The ppp connection chasten command restricts the number of connection requests from a PPP user.
The undo ppp connection chasten command removes the restriction on the number of connection requests from a PPP user.
By default, if a PPP user fails authentication 5 times within 180 seconds, the user account is frozen for 300 seconds.
This command is supported only on the NetEngine 8000 F1A.
ppp connection chasten option105 request-sessions request-period blocking-period [ padi-discard ] [ quickoffline ]
ppp connection chasten request-sessions request-period blocking-period [ padi-discard ] [ quickoffline ] [ multi-sessions-permac ]
undo ppp connection chasten option105 [ padi-discard ] [ quickoffline ]
undo ppp connection chasten [ padi-discard ] [ quickoffline ] [ multi-sessions-permac ]
Parameter | Description | Value |
---|---|---|
request-sessions | Specifies the number of PPP connection requests. | The value is an integer that ranges from 1 to 10000. |
request-period | Specifies the period for sending PPP connection requests. | The value is an integer that ranges from 1 to 3600, in seconds. |
blocking-period | Specifies the period when a PPP connection request is blocked. | The value is an integer that ranges from 0 to 3600, in seconds. |
padi-discard | Specifies that the packets of the users whose accounts are frozen are discarded in the PPPoE active discovery initiation (PADI) phase. By default, the packets of the users whose accounts are frozen are discarded in the PPPoE active discovery request (PADR) phase. | - |
quickoffline | Specifies the maximum number of times that a PPP user can go offline immediately after going online during a specific time period. If a large number of users go offline immediately after going online on a live network, the CPU is overloaded or the RADIUS server may go Down. After you specify quickoffline, PPP user accounts are frozen for blocking-period seconds if the PPP users go offline immediately after going online for request-sessions times during request-period seconds. | - |
multi-sessions-permac | Restricts the number of PPP connection requests based on the MAC address in scenarios in which one-to-many mappings between one MAC address and multiple PPP sessions are configured. | - |
option105 | Restricts the number of connection requests from a PPP user based on the Option 105 information. By default, the number of connection requests from a PPP user is restricted based on MAC addresses. | - |
Usage Scenario
To prevent unauthorized users from cracking an authorized user's password through a brute force attack, you can restrict the number of access attempts. If a user fails authentication N times, the user account is blocked for a period of time, thwarting attempts to crack the password. You can set the authentication interval of a user to <request-period> seconds. If authentication of the same user fails <request-sessions> times during <request-period> seconds, the user account is frozen for <blocking-period> seconds.
In a scenario in which a large number of users go offline immediately after they go online, the CPU may be overloaded and the RADIUS server may even go Down. To prevent this problem, you can configure quickoffline to restrict the number of a user's quick offline attempts within a specified time. If a PPP user goes offline immediately after going online <request-sessions> times within <request-period> seconds, the user account is frozen for <blocking-period> seconds.
Configuration Impact
If padi-discard is configured, the packets of the users whose accounts are frozen are discarded in the PADI phase, which saves the system a response message and improves system performance. When padi-discard is configured, the Option 105 information is filtered only in the PADI phase. However, when option105 and padi-discard are both configured and the user packet carries Option 105 only in the PADR phase, the matching packet is discarded in the PADR phase.
If the ppp connection chasten command is run more than once in the same view, the latest configuration overrides the previous one.
NOTE: If you run the ppp connection chasten command without quickoffline and another ppp connection chasten command with quickoffline on a device, both commands can coexist. The command without quickoffline freezes user accounts if the users fail to be authenticated for a specific number of times. The command with quickoffline freezes user accounts if the users go offline immediately after going online for a specific number of times. If you modify the configuration of one of these commands, the modification does not override the configuration of the other command.
For example, if you configure the ppp connection chasten 100 500 1000 and ppp connection chasten 300 500 1000 quickoffline commands in the system view, both commands can coexist. Suppose that you then configure the ppp connection chasten option105 100 500 2000 and ppp connection chasten 300 500 2000 quickoffline commands to adjust the original configurations. In this situation, the ppp connection chasten option105 100 500 2000 command overrides only the original ppp connection chasten 100 500 1000 command. Similarly, the ppp connection chasten 300 500 2000 quickoffline command overrides only the original ppp connection chasten 300 500 1000 quickoffline command.
Precautions
This command is supported only on the admin VS.
In scenarios with multiple PPP sessions per MAC address, after the maximum number of access users is set to more than 1 using the pppoe-server max-sessions remote-mac command and option105 is not specified in the ppp connection chasten command, the restriction on the number of connection requests from a PPP user based on MAC addresses does not take effect. To allow it to take effect, configure multi-sessions-permac. If option105 is specified in the ppp connection chasten command, the restriction on the number of connection requests from a PPP user based on the Option 105 information takes effect.
In the system view, this command takes effect on all users that access the . In the VLAN view, the command takes effect only on VLAN users that access the interface where the VLAN resides. If this command is configured in both the system and VLAN views, the command that first meets the restriction condition takes effect.
<HUAWEI> system-view
[~HUAWEI] ppp connection chasten 10 60 1000 quickoffline multi-sessions-permac
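The override rule under Configuration Impact and the multi-sessions-permac precaution can be checked offline against saved configuration lines. The following Python sketch is an added example, not Huawei code: the function names are hypothetical, it assumes all lines come from a single view, and the per-MAC session limit is passed in by the caller rather than parsed.

```python
import re

# Value ranges from the parameter table on this page.
RANGES = {"request_sessions": (1, 10000), "request_period": (1, 3600),
          "blocking_period": (0, 3600)}
FLAGS = {"padi-discard", "quickoffline", "multi-sessions-permac"}
CMD = re.compile(r"ppp connection chasten( option105)? (\d+) (\d+) (\d+)((?: \S+)*)")

def parse(line):
    """Parse one 'ppp connection chasten' line into a policy dict."""
    m = CMD.fullmatch(" ".join(line.split()))
    if not m:
        raise ValueError(f"not a chasten command: {line!r}")
    flags = set(m.group(5).split())
    if flags - FLAGS:
        raise ValueError(f"unknown keyword(s): {sorted(flags - FLAGS)}")
    if m.group(1) and "multi-sessions-permac" in flags:
        raise ValueError("the option105 form has no multi-sessions-permac keyword")
    policy = {"option105": bool(m.group(1)), "flags": flags}
    for (name, (lo, hi)), raw in zip(RANGES.items(), m.group(2, 3, 4)):
        if not lo <= int(raw) <= hi:
            raise ValueError(f"{name}={raw} outside {lo}..{hi}")
        policy[name] = int(raw)
    return policy

def effective(lines):
    """Apply the override rule: commands with and without quickoffline
    coexist; within each kind the latest command wins."""
    slots = {}
    for line in lines:
        p = parse(line)
        kind = "quickoffline" if "quickoffline" in p["flags"] else "auth-failure"
        slots[kind] = p
    return slots

def audit(slots, max_sessions_per_mac=1):
    """Flag policies that the Precautions section says do not take effect.
    max_sessions_per_mac is a caller-supplied assumption, not parsed."""
    findings = []
    for kind, p in slots.items():
        if (max_sessions_per_mac > 1 and not p["option105"]
                and "multi-sessions-permac" not in p["flags"]):
            findings.append(f"{kind}: MAC-based restriction inactive, "
                            "add multi-sessions-permac or use option105")
    return findings

# Constructed input: the four commands from the coexistence example above.
SAMPLE = ["ppp connection chasten 100 500 1000",
          "ppp connection chasten 300 500 1000 quickoffline",
          "ppp connection chasten option105 100 500 2000",
          "ppp connection chasten 300 500 2000 quickoffline"]
```

Calling `audit(effective(SAMPLE), max_sessions_per_mac=2)` reports only the quickoffline policy, because the auth-failure policy was replaced by the option105 form.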