One of Elektron’s primary functions is to provide user authentication services. This chapter describes how to select and configure the method the Elektron will use to authenticate your network users.
Services
Elektron includes a number of distinct services that provide user authentication to clients. The PEAP, TTLS, EAP-FAST, LEAP, and EAP-TLS services are targeted at Wi-Fi clients, while the RADIUS service provides basic authentication types such as PAP and CHAP to other network access servers, such as modem pools and VPN concentrators.
Authentication Settings
There are several options that affect all authentication protocols to give you some additional control over how user logins are handled. These options are configured using the Authentication Settings pane in the Elektron Settings application.
Delay Sending Access-Reject Messages
When a user login is denied, the final message sent in the RADIUS protocol exchange is the “Access-Reject” message. Elektron includes an option for delaying the sending of the Access-Reject by a predefined interval. This prevents the server from being used as an oracle by an attacker attempting to guess user passwords by brute force: by delaying the server’s response by a second or two, an attacker who floods the server with bogus authentication requests is slowed down accordingly.
The default Access-Reject delay is one second. You may set this to any number greater than zero, but be careful setting it greater than three to five seconds: most network access devices have a timeout configured in that range. If the RADIUS server doesn’t respond within that timeout window, the access device will interpret the delay as a dropped connection rather than a rejected login and will restart the authentication process.
Enable Account Lockout
Another way to prevent an attacker from flooding Elektron with authentication requests in an attempt to guess user passwords is to use account lockouts. With this option enabled, access will be denied after a preset number of failed login attempts, even if the password is finally entered correctly. If an attacker tries a thousand different passwords, there will be no indication of whether any of them was correct.
Account lockout applies to any account, regardless of the authentication method used. The two available options are:
Lockout After Attempts: After this many failed login attempts, the password lockout will be enabled.
Lockout For: Determines the length of the lockout. The account is disabled for this period of time, and any login attempts will fail.
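The following is an added illustration, not Elektron’s own code, of how the Access-Reject delay and the two lockout options interact: failures are counted per account, the account is refused even with the correct password until the lockout expires, every rejection is delayed, and a check flags a delay that would exceed the access device’s timeout. The settings values, the user database, and the NAS timeout are assumed; the clock and sleep functions are injectable so the behaviour can be tested without waiting.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class AuthSettings:
    """The Authentication Settings discussed above; all values are assumed."""
    reject_delay_seconds: float = 1.0   # Elektron default is one second
    lockout_enabled: bool = True
    lockout_after_attempts: int = 5     # assumed "Lockout After Attempts"
    lockout_for_seconds: int = 600      # assumed "Lockout For"
    nas_timeout_seconds: float = 3.0    # assumed NAS timeout, for the sanity check


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0           # clock value at which the lockout ends


class AuthServer:
    """Minimal model of a RADIUS authenticator applying both settings."""
    def __init__(self, settings, passwords, clock=time.monotonic, sleep=time.sleep):
        self.settings = settings
        self._passwords = passwords     # constructed user database: name -> password
        self._state = {}                # per-account lockout state
        self._clock, self._sleep = clock, sleep   # injectable for testing

    def authenticate(self, username, password):
        s, now = self.settings, self._clock()
        st = self._state.setdefault(username, AccountState())
        if s.lockout_enabled and now < st.locked_until:
            return self._reject()       # locked: even the right password is refused
        expected = self._passwords.get(username, "")
        if expected and hmac.compare_digest(expected, password):
            st.failures = 0
            return "Access-Accept"
        st.failures += 1
        if s.lockout_enabled and st.failures >= s.lockout_after_attempts:
            st.locked_until = now + s.lockout_for_seconds
            st.failures = 0             # counter restarts once the lockout expires
        return self._reject()

    def _reject(self):
        # Delay Sending Access-Reject: slows brute-force guessing against this server
        self._sleep(self.settings.reject_delay_seconds)
        return "Access-Reject"


def reject_delay_exceeds_nas_timeout(settings):
    """True when the NAS would treat the delayed reject as a dropped request."""
    return settings.reject_delay_seconds >= settings.nas_timeout_seconds
```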
TLS Session Resumption
With this option selected, your users will be able to re-login using cached credentials for a period of 24 hours from their previous login. This reduces load on the server and speeds up individual logins, as the full TLS handshake does not need to occur for TLS-wrapped protocols like PEAP and TTLS.
Authentication Domains
The most important Elektron authentication concept to understand is authentication domains. The Authentication Domains pane in Elektron Settings allows you to configure Elektron to authenticate users against the accounts on your server, an LDAP directory, an ODBC data source, or other options.
