
feat: add REJECT_UNKNOWN_USERS option#7

Closed
jozefrebjak wants to merge 1 commit into develop from feat/reject-unknown-users

Conversation

@jozefrebjak
Contributor

Summary

  • Add REJECT_UNKNOWN_USERS env var that rejects non-existent users early in the authorize section
  • Uses Auth-Type := Reject so the attempt is still logged in radpostauth via Post-Auth-Type REJECT
  • Runs on every container start (outside init lock) with duplicate detection
  • Skips the authenticate phase for unknown users, reducing unnecessary processing

Motivation

Brute force / dictionary attacks generate large volumes of auth attempts with non-existent usernames (e.g. admin, Cisco, common names). This rejects them earlier while maintaining audit logs.

Usage

REJECT_UNKNOWN_USERS: "true"

Test plan

  • Start container with REJECT_UNKNOWN_USERS=true
  • Verify unlang block is inserted after first -sql in authorize section of sites-available/default
  • Test with non-existent username — verify Access-Reject and entry in radpostauth
  • Test with valid username — verify normal authentication flow
  • Restart container — verify no duplicate blocks are inserted
  • Disable REJECT_UNKNOWN_USERS and restart — verify block remains (idempotent, no removal needed since config is rebuilt from defaults on init)

Closes #6

Add env var REJECT_UNKNOWN_USERS that inserts an unlang check after the
SQL lookup in the authorize section. Users not found in radcheck are
rejected via Auth-Type := Reject, skipping authenticate but still
logging the attempt in radpostauth via Post-Auth-Type REJECT.

Runs on every container start (outside init lock) with duplicate
detection to prevent multiple insertions.

Closes #6
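As an added example, not this PR's or the project's own entrypoint code, the procedure the description and test plan lay out in POSIX shell: insert an unlang block after the first top-level `-sql` line of the `authorize` section in `sites-available/default`, guarded by a marker comment so that running it on every container start inserts the block at most once. The marker text, the function names and return codes, the raddb path and the unlang body (`if (notfound)` on the sql module's return code, then `Auth-Type := Reject`) are assumptions; the sample config in the usage note is constructed, not the real file.

```sh
#!/bin/sh
# Added example (not the project's entrypoint code): insert a "reject unknown
# users" unlang block after the first "-sql" line of the authorize section of
# a FreeRADIUS sites-available/default, with a marker comment for duplicate
# detection so the function can run on every container start.
# Marker text, function names, return codes and the unlang body are assumptions.

REJECT_UNKNOWN_MARKER='# REJECT_UNKNOWN_USERS managed block'

# The unlang inserted. Assumed FreeRADIUS 3.x semantics: rlm_sql returns
# "notfound" when the user has no radcheck/radreply/group rows, and setting
# Auth-Type := Reject in authorize skips authenticate and runs
# Post-Auth-Type REJECT, which is what logs the attempt to radpostauth.
reject_unknown_block() {
    cat <<EOF
    $REJECT_UNKNOWN_MARKER
    if (notfound) {
        update control {
            Auth-Type := Reject
        }
    }
EOF
}

# insert_reject_unknown_users FILE
# Returns 0 when the block was inserted, 1 when it is already present (not an
# error; expected on every restart), 2 when authorize has no "-sql" line at
# its top level, in which case FILE is left untouched.
insert_reject_unknown_users() {
    file="$1"
    if grep -qF "$REJECT_UNKNOWN_MARKER" "$file"; then
        return 1
    fi
    tmp="${file}.tmp.$$"
    # Brace depth is tracked so that "-sql" inside a nested "if { }" of
    # authorize, and "-sql" in post-auth, are not matched; "#" comments are
    # stripped before counting braces.
    if REJECT_BLOCK="$(reject_unknown_block)" awk '
        /^[[:space:]]*authorize[[:space:]]*\{/ { in_auth = 1; depth = 0 }
        {
            print
            if (in_auth) {
                line = $0
                sub(/#.*/, "", line)
                depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
                if (!done && depth == 1 && $0 ~ /^[[:space:]]*-sql[[:space:]]*$/) {
                    print ENVIRON["REJECT_BLOCK"]
                    done = 1
                }
                if (depth <= 0) in_auth = 0
            }
        }
        END { if (!done) exit 2 }
    ' "$file" > "$tmp"; then
        mv "$tmp" "$file"
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Entrypoint usage (raddb path assumed). The "|| rc=$?" form keeps "set -e"
# scripts alive when the block is already present:
#   if [ "${REJECT_UNKNOWN_USERS:-false}" = "true" ]; then
#       rc=0; insert_reject_unknown_users /etc/raddb/sites-available/default || rc=$?
#       [ "$rc" -ne 2 ] || echo "no -sql in authorize; block not inserted" >&2
#   fi
```

Two caveats a deployer should keep in mind. The check keys on rlm_sql's `notfound`, so a user that is authorized by a module listed after `-sql` in `authorize` (files, ldap) rather than by a radcheck row is rejected as well. And because the block lives only in the rebuilt config, disabling the env var takes effect only when the config is regenerated from defaults on init, which is exactly what the test plan's last step relies on.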
github-actions bot added the enhancement label on Apr 2, 2026
@jozefrebjak
Contributor Author

Closing in favor of a more effective approach: auth reject logging for fail2ban integration.

jozefrebjak closed this on Apr 2, 2026

Labels

enhancement Enhancements ⬆️

Development

Successfully merging this pull request may close these issues.

feat: add option to reject unknown users early in authorize section