Authentication Failure Lockout Policy

Access Server automatically locks out user accounts after repeated failed authentication attempts to prevent brute-force attacks. When locked out, users see messages like "LOCKOUT" or "User temporarily locked out due to multiple authentication failures."

Access Server 2.10 and newer: The lockout triggers after five failed attempts within 15 minutes and expires after 15 minutes.
Access Server 2.9 and older: Lockout triggers after three failed attempts and expires after 15 minutes.
Access Server tracks incorrect passwords in a lockout dictionary (stored as hashes). The dictionary is purged if it reaches its limit. The default settings are usually sufficient, but high-volume environments may require adjustments.
External authentication systems (LDAP, RADIUS, SAML) may have their own lockout policies.
Exceptions for Access Server 2.9 and older ONLY: User-locked connection profiles and bootstrap accounts don't trigger lockouts.

Admins can modify lockout settings or manually lift a lockout if needed.

Configure the lockout policy

You can configure the lockout policy from the Admin Web UI (Access Server 2.10.2 and newer) or the command-line interface (CLI).

Important

If you’re using an external authentication system, that system might have its own lockout policy.

Tutorial: Configure the Authentication Failure Lockout Policy

Manually unlock a locked-out user account

If you wish to unlock a locked-out user manually, follow the steps below.

Tip

You can't unlock a single, specific user. The steps below allow you to set the automatic lockout reset period to one second and then revert it back to the default value.

Manually unlock a user from the Admin Web UI

Access Server 2.10.2 and newer configures the lockout policy in the Admin Web UI. To manually unlock users, follow these steps:

Sign in to the Admin Web UI.
Click Authentication > Settings.
Under Password Lockout Policy, take note of your current value for the Lockout release timeout in seconds.
Set the value to 1.
Click Save Settings and Update Running Server.
Wait two seconds.
Set the value back to your initial value.
Tip
Access Server's default lockout is set to 900 seconds, or 15 minutes.
Click Save Settings and Update Running Server.
- The locked-out user can sign in again.

Manually unlock a user from the CLI

Connect to your Access Server console and get root privileges.
Change your directory to use the sacli tool.
```
cd /usr/local/openvpn_as/scripts/
```
Run these commands to set the lockout to one second, wait two seconds, and then set it back to the default value of 15 minutes. (If desired, modify the command for your preferred lockout time.)
```
./sacli --key "vpn.server.lockout_policy.reset_time" --value "1" ConfigPut
./sacli start
sleep 2
./sacli --key "vpn.server.lockout_policy.reset_time" --value "900" ConfigPut
./sacli start
```
The locked-out user can sign in again.

In this section: