:55 | bemosior | New Issue |
2013-02-12 09:57 | bemosior | Note Added: 0003298 |
2013-02-13 19:26 | ludovic | Target Version | => +1
2013-02-13 19:26 | ludovic | Status | new => assigned
2013-02-13 19:26 | ludovic | Assigned To | => ludovic
2013-02-13 19:27 | ludovic | Note Added: 0003299 |
2013-09-03 05:35 | dranix | Note Added: 0003435 |